Skip to main content

Overview

The sso client manages OIDC and SAML 2.0 enterprise connections, domain-based enforcement, JIT provisioning, and sessions. It also exposes the current LDAP direct-bind preview; that preview is not a general LDAP directory integration and has the limitations documented below. Access the SSO client via client.sso.

Enterprise SSO Connections

Create Connection

Create a new SSO identity provider connection. You can create multiple connections for different domains or providers.

SAML example

CreateSsoConnectionParams

SsoConnection

Note: The client_secret is never returned in responses. It is stored securely on the server.

List Connections

List all SSO connections for your organization.

SsoConnectionList


Get Connection

Retrieve a single SSO connection by ID.

Parameters


Update Connection

Update an existing SSO connection.

UpdateSsoConnectionParams


Delete Connection

Delete an SSO connection. Users associated with this connection will no longer be able to log in via SSO.

Parameters

Warning: Deleting a connection immediately disables SSO login for all users routed through it. Ensure you have an alternative authentication method configured before removing a connection.

Test Connection

Test an SSO connection to verify that the IdP configuration is correct and reachable.

Parameters

SsoTestResult


Enforcement

Set Enforcement

Enforce SSO login for your organization. When enabled, all members must authenticate through an SSO connection.

SsoEnforcementParams

SsoEnforcement


Session Management

List Sessions

List active SSO sessions for your organization.

SsoSessionList

SsoSession


Revoke Session

Revoke an active SSO session, forcing the user to re-authenticate.

Parameters


Enterprise Login Flow

Get Login URL (enterprise)

Get the SSO authorization URL for a user based on their email domain. The domain is matched against configured connections to route the user to the correct IdP.

SsoLoginParams

SsoLoginResponse


Handle OIDC Callback

Handle the callback from an OIDC identity provider. Exchanges the authorization code for user information and provisions the user if JIT is enabled.

SsoOidcCallbackParams

SsoCallbackResponse


Handle SAML Callback

Handle the callback from a SAML 2.0 identity provider. Validates the SAML assertion and provisions the user if JIT is enabled.

SsoSamlCallbackParams

Response

Returns the same SsoCallbackResponse as handle_oidc_callback().

Handle LDAP Callback

Authenticate a user with the LDAP direct-bind preview. Unlike OIDC and SAML, credentials are submitted directly. The built-in client binds a service account, constructs a user DN from ldap_search_filter plus ldap_search_base, and binds that DN with the submitted password. It does not search entries, read attributes, or retrieve group memberships.

SsoLdapCallbackParams

Response

Returns SsoCallbackResult. With the built-in LDAP client, groups is empty, name and email are None, and mapped_scopes therefore contains only configured default scopes.
Note: LDAP credentials are never stored by Grantex. They are used only for the bind operations and discarded after authentication. LDAP search, attribute retrieval, group lookup/mapping, and broad provider compatibility are not supported by the built-in preview client.

Full Enterprise SSO Flow Example


Legacy Single-Config Methods

Note: The following methods manage a single OIDC configuration per organization. They are retained for backward compatibility. For new integrations, use the enterprise connection methods above which support multiple IdPs, SAML, and domain-based routing.

Create Config

Create or update the OIDC SSO configuration for your developer organization:

CreateSsoConfigParams

Get Config

Retrieve the current SSO configuration. The client secret is not included in the response:

SsoConfig

Delete Config

Remove the SSO configuration:

Get Login URL (legacy)

Generate the OIDC authorization URL to redirect a user to for SSO login:

Parameters

SsoLoginResponse (legacy)

Handle Callback

Exchange the OIDC authorization code for user information after the IdP redirects back to your application:

Parameters

SsoCallbackResponse (legacy)

Legacy SSO Flow Example

Last modified on July 11, 2026