SAML SSO

Management endpoints

  • GET /api/saml/metadata/:workspaceId
  • POST /api/saml/connections
  • GET /api/saml/connections
  • PATCH /api/saml/connections/:id
  • DELETE /api/saml/connections/:id
  • PATCH /api/saml/enforce

Runtime endpoints

  • GET /api/saml/authorize/:workspaceId
  • POST /api/saml/callback
  • GET /api/saml/check
  • GET /api/saml/logout/:workspaceId
  • POST /api/saml/logout/callback
  • GET /api/saml/logout/callback

Access and requirements

  • Management APIs are session-only and reject API-key auth.
  • Management requires workspace admin role.
  • An Enterprise entitlement is required for SAML usage.

Connection configuration

Connections can be configured using:
  • metadata URL
  • raw metadata
  • manual IdP settings

Validation covers required fields and certificate correctness before activation.
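
A client-side pre-flight check for raw IdP metadata before it is submitted to POST /api/saml/connections, as an added example that is not the service's own validation code. The page does not list the exact rules, so the checks here (entityID present, HTTPS SSO location, signing certificate that decodes to a DER SEQUENCE, no DTD) are assumptions, and the function names and sample metadata are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed, trimmed sample; the certificate is a placeholder DER SEQUENCE, not a real cert.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="https://idp.example.test/sso"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

def cert_ok(b64):
    """True if b64 decodes to exactly one DER SEQUENCE (outer shape of an X.509 cert)."""
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    return 0 < n <= 4 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the pre-flight checks pass."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declarations rejected"]   # avoid entity expansion
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if not root.get("entityID") or idp is None:
        return ["missing entityID or IDPSSODescriptor"]
    problems = []
    sso = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)]
    if not sso or not all(u.startswith("https://") for u in sso):
        problems.append("SSO Location missing or not https")
    certs = [c.text or "" for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"   # no 'use' means signing and encryption
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    if not certs or not all(cert_ok(c) for c in certs):
        problems.append("signing certificate missing or not base64 DER")
    return problems
```

The DER check is structural only; it does not verify expiry, key strength, or that the certificate belongs to the IdP.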

Enforcement behavior

PATCH /api/saml/enforce updates workspace SSO policy. When enforced, matching users must authenticate via SAML according to configured domain rules.

Common errors

  • 400: invalid metadata/config payload
  • 403: missing admin role or entitlement
  • 404: connection/workspace not found