Authorize end user to sign-in using SAML SSO
Initiate a SAML SSO (Single Sign-On, "sign-in" in Descope terminology) process for an end user. Descope will coordinate the sign-in process with the service provider. Specify the URL you want to redirect the end user to after a successful sign-in in the redirectURL
parameter.
When the SSO sign-in completes successfully, the endpoint returns a URL url
that has a unique code \<unique-code\\>
, also called a token) appended as a URL parameter to the redirectURL
you provided. For example, if redirectURL = https://sso.mycompany.com/mywork.htm
then url = https://sso.mycompany.com/mywork.htm?code=<unique-code\>
. The unique code will be exchanged for a valid user object in the next step.
After the end user has been successfully authenticated with the identity provider (IdP) the end user session is redirected to url
.
Next Steps
Call the Exchange Code endpoint from the flow that responds to the URL specified in the redirectURL
field, to exchange the unique code for a user session object.
See Also
- See The User Object for further details on how to identify users and their contact information such as email addresses and phone number.
- See User Login Options for further details on the stepup, mfa, and customClaims parameters.
Endpoint Authentication
Use authorization bearer header with the following format:
Authorization: Bearer <Project ID>
Authorization
Authorization
RequiredBearer <token>
In: header
Request Body
stepup
boolean
Default: false
customClaims
object
mfa
boolean
Default: false
ssoAppId
string
templateOptions
object
locale
string
pkceChallenge
string
relevant only for enchanted links in the point in time - other methods will ignore this field
Format:"bytes"
Query Parameters
tenant
string
redirectUrl
string
prompt
array<string>
test
boolean
Status code | Description |
---|---|
200 | OK |