{  "app": {    "id": "string",    "name": "string",    "description": "string",    "enabled": true,    "logo": "string",    "appType": "string",    "samlSettings": {      "loginPageUrl": "string",      "idpCert": "string",      "useMetadataInfo": true,      "metadataUrl": "string",      "entityId": "string",      "acsUrl": "string",      "certificate": "string",      "attributeMapping": [        {          "name": "string",          "type": "string",          "value": "string"        }      ],      "groupsMapping": [        {          "name": "string",          "type": "string",          "filterType": "string",          "value": "string",          "roles": [            {              "id": "string",              "name": "string"            }          ]        }      ],      "idpMetadataUrl": "string",      "idpEntityId": "string",      "idpSsoUrl": "string",      "acsAllowedCallbacks": [        "string"      ],      "subjectNameIdType": "string",      "subjectNameIdFormat": "string",      "defaultRelayState": "string",      "idpInitiatedUrl": "string",      "forceAuthentication": true,      "idpLogoutUrl": "string",      "logoutRedirectUrl": "string",      "errorRedirectUrl": "string",      "defaultSignatureAlgorithm": "string"    },    "oidcSettings": {      "loginPageUrl": "string",      "issuer": "string",      "discoveryUrl": "string",      "claims": [        "string"      ],      "forceAuthentication": true,      "jwtBearerSettings": {        "issuers": {          "property1": {            "jwksUri": "string",            "signAlgorithm": "string",            "userInfoUri": "string",            "externalIdFieldName": "string"          },          "property2": {            "jwksUri": "string",            "signAlgorithm": "string",            "userInfoUri": "string",            "externalIdFieldName": "string"          }        },        "jwtBearerGrantTypeAudienceToUse": "string",        "jwtBearerGrantTypeScopeToUse": "string",        "jwtBearerGrantTypeCustomClaimsToUse": "string"      },      "backChannelLogoutUrl": "string",      "customIdpInitiatedLoginPageUrl": "string",      "sessionSettings": {        "enabled": true,        "refreshTokenExpiration": 0,        "refreshTokenExpirationUnit": "string",        "sessionTokenExpiration": 0,        "sessionTokenExpirationUnit": "string",        "userTemplateId": "string",        "keyTemplateId": "string",        "keySessionTokenExpiration": 0,        "keySessionTokenExpirationUnit": "string"      },      "clientId": "string",      "clientSecret": "string",      "clientType": "string",      "approvedRedirectUrls": [        "string"      ],      "authorizationCodeDisabled": true,      "clientCredentialsDisabled": true,      "refreshTokenDisabled": true,      "jwtBearerDisabled": true,      "deviceCodeDisabled": true,      "forcePkce": true,      "defaultAudience": "string",      "scopeClaimMapping": [        {          "scope": "string",          "claims": {            "property1": "string",            "property2": "string"          },          "description": "string",          "useProjectMapping": true        }      ]    },    "customSettings": {      "loginPageUrl": "string",      "sessionSettings": {        "enabled": true,        "refreshTokenExpiration": 0,        "refreshTokenExpirationUnit": "string",        "sessionTokenExpiration": 0,        "sessionTokenExpirationUnit": "string",        "userTemplateId": "string",        "keyTemplateId": "string",        "keySessionTokenExpiration": 0,        "keySessionTokenExpirationUnit": "string"      }    },    "wsfedSettings": {      "loginPageUrl": "string",      "realm": "string",      "replyUrl": "string",      "attributeMapping": [        {          "name": "string",          "type": "string",          "value": "string"        }      ],      "groupsMapping": [        {          "name": "string",          "type": "string",          "filterType": "string",          "value": "string",          "roles": [            {              "id": "string",              "name": "string"            }          ]        }      ],      "forceAuthentication": true,      "logoutRedirectUrl": "string",      "errorRedirectUrl": "string",      "idpCert": "string",      "idpInitiatedUrl": "string",      "idpMetadataUrl": "string",      "idpEntityId": "string",      "idpSsoUrl": "string",      "idpLogoutUrl": "string",      "replyAllowedCallbacks": [        "string"      ]    },    "trustedAppIds": [      "string"    ],    "customAttributes": {      "attribute-key": "attribute-value"    }  }}

