Pular para o conteúdo

SSOService

Este conteúdo não está disponível em sua língua ainda.

Manages SSO (Single Sign-On) identity provider configuration for enterprise identity federation via SAML 2.0 and OpenID Connect.

Profile attribute mappings (mapping identity provider claims to Pidgr profile fields) are managed separately via OrganizationService.UpdateSsoAttributeMappings.

Method Description
CheckSSOByDomain Check if an email domain has SSO configured
CreateSSOProvider Create a new SSO provider
GetSSOProvider Get the organization’s SSO provider
DeleteSSOProvider Delete the organization’s SSO provider

Check if an email’s domain has an SSO provider configured. Used during the login flow to redirect users to their identity provider. This is a pre-authentication endpoint.

Authorization: Public (no authentication required)

Field Type Description
email string Email address to check. The domain part is extracted. Max 254 characters.
Field Type Description
sso_enabled bool Whether SSO is enabled for the email’s domain.
provider_name string Identity provider name for the redirect flow. Empty if sso_enabled is false.

TypeScript (Connect-Web)

const response = await ssoClient.checkSSOByDomain({
email: "alice@company.com",
});
if (response.ssoEnabled) {
// Redirect to SSO login flow using response.providerName
}

Go (gRPC)

resp, err := ssoClient.CheckSSOByDomain(ctx, &pidgrv1.CheckSSOByDomainRequest{
Email: "alice@company.com",
})
if resp.SsoEnabled {
// Redirect to SSO login flow
}

Create an SSO provider for the organization. The metadata URL is validated before saving.

Authorization: Requires PERMISSION_ORG_WRITE permission

Field Type Description
domain string Email domain to associate (e.g. acme.com). Max 253 characters.
type SSOProviderType Provider type (SAML or OIDC).
metadata_url string SAML metadata URL or OIDC discovery URL. HTTPS required. Max 2048 characters.
attribute_mapping SamlAttributeNames Optional custom SAML attribute name overrides. When omitted, attribute names are auto-detected from the metadata URL.
Field Type Description
provider SSOProvider The created SSO provider.

Get the organization’s SSO provider configuration.

Authorization: Requires PERMISSION_ORG_READ permission

Empty request.

Field Type Description
provider SSOProvider The organization’s SSO provider, or null if not configured.

Delete the organization’s SSO provider. Users with that domain fall back to passkey/email OTP authentication.

Authorization: Requires PERMISSION_ORG_WRITE permission

Field Type Description
provider_id string ID of the provider to delete.

Empty response on success.

Field Type Description
id string Unique identifier.
domain string Email domain that triggers this SSO provider (e.g. acme.com).
type SSOProviderType Provider type.
metadata_url string SAML metadata URL or OIDC discovery URL.
idp_provider_name string Identity provider name used for the redirect flow. Set by the API on creation.
created_at Timestamp Creation timestamp.
updated_at Timestamp Last update timestamp.
attribute_mapping SamlAttributeNames Optional custom SAML attribute name overrides.

Custom SAML attribute name overrides for identity providers that use non-standard attribute names. When provided, these override the auto-detected values.

Field Type Description
email string SAML attribute name for the user’s email address.
given_name string SAML attribute name for the user’s first name.
family_name string SAML attribute name for the user’s last name.
Value Description
SSO_PROVIDER_TYPE_SAML SAML 2.0 identity provider (e.g. Okta, Azure AD)
SSO_PROVIDER_TYPE_OIDC OpenID Connect identity provider (e.g. Google Workspace, Auth0)