SSO
SSO connection configuration (read-only from config). View OIDC and proxy auth settings for JIT user provisioning.
Get the SSO configuration for an organization
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Response Body
application/json
curl -X GET "https://loading/admin/v1/organizations/string/sso-config"
{
"allowed_email_domains": [
"string"
],
"client_id": "string",
"create_users": true,
"created_at": "2019-08-24T14:15:22Z",
"default_org_role": "string",
"default_team_id": "191a8aa0-ed67-48ff-affa-ea86ee797d86",
"default_team_role": "string",
"discovery_url": "string",
"enabled": true,
"enforcement_mode": "optional",
"groups_claim": "string",
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"identity_claim": "string",
"issuer": "string",
"org_claim": "string",
"org_id": "a40f5d1f-d889-42e9-94ea-b9b33585fc6b",
"provider_type": "oidc",
"provisioning_enabled": true,
"redirect_uri": "string",
"saml_authn_context_class_ref": "string",
"saml_email_attribute": "string",
"saml_force_authn": true,
"saml_groups_attribute": "string",
"saml_identity_attribute": "string",
"saml_idp_certificate": "string",
"saml_idp_entity_id": "string",
"saml_idp_slo_url": "string",
"saml_idp_sso_url": "string",
"saml_metadata_url": "string",
"saml_name_attribute": "string",
"saml_name_id_format": "string",
"saml_sign_requests": true,
"saml_sp_certificate": "string",
"saml_sp_entity_id": "string",
"scopes": [
"string"
],
"sync_attributes_on_login": true,
"sync_memberships_on_login": true,
"updated_at": "2019-08-24T14:15:22Z"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Create a new SSO configuration for an organization
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Request Body
application/json
Allowed email domains (empty = allow all)
OAuth2 client ID (required for OIDC, not used for SAML)
OAuth2 client secret (will be stored in secret manager). Required for OIDC, not used for SAML.
Whether to create new users on first login (default: true)
Default role for new users in the organization (default: "member")
Default team to add new users to (optional)
uuid
Default role for new users in the default team (default: "member")
Discovery URL for OIDC metadata (optional - defaults to issuer/.well-known/openid-configuration)
Whether this SSO config is active (default: true)
SSO enforcement mode (default: optional)
"optional" | "required" | "test"
JWT claim containing group memberships (optional)
JWT claim to use as the user's identity (default: "sub")
OIDC issuer URL (e.g., "https://accounts.google.com"). Required for OIDC, not used for SAML.
JWT claim containing organization IDs (optional)
Provider type (defaults to 'oidc')
"oidc" | "saml"
Whether JIT provisioning is enabled (default: true)
Redirect URI for OAuth2 callback (optional - uses global default if not set)
Requested authentication context class
SAML attribute name for email
Whether to force re-authentication at IdP (default: false)
SAML attribute name for groups
SAML attribute name for user identity (like identity_claim for OIDC)
IdP X.509 certificate for signature validation (PEM format)
IdP entity identifier (e.g., "https://idp.example.com/metadata")
IdP Single Logout service URL (optional)
IdP Single Sign-On service URL (HTTP-Redirect or HTTP-POST binding)
IdP metadata URL for auto-configuration (alternative to manual config)
SAML attribute name for display name
NameID format to request (e.g., 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')
Whether to sign AuthnRequests (default: false)
SP X.509 certificate for metadata (PEM format)
Service Provider entity ID (Hadrian's identifier to the IdP)
SP private key for signing AuthnRequests (PEM format, will be stored in secret manager)
OAuth2 scopes to request (defaults to ["openid", "email", "profile"])
Whether to sync user attributes on each login (default: false)
Whether to sync team memberships from IdP groups on each login (default: true)
Response Body
application/json
curl -X POST "https://loading/admin/v1/organizations/string/sso-config" \
  -H "Content-Type: application/json" \
  -d '{}'
{
"allowed_email_domains": [
"string"
],
"client_id": "string",
"create_users": true,
"created_at": "2019-08-24T14:15:22Z",
"default_org_role": "string",
"default_team_id": "191a8aa0-ed67-48ff-affa-ea86ee797d86",
"default_team_role": "string",
"discovery_url": "string",
"enabled": true,
"enforcement_mode": "optional",
"groups_claim": "string",
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"identity_claim": "string",
"issuer": "string",
"org_claim": "string",
"org_id": "a40f5d1f-d889-42e9-94ea-b9b33585fc6b",
"provider_type": "oidc",
"provisioning_enabled": true,
"redirect_uri": "string",
"saml_authn_context_class_ref": "string",
"saml_email_attribute": "string",
"saml_force_authn": true,
"saml_groups_attribute": "string",
"saml_identity_attribute": "string",
"saml_idp_certificate": "string",
"saml_idp_entity_id": "string",
"saml_idp_slo_url": "string",
"saml_idp_sso_url": "string",
"saml_metadata_url": "string",
"saml_name_attribute": "string",
"saml_name_id_format": "string",
"saml_sign_requests": true,
"saml_sp_certificate": "string",
"saml_sp_entity_id": "string",
"scopes": [
"string"
],
"sync_attributes_on_login": true,
"sync_memberships_on_login": true,
"updated_at": "2019-08-24T14:15:22Z"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Update the SSO configuration for an organization
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Request Body
application/json
Update allowed email domains
Update OAuth2 client ID
Update OAuth2 client secret (will be stored in secret manager)
Update create users flag
Update default org role
Update default team (set to null to remove)
uuid
Update default team role
Update discovery URL (set to null to use default)
Update enabled flag
Update groups claim (set to null to remove)
Update identity claim
Update OIDC issuer URL
Update org claim (set to null to remove)
Update provisioning enabled flag
Update redirect URI (set to null to use global default)
Update authentication context class (set to null to remove)
Update SAML email attribute (set to null to remove)
Update force re-authentication flag
Update SAML groups attribute (set to null to remove)
Update SAML identity attribute (set to null to remove)
Update IdP certificate (set to null to remove)
Update IdP entity identifier (set to null to remove)
Update IdP SLO URL (set to null to remove)
Update IdP SSO URL (set to null to remove)
Update IdP metadata URL (set to null to remove)
Update SAML name attribute (set to null to remove)
Update NameID format (set to null to remove)
Update sign requests flag
Update SP certificate (set to null to remove)
Update SP entity ID (set to null to remove)
Update SP private key (will be stored in secret manager)
Update OAuth2 scopes
Update sync attributes on login flag
Update sync memberships on login flag
Response Body
application/json
curl -X PATCH "https://loading/admin/v1/organizations/string/sso-config" \
  -H "Content-Type: application/json" \
  -d '{}'
{
"allowed_email_domains": [
"string"
],
"client_id": "string",
"create_users": true,
"created_at": "2019-08-24T14:15:22Z",
"default_org_role": "string",
"default_team_id": "191a8aa0-ed67-48ff-affa-ea86ee797d86",
"default_team_role": "string",
"discovery_url": "string",
"enabled": true,
"enforcement_mode": "optional",
"groups_claim": "string",
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"identity_claim": "string",
"issuer": "string",
"org_claim": "string",
"org_id": "a40f5d1f-d889-42e9-94ea-b9b33585fc6b",
"provider_type": "oidc",
"provisioning_enabled": true,
"redirect_uri": "string",
"saml_authn_context_class_ref": "string",
"saml_email_attribute": "string",
"saml_force_authn": true,
"saml_groups_attribute": "string",
"saml_identity_attribute": "string",
"saml_idp_certificate": "string",
"saml_idp_entity_id": "string",
"saml_idp_slo_url": "string",
"saml_idp_sso_url": "string",
"saml_metadata_url": "string",
"saml_name_attribute": "string",
"saml_name_id_format": "string",
"saml_sign_requests": true,
"saml_sp_certificate": "string",
"saml_sp_entity_id": "string",
"scopes": [
"string"
],
"sync_attributes_on_login": true,
"sync_memberships_on_login": true,
"updated_at": "2019-08-24T14:15:22Z"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Delete the SSO configuration for an organization
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Response Body
application/json
curl -X DELETE "https://loading/admin/v1/organizations/string/sso-config"
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Parse SAML IdP metadata from a URL
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Request Body
application/json
URL to fetch IdP metadata from (must be HTTPS for security)
Response Body
application/json
curl -X POST "https://loading/admin/v1/organizations/string/sso-config/saml/parse-metadata" \
  -H "Content-Type: application/json" \
  -d '{ "metadata_url": "string" }'
{
"certificates": [
"string"
],
"entity_id": "string",
"name_id_formats": [
"string"
],
"slo_url": "string",
"sso_url": "string"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Get SP metadata for IdP configuration
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Response Body
application/samlmetadata+xml
application/json
curl -X GET "https://loading/admin/v1/organizations/string/sso-config/saml/sp-metadata"
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

List SSO group mappings for an organization
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Query Parameters
Maximum number of results to return
int64
Cursor for keyset pagination. Encoded as base64 string.
Pagination direction: "forward" (default) or "backward".
Include soft-deleted records in results
Response Body
application/json
curl -X GET "https://loading/admin/v1/organizations/string/sso-group-mappings"
{
"data": [
{
"created_at": "2019-08-24T14:15:22Z",
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"idp_group": "string",
"org_id": "a40f5d1f-d889-42e9-94ea-b9b33585fc6b",
"priority": 0,
"role": "string",
"sso_connection_name": "string",
"team_id": "810007d0-bec5-486c-b5d1-28fcd8a079ba",
"updated_at": "2019-08-24T14:15:22Z"
}
],
"pagination": {
"has_more": true,
"limit": 100,
"next_cursor": "MTczMzU4MDgwMDAwMDphYmMxMjM0NS02Nzg5LTAxMjMtNDU2Ny0wMTIzNDU2Nzg5YWI",
"prev_cursor": "string"
}
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Create a new SSO group mapping
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Request Body
application/json
The IdP group name exactly as it appears in the groups claim
Priority for role precedence (higher = wins when multiple mappings target same team). Defaults to 0 if not specified.
int32
Role to assign (within the team if team_id is set, otherwise org-level role)
Which SSO connection this mapping applies to (defaults to 'default')
Team to add users to when they have this IdP group (optional)
uuid
Response Body
application/json
curl -X POST "https://loading/admin/v1/organizations/string/sso-group-mappings" \
  -H "Content-Type: application/json" \
  -d '{ "idp_group": "string" }'
{
"created_at": "2019-08-24T14:15:22Z",
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"idp_group": "string",
"org_id": "a40f5d1f-d889-42e9-94ea-b9b33585fc6b",
"priority": 0,
"role": "string",
"sso_connection_name": "string",
"team_id": "810007d0-bec5-486c-b5d1-28fcd8a079ba",
"updated_at": "2019-08-24T14:15:22Z"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Export SSO group mappings
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Query Parameters
Export format (json or csv, defaults to json)
"json" | "csv"
Filter by SSO connection name (optional)
Response Body
text/csv
application/json
curl -X GET "https://loading/admin/v1/organizations/string/sso-group-mappings/export"
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Import SSO group mappings
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Request Body
application/json
List of mappings to import
How to handle conflicts with existing mappings
"skip" | "overwrite" | "error"
Response Body
application/json
curl -X POST "https://loading/admin/v1/organizations/string/sso-group-mappings/import" \
  -H "Content-Type: application/json" \
  -d '{ "mappings": [ { "idp_group": "string" } ] }'
{
"created": 0,
"errors": [
{
"error": "string",
"idp_group": "string",
"index": 0
}
],
"skipped": 0,
"updated": 0
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Test SSO group mapping resolution
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Request Body
application/json
Default role to use for mappings without a role (defaults to 'member')
List of IdP group names to test
SSO connection name (defaults to 'default')
Response Body
application/json
curl -X POST "https://loading/admin/v1/organizations/string/sso-group-mappings/test" \
  -H "Content-Type: application/json" \
  -d '{ "idp_groups": [ "string" ] }'
{
"resolved": [
{
"idp_group": "string",
"role": "string",
"team_id": "810007d0-bec5-486c-b5d1-28fcd8a079ba",
"team_name": "string"
}
],
"unmapped_groups": [
"string"
]
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Get an SSO group mapping by ID
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Mapping ID
uuid
Response Body
application/json
curl -X GET "https://loading/admin/v1/organizations/string/sso-group-mappings/497f6eca-6276-4993-bfeb-53cbbbba6f08"
{
"created_at": "2019-08-24T14:15:22Z",
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"idp_group": "string",
"org_id": "a40f5d1f-d889-42e9-94ea-b9b33585fc6b",
"priority": 0,
"role": "string",
"sso_connection_name": "string",
"team_id": "810007d0-bec5-486c-b5d1-28fcd8a079ba",
"updated_at": "2019-08-24T14:15:22Z"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Update an SSO group mapping
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Mapping ID
uuid
Request Body
application/json
Update the IdP group name
Update the priority (higher = wins when multiple mappings target same team)
int32
Update the role (set to null to remove role assignment)
Update the team assignment (set to null to remove team assignment)
uuid
Response Body
application/json
curl -X PATCH "https://loading/admin/v1/organizations/string/sso-group-mappings/497f6eca-6276-4993-bfeb-53cbbbba6f08" \
  -H "Content-Type: application/json" \
  -d '{}'
{
"created_at": "2019-08-24T14:15:22Z",
"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"idp_group": "string",
"org_id": "a40f5d1f-d889-42e9-94ea-b9b33585fc6b",
"priority": 0,
"role": "string",
"sso_connection_name": "string",
"team_id": "810007d0-bec5-486c-b5d1-28fcd8a079ba",
"updated_at": "2019-08-24T14:15:22Z"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Delete an SSO group mapping
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
Organization slug
Mapping ID
uuid
Response Body
application/json
curl -X DELETE "https://loading/admin/v1/organizations/string/sso-group-mappings/497f6eca-6276-4993-bfeb-53cbbbba6f08"
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

List configured SSO connections
Authorization
api_key API key authentication using Bearer token format
In: header
Response Body
application/json
curl -X GET "https://loading/admin/v1/sso-connections"
{
"data": [
{
"client_id": "string",
"default_org_role": "string",
"default_team_id": "string",
"default_team_role": "string",
"groups_claim": "string",
"identity_claim": "string",
"issuer": "string",
"jit_enabled": true,
"name": "string",
"organization_id": "string",
"scopes": [
"string"
],
"sync_memberships_on_login": true,
"type": "string"
}
]
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}

Get a specific SSO connection by name
Authorization
api_key API key authentication using Bearer token format
In: header
Path Parameters
SSO connection name
Response Body
application/json
curl -X GET "https://loading/admin/v1/sso-connections/string"
{
"client_id": "string",
"default_org_role": "string",
"default_team_id": "string",
"default_team_role": "string",
"groups_claim": "string",
"identity_claim": "string",
"issuer": "string",
"jit_enabled": true,
"name": "string",
"organization_id": "string",
"scopes": [
"string"
],
"sync_memberships_on_login": true,
"type": "string"
}
{
"error": {
"code": "budget_exceeded",
"message": "Budget limit exceeded for monthly period",
"param": null,
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"type": "invalid_request_error"
}
}
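
An added example, not part of the original reference or of Hadrian's own code: a Python check that takes the JSON object returned by GET .../sso-config and flags settings worth reviewing, using the field names and defaults documented above. The finding codes, the sample objects, the rule that JIT needs both create_users and provisioning_enabled, and the reading that only enforcement_mode "required" forces SSO are assumptions.

```python
from urllib.parse import urlparse


def _is_https(url):
    """True when url is an absolute https:// URL with a host part."""
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def audit_sso_config(cfg):
    """Return sorted finding codes for one sso-config response object."""
    if cfg.get("enabled") is False:
        return []  # inactive config: no login path goes through it
    findings = set()
    # Assumption: accounts are auto-created only when both flags are on
    # (both are documented as defaulting to true).
    jit = (cfg.get("create_users") is not False
           and cfg.get("provisioning_enabled") is not False)
    # An empty allowed_email_domains list is documented as "allow all".
    if jit and not cfg.get("allowed_email_domains"):
        findings.add("jit_open_to_all_domains")
    # Auto-created users should start on the documented default role.
    if jit and (cfg.get("default_org_role") or "member") != "member":
        findings.add("jit_default_role_not_member")
    # Assumption: only "required" forces every login through the IdP.
    if (cfg.get("enforcement_mode") or "optional") != "required":
        findings.add("sso_not_required")

    if (cfg.get("provider_type") or "oidc") == "oidc":
        issuer = cfg.get("issuer") or ""
        if not _is_https(issuer):
            findings.add("oidc_issuer_not_https")
        # A discovery_url override should stay on the issuer's own host.
        discovery = cfg.get("discovery_url")
        if discovery and urlparse(discovery).netloc != urlparse(issuer).netloc:
            findings.add("oidc_discovery_host_mismatch")
        # "sub" is the stable subject identifier; other claims can be reassigned.
        if (cfg.get("identity_claim") or "sub") != "sub":
            findings.add("oidc_identity_claim_not_sub")
    else:  # saml
        metadata_url = cfg.get("saml_metadata_url")
        # No pinned certificate and no metadata: nothing to verify signatures with.
        if not cfg.get("saml_idp_certificate") and not metadata_url:
            findings.add("saml_no_idp_certificate")
        if metadata_url and not _is_https(metadata_url):
            findings.add("saml_metadata_not_https")
        # Hardening item: the documented default leaves AuthnRequests unsigned.
        if not cfg.get("saml_sign_requests"):
            findings.add("saml_requests_unsigned")
    return sorted(findings)


# Constructed sample objects (not real tenant data); "admin" is an assumed role name.
LOOSE_OIDC = {
    "enabled": True, "provider_type": "oidc", "issuer": "https://idp.example.com",
    "discovery_url": "https://cdn.example.net/.well-known/openid-configuration",
    "identity_claim": "email", "allowed_email_domains": [], "create_users": True,
    "provisioning_enabled": True, "default_org_role": "admin",
    "enforcement_mode": "test",
}
TIGHT_SAML = {
    "enabled": True, "provider_type": "saml", "allowed_email_domains": ["example.com"],
    "create_users": True, "provisioning_enabled": True, "default_org_role": "member",
    "enforcement_mode": "required", "saml_metadata_url": None,
    "saml_idp_certificate": "-----BEGIN CERTIFICATE-----(constructed placeholder)",
    "saml_sign_requests": True,
}

if __name__ == "__main__":
    for name, cfg in (("LOOSE_OIDC", LOOSE_OIDC), ("TIGHT_SAML", TIGHT_SAML)):
        print(name, audit_sso_config(cfg))
```

Each code is a prompt for review, not a verdict; an organization that intentionally admits every email domain can ignore jit_open_to_all_domains.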