Enterprise SSO API Reference
These APIs can be called from your backend using your PropelAuth API Key. Click here for more information about Enterprise SSO.
POST /api/backend/v1/org/<orgId>/allow_saml
Allow Org To Setup SAML
Allows an organization to set up SAML SSO. Users in the organization will then be able to go through the SAML setup flow.
Required Permissions
Update Organization SSO Settings
Properties
- Name: orgId*
  Type: string
  Description: The organization ID
Request
auth.allowOrgToSetupSamlConnection(
  "1189c444-8a2d-4c41-8b4b-ae43ce79a492"
)
Successful Response
POST /api/backend/v1/org/<orgId>/disallow_saml
Disallow Org To Setup SAML
Disallows an organization from setting up SAML SSO. If the organization already has SAML set up, they will no longer be able to use it.
Required Permissions
Update Organization SSO Settings
Properties
- Name: orgId*
  Type: string
  Description: The organization ID
Request
auth.disallowOrgToSetupSamlConnection(
  "1189c444-8a2d-4c41-8b4b-ae43ce79a492"
)
Successful Response
POST /api/backend/v1/org/<orgId>/create_saml_connection_link
Create SAML Connection Link
Creates a link that allows a user to set up SAML for an organization without logging in or creating an account. Visit our SAML/Enterprise SSO docs for more information.
Required Permissions
Manage SSO Setup Links
Properties
- Name: orgId*
  Type: string
  Description: The organization ID
- Name: expiresInSeconds
  Type: number
  Description: The number of seconds before the link expires
Request
auth.createOrgSamlConnectionLink(
  "1189c444-8a2d-4c41-8b4b-ae43ce79a492", // orgId
  86400, // expiresInSeconds
)
Successful Response
{
  url: "https://example.com"
}
GET /api/backend/v1/saml_sp_metadata/<orgId>
Fetch SAML SP Metadata
Fetches SAML Service Provider Metadata. This is the information your organizations will input into their IdP when configuring SAML.
Required Permissions
Read SSO Connections
Properties
- Name: orgId*
  Type: string
  Description: The ID of the organization
Request
auth.fetchSamlSpMetadata("1189c444-8a2d-4c41-8b4b-ae43ce79a492")
Successful Response
{
  entityId: "https://auth.your.domain/saml/ORGS-URL-SLUG/metadata",
  acsUrl: "https://auth.your.domain/saml/ORGS-URL-SLUG/acs",
  logoutUrl: "https://auth.your.domain/saml/ORGS-URL-SLUG/logout"
}
POST /api/backend/v1/saml_idp_metadata
Set SAML IdP Metadata
Sets the SAML metadata from an organization's IdP. Must be completed before using the SAML Go Live endpoint.
Required Permissions
Setup SSO Connections
Properties
- Name: idpEntityId*
  Type: string
  Description: The Entity ID (also known as Identity Provider Issuer) from the organization's IdP
- Name: idpSsoUrl*
  Type: string
  Description: The Single Sign-On URL from the organization's IdP
- Name: idpCertificate*
  Type: string
  Description: The Base-64 encoded X.509 certificate from the organization's IdP
- Name: provider*
  Type: string
  Description: The name of the SAML provider. Must equal 'Google', 'Rippling', 'OneLogin', 'JumpCloud', 'Okta', 'Azure', 'Duo', or 'Generic'
Request
auth.setSamlIdpMetadata(orgId, {
  idpEntityId: "https://sts.windows.net/SOME-UUID/",
  idpSsoUrl: "https://login.microsoftonline.com/SOME-UUID/saml2",
  idpCertificate: "-----BEGIN CERTIFICATE-----MyCertificateHere-----END CERTIFICATE-----",
  provider: "Azure"
});
Successful Response
POST /api/backend/v1/oidc_idp_metadata
Set OIDC IdP Metadata
Sets the OIDC metadata from an organization's IdP. Must be completed before using the SAML Go Live endpoint.
Required Permissions
Setup SSO Connections
Properties
- Name: orgId*
  Type: string
  Description: The organization ID
- Name: clientId*
  Type: string
  Description: The client ID from the organization's IdP
- Name: clientSecret*
  Type: string
  Description: The client secret from the organization's IdP
- Name: usesPkce*
  Type: boolean
  Description: Whether the client uses PKCE
- Name: idpType*
  Type: string
  Description: Must equal either 'Generic', 'Okta', or 'Azure'
- Name: oktaSsoDomain
  Type: string
  Description: The Okta SSO domain. Only use this field if idpType is 'Okta'
- Name: entraTenantId
  Type: string
  Description: The Entra/Azure tenant ID. Only use this field if idpType is 'Azure'
- Name: authUrl
  Type: string
  Description: The Auth URL of the OIDC app in your customer's IdP. Only use this field if idpType is 'Generic'
- Name: tokenUrl
  Type: string
  Description: The Token URL of the OIDC app in your customer's IdP. Only use this field if idpType is 'Generic'
- Name: userinfoUrl
  Type: string
  Description: The User Info URL of the OIDC app in your customer's IdP. Only use this field if idpType is 'Generic'
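The idpType field rules listed above can be checked in your backend before the request is sent. The following is an added example, not PropelAuth's own code: validateOidcMetadata is a hypothetical helper, and the https and bare-hostname checks are assumptions that go beyond what this page states.

```javascript
// Added example: validateOidcMetadata is a hypothetical helper, not a PropelAuth API.
const REQUIRED = ["orgId", "clientId", "clientSecret", "usesPkce", "idpType"];
const TYPE_FIELDS = new Map([
  ["Okta", ["oktaSsoDomain"]],
  ["Azure", ["entraTenantId"]],
  ["Generic", ["authUrl", "tokenUrl", "userinfoUrl"]],
]);

function isHttpsUrl(value) {
  try { return new URL(value).protocol === "https:"; } catch { return false; }
}

function validateOidcMetadata(payload) {
  const errors = [];
  for (const key of REQUIRED) {
    if (payload[key] === undefined || payload[key] === "") errors.push(`missing ${key}`);
  }
  if (payload.usesPkce !== undefined && typeof payload.usesPkce !== "boolean") {
    errors.push("usesPkce must be a boolean");
  }
  if (payload.idpType !== undefined && !TYPE_FIELDS.has(payload.idpType)) {
    errors.push("idpType must be 'Generic', 'Okta', or 'Azure'");
  }
  // Reject fields that belong to a different idpType than the one declared.
  for (const [type, fields] of TYPE_FIELDS) {
    for (const field of fields) {
      if (payload[field] !== undefined && type !== payload.idpType) {
        errors.push(`${field} is only valid when idpType is '${type}'`);
      }
    }
  }
  // Assumption (not stated on the page): IdP endpoint URLs must be absolute https URLs.
  for (const field of TYPE_FIELDS.get("Generic")) {
    if (payload[field] !== undefined && !isHttpsUrl(payload[field])) {
      errors.push(`${field} must be an https URL`);
    }
  }
  // Assumption: oktaSsoDomain is a bare hostname, as in the page's "example.okta.com".
  if (payload.oktaSsoDomain !== undefined && !/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(payload.oktaSsoDomain)) {
    errors.push("oktaSsoDomain must be a bare hostname");
  }
  return errors;
}

// Constructed sample payloads; the client ID and secret are placeholders.
const okPayload = { orgId: "1189c444-8a2d-4c41-8b4b-ae43ce79a492", clientId: "constructed-client-id",
  clientSecret: "constructed-secret", usesPkce: true, idpType: "Okta", oktaSsoDomain: "example.okta.com" };
const badPayload = { ...okPayload, idpType: "Generic", authUrl: "http://idp.example.com/authorize" };
```

An empty array means the payload passed every check; badPayload is rejected both for carrying an Okta-only field under 'Generic' and for a non-https authUrl.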
Request
auth.setOidcIdpMetadata({
  orgId: "1189c444-8a2d-4c41-8b4b-ae43ce79a492",
  clientId: "0oaulhbkt9YBiT3Pn697",
  clientSecret: "MHppDLafzd...",
  usesPkce: true,
  idpType: "Okta",
  oktaSsoDomain: "example.okta.com",
});
Successful Response
POST /api/backend/v1/saml_idp_metadata/go_live/<orgId>
Enable SAML Connection
Sets an organization's SAML status to Live after using the Set SAML IdP Metadata endpoint.
Required Permissions
Setup SSO Connections
Properties
- Name: orgId*
  Type: string
  Description: The organization ID
Request
auth.samlGoLive(
  "1189c444-8a2d-4c41-8b4b-ae43ce79a492"
)
Successful Response
DELETE /api/backend/v1/saml_idp_metadata/<orgId>
Delete SAML Connection
Deletes an organization's SAML connection. The organization will still be able to enable SAML.
Required Permissions
Delete SSO Connections
Properties
- Name: orgId*
  Type: string
  Description: The organization ID
Request
auth.deleteSamlConnection("1189c444-8a2d-4c41-8b4b-ae43ce79a492")
Successful Response
POST /api/backend/v1/isolate_org
Migrate Org to Isolated
Converts an org to an isolated org. See the Isolated Org docs for more information.
Required Permissions
Migrate Organizations to Isolated
Properties
- Name: orgId*
  Type: string
  Description: The organization ID
Request
auth.migrateOrgToIsolated(
  "1189c444-8a2d-4c41-8b4b-ae43ce79a492"
)
Successful Response
{}
GET /api/backend/v1/scim/<orgId>/groups
Fetch Org SCIM Groups
Fetches SCIM groups for an organization that has SCIM enabled and is syncing groups from an external identity provider. Can optionally filter by a user ID to get groups for a specific user.
Required Permissions
Read SCIM Groups
Properties
- Name: orgId*
  Type: string
  Description: The ID of the organization
- Name: userId
  Type: string
  Description: Filter by a user ID to get groups that a specific user belongs to.
- Name: pageSize
  Type: number
  Description: The number of results to return per page.
- Name: pageNumber
  Type: number
  Description: The page number to return.
Request
auth.fetchOrgScimGroups({
  orgId: "1189c444-8a2d-4c41-8b4b-ae43ce79a492",
  userId: "31c41c16-c281-44ae-9602-8a047e3bf33d",
  pageSize: 10,
  pageNumber: 0,
})
Successful Response
{
  totalGroups: 2,
  pageSize: 10,
  pageNumber: 0,
  groups: [
    {
      groupId: "021103f2-24c1-4867-bb51-d7a37777ea1d",
      displayName: "Engineering",
      externalIdFromIdp: "abc123"
    },
    {
      groupId: "4b14cf03-4f63-4840-9867-fb28c862b0d3",
      displayName: "Sales",
      externalIdFromIdp: "abc1234"
    }
  ]
}
GET /api/backend/v1/scim/<orgId>/groups/<groupId>
Fetch SCIM Group
Fetches a SCIM group for an organization and returns the group's membership.
Required Permissions
Read SCIM Groups
Properties
- Name: orgId*
  Type: string
  Description: The ID of the organization
- Name: groupId*
  Type: string
  Description: The ID of the group to fetch.
- Name: membersPageSize
  Type: number
  Description: The number of members to fetch per page.
- Name: membersPageNumber
  Type: number
  Description: The page number of members to fetch.
Request
auth.fetchOrgScimGroup({
  orgId: "1189c444-8a2d-4c41-8b4b-ae43ce79a492",
  groupId: "31c41c16-c281-44ae-9602-8a047e3bf33d",
  membersPageSize: 10,
  membersPageNumber: 0,
})
Successful Response
{
  groupId: "068ce3f1-0b7e-4b91-8559-f64a558d9f9f",
  externalIdFromIdp: "abc123",
  displayName: "Engineering",
  members: [
    {
      userId: "18bec57e-b6c0-4007-ba32-d65da45321ce"
    }
  ]
}