{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/access_saml_saas_app",
"title": "SAML SaaS App",
"properties": {
"auth_type": {
"description": "Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to \"saml\" if unset.",
"enum": [
"saml",
"oidc"
],
"example": "saml",
"type": "string"
},
"consumer_service_url": {
"description": "The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.",
"example": "https://example.com",
"type": "string"
},
"created_at": {
"$ref": "#/components/schemas/access_timestamp"
},
"custom_attributes": {
"properties": {
"friendly_name": {
"description": "The SAML FriendlyName of the attribute.",
"example": "Last Name",
"type": "string"
},
"name": {
"description": "The name of the attribute.",
"example": "family_name",
"type": "string"
},
"name_format": {
"description": "The SAML NameFormat of the attribute.",
"enum": [
"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
"urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
],
"example": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
"type": "string"
},
"required": {
"description": "If the attribute is required when building a SAML assertion.",
"example": true,
"type": "boolean"
},
"source": {
"properties": {
"name": {
"description": "The name of the IdP attribute.",
"example": "last_name",
"type": "string"
},
"name_by_idp": {
"additionalProperties": {
"type": "string"
},
"description": "A mapping from IdP ID to attribute name.",
"example": {
"exampleIdPID1": "AttributeName1",
"exampleIdPID2": "AttributeName2"
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"default_relay_state": {
"description": "The URL that the user will be redirected to after a successful login for IdP-initiated logins.",
"example": "https://example.com",
"type": "string"
},
"idp_entity_id": {
"description": "The unique identifier for your SaaS application.",
"example": "https://example.cloudflareaccess.com",
"type": "string"
},
"name_id_format": {
"description": "The format of the name identifier sent to the SaaS application.",
"enum": [
"id",
"email"
],
"example": "id",
"type": "string"
},
"name_id_transform_jsonata": {
"description": "A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.\n",
"example": "$substringBefore(email, '@') & '+sandbox@' & $substringAfter(email, '@')",
"type": "string"
},
"public_key": {
"description": "The Access public certificate that will be used to verify your identity.",
"example": "example unique name",
"type": "string"
},
"saml_attribute_transform_jsonata": {
"description": "A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.\n",
"example": "$ ~>| groups | {'group_name': name} |",
"type": "string"
},
"sp_entity_id": {
"description": "A globally unique name for an identity or service provider.",
"example": "example unique name",
"type": "string"
},
"sso_endpoint": {
"description": "The endpoint where your SaaS application will send login requests.",
"example": "https://example.cloudflareaccess.com/cdn-cgi/access/sso/saml/b3f58a2b414e0b51d45c8c2af26fccca0e27c63763c426fa52f98dcf0b3b3bfd",
"type": "string"
},
"updated_at": {
"$ref": "#/components/schemas/access_timestamp"
}
},
"type": "object"
}