SSOService
Esta página aún no está disponible en tu idioma.
Manages SSO (Single Sign-On) identity provider configuration for enterprise identity federation via SAML 2.0 and OpenID Connect.
Profile attribute mappings (mapping identity provider claims to Pidgr profile fields) are managed separately via OrganizationService.UpdateSsoAttributeMappings.
Methods
Section titled “Methods”| Method | Description |
|---|---|
CheckSSOByDomain |
Check if an email domain has SSO configured |
CreateSSOProvider |
Create a new SSO provider |
GetSSOProvider |
Get the organization’s SSO provider |
DeleteSSOProvider |
Delete the organization’s SSO provider |
CheckSSOByDomain
Section titled “CheckSSOByDomain”Check if an email’s domain has an SSO provider configured. Used during the login flow to redirect users to their identity provider. This is a pre-authentication endpoint.
Authorization: Public (no authentication required)
Request: CheckSSOByDomainRequest
Section titled “Request: CheckSSOByDomainRequest”| Field | Type | Description |
|---|---|---|
email |
string |
Email address to check. The domain part is extracted. Max 254 characters. |
Response: CheckSSOByDomainResponse
Section titled “Response: CheckSSOByDomainResponse”| Field | Type | Description |
|---|---|---|
sso_enabled |
bool |
Whether SSO is enabled for the email’s domain. |
provider_name |
string |
Identity provider name for the redirect flow. Empty if sso_enabled is false. |
Example
Section titled “Example”TypeScript (Connect-Web)
const response = await ssoClient.checkSSOByDomain({ email: "alice@company.com",});
if (response.ssoEnabled) { // Redirect to SSO login flow using response.providerName}Go (gRPC)
resp, err := ssoClient.CheckSSOByDomain(ctx, &pidgrv1.CheckSSOByDomainRequest{ Email: "alice@company.com",})if resp.SsoEnabled { // Redirect to SSO login flow}CreateSSOProvider
Section titled “CreateSSOProvider”Create an SSO provider for the organization. The metadata URL is validated before saving.
Authorization: Requires PERMISSION_ORG_WRITE permission
Request: CreateSSOProviderRequest
Section titled “Request: CreateSSOProviderRequest”| Field | Type | Description |
|---|---|---|
domain |
string |
Email domain to associate (e.g. acme.com). Max 253 characters. |
type |
SSOProviderType |
Provider type (SAML or OIDC). |
metadata_url |
string |
SAML metadata URL or OIDC discovery URL. HTTPS required. Max 2048 characters. |
attribute_mapping |
SamlAttributeNames |
Optional custom SAML attribute name overrides. When omitted, attribute names are auto-detected from the metadata URL. |
Response: CreateSSOProviderResponse
Section titled “Response: CreateSSOProviderResponse”| Field | Type | Description |
|---|---|---|
provider |
SSOProvider |
The created SSO provider. |
GetSSOProvider
Section titled “GetSSOProvider”Get the organization’s SSO provider configuration.
Authorization: Requires PERMISSION_ORG_READ permission
Request: GetSSOProviderRequest
Section titled “Request: GetSSOProviderRequest”Empty request.
Response: GetSSOProviderResponse
Section titled “Response: GetSSOProviderResponse”| Field | Type | Description |
|---|---|---|
provider |
SSOProvider |
The organization’s SSO provider, or null if not configured. |
DeleteSSOProvider
Section titled “DeleteSSOProvider”Delete the organization’s SSO provider. Users with that domain fall back to passkey/email OTP authentication.
Authorization: Requires PERMISSION_ORG_WRITE permission
Request: DeleteSSOProviderRequest
Section titled “Request: DeleteSSOProviderRequest”| Field | Type | Description |
|---|---|---|
provider_id |
string |
ID of the provider to delete. |
Response: DeleteSSOProviderResponse
Section titled “Response: DeleteSSOProviderResponse”Empty response on success.
SSOProvider Message
Section titled “SSOProvider Message”| Field | Type | Description |
|---|---|---|
id |
string |
Unique identifier. |
domain |
string |
Email domain that triggers this SSO provider (e.g. acme.com). |
type |
SSOProviderType |
Provider type. |
metadata_url |
string |
SAML metadata URL or OIDC discovery URL. |
idp_provider_name |
string |
Identity provider name used for the redirect flow. Set by the API on creation. |
created_at |
Timestamp |
Creation timestamp. |
updated_at |
Timestamp |
Last update timestamp. |
attribute_mapping |
SamlAttributeNames |
Optional custom SAML attribute name overrides. |
SamlAttributeNames
Section titled “SamlAttributeNames”Custom SAML attribute name overrides for identity providers that use non-standard attribute names. When provided, these override the auto-detected values.
| Field | Type | Description |
|---|---|---|
email |
string |
SAML attribute name for the user’s email address. |
given_name |
string |
SAML attribute name for the user’s first name. |
family_name |
string |
SAML attribute name for the user’s last name. |
SSOProviderType
Section titled “SSOProviderType”| Value | Description |
|---|---|
SSO_PROVIDER_TYPE_SAML |
SAML 2.0 identity provider (e.g. Okta, Azure AD) |
SSO_PROVIDER_TYPE_OIDC |
OpenID Connect identity provider (e.g. Google Workspace, Auth0) |