Overview
TheSSO service manages OIDC and SAML 2.0 enterprise connections,
domain-based enforcement, JIT provisioning, and sessions. It also exposes the
current LDAP direct-bind preview; that preview is not a general LDAP directory
integration and has the limitations documented below.
Enterprise SSO Connections
Create Connection
Create a new SSO identity provider connection. You can create multiple connections for different domains or providers.SAML example
CreateSsoConnectionParams
SsoConnection
Note: The ClientSecret is never returned in responses. It is stored securely on the server.
List Connections
List all SSO connections for your organization.Get Connection
Retrieve a single SSO connection by ID.Update Connection
Update an existing SSO connection.UpdateSsoConnectionParams
Delete Connection
Delete an SSO connection. Users associated with this connection will no longer be able to log in via SSO.Warning: Deleting a connection immediately disables SSO login for all users routed through it. Ensure you have an alternative authentication method configured before removing a connection.
Test Connection
Test an SSO connection to verify that the IdP configuration is correct and reachable.SsoTestResult
Enforcement
Set Enforcement
Enforce SSO login for your organization. When enabled, all members must authenticate through an SSO connection.SsoEnforcementParams
SsoEnforcementResponse
Session Management
List Sessions
List active SSO sessions for your organization.SsoSession
Revoke Session
Revoke an active SSO session, forcing the user to re-authenticate.Enterprise Login Flow
Get Login URL (enterprise)
Get the SSO authorization URL for an organization, with an optional email-domain hint used to select a configured connection.Parameters
SsoLoginResponse (enterprise)
Handle OIDC Callback
Handle the callback from an OIDC identity provider. Exchanges the authorization code for user information and provisions the user if JIT is enabled.SsoOidcCallbackParams
SsoCallbackResult
Handle SAML Callback
Handle the callback from a SAML 2.0 identity provider. Validates the SAML assertion and provisions the user if JIT is enabled.SsoSamlCallbackParams
Returns the same
SsoCallbackResult as HandleOidcCallback().
Handle LDAP Callback
Authenticate a user with the LDAP direct-bind preview. Unlike OIDC and SAML, credentials are submitted directly. The built-in client binds a service account, constructs a user DN fromLdapSearchFilter plus LdapSearchBase, and binds that
DN with the submitted password. It does not search entries, read attributes, or
retrieve group memberships.
SsoLdapCallbackParams
Returns
SsoCallbackResult. With the built-in LDAP client, Groups is empty,
Name and Email are absent, and MappedScopes therefore contains only
configured default scopes.
Note: LDAP credentials are never stored by Grantex. They are used only for the bind operations and discarded after authentication. LDAP search, attribute retrieval, group lookup/mapping, and broad provider compatibility are not supported by the built-in preview client.
Full Enterprise SSO Flow Example
Legacy Single-Config Methods
Note: The following methods manage a single OIDC configuration per organization. They are retained for backward compatibility. For new integrations, use the enterprise connection methods above which support multiple IdPs, SAML, and domain-based routing.