export interface Response {app?: SSOApplication}export interface SSOApplication {id?: string/** * int64 version - excluded *  int64 createdTime - excluded *  string projectId - copied */name?: stringdescription?: stringenabled?: booleanlogo?: stringappType?: stringsamlSettings?: SSOApplicationSAMLSettingsoidcSettings?: SSOApplicationOIDCSettingscustomSettings?: SSOApplicationCustomSettingswsfedSettings?: SSOApplicationWSFedSettings/** * trustedAppIds lists sibling SSO apps whose roles are included in this app's JWT under the *  `trustedApps` claim at login time. Only OIDC and Custom app types may set a non-empty value. */trustedAppIds?: string[]/** * Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. */customAttributes?: {[k: string]: string}}export interface SSOApplicationSAMLSettings {loginPageUrl?: stringidpCert?: stringuseMetadataInfo?: booleanmetadataUrl?: stringentityId?: stringacsUrl?: stringcertificate?: stringattributeMapping?: {name?: stringtype?: stringvalue?: string}[]groupsMapping?: {name?: stringtype?: stringfilterType?: stringvalue?: stringroles?: SAMLIDPRoleGroupMappingInfo[]}[]idpMetadataUrl?: stringidpEntityId?: stringidpSsoUrl?: stringacsAllowedCallbacks?: string[]subjectNameIdType?: stringsubjectNameIdFormat?: stringdefaultRelayState?: stringidpInitiatedUrl?: stringforceAuthentication?: booleanidpLogoutUrl?: stringlogoutRedirectUrl?: stringerrorRedirectUrl?: stringdefaultSignatureAlgorithm?: string}export interface SAMLIDPRoleGroupMappingInfo {id?: stringname?: string}export interface SSOApplicationOIDCSettings {loginPageUrl?: stringissuer?: stringdiscoveryUrl?: stringclaims?: string[]forceAuthentication?: booleanjwtBearerSettings?: {issuers?: {[k: string]: IssuerSettings}jwtBearerGrantTypeAudienceToUse?: stringjwtBearerGrantTypeScopeToUse?: stringjwtBearerGrantTypeCustomClaimsToUse?: string}backChannelLogoutUrl?: stringcustomIdpInitiatedLoginPageUrl?: stringsessionSettings?: {enabled?: booleanrefreshTokenExpiration?: numberrefreshTokenExpirationUnit?: stringsessionTokenExpiration?: numbersessionTokenExpirationUnit?: stringuserTemplateId?: stringkeyTemplateId?: stringkeySessionTokenExpiration?: numberkeySessionTokenExpirationUnit?: string}clientId?: stringclientSecret?: stringclientType?: stringapprovedRedirectUrls?: string[]authorizationCodeDisabled?: booleanclientCredentialsDisabled?: booleanrefreshTokenDisabled?: booleanjwtBearerDisabled?: booleandeviceCodeDisabled?: booleanforcePkce?: boolean/** * Default audience policy for issued tokens. Applies only to modern apps (non-empty clientType): *  'projectId', 'clientId', or empty (both). Legacy apps are unaffected. Mirrors third-party apps. */defaultAudience?: string/** * Per-app scope→claims mapping. When non-empty, this mapping REPLACES the project-wide *  ScopeClaimMapping for tokens issued by this app: only scopes listed here can be requested *  (the set of scopes doubles as an allow-list — requesting an unlisted scope returns *  InvalidArguments), and only this mapping's claims are emitted. Per-entry useProjectMapping *  lets an app opt back into the project's claims for an individual scope without restating *  them. Empty list preserves today's behavior (no per-app restriction; project-wide mapping *  applies if configured). */scopeClaimMapping?: AppScopeClaimMappingEntry[]}export interface IssuerSettings {jwksUri?: stringsignAlgorithm?: stringuserInfoUri?: stringexternalIdFieldName?: string}/** * AppScopeClaimMappingEntry is the per-app variant of ScopeClaimMappingEntry. It lives only *  inside SSOApplicationOIDCSettings.scopeClaimMapping and carries an extra useProjectMapping *  flag that lets an entry inherit the project-wide mapping's claims for its scope without *  restating them. Keeping a dedicated message keeps the project-wide ScopeClaimMappingEntry *  API clean (no useProjectMapping field where it has no meaning). */export interface AppScopeClaimMappingEntry {scope?: string/** * claims is consulted only when useProjectMapping is false. When useProjectMapping is true, *  the project-wide mapping's entry for `scope` provides the claims and this field is ignored. */claims?: {[k: string]: string}description?: string/** * useProjectMapping, when true, reuses the project-wide ScopeClaimMapping's entry for this *  scope (the app's `claims` field is ignored). Default false uses the app's own `claims`. */useProjectMapping?: boolean}export interface SSOApplicationCustomSettings {loginPageUrl?: stringsessionSettings?: {enabled?: booleanrefreshTokenExpiration?: numberrefreshTokenExpirationUnit?: stringsessionTokenExpiration?: numbersessionTokenExpirationUnit?: stringuserTemplateId?: stringkeyTemplateId?: stringkeySessionTokenExpiration?: numberkeySessionTokenExpirationUnit?: string}}export interface SSOApplicationWSFedSettings {loginPageUrl?: stringrealm?: stringreplyUrl?: stringattributeMapping?: {name?: stringtype?: stringvalue?: string}[]groupsMapping?: {name?: stringtype?: stringfilterType?: stringvalue?: stringroles?: SAMLIDPRoleGroupMappingInfo[]}[]forceAuthentication?: booleanlogoutRedirectUrl?: stringerrorRedirectUrl?: stringidpCert?: stringidpInitiatedUrl?: stringidpMetadataUrl?: stringidpEntityId?: stringidpSsoUrl?: stringidpLogoutUrl?: stringreplyAllowedCallbacks?: string[]}