SSO API
The SSO API provides Single Sign-On provider configuration, SCIM synchronization, and ABAC policy management.
Overview
This module provides:
- SSO provider configuration (SAML/OIDC)
- SCIM user provisioning
- ABAC (Attribute-Based Access Control) policies
- SSO session management
- Attribute mapping
Base Path
All SSO endpoints are prefixed with /api/v1/sso
Authentication
All endpoints require authentication:
Authorization: Bearer <access_token>
SSO Flow
The SSO API enables organizations to configure Single Sign-On providers, synchronize users via SCIM, and manage access control through ABAC policies. The system supports SAML and OIDC protocols for seamless authentication integration.
SSO Flow Diagram
SSO Flow Overview:
This flow diagram illustrates the Single Sign-On provider configuration and management workflow. It shows how SSO providers are configured, how SCIM synchronization works, and how ABAC policies are managed.
Key Flow Components:
- Provider Configuration: Organizations can configure SAML or OIDC SSO providers
- Metadata Exchange: The system exchanges metadata with identity providers for configuration
- SCIM Synchronization: User provisioning and synchronization via the SCIM 2.0 protocol
- Attribute Mapping: Custom attribute mapping between the identity provider and the system
- ABAC Policies: Attribute-Based Access Control policies for fine-grained access management
- SSO Sessions: Management of SSO authentication sessions
Internal Developer Notes:
- Supports both SAML 2.0 and OIDC protocols
- SCIM synchronization enables automated user provisioning
- Attribute mapping allows custom field mapping from identity providers
- ABAC policies provide flexible access control based on user attributes
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /providers | Create SSO provider |
| GET | /providers | List SSO providers |
| GET | /providers/{provider_id} | Get SSO provider details |
| PUT | /providers/{provider_id} | Update SSO provider |
| DELETE | /providers/{provider_id} | Delete SSO provider |
| GET | /providers/{provider_id}/metadata | Get SSO metadata |
| POST | /providers/{provider_id}/test | Test SSO provider |
| POST | /providers/{provider_id}/attribute-mapping | Update attribute mapping |
| GET | /sessions | List SSO sessions |
| DELETE | /sessions/{session_id} | Revoke SSO session |
| POST | /scim/sync | Trigger SCIM synchronization |
| GET | /scim/users | List SCIM users |
| POST | /abac/policies | Create ABAC policy |
| GET | /abac/policies | List ABAC policies |
| POST | /abac/decisions | Get ABAC decision |
Internal Notes
- [WARNING] Partially implemented: many endpoints have TODO comments
- Fully implemented: /providers (create, list)
- TODO: Provider details, update, delete, metadata, test, attribute mapping
- TODO: SSO sessions, SCIM, ABAC endpoints
Swagger Documentation
Interactive API documentation is available at: /docs#/sso