Stytch · Schema
api_sso_v1_SAMLConnection
AuthenticationIdentityPasswordlessSecurityB2BConnected AppsMCPAI AgentsDeveloper Tools
Properties
| Name | Type | Description |
|---|---|---|
| organization_id | string | Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organi |
| connection_id | string | Globally unique UUID that identifies a specific SAML Connection. |
| status | string | The status of the connection. The possible values are pending or active. See the [Update SAML Connection endpoint](https://stytch.com/docs/b2b/api/update-saml-connection) for more details. |
| idp_entity_id | string | A globally unique name for the IdP. This will be provided by the IdP. |
| display_name | string | A human-readable display name for the connection. |
| idp_sso_url | string | The URL for which assertions for login requests will be sent. This will be provided by the IdP. |
| acs_url | string | The URL of the Assertion Consumer Service. This value will be passed to the IdP to redirect the Member back to Stytch after a sign-in attempt. Read our [SAML Overview](https://stytch.com/docs/b2b/api/ |
| audience_uri | string | The URL of the Audience Restriction. This value will indicate that Stytch is the intended audience of an assertion. Read our [SAML Overview](https://stytch.com/docs/b2b/api/saml-overview) for more inf |
| signing_certificates | array | A list of X.509 certificates Stytch will use to sign its assertion requests. Certificates should be uploaded to the IdP. |
| verification_certificates | array | A list of X.509 certificates Stytch will use to validate an assertion callback. Certificates should be populated from the IdP. |
| encryption_private_keys | array | |
| saml_connection_implicit_role_assignments | array | All Members who log in with this SAML connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about r |
| saml_group_implicit_role_assignments | array | Defines the names of the SAML groups that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and belongs to the specified SAML group, they will be |
| alternative_audience_uri | string | An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our [SSO migration guide](https: |
| identity_provider | string | Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling` |
| nameid_format | string | The NameID format the SAML Connection expects to use. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. |
| alternative_acs_url | string | An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero dow |
| idp_initiated_auth_disabled | boolean | Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled). |
| allow_gateway_callback | boolean | |
| attribute_mapping | object | An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: `email` and one of `full_name` |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/api_sso_v1_SAMLConnection",
"title": "api_sso_v1_SAMLConnection",
"type": "object",
"properties": {
"organization_id": {
"type": "string",
"description": "Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience."
},
"connection_id": {
"type": "string",
"description": "Globally unique UUID that identifies a specific SAML Connection."
},
"status": {
"type": "string",
"description": "The status of the connection. The possible values are pending or active. See the [Update SAML Connection endpoint](https://stytch.com/docs/b2b/api/update-saml-connection) for more details."
},
"idp_entity_id": {
"type": "string",
"description": "A globally unique name for the IdP. This will be provided by the IdP."
},
"display_name": {
"type": "string",
"description": "A human-readable display name for the connection."
},
"idp_sso_url": {
"type": "string",
"description": "The URL for which assertions for login requests will be sent. This will be provided by the IdP."
},
"acs_url": {
"type": "string",
"description": "The URL of the Assertion Consumer Service. This value will be passed to the IdP to redirect the Member back to Stytch after a sign-in attempt. Read our [SAML Overview](https://stytch.com/docs/b2b/api/saml-overview) for more info."
},
"audience_uri": {
"type": "string",
"description": "The URL of the Audience Restriction. This value will indicate that Stytch is the intended audience of an assertion. Read our [SAML Overview](https://stytch.com/docs/b2b/api/saml-overview) for more info."
},
"signing_certificates": {
"type": "array",
"items": {
"$ref": "#/components/schemas/api_sso_v1_X509Certificate"
},
"description": "A list of X.509 certificates Stytch will use to sign its assertion requests. Certificates should be uploaded to the IdP."
},
"verification_certificates": {
"type": "array",
"items": {
"$ref": "#/components/schemas/api_sso_v1_X509Certificate"
},
"description": "A list of X.509 certificates Stytch will use to validate an assertion callback. Certificates should be populated from the IdP."
},
"encryption_private_keys": {
"type": "array",
"items": {
"$ref": "#/components/schemas/api_sso_v1_EncryptionPrivateKey"
}
},
"saml_connection_implicit_role_assignments": {
"type": "array",
"items": {
"$ref": "#/components/schemas/api_sso_v1_SAMLConnectionImplicitRoleAssignment"
},
"description": "All Members who log in with this SAML connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment."
},
"saml_group_implicit_role_assignments": {
"type": "array",
"items": {
"$ref": "#/components/schemas/api_sso_v1_SAMLGroupImplicitRoleAssignment"
},
"description": "Defines the names of the SAML groups\n that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and\n belongs to the specified SAML group, they will be granted the associated Role. See the\n [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment."
},
"alternative_audience_uri": {
"type": "string",
"description": "An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info."
},
"identity_provider": {
"type": "string",
"description": "Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`, `salesforce`, `shibboleth`, or `generic`.\n\nSpecifying a known provider allows Stytch to handle any provider-specific logic."
},
"nameid_format": {
"type": "string",
"description": "The NameID format the SAML Connection expects to use. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`."
},
"alternative_acs_url": {
"type": "string",
"description": "An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info."
},
"idp_initiated_auth_disabled": {
"type": "boolean",
"description": "Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled)."
},
"allow_gateway_callback": {
"type": "boolean"
},
"attribute_mapping": {
"type": "object",
"additionalProperties": true,
"description": "An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: `email` and one of `full_name` or `first_name` and `last_name`."
}
},
"required": [
"organization_id",
"connection_id",
"status",
"idp_entity_id",
"display_name",
"idp_sso_url",
"acs_url",
"audience_uri",
"signing_certificates",
"verification_certificates",
"encryption_private_keys",
"saml_connection_implicit_role_assignments",
"saml_group_implicit_role_assignments",
"alternative_audience_uri",
"identity_provider",
"nameid_format",
"alternative_acs_url",
"idp_initiated_auth_disabled",
"allow_gateway_callback"
]
}