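---
# OpenAPI 3.0 description of the Frontegg Single Sign-On (SSO) API:
# SAML, OIDC and per-account (tenant) SSO configuration endpoints.
#
# Review notes that apply to the whole document:
# - Every operation documents a single 2xx response only; no error
#   responses (for example 401/403/404) are described.
# - Response descriptions are empty strings throughout.
openapi: '3.0.0'

paths:
  /resources/sso/v1/saml/configurations/vendor-config:
    get:
      operationId: SamlControllerV1_getVendorSamlConfig
      summary: Get Vendor's SAML Config
      description: >-
        Retrieve the environment’s SAML configuration. Returns the current
        SAML identity provider settings configured for the environment.
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VendorSamlConfigurationResponse'
      tags:
        - SAML Configurations

  /resources/sso/v1/saml/configurations/sp-certificate:
    get:
      operationId: SamlControllerV1_getSpCertificate
      summary: Get Service Provider Certificate
      description: >-
        Retrieve the service provider (SP) certificate used for SAML
        authentication.
      parameters: []
      responses:
        '200':
          description: ''
      tags:
        - SAML Configurations

  /resources/sso/v1/saml/configurations/sp-metadata:
    get:
      operationId: SamlControllerV1_getSpMetadata
      summary: Get Service Provider Metadata
      description: >-
        Retrieve the service provider metadata for a specific account
        (tenant).
      parameters:
        # NOTE(review): the account is selected by a caller-supplied header,
        # here and on the operations below. The spec does not say how this
        # value is checked against the caller's token; confirm that the
        # server enforces that binding.
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Settings

  /resources/sso/v1/configurations:
    post:
      operationId: SsoConfigurationControllerV1_createSsoConfiguration
      summary: Create SSO Configuration
      description: >-
        Create a new Single Sign-On (SSO) configuration for the specified
        account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateSSOConfigurationRequestDto'
      responses:
        '201':
          description: ''
      tags:
        - SSO Configurations
    get:
      operationId: SsoConfigurationControllerV1_getSsoConfigurations
      summary: Get SSO Configurations
      description: >-
        Retrieve Single Sign-On (SSO) configurations for the specified
        account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}:
    delete:
      operationId: SsoConfigurationControllerV1_deleteSsoConfiguration
      summary: Delete SSO Configuration
      description: >-
        Delete Single Sign-On (SSO) configurations for the specified
        account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations
    patch:
      operationId: SsoConfigurationControllerV1_updateSsoConfiguration
      summary: Update SSO Configuration
      description: Update SSO configuration
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              # The update reuses the create schema, in which every property
              # (secrets included) is listed as required.
              $ref: '#/components/schemas/CreateSSOConfigurationRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/metadata:
    post:
      operationId: SsoConfigurationControllerV1_createSsoConfigurationByMetadata
      summary: Create SSO Configuration Using Metadata
      description: >-
        Create a Single Sign-On (SSO) configuration using identity provider
        metadata for the specified account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateSSOConfigurationByMetadataRequestDto'
      responses:
        '201':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}/metadata:
    put:
      operationId: SsoConfigurationControllerV1_updateSsoConfigurationByMetadata
      summary: Update SSO Configuration Using Metadata
      description: >-
        Update a Single Sign-On (SSO) configuration using identity provider
        metadata for the specified account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateSSOConfigurationByMetadataRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}/domains:
    post:
      operationId: SsoDomainControllerV1_createSsoDomain
      summary: Create SSO Domain
      description: >-
        Add a domain to a Single Sign-On (SSO) configuration for the
        specified account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateSSODomainRequestDto'
      responses:
        '201':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}/domains/{domainId}:
    delete:
      operationId: SsoDomainControllerV1_deleteSsoDomain
      summary: Delete SSO Domain
      description: >-
        Remove a domain from a Single Sign-On (SSO) configuration for the
        specified account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
        - name: domainId
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}/domains/{domainId}/validate/email:
    put:
      operationId: SsoDomainControllerV1_validateSsoDomainByEmail
      summary: Validate SSO Domain by Email
      description: >-
        Validate a domain in a Single Sign-On (SSO) configuration using the
        user's email domain.
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
        - name: domainId
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v2/configurations/{configurationId}/domains/{domainId}/validate:
    put:
      operationId: SsoDomainControllerV2_validateSsoDomain
      summary: Validate SSO Domain
      description: >-
        Validate a domain in a Single Sign-On (SSO) configuration for the
        specified account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
        - name: domainId
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}/roles:
    put:
      operationId: SsoRolesControllerV1_setSsoDefaultRoles
      summary: Set SSO Default Roles
      description: >-
        Set default roles assigned to users authenticated through Single
        Sign-On (SSO) for the specified account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SetSSODefaultRoles'
      responses:
        '201':
          description: ''
      tags:
        - SSO Configurations
    get:
      operationId: SsoRolesControllerV1_getSsoDefaultRoles
      summary: Get SSO Default Roles
      description: >-
        Retrieve default roles assigned to users authenticated through
        Single Sign-On (SSO) for the specified account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}/groups:
    post:
      operationId: SsoGroupsControllerV1_createSsoGroup
      summary: Create an SSO Group
      description: >-
        Create a new SSO group for user management and access control within
        the specified SSO configuration for the account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateSSOGroupRequestDto'
      responses:
        '201':
          description: ''
      tags:
        - SSO Configurations
    get:
      operationId: SsoGroupsControllerV1_getSsoGroup
      summary: Get SSO Group
      description: >-
        Retrieve an SSO group from the specified SSO configuration for the
        account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/{configurationId}/groups/{groupId}:
    patch:
      operationId: SsoGroupsControllerV1_updateSsoGroup
      summary: Update SSO Group
      description: >-
        Update an existing SSO group within the specified SSO configuration
        for the account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
        - name: groupId
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateSSOGroupRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations
    delete:
      operationId: SsoGroupsControllerV1_deleteSsoGroup
      summary: Delete SSO Group
      description: >-
        Delete an existing SSO group from the specified SSO configuration
        for the account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: configurationId
          required: true
          in: path
          schema:
            type: string
        - name: groupId
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/configurations/excluded-emails:
    post:
      operationId: ExcludeEmailsFromSSOV1_excludeSSOEmail
      summary: Exclude Email From SSO
      description: >-
        Exclude an email address from SSO enforcement. Provide the email
        address to exclude in the request body.
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExcludeEmailFromSSORequestDto'
      responses:
        '201':
          description: ''
      tags:
        - SSO Settings
    get:
      operationId: ExcludeEmailsFromSSOV1_getSSOExcludedEmails
      summary: Get SSO Excluded Emails
      description: Retrieve the list of email addresses excluded from SSO enforcement.
      parameters: []
      responses:
        '200':
          description: ''
      tags:
        - SSO Settings

  /resources/sso/v1/configurations/excluded-emails/{email}:
    delete:
      operationId: ExcludeEmailsFromSSOV1_deleteSSOExcludedEmail
      summary: Delete SSO Excluded Email
      description: Remove an email address from the list of SSO-excluded emails.
      parameters:
        # NOTE(review): the address travels in the URL path, so clients must
        # percent-encode it and it can end up in request/access logs.
        - name: email
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - SSO Settings

  /resources/sso/v1/configurations/domains/{domain}/force-validate:
    put:
      # NOTE(review): "Vendor Only" is stated in the summary alone; nothing
      # else in this document expresses that restriction. Confirm it is
      # enforced server-side.
      operationId: VendorOnlySsoConfigurationControllerV1_forceSsoDomainValidation
      summary: Vendor Only - Force SSO Domain Validation
      description: Force domain validation for SSO configuration in the environment.
      parameters:
        - name: domain
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ForceValidateDomainRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - SSO Settings

  /resources/sso/v1/configurations/multiple-sso-per-domain:
    # NOTE(review): both operations are described as per-account, yet no
    # frontegg-tenant-id parameter is declared. Confirm how the account is
    # selected.
    get:
      operationId: SsoPerTenantControllerV1_getSSOPerTenantConfig
      summary: Get SSO per Account (tenant) Configuration
      description: Retrieve the SSO configuration for a specific account (tenant).
      parameters: []
      responses:
        '200':
          description: ''
      tags:
        - SSO Settings
    put:
      operationId: SsoPerTenantControllerV1_createOrUpdateSSOPerTenantConfig
      summary: Create or Update SSO per Account (tenant) Configuration
      description: Create or update the SSO configuration for a specific account (tenant).
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateSSOPerTenantConfigRequest'
      responses:
        '201':
          description: ''
      tags:
        - SSO Settings

  /resources/sso/v1/configurations/domains:
    put:
      operationId: SSODomainsConfigurationControllerV1_createOrUpdateSSODomainsConfiguration
      summary: Create or Update SSO Domains Configuration
      description: Create or update the SSO domains configuration for the account (tenant).
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateSSODomainConfigurationRequest'
      responses:
        '201':
          description: ''
      tags:
        - SSO Configurations
    get:
      operationId: SSODomainsConfigurationControllerV1_getSSODomainsConfiguration
      summary: Get SSO Domains Configuration
      description: Retrieve the SSO domains configuration for the account (tenant).
      parameters: []
      responses:
        '200':
          description: ''
      tags:
        - SSO Configurations

  /resources/sso/v1/oidc/configurations:
    get:
      # The operationId spelling ("Conifguration") is kept unchanged because
      # generated clients derive method names from it.
      operationId: OidcControllerV1_getOidcConifguration
      summary: Get OIDC Configuration
      description: Retrieve the OpenID Connect (OIDC) configuration for the environment.
      parameters: []
      responses:
        # NOTE(review): a read operation documented with 201 rather than 200;
        # confirm against the server before changing.
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConfigureOidcResponse'
      tags:
        - OIDC Configurations
    post:
      operationId: OidcControllerV1_configureOidc
      summary: Configure OIDC
      description: >-
        Configure or update an OpenID Connect (OIDC) identity provider for
        the environment.
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ConfigureOidcRequest'
      responses:
        '201':
          description: ''
      tags:
        - SSO Settings

info:
  title: Single Sign-On Overview
  description: >-
    Frontegg’s Single Sign-On (SSO) enables users to sign in using their
    existing credentials, removing the need to create new usernames and
    passwords specifically for your application. Our SSO solution supports
    two popular protocols: SAML and OpenID Connect (OIDC).
    These protocols facilitate user authentication across multiple
    applications and can be configured via Frontegg’s Management Portal or
    the Self-Service menu within your application. This section lists all
    relevant API endpoints, organized into Management and Self-Service
    categories: **Management Endpoints**: Require environment-level
    authorization and provide comprehensive control over SSO (SAML and OIDC)
    resources.
    **Self-Service Endpoints**: Accessible with a user token (JWT), allowing
    users with appropriate permissions to create, update, and delete SSO
    connections on their accounts.
  version: '1.0'

servers:
  - url: https://api.frontegg.com/team
    description: EU Region
  - url: https://api.us.frontegg.com/team
    description: US Region
  - url: https://api.ca.frontegg.com/team
    description: CA Region
  - url: https://api.au.frontegg.com/team
    description: AU Region
  - url: https://{domain}.frontegg.com/team
    description: Frontegg sub-domain for use with user tokens
    variables:
      domain:
        default: app-xxx

components:
  securitySchemes:
    # NOTE(review): `bearer` is declared here, but this document contains no
    # top-level or per-operation `security` requirement that references it,
    # so as written no operation declares an authentication requirement.
    # The info text says management endpoints need environment-level
    # authorization and self-service endpoints a user token (JWT); confirm
    # and add the matching `security` entries.
    bearer:
      scheme: bearer
      bearerFormat: JWT
      type: http
  schemas:
    VendorSamlConfigurationResponse:
      type: object
      properties: {}
    CreateSSOConfigurationRequestDto:
      type: object
      properties:
        enabled:
          type: boolean
        ssoEndpoint:
          type: string
        publicCertificate:
          type: string
        signRequest:
          type: boolean
        acsUrl:
          type: string
        spEntityId:
          type: string
        type:
          type: string
        oidcClientId:
          type: string
        oidcSecret:
          type: string
          # Marks the value as a secret so documentation UIs can mask it.
          format: password
        configMetadata:
          type: object
        overrideActiveTenant:
          type: boolean
        subAccountAccessLimit:
          type: number
        idpClientId:
          type: string
          description: SSO app client ID used to authenticate group fetch requests
        idpClientSecret:
          type: string
          # Marks the value as a secret so documentation UIs can mask it.
          format: password
          description: SSO app client secret used with the client ID for authentication
      # NOTE(review): every property is required, including the OIDC and IdP
      # client secrets, and the PATCH update operation reuses this schema.
      # Confirm that clients really must resend secrets on each update.
      required:
        - enabled
        - ssoEndpoint
        - publicCertificate
        - signRequest
        - acsUrl
        - spEntityId
        - type
        - oidcClientId
        - oidcSecret
        - configMetadata
        - overrideActiveTenant
        - subAccountAccessLimit
        - idpClientId
        - idpClientSecret
    UpdateSSOConfigurationByMetadataRequestDto:
      type: object
      properties:
        metadata:
          type: string
      required:
        - metadata
    CreateSSODomainRequestDto:
      type: object
      properties: {}
    SetSSODefaultRoles:
      type: object
      properties:
        roleIds:
          type: array
          items:
            type: string
      required:
        - roleIds
    CreateSSOGroupRequestDto:
      type: object
      properties:
        group:
          type: string
        roleIds:
          type: array
          items:
            type: string
      required:
        - group
        - roleIds
    UpdateSSOGroupRequestDto:
      type: object
      properties:
        group:
          type: string
        roleIds:
          type: array
          items:
            type: string
      required:
        - group
        - roleIds
    ExcludeEmailFromSSORequestDto:
      type: object
      properties:
        email:
          type: string
      required:
        - email
    ForceValidateDomainRequestDto:
      type: object
      properties: {}
    CreateSSOPerTenantConfigRequest:
      type: object
      properties:
        unspecifiedTenantStrategy:
          type: string
        active:
          type: boolean
        useActiveTenant:
          type: boolean
      required:
        - unspecifiedTenantStrategy
        - active
        - useActiveTenant
    CreateSSODomainConfigurationRequest:
      type: object
      # NOTE(review): none of these flags carries a description. By name,
      # skipDomainVerification and bypassDomainCrossValidation appear to
      # relax domain-ownership checks; confirm their effect and document
      # who is allowed to set them.
      properties:
        allowVerifiedUsersToAddDomains:
          type: boolean
        skipDomainVerification:
          type: boolean
        bypassDomainCrossValidation:
          type: boolean
      required:
        - allowVerifiedUsersToAddDomains
        - skipDomainVerification
        - bypassDomainCrossValidation
    ConfigureOidcResponse:
      type: object
      properties: {}
    ConfigureOidcRequest:
      type: object
      properties:
        active:
          type: boolean
        redirectUri:
          type: string
          description: >-
            Redirect URI that the user will be redirected. Should match the
            redirect URI you set on your application. Leave it empty if you
            didn't change it on your application
      required:
        - active

# Group entries use the same casing as the tags on the operations above, so
# that name-based matching between groups and operation tags works.
x-tagGroups:
  - name: Management
    tags:
      - SSO Settings
  - name: Self-Service
    tags:
      - SAML Configurations
      - OIDC Configurations
      - SSO Configurations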