Updates an existing SAML connection.
Note that a newly created connection will not become active until all of the following are provided:
- idp_sso_url
- attribute_mapping
- idp_entity_id
- x509_certificate
Updates an existing SAML connection.
Note that a newly created connection will not become active until all of the following are provided:
RBAC Enforced API
When a Member Session is passed in the Authorization headers, Stytch will enforce that the Member has permission to take the update Action on the stytch.sso Resource prior to honoring the request.
To learn more, see our RBAC guide.
Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
Globally unique UUID that identifies a specific SSO connection_id for a Member.
A globally unique name for the IdP. This will be provided by the IdP.
A human-readable display name for the connection.
An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: email and one of full_name or first_name and last_name.
The key that will be sent by the IdP to indicate the member's email. If your IdP is configured to have email as its Name ID format, you should use NameID for the value here.
The key that will be sent by the IdP to indicate the member's full name.
The key that will be sent by the IdP to indicate the member's group memberships. This field is required if you would like to use SAML group implicit role assignments.
The ID of the member in the IdP. This is optional, but recommended, as it provides us with a stable identifier that can be used to correctly identify the Member and log them into their existing account after an IdP-driven email update.
An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our SSO migration guide for more info.
An alternative URL to use for the AssertionConsumerServiceURL in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our SSO migration guide for more info.
The NameID format the SAML Connection expects to use. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
The URL for which assertions for login requests will be sent. This will be provided by the IdP.
A certificate that Stytch will use to verify the sign-in assertion sent by the IdP, in PEM format. See our X509 guide for more info.
All Members who log in with this SAML connection will implicitly receive the specified Roles. See the RBAC guide for more information about role assignment.
The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
Reserved role_ids that are predefined by Stytch include:
Check out the guide on Stytch default Roles for a more detailed explanation.
Defines the names of the SAML groups that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and belongs to the specified SAML group, they will be granted the associated Role. See the RBAC guide for more information about role assignment. Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's attribute_mapping. Make sure that your IdP is configured to correctly send the group information.
The name of the group that grants the specified role assignment.
The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
Reserved role_ids that are predefined by Stytch include:
Check out the guide on Stytch default Roles for a more detailed explanation.
Name of the IdP. Enum with possible values: classlink, cyberark, duo, google-workspace, jumpcloud, keycloak, miniorange, microsoft-entra, okta, onelogin, pingfederate, rippling, salesforce, shibboleth, or generic.
Specifying a known provider allows Stytch to handle any provider-specific logic.
A PKCS1 format RSA private key used for signing SAML requests. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported. When provided, Stytch will generate a new x509 certificate from this key and return it in the signing_certificates array.
Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled).
The secret token for a Member Session that should be used to perform an authorization check for this endpoint. If neither session header is passed, no authorization check will be performed. If one is passed, we will check that the Member Session contains a Role that satisfies the permission needed to call this endpoint. If it does not, or if the Member's Organization does not match the organization_id passed in the request, a 403 error will be thrown. Otherwise, the request will proceed as normal.
The JSON Web Token (JWT) for a Member Session that should be used to perform an authorization check for this endpoint. If neither session header is passed, no authorization check will be performed. If one is passed, we will check that the Member Session contains a Role that satisfies the permission needed to call this endpoint. If it does not, or if the Member's Organization does not match the organization_id passed in the request, a 403 error will be thrown. Otherwise, the request will proceed as normal.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
The SAML Connection object affected by this API call. See the SAML Connection Object for complete response field details.
const stytch = require('stytch');
const client = new stytch.B2BClient({
project_id: 'PROJECT_ID',
secret: 'SECRET',
});
const params = {
organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
connection_id: "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
x509_certificate: "-----BEGIN CERTIFICATE-----\n...base64 blob...\n-----END CERTIFICATE",
idp_sso_url: "https://idp.example.com/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml",
signing_private_key: "-----BEGIN RSA PRIVATE KEY-----\n...base64 blob...\n-----END RSA PRIVATE KEY-----",
};
const options = {
authorization: {
session_token: 'mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q',
},
};
client.sso.saml.updateConnection(params, options)
.then(resp => { console.log(resp) })
.catch(err => { console.log(err) });
{
"connection": {
"acs_url": "https://test.stytch.com/v1/b2b/sso/callback/saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
"alternative_acs_url": "",
"attribute_mapping": {
"email": "email",
"full_name": "name"
},
"audience_uri": "https://test.stytch.com/v1/b2b/sso/callback/saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
"alternative_audience_uri": "",
"connection_id": "saml-connection-test-51861cbc-d3b9-428b-9761-227f5fb12be9",
"display_name": "Example SAML Connection",
"idp_entity_id": "https://idp.example.com/51861cbc-d3b9-428b-9761-227f5fb12be9",
"idp_sso_url": "https://idp.example.com/51861cbc-d3b9-428b-9761-227f5fb12be9/sso/saml",
"nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
"signing_certificates": [
{
"certificate": "-----BEGIN CERTIFICATE-----\n...base64 blob...\n-----END CERTIFICATE",
"created_at": "2023-01-01T00:00:00Z",
"updated_at": "2023-01-01T00:00:00Z",
"expires_at": "2033-01-01T00:00:00Z",
"id": "",
"issuer": "Stytch"
}
],
"status": "active",
"identity_provider": "generic",
"verification_certificates": [
{
"certificate": "-----BEGIN CERTIFICATE-----\n...base64 blob...\n-----END CERTIFICATE",
"created_at": "2023-01-01T00:00:00Z",
"updated_at": "2023-01-01T00:00:00Z",
"expires_at": "2033-01-01T00:00:00Z",
"id": "saml-verification-key-test-5ccbc642-9373-42b8-928f-c1646c868701",
"issuer": ""
}
],
"idp_initiated_auth_disabled": false
},
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"status_code": 200
}
{
"status_code": 401,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "unauthorized_credentials",
"error_message": "Unauthorized credentials.",
"error_url": "https://stytch.com/docs/api/errors/401"
}
{
"status_code": 429,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "too_many_requests",
"error_message": "Too many requests have been made.",
"error_url": "https://stytch.com/docs/api/errors/429"
}
{
"status_code": 500,
"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
"error_type": "internal_server_error",
"error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
"error_url": "https://stytch.com/docs/api/errors/500"
}