Overview
Thesso sub-client manages OIDC and SAML 2.0 enterprise connections,
domain-based enforcement, JIT provisioning, and sessions. It also exposes the
current LDAP direct-bind preview; that preview is not a general LDAP directory
integration and has the limitations documented below.
Enterprise SSO Connections
sso.createConnection()
Create a new SSO identity provider connection. You can create multiple connections for different domains or providers.SAML example
Parameters
A human-readable name for this connection (e.g.
"Okta Production").The SSO protocol. Use
"oidc" for OpenID Connect, "saml" for SAML 2.0, or
"ldap" for the current LDAP direct-bind preview.The OIDC issuer URL. Required when
protocol is "oidc".OAuth 2.0 client ID from your identity provider. Required when
protocol is "oidc".OAuth 2.0 client secret from your identity provider. Required when
protocol is "oidc".The SAML metadata URL. Required when
protocol is "saml".The SAML ACS URL where the IdP posts assertions. Required when
protocol is "saml".The SAML service provider entity ID. Required when
protocol is "saml".Email domains to associate with this connection. Users with matching email domains are automatically routed to this IdP.
Enable just-in-time user provisioning. When
true, users are automatically created on first login. Defaults to false.The default role assigned to JIT-provisioned users (e.g.
"member", "admin").Custom attribute mapping for SAML assertions. Maps Grantex fields to IdP attribute names.
Response: SsoConnection
Unique connection identifier (e.g.
sso_conn_01HX...).The connection display name.
The SSO protocol.
Current connection status.
Associated email domains.
Whether JIT provisioning is enabled.
ISO 8601 creation timestamp.
ISO 8601 last-updated timestamp.
The
clientSecret is never returned in responses. It is stored securely on the server.sso.listConnections()
List all SSO connections for your organization.Response: SsoConnectionList
Array of SSO connection objects.
sso.getConnection()
Retrieve a single SSO connection by ID.Parameters
The connection ID to retrieve.
Response
Returns anSsoConnection object.
sso.updateConnection()
Update an existing SSO connection.Parameters
The connection ID to update.
Updated display name.
Updated list of associated email domains.
Enable or disable JIT provisioning.
Updated default role for JIT-provisioned users.
Updated SAML attribute mapping.
Response
Returns the updatedSsoConnection object.
sso.deleteConnection()
Delete an SSO connection. Users associated with this connection will no longer be able to log in via SSO.Parameters
The connection ID to delete.
Response
Returnsvoid.
sso.testConnection()
Test an SSO connection to verify that the IdP configuration is correct and reachable.Parameters
The connection ID to test.
Response: SsoTestResult
Whether the connection test passed.
Human-readable result message.
IdP response time in milliseconds.
Enforcement
sso.setEnforcement()
Enforce SSO login for your organization. When enabled, all members must authenticate through an SSO connection.Parameters
Whether SSO login is enforced for all organization members.
Roles exempt from SSO enforcement (e.g.
["owner"]). Exempt users can still log in with API keys.Response: SsoEnforcement
Whether SSO enforcement is active.
Roles that are exempt from the enforcement policy.
Session Management
sso.listSessions()
List active SSO sessions for your organization.Response: SsoSessionList
Array of active SSO session objects.
SsoSession contains:
Session identifier.
The user’s email address.
The SSO connection used for this session.
Display name of the SSO connection.
ISO 8601 session creation timestamp.
ISO 8601 session expiration timestamp.
sso.revokeSession()
Revoke an active SSO session, forcing the user to re-authenticate.Parameters
The session ID to revoke.
Response
Returnsvoid.
Enterprise Login Flow
sso.getLoginUrl() (enterprise)
Get the SSO authorization URL for a user based on their email domain. The domain is matched against configured connections to route the user to the correct IdP.Parameters
The email domain to match against configured SSO connections (e.g.
"mycompany.com").Override the redirect URI for this login request.
Response: SsoLoginResponse
The full authorization URL. Redirect the user here.
The matched SSO connection ID.
The protocol of the matched connection.
sso.handleOidcCallback()
Handle the callback from an OIDC identity provider. Exchanges the authorization code for user information and provisions the user if JIT is enabled.Parameters
The authorization code from the OIDC callback.
The state parameter from the callback (used for CSRF protection).
Response: SsoCallbackResponse
The user’s email address from the IdP.
The user’s display name from the IdP.
The user’s subject identifier from the IdP.
The Grantex developer ID that the user has been mapped to.
The SSO connection that handled this authentication.
Whether the user was just-in-time provisioned during this login.
sso.handleSamlCallback()
Handle the callback from a SAML 2.0 identity provider. Validates the SAML assertion and provisions the user if JIT is enabled.Parameters
The base64-encoded SAML response from the IdP.
The RelayState parameter from the SAML callback.
Response
Returns the sameSsoCallbackResponse as handleOidcCallback().
sso.handleLdapCallback()
Authenticate a user with the LDAP direct-bind preview. Unlike OIDC and SAML, credentials are submitted directly. The built-in client binds a service account, constructs a user DN fromldapSearchFilter plus ldapSearchBase, and binds that
DN with the submitted password. It does not search entries, read attributes, or
retrieve group memberships.
Parameters
The username interpolated into the configured LDAP filter to construct the
user DN. The built-in preview does not perform a directory search.
The user’s LDAP password for bind authentication.
The SSO connection ID for the LDAP directory.
The organization/developer ID that owns the LDAP connection.
Response
ReturnsSsoCallbackResult. With the built-in LDAP client, groups is empty,
name and email are null, and mappedScopes therefore contains only
configured default scopes.
LDAP credentials are never stored by Grantex. They are used only for the bind
operations and discarded after authentication. LDAP search, attribute
retrieval, group lookup/mapping, and broad provider compatibility are not
supported by the built-in preview client.
Full Enterprise SSO Flow Example
Legacy Single-Config Methods
The following methods manage a single OIDC configuration per organization. They are retained for backward compatibility. For new integrations, use the enterprise connection methods above which support multiple IdPs, SAML, and domain-based routing.
sso.createConfig()
Create or update the OIDC SSO configuration for your organization.Parameters
The OIDC issuer URL (e.g.
https://accounts.google.com).OAuth 2.0 client ID from your identity provider.
OAuth 2.0 client secret from your identity provider.
The callback URL that your IdP redirects to after authentication.
Response: SsoConfig
The OIDC issuer URL.
The OAuth 2.0 client ID.
The configured callback URL.
ISO 8601 creation timestamp.
ISO 8601 last-updated timestamp.
The
clientSecret is never returned in responses. It is stored securely on the server.sso.getConfig()
Retrieve the current SSO configuration (without the client secret).Response
Returns anSsoConfig object.
sso.deleteConfig()
Remove the SSO configuration. After deletion, SSO login is disabled for the organization.Response
Returnsvoid.
sso.getLoginUrl() (legacy)
Get the OIDC authorization URL to redirect the user to for SSO login.Parameters
The developer ID of the organization initiating the SSO login.
Response: SsoLoginResponse
The full OIDC authorization URL. Redirect the user here.
sso.handleCallback()
Exchange the OIDC authorization code for user information after the identity provider redirects back.Parameters
The authorization code from the IdP callback.
The state parameter from the IdP callback (used for CSRF protection).
Response: SsoCallbackResponse
The user’s email address from the IdP.
The user’s display name from the IdP.
The user’s subject identifier from the IdP.
The Grantex developer ID that the user has been mapped to.