Modern user authentication for SaaS applications

Add modern authentication features to your SaaS applications, including passwordless login, single sign-on (SSO), multi-factor authentication (MFA), and customizable login flows.

Authentication overview

SecureAuth CIAM provides user authentication and SSO for connected applications and APIs by default. Adding an application enables you to leverage these authentication services.

Authentication needs for SaaS applications

Nearly all SaaS applications require user authentication, especially multi-tenant services delivered by a SaaS identity platform..

Early-stage SaaS applications. Prioritize quick setup, scalability, and pay-per-use models for user authentication.
Mature SaaS applications. Focus on advanced authorization and access control to handle more complex use cases

Consumer vs. Business SaaS authentication

SecureAuth CIAM supports both consumer and business use cases, offering flexible login options like social login for consumers and SSO/SAML for enterprise scenarios.

Consumer SaaS applications. Passwordless login, social login, and simplicity.
Business Saas applications. SSO with delegated administration, enterprise identity providers, and SAML support.

SecureAuth excels in Business SaaS scenarios with its advanced authorization engine and multi-tenancy capabilities.

SecureAuth as an identity provider

SecureAuth supports user storage and authentication across various user populations. It also enables business accounts to connect external identity providers through self-service.

To learn more, see Authentication methods and External authentication providers in this topic.

Authentication methods

SecureAuth CIAM supports multiple secure login methods to help you protect access to your applications. Identity Pools connect users to workspaces, enforcing authentication before accessing your applications.

Passwordless authentication with passkeys

Users log in using a device’s built-in biometric or PIN, such as a fingerprint or face scan. This method replaces passwords and supports a smoother, more secure experience.

Passkey login follows the WebAuthn protocol, developed by W3C, FIDO. It uses public-key cryptography to ensure strong, phishing-resistant authentication across devices.

Authentication with verification codes

Users receive a unique, time-limited code by email or SMS. They enter the code, along with an identifier (such as email or phone number), to log in.

Custom apps can also generate and send codes. These codes are single-use and expire quickly, making them more secure than passwords.

Authentication with magic links

SecureAuth generates a unique, time-limited link and sends it to the user’s email or phone. Clicking the link logs the user in and redirects them to the application.

Note

Magic links require API integration or a custom login page. They are not currently supported through the standard UI.

Authentication with identifier and password

Users enter a username, email, or phone number along with a password. SecureAuth checks these credentials and grants access if they match stored values.

This is a standard and widely supported method but is more vulnerable compared to passkeys or verification codes.

External authentication providers

Connect external identity providers to enable users to log in with accounts they already use. Choose from social or enteprise providers to streamline authentication for different user types.

List of social and enterprise identity providers in CIAM

Select a social or enterprise identity provider to create a connection

Social login providers

Users can log in with accounts they already use, such as Google or GitHub. This removes the need to create and manage new credentials.

Supported social login providers:

Apple
Facebook
GitHub
Google
LinkedIn
Microsoft
X (Twitter)

Each provider supports two connection types:

Option	Description
Embedded	Uses a pre-registered client application from SecureAuth. Setup is fast and requires no external configuration. Social identity provider - Embedded configuration example
Bring your Own	Uses credentials from a client application registered by your organization. This option allows you manage your application configuration. Social identity provider - Bring your Own configuration example

Enterprise identity providers

Use enterprise Identity providers to enable SSO and centralized authentication for your workforce.

Supported enterprise providers include:

Amazon Cognito
Auth0
Custom IDP
Entrust
Google Workspace
MIcrosoft Azure AD B2C
Microsoft Entra ID
OAuth2
Okta
OpenID Connect
SAML

Configure these providers in a selected workspace under Authentication > Providers > Create Connection. Select an enterprise provider type and follow the prompts to complete setup.

Single sign-on (SSO) and enterprise authentication

Businesses often require identity federation to manage identities across multiple domains or enterprises. SecureAuth enables you to:

Connect multiple enterprise identity providers
Control the login flow
Integrate with SAML-based applications
Standardize user data from different IDPs into a unified authentication schema

Approach to authentication

Developers must choose between a universal login flow or an embedded login flow for user authentication.

Universal login. Redirects users to a central domain for authentication before returning them to the application.
Embedded login. Keeps users on the same page, displaying a login widget and sending credentials to the authentication provider via a cross-origin request.

SecureAuth recommends using universal login for secure authentication. This method reduces the risk of cross-origin attacks andaligns with OAuth best practices.

In this section: