> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Update SAML Connection by Metadata URL

> Update an existing SAML Connection using an IdP metadata URL

export const action_0 = "update"

export const resource_0 = "stytch.sso"

<Note>
  **RBAC Enforced API**

  If a Member Session is passed in the Authorization headers, Stytch will enforce that the Member has permission to take the **{action_0} Action** on the **{resource_0} Resource** prior to honoring the request.

  To learn more, see the [RBAC guide](/multi-tenant-auth/enterprise-ready/rbac).
</Note>

A newly created connection will not become active until all the following are provided:

* `idp_sso_url`
* `attribute_mapping` (must be supplied via [Update SAML Connection](./update-saml-connection))
* `idp_identity_id`
* `x509_certificates`


## OpenAPI

````yaml PUT /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.1.1
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url:
    put:
      tags:
        - Sso
      summary: Updatebyurl
      description: >-
        Used to update an existing SAML connection using an IDP metadata URL.


        A newly created connection will not become active until all the
        following are provided:

        * `idp_sso_url`

        * `idp_entity_id`

        * `x509_certificate`

        * `attribute_mapping` (must be supplied using [Update SAML
        Connection](update-saml-connection))
      operationId: api_sso_v1_sso_saml_UpdateByURL
      parameters:
        - name: organization_id
          in: path
          required: true
          schema:
            type: string
            description: >-
              Globally unique UUID that identifies a specific Organization. The
              `organization_id` is critical to perform operations on an
              Organization, so be sure to preserve this value. You may also use
              the organization_slug or organization_external_id here as a
              convenience.
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        - name: connection_id
          in: path
          required: true
          schema:
            type: string
            description: >-
              Globally unique UUID that identifies a specific SSO
              `connection_id` for a Member.
          description: >-
            Globally unique UUID that identifies a specific SSO `connection_id`
            for a Member.
        - name: X-Stytch-Member-Session
          in: header
          required: false
          description: >-
            A Stytch session that can be used to run the request with the given
            member's permissions.
          schema:
            type: string
        - name: X-Stytch-Member-SessionJWT
          in: header
          required: false
          description: >-
            A Stytch Session JSON Web Token (JWT) that can be used to run the
            request with the given member's permissions.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/api_sso_v1_sso_saml_UpdateByURLRequest'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/api_sso_v1_sso_saml_UpdateByURLResponse'
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: >-
            // PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            const stytch = require('stytch');


            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });


            const params = {
              organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
              connection_id: "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
              metadata_url: "https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata",
            };


            const options = {
              authorization: {
                session_token: '${sessionToken}',
              },
            };


            client.SSO.SAML.UpdateByURL(params, options)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// PUT /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/sso/saml\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/methodoptions\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &saml.UpdateByURLParams{\n\t\tOrganizationID: \"organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931\",\n\t\tConnectionID:   \"saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9\",\n\t\tMetadataURL:    \"https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata\",\n\t}\n\n\toptions := &saml.UpdateByURLParamsOptions{\n\t\tAuthorization: methodoptions.Authorization{\n\t\t\tSessionToken: \"${sessionToken}\",\n\t\t},\n\t}\n\n\tresp, err := client.SSO.SAML.UpdateByURL(context.Background(), params, options)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: >-
            // PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            package com.example;


            import com.stytch.java.b2b.models.ssosaml.UpdateByURLRequest;

            import com.stytch.java.b2b.models.ssosaml.UpdateByURLRequestOptions;

            import com.stytch.java.b2b.StytchB2BClient;

            import com.stytch.java.common.methodoptions.Authorization;

            import com.stytch.java.common.StytchResult;


            public class Main {
                public static void main(String[] args) {
                    StytchB2BClient.configure("${projectId}", "${secret}");

                    UpdateByURLRequest params = new UpdateByURLRequest();
                    params.setOrganizationId("organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931");
                    params.setConnectionId("saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9");
                    params.setMetadataURL("https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata");

                    UpdateByURLRequestOptions options = new UpdateByURLRequestOptions();
                    Authorization authorization = new Authorization();
                    authorization.setSessionToken("${sessionToken}");
                    options.setAuthorization(authorization);

                    Object result = StytchB2BClient.getSSO().getSAML().updateByURL(params, options);
                    if (result instanceof StytchResult.Success) {
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: >
            // PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            package com.example


            import com.stytch.java.b2b.StytchB2BClient

            import com.stytch.java.b2b.models.ssosaml.UpdateByURLRequest

            import com.stytch.java.b2b.models.ssosaml.UpdateByURLRequestOptions

            import com.stytch.java.common.methodoptions.Authorization


            fun main() {
                StytchB2BClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                when (
                    val result =
                        StytchB2BClient.sso.saml.updateByURL(
                            UpdateByURLRequest(
                                organizationId = "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
                                connectionId = "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
                                metadataURL = "https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata",
                            ),
                            UpdateByURLRequestOptions(
                                Authorization(
                                    sessionToken = "${sessionToken}",
                                ),
                            ),
                        )
                ) {
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }
        - lang: javascript
          label: Node.js
          source: >-
            // PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            const stytch = require('stytch');


            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });


            const params = {
              organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
              connection_id: "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
              metadata_url: "https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata",
            };


            const options = {
              authorization: {
                session_token: '${sessionToken}',
              },
            };


            client.sso.saml.updateByURL(params, options)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            $response = $client->sso->saml->update_by_url([
                'organization_id' => 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
                'connection_id' => 'saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9',
                'metadata_url' => 'https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata',
            ], [
                    'authorization' => ['session_token' => '${sessionToken}'],

            ]);
        - lang: python
          label: Python
          source: >
            # PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            from stytch import B2BClient

            from stytch.b2b.models.sso_saml import UpdateByURLRequestOptions

            from stytch.shared.method_options import Authorization


            client = B2BClient(
                project_id="${projectId}",
                secret="${secret}",
            )


            resp = client.sso.saml.update_by_url(
                organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
                connection_id="saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
                metadata_url="https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata",
                method_options=UpdateByURLRequestOptions(
                    authorization=Authorization(
                        session_token="${sessionToken}",
                    ),
                ),
            )


            print(resp)
        - lang: ruby
          label: Ruby
          source: >-
            # frozen_string_literal: true


            # PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            require 'stytch'


            client = StytchB2B::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )


            resp = client.sso.saml.update_by_url(
              organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
              connection_id: "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
              metadata_url: "https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata",
              method_options: StytchB2B::SSO::SAML::UpdateByURLRequestOptions.new(
                authorization: Stytch::MethodOptions::Authorization.new(session_token: '${sessionToken}')
              )
            )


            puts resp
        - lang: rust
          label: Rust
          source: >-
            // PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            use stytch::b2b::client::Client;

            use stytch::b2b::sso_saml::UpdateByURLRequest;


            fn main() {
                let client = Client::new("${projectId}", "${secret}").unwrap();
                let resp = client.sso.saml.update_by_url(
                    UpdateByURLRequest{
                        organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
                        connection_id: "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
                        metadata_url: "https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata",
                        ..Default::default()
                    }
                ).await;
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: >-
            # PUT
            /v1/b2b/sso/saml/{organization_id}/connections/{connection_id}/url

            curl --request PUT \
              --url https://test.stytch.com/v1/b2b/sso/saml/organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931/connections/saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9/url \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json' \
              -H "X-Stytch-Member-Session: ${sessionToken}" \
              -d '{
                "metadata_url": "https://idp.example.com/app/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml/metadata"
              }'
components:
  schemas:
    api_sso_v1_sso_saml_UpdateByURLRequest:
      type: object
      properties:
        metadata_url:
          type: string
          description: >-
            A URL that points to the IdP metadata. This will be provided by the
            IdP.
      description: Request type
      required:
        - metadata_url
    api_sso_v1_sso_saml_UpdateByURLResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
        connection:
          $ref: '#/components/schemas/api_sso_v1_SAMLConnection'
          description: >-
            The [SAML Connection
            Object](https://stytch.com/docs/b2b/api/saml-connection-object)
      required:
        - request_id
        - status_code
    api_sso_v1_SAMLConnection:
      type: object
      properties:
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        connection_id:
          type: string
          description: Globally unique UUID that identifies a specific SAML Connection.
        status:
          type: string
          description: >-
            The status of the connection. The possible values are pending or
            active. See the [Update SAML Connection
            endpoint](https://stytch.com/docs/b2b/api/update-saml-connection)
            for more details.
        idp_entity_id:
          type: string
          description: >-
            A globally unique name for the IdP. This will be provided by the
            IdP.
        display_name:
          type: string
          description: A human-readable display name for the connection.
        idp_sso_url:
          type: string
          description: >-
            The URL for which assertions for login requests will be sent. This
            will be provided by the IdP.
        acs_url:
          type: string
          description: >-
            The URL of the Assertion Consumer Service. This value will be passed
            to the IdP to redirect the Member back to Stytch after a sign-in
            attempt. Read our [SAML
            Overview](https://stytch.com/docs/b2b/api/saml-overview) for more
            info.
        audience_uri:
          type: string
          description: >-
            The URL of the Audience Restriction. This value will indicate that
            Stytch is the intended audience of an assertion. Read our [SAML
            Overview](https://stytch.com/docs/b2b/api/saml-overview) for more
            info.
        signing_certificates:
          type: array
          items:
            $ref: '#/components/schemas/api_sso_v1_X509Certificate'
          description: >-
            A list of X.509 certificates Stytch will use to sign its assertion
            requests. Certificates should be uploaded to the IdP.
        verification_certificates:
          type: array
          items:
            $ref: '#/components/schemas/api_sso_v1_X509Certificate'
          description: >-
            A list of X.509 certificates Stytch will use to validate an
            assertion callback. Certificates should be populated from the IdP.
        encryption_private_keys:
          type: array
          items:
            $ref: '#/components/schemas/api_sso_v1_EncryptionPrivateKey'
        saml_connection_implicit_role_assignments:
          type: array
          items:
            $ref: >-
              #/components/schemas/api_sso_v1_SAMLConnectionImplicitRoleAssignment
          description: >-
            All Members who log in with this SAML connection will implicitly
            receive the specified Roles. See the [RBAC
            guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for
            more information about role assignment.
        saml_group_implicit_role_assignments:
          type: array
          items:
            $ref: '#/components/schemas/api_sso_v1_SAMLGroupImplicitRoleAssignment'
          description: |-
            Defines the names of the SAML groups
             that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and
             belongs to the specified SAML group, they will be granted the associated Role. See the
             [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.
        alternative_audience_uri:
          type: string
          description: >-
            An alternative URL to use for the Audience Restriction. This value
            can be used when you wish to migrate an existing SAML integration to
            Stytch with zero downtime. Read our [SSO migration
            guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations)
            for more info.
        identity_provider:
          type: string
          description: >-
            Name of the IdP. Enum with possible values: `classlink`, `cyberark`,
            `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`,
            `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`,
            `salesforce`, `shibboleth`, or `generic`.


            Specifying a known provider allows Stytch to handle any
            provider-specific logic.
        nameid_format:
          type: string
          description: >-
            The NameID format the SAML Connection expects to use. Defaults to
            `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.
        alternative_acs_url:
          type: string
          description: >-
            An alternative URL to use for the `AssertionConsumerServiceURL` in
            SP initiated SAML AuthNRequests. This value can be used when you
            wish to migrate an existing SAML integration to Stytch with zero
            downtime. Note that you will be responsible for proxying requests
            sent to the Alternative ACS URL to Stytch. Read our [SSO migration
            guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations)
            for more info.
        idp_initiated_auth_disabled:
          type: boolean
          description: >-
            Determines whether IDP initiated auth is allowed for a given SAML
            connection. Defaults to false (IDP Initiated Auth is enabled).
        allow_gateway_callback:
          type: boolean
        attribute_mapping:
          type: object
          additionalProperties: true
          description: >-
            An object that represents the attributes used to identify a Member.
            This object will map the IdP-defined User attributes to
            Stytch-specific values. Required attributes: `email` and one of
            `full_name` or `first_name` and `last_name`.
      required:
        - organization_id
        - connection_id
        - status
        - idp_entity_id
        - display_name
        - idp_sso_url
        - acs_url
        - audience_uri
        - signing_certificates
        - verification_certificates
        - encryption_private_keys
        - saml_connection_implicit_role_assignments
        - saml_group_implicit_role_assignments
        - alternative_audience_uri
        - identity_provider
        - nameid_format
        - alternative_acs_url
        - idp_initiated_auth_disabled
        - allow_gateway_callback
    api_sso_v1_X509Certificate:
      type: object
      properties:
        certificate_id:
          type: string
          description: The ID of the certificate.
        certificate:
          type: string
          description: >-
            The certificate, in
            [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) format.
        issuer:
          type: string
          description: >-
            The issuer of the certificate. For signing certificates, this value
            will be "Stytch".
        created_at:
          type: string
          description: A timestamp that indicates when the certificate was created.
        expires_at:
          type: string
          description: A timestamp that indicates when the certificate will expire.
        updated_at:
          type: string
          description: A timestamp that indicates when the certificate was updated.
      required:
        - certificate_id
        - certificate
        - issuer
    api_sso_v1_EncryptionPrivateKey:
      type: object
      properties:
        private_key_id:
          type: string
        private_key:
          type: string
        created_at:
          type: string
      required:
        - private_key_id
        - private_key
    api_sso_v1_SAMLConnectionImplicitRoleAssignment:
      type: object
      properties:
        role_id:
          type: string
          description: >-
            The unique identifier of the RBAC Role, provided by the developer
            and intended to be human-readable.

              Reserved `role_id`s that are predefined by Stytch include:

              * `stytch_member`
              * `stytch_admin`

              Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more detailed explanation.

              
      required:
        - role_id
    api_sso_v1_SAMLGroupImplicitRoleAssignment:
      type: object
      properties:
        role_id:
          type: string
        group:
          type: string
      required:
        - role_id
        - group
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

````