Skip to main content
organization_id
string
required

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

connection_id
string
required

Globally unique UUID that identifies a specific SAML Connection.

status
string
required

The status of the connection. The possible values are pending or active. See the Update SAML Connection endpoint for more details.

idp_entity_id
string
required

A globally unique name for the IdP. This will be provided by the IdP.

display_name
string
required

A human-readable display name for the connection.

idp_sso_url
string
required

The URL for which assertions for login requests will be sent. This will be provided by the IdP.

acs_url
string
required

The URL of the Assertion Consumer Service. This value will be passed to the IdP to redirect the Member back to Stytch after a sign-in attempt. Read our SAML Overview for more info.

audience_uri
string
required

The URL of the Audience Restriction. This value will indicate that Stytch is the intended audience of an assertion. Read our SAML Overview for more info.

signing_certificates
object[]
required

A list of X.509 certificates Stytch will use to sign its assertion requests. Certificates should be uploaded to the IdP.

verification_certificates
object[]
required

A list of X.509 certificates Stytch will use to validate an assertion callback. Certificates should be populated from the IdP.

encryption_private_keys
object[]
required
saml_connection_implicit_role_assignments
object[]
required

All Members who log in with this SAML connection will implicitly receive the specified Roles. See the RBAC guide for more information about role assignment.

saml_group_implicit_role_assignments
object[]
required

Defines the names of the SAML groups that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and belongs to the specified SAML group, they will be granted the associated Role. See the RBAC guide for more information about role assignment.

alternative_audience_uri
string
required

An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our SSO migration guide for more info.

identity_provider
string
required

Name of the IdP. Enum with possible values: classlink, cyberark, duo, google-workspace, jumpcloud, keycloak, miniorange, microsoft-entra, okta, onelogin, pingfederate, rippling, salesforce, shibboleth, or generic.

Specifying a known provider allows Stytch to handle any provider-specific logic.

nameid_format
string
required

The NameID format the SAML Connection expects to use. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

alternative_acs_url
string
required

An alternative URL to use for the AssertionConsumerServiceURL in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our SSO migration guide for more info.

idp_initiated_auth_disabled
boolean
required

Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled).

allow_gateway_callback
boolean
required
attribute_mapping
object

An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: email and one of full_name or first_name and last_name.