Skip to main content

Overview

The SSO service manages OIDC and SAML 2.0 enterprise connections, domain-based enforcement, JIT provisioning, and sessions. It also exposes the current LDAP direct-bind preview; that preview is not a general LDAP directory integration and has the limitations documented below.

Enterprise SSO Connections

Create Connection

Create a new SSO identity provider connection. You can create multiple connections for different domains or providers.

SAML example

CreateSsoConnectionParams

SsoConnection

Note: The ClientSecret is never returned in responses. It is stored securely on the server.

List Connections

List all SSO connections for your organization.

Get Connection

Retrieve a single SSO connection by ID.

Update Connection

Update an existing SSO connection.

UpdateSsoConnectionParams


Delete Connection

Delete an SSO connection. Users associated with this connection will no longer be able to log in via SSO.
Warning: Deleting a connection immediately disables SSO login for all users routed through it. Ensure you have an alternative authentication method configured before removing a connection.

Test Connection

Test an SSO connection to verify that the IdP configuration is correct and reachable.

SsoTestResult


Enforcement

Set Enforcement

Enforce SSO login for your organization. When enabled, all members must authenticate through an SSO connection.

SsoEnforcementParams

SsoEnforcementResponse


Session Management

List Sessions

List active SSO sessions for your organization.

SsoSession


Revoke Session

Revoke an active SSO session, forcing the user to re-authenticate.

Enterprise Login Flow

Get Login URL (enterprise)

Get the SSO authorization URL for an organization, with an optional email-domain hint used to select a configured connection.

Parameters

SsoLoginResponse (enterprise)


Handle OIDC Callback

Handle the callback from an OIDC identity provider. Exchanges the authorization code for user information and provisions the user if JIT is enabled.

SsoOidcCallbackParams

SsoCallbackResult


Handle SAML Callback

Handle the callback from a SAML 2.0 identity provider. Validates the SAML assertion and provisions the user if JIT is enabled.

SsoSamlCallbackParams

Returns the same SsoCallbackResult as HandleOidcCallback().

Handle LDAP Callback

Authenticate a user with the LDAP direct-bind preview. Unlike OIDC and SAML, credentials are submitted directly. The built-in client binds a service account, constructs a user DN from LdapSearchFilter plus LdapSearchBase, and binds that DN with the submitted password. It does not search entries, read attributes, or retrieve group memberships.

SsoLdapCallbackParams

Returns SsoCallbackResult. With the built-in LDAP client, Groups is empty, Name and Email are absent, and MappedScopes therefore contains only configured default scopes.
Note: LDAP credentials are never stored by Grantex. They are used only for the bind operations and discarded after authentication. LDAP search, attribute retrieval, group lookup/mapping, and broad provider compatibility are not supported by the built-in preview client.

Full Enterprise SSO Flow Example


Legacy Single-Config Methods

Note: The following methods manage a single OIDC configuration per organization. They are retained for backward compatibility. For new integrations, use the enterprise connection methods above which support multiple IdPs, SAML, and domain-based routing.

Create Config

Get Config

Delete Config

Get Login URL (legacy)

Handle Callback

Legacy Types

SsoConfig

Last modified on July 11, 2026