SSO API
Single Sign-On endpoints for OIDC and SAML authentication flows.
Endpoints Overview
| Method | Endpoint | Description |
|---|---|---|
| GET | /sso/config/{org_slug} | Get SSO config (public) |
| GET | /sso/login/{org_slug} | Initiate SSO login |
| GET | /sso/callback/{org_slug} | OIDC callback |
| POST | /sso/saml/{org_slug}/acs | SAML ACS endpoint |
| GET | /sso/saml/{org_slug}/metadata | SAML SP metadata |
| GET | /sso/logout/{org_slug} | SSO logout URL |
Get SSO Config
GET /sso/config/{org_slug}
Public endpoint — used by the login page to determine whether to show the SSO button.
{
  "is_configured": true,
  "provider_type": "oidc",
  "provider_name": "Okta",
  "is_sso_required": false
}
Initiate Login
GET /sso/login/{org_slug}
Redirects to the IdP authorization URL (OIDC) or generates a SAML AuthnRequest.
OIDC Callback
GET /sso/callback/{org_slug}?code=...&state=...
Exchanges the authorization code for tokens, provisions the user if needed, and redirects to the frontend with a JWT.
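The page does not describe how `state` is generated or checked. The following is an added example, not this project's code, of one way the callback could reject a `state` that was issued for a different `org_slug`, has expired, or did not originate from the same browser. The function names, the cookie-held nonce, the signing key and the 10-minute lifetime are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

STATE_TTL_SECONDS = 600  # assumption: a login must complete within 10 minutes


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(key, body):
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def make_state(key, org_slug, now=None):
    """For /sso/login/{org_slug}: returns (state, nonce); the nonce goes in a cookie."""
    nonce = secrets.token_urlsafe(16)
    exp = int((time.time() if now is None else now) + STATE_TTL_SECONDS)
    payload = {"org": org_slug, "nonce": nonce, "exp": exp}
    body = _b64(json.dumps(payload).encode())
    return f"{body}.{_sign(key, body)}", nonce


def check_state(key, org_slug, state, browser_nonce, now=None):
    """For /sso/callback/{org_slug}: run before the authorization code is exchanged."""
    body, sep, tag = state.partition(".")
    # Verify the MAC first so only server-issued payloads are ever parsed.
    if not sep or not hmac.compare_digest(_sign(key, body).encode(), tag.encode()):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    current = time.time() if now is None else now
    return (
        payload["org"] == org_slug          # state was issued for this organization
        and payload["exp"] > current        # and has not expired
        and hmac.compare_digest(payload["nonce"].encode(), browser_nonce.encode())
    )
```

Set the nonce in an HttpOnly, Secure cookie when the login is initiated and clear it once the callback has run, so a `state` value cannot be reused.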
SAML ACS
POST /sso/saml/{org_slug}/acs
Receives the SAML Response from the IdP, validates the assertion, and redirects with a JWT.
SAML Metadata
GET /sso/saml/{org_slug}/metadata
Serves SP metadata XML for configuring the IdP.
SSO Logout
GET /sso/logout/{org_slug}
Returns the IdP SLO (Single Logout) URL for the frontend to initiate logout.