POST
/v1/mgmt/sso/settings/new

Authorization

Descope Project ID and Management Key
Authorization: Bearer <token>

The bearer token is the Project ID and the Management Key joined by a colon: `<Project ID>:<Management Key>`.

In: header

Request Body

application/json

tenantId?: string
ssoId?: string
displayName?: string

Create new SSO settings for a tenant, using a valid management key.

This API endpoint allows you to create a new SSO configuration for a tenant. The endpoint accepts the tenant ID, an optional SSO ID, and a display name for the SSO configuration.

See also

  • See SSO Configuration for further details on managing SSO Configurations on a tenant.
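# Create new SSO settings for a tenant (POST /v1/mgmt/sso/settings/new).
#
# The endpoint requires "Authorization: Bearer <Project ID>:<Management Key>".
# Both values are read from environment variables here so the management key is
# not hard-coded in scripts or committed to version control.
# DESCOPE_PROJECT_ID / DESCOPE_MANAGEMENT_KEY and the <...> body values are
# placeholders, not real identifiers.
#
# Command-line arguments can be visible to other local users through the
# process list; on a shared host, pass the header from a file (curl -H @file).
# The documented response schema includes oidc.clientSecret, so treat the raw
# output as sensitive and keep it out of logs.
curl -X POST "https://api.descope.com/v1/mgmt/sso/settings/new" \
  -H "Authorization: Bearer ${DESCOPE_PROJECT_ID}:${DESCOPE_MANAGEMENT_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"tenantId": "<tenant-id>", "ssoId": "<sso-id>", "displayName": "<display-name>"}'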
{  "tenant": {    "id": "string",    "name": "string",    "selfProvisioningDomains": [      "string"    ],    "customAttributes": {      "attribute-key": "attribute-value"    },    "authType": "string",    "domains": [      "string"    ],    "createdTime": 0,    "disabled": true,    "enforceSSO": true,    "enforceSSOExclusions": [      "string"    ],    "federatedAppIds": [      "string"    ],    "parent": "string",    "successors": [      "string"    ],    "defaultRoles": [      "string"    ],    "roleInheritance": "string"  },  "saml": {    "idpEntityId": "string",    "idpSSOUrl": "string",    "idpCertificate": "string",    "idpMetadataUrl": "string",    "spEntityId": "string",    "spACSUrl": "string",    "spCertificate": "string",    "attributeMapping": {      "name": "string",      "email": "string",      "username": "string",      "group": "string",      "givenName": "string",      "middleName": "string",      "familyName": "string",      "picture": "string",      "customAttributes": {        "property1": "string",        "property2": "string"      },      "verifiedEmail": "string",      "verifiedPhone": "string"    },    "groupsMapping": [      {        "role": {          "id": "string",          "name": "string"        },        "groups": [          "string"        ]      }    ],    "redirectUrl": "string",    "spSignCertificate": "string",    "subjectNameIdFormat": "string",    "defaultSSORoles": [      "string"    ],    "fgaMappings": {      "property1": {        "relations": [          {            "resource": "string",            "relationDefinition": "string",            "namespace": "string"          }        ]      },      "property2": {        "relations": [          {            "resource": "string",            "relationDefinition": "string",            "namespace": "string"          }        ]      }    },    "providerID": "string",    "scimProviderID": "string",    "configFGATenantIDResourcePrefix": "string",    "configFGATenantIDResourceSuffix": 
"string",    "idpAdditionalCertificates": [      "string"    ],    "groupsPriority": [      "string"    ]  },  "oidc": {    "name": "string",    "clientId": "string",    "clientSecret": "string",    "redirectUrl": "string",    "authUrl": "string",    "tokenUrl": "string",    "userDataUrl": "string",    "scope": [      "string"    ],    "JWKsUrl": "string",    "userAttrMapping": {      "loginId": "string",      "username": "string",      "name": "string",      "email": "string",      "verifiedEmail": "string",      "verifiedPhone": "string",      "picture": "string",      "givenName": "string",      "middleName": "string",      "familyName": "string",      "customAttributes": {        "property1": "string",        "property2": "string"      },      "group": "string"    },    "manageProviderTokens": true,    "callbackDomain": "string",    "prompt": [      "string"    ],    "grantType": "string",    "issuer": "string",    "groupsMapping": [      {        "role": {          "id": "string",          "name": "string"        },        "groups": [          "string"        ]      }    ],    "defaultSSORoles": [      "string"    ],    "fgaMappings": {      "property1": {        "relations": [          {            "resource": "string",            "relationDefinition": "string",            "namespace": "string"          }        ]      },      "property2": {        "relations": [          {            "resource": "string",            "relationDefinition": "string",            "namespace": "string"          }        ]      }    },    "roleMappings": [      {        "groups": [          "string"        ],        "roleName": "string"      }    ],    "providerID": "string",    "scimProviderID": "string",    "groupsPriority": [      "string"    ]  },  "ssoId": "string"}
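/**
 * Response body of POST /v1/mgmt/sso/settings/new: the tenant record plus its
 * SAML and OIDC SSO settings. Every field is optional in this schema.
 */
export interface Response {
  tenant?: {
    id?: string
    name?: string
    selfProvisioningDomains?: string[]
    /**
     * Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays.
     */
    // NOTE(review): the description above allows non-string values, but the
    // declared value type is `string` — confirm which one the API returns.
    customAttributes?: {
      [k: string]: string
    }
    authType?: string
    domains?: string[]
    createdTime?: number
    disabled?: boolean
    enforceSSO?: boolean
    enforceSSOExclusions?: string[]
    federatedAppIds?: string[]
    parent?: string
    successors?: string[]
    defaultRoles?: string[]
    roleInheritance?: string
  }
  saml?: SamlSettingsResponse
  oidc?: {
    name?: string
    clientId?: string
    // The response type carries the OIDC client secret. Whether the server
    // populates it is not shown here; treat any object of this type as
    // sensitive (do not log or cache it in clear text).
    clientSecret?: string
    redirectUrl?: string
    authUrl?: string
    tokenUrl?: string
    userDataUrl?: string
    scope?: string[]
    JWKsUrl?: string
    userAttrMapping?: OAuthUserDataClaimsMapping
    manageProviderTokens?: boolean
    callbackDomain?: string
    prompt?: string[]
    grantType?: string
    issuer?: string
    groupsMapping?: {
      role?: RoleItem
      groups?: string[]
    }[]
    defaultSSORoles?: string[]
    fgaMappings?: {
      [k: string]: {
        relations?: ReBACGroupsMappingRelation[]
      }
    }
    roleMappings?: {
      groups?: string[]
      roleName?: string
    }[]
    providerID?: string
    scimProviderID?: string
    groupsPriority?: string[]
  }
  ssoId?: string
}

/**
 * SAML settings of an SSO configuration: IdP and SP identifiers, URLs and
 * certificates, attribute and group mappings.
 */
export interface SamlSettingsResponse {
  idpEntityId?: string
  idpSSOUrl?: string
  idpCertificate?: string
  idpMetadataUrl?: string
  spEntityId?: string
  spACSUrl?: string
  spCertificate?: string
  attributeMapping?: {
    name?: string
    email?: string
    username?: string
    group?: string
    givenName?: string
    middleName?: string
    familyName?: string
    picture?: string
    customAttributes?: {
      [k: string]: string
    }
    verifiedEmail?: string
    verifiedPhone?: string
  }
  groupsMapping?: {
    role?: RoleItem
    groups?: string[]
  }[]
  redirectUrl?: string
  spSignCertificate?: string
  subjectNameIdFormat?: string
  defaultSSORoles?: string[]
  fgaMappings?: {
    [k: string]: {
      relations?: ReBACGroupsMappingRelation[]
    }
  }
  providerID?: string
  scimProviderID?: string
  configFGATenantIDResourcePrefix?: string
  configFGATenantIDResourceSuffix?: string
  idpAdditionalCertificates?: string[]
  groupsPriority?: string[]
}

/** Role reference (id and name) used in the groupsMapping entries. */
export interface RoleItem {
  id?: string
  name?: string
}

/** One relation entry inside an fgaMappings value. */
export interface ReBACGroupsMappingRelation {
  /**
   * Resource identifier of the relation
   */
  resource?: string
  /**
   * The name of the relation definition
   */
  relationDefinition?: string
  /**
   * The namespace of the relation definition
   */
  namespace?: string
}

/**
 * Note that this is used both in SSO settings and in OAuth settings import/export,
 *  make sure not to change any fields which might break backwards compatibility with
 *  existing exported project data
 */
export interface OAuthUserDataClaimsMapping {
  loginId?: string
  username?: string
  name?: string
  email?: string
  verifiedEmail?: string
  verifiedPhone?: string
  picture?: string
  givenName?: string
  middleName?: string
  familyName?: string
  customAttributes?: {
    [k: string]: string
  }
  group?: string
}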