Stytch - Auth platform for developers

The Get SSO Connections method wraps the Get SSO Connections API endpoint. The organization_id will be automatically inferred from the logged-in Member's session. This method cannot be used to get SSO connections from other Organizations.

Authenticated Method

This method requires valid Session for a Member with permission to perform the get Action on the stytch.sso Resource.

Before using this method, enable Member actions & organization modifications in the Frontend SDK page. To learn more, see our RBAC guide.

Response fields

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

saml_connections array[Object]

The list of SAML Connections owned by this organization.

organization_id string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

connection_id string

Globally unique UUID that identifies a specific SAML Connection.

display_name string

A human-readable display name for the connection.

acs_url string

The URL of the Assertion Consumer Service. This value will be passed to the IdP to redirect the Member back to Stytch after a sign-in attempt. Read our SAML Overview for more info.

audience_uri string

The URL of the Audience Restriction. This value will indicate that Stytch is the intended audience of an assertion. Read our SAML Overview for more info.

attribute_mapping object

An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values. Required attributes: email and one of full_name or first_name and last_name.

email* string

The key that will be sent by the IdP to indicate the member's email. If your IdP is configured to have email as its Name ID format, you should use NameID for the value here.

full_name string

The key that will be sent by the IdP to indicate the member's full name.

groups string

The key that will be sent by the IdP to indicate the member's group memberships. This field is required if you would like to use SAML group implicit role assignments.

idp_user_id string

The ID of the member in the IdP. This is optional, but recommended, as it provides us with a stable identifier that can be used to correctly identify the Member and log them into their existing account after an IdP-driven email update.

idp_entity_id string

A globally unique name for the IdP. This will be provided by the IdP.

alternative_audience_uri string

An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our SSO migration guide for more info.

alternative_acs_url string

An alternative URL to use for the AssertionConsumerServiceURL in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our SSO migration guide for more info.

nameid_format string

The NameID format the SAML Connection expects to use. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

idp_sso_url string

The URL for which assertions for login requests will be sent. This will be provided by the IdP.

signing_certificates array

A list of X.509 certificates Stytch will use to sign its assertion requests. Certificates should be uploaded to the IdP.

certificate string

The certificate, in PEM format.

created_at string

A timestamp that indicates when the certificate was created.

updated_at string

A timestamp that indicates when the certificate was updated.

expires_at string

A timestamp that indicates when the certificate will expire.

certificate_id string

The ID of the certificate.

issuer string

The issuer of the certificate. For signing certificates, this value will be "Stytch".

verification_certificates array

A list of X.509 certificates Stytch will use to validate an assertion callback. Certificates should be populated from the IdP.

certificate string

The certificate, in PEM format.

created_at string

A timestamp that indicates when the certificate was created.

updated_at string

A timestamp that indicates when the certificate was updated.

expires_at string

A timestamp that indicates when the certificate will expire.

certificate_id string

The ID of the certificate.

issuer string

The issuer of the certificate. For signing certificates, this value will be "Stytch".

saml_encryption_private_keys array

A list of encryption private keys Stytch will use to decrypt encrypted SAML assertions.

private_key string

A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported.

created_at string

A timestamp that indicates when the certificate was created.

private_key_id string

The ID of the encryption private key.

saml_connection_implicit_role_assignments array[object]

All Members who log in with this SAML connection will implicitly receive the specified Roles. See the RBAC guide for more information about role assignment.

role_id string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

saml_group_implicit_role_assignments array[object]

Defines the names of the SAML groups that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and belongs to the specified SAML group, they will be granted the associated Role. See the RBAC guide for more information about role assignment.

group string

The name of the group that grants the specified role assignment.

role_id string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

identity_provider string

Name of the IdP. Enum with possible values: classlink, cyberark, duo, google-workspace, jumpcloud, keycloak, miniorange, microsoft-entra, okta, onelogin, pingfederate, rippling, salesforce, shibboleth, or generic.

Specifying a known provider allows Stytch to handle any provider-specific logic.

idp_initiated_auth_disabled boolean

Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled).

status string

The status of the connection. The possible values are pending or active. See the Update SAML Connection endpoint for more details.

oidc_connections array[Object]

The list of OIDC Connections owned by this organization.

organization_id string

connection_id string

Globally unique UUID that identifies a specific OIDC Connection.

display_name string

A human-readable display name for the connection.

redirect_url string

The callback URL for this OIDC connection. This value will be passed to the IdP to redirect the Member back to Stytch after a sign-in attempt.

status string

The status of the connection. The possible values are pending or active. See the Update OIDC Connection endpoint for more details.

issuer string

A case-sensitive https:// URL that uniquely identifies the IdP. This will be provided by the IdP.

client_id string

The OAuth2.0 client ID used to authenticate login attempts. This will be provided by the IdP.

client_secret string

The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided by the IdP.

authorization_url string

The location of the URL that starts an OAuth login at the IdP. This will be provided by the IdP.

token_url string

The location of the URL that issues OAuth2.0 access tokens and OIDC ID tokens. This will be provided by the IdP.

userinfo_url string

The location of the IDP's UserInfo Endpoint. This will be provided by the IdP.

jwks_url string

The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be provided by the IdP.

identity_provider string

Specifying a known provider allows Stytch to handle any provider-specific logic.

custom_scopes string

A space-separated list of custom scopes that will be requested on every SSOStart call. If set, this value will replace the default set of OIDC scopes requested: openid email profile. Additional scopes can be requested using the custom_scopes query parameter on individual SSOStart calls.

attribute_mapping object

An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values, which will appear on the member's Trusted Metadata.

external_connections array[Object]

The list of External Connections owned by this organization.

organization_id string

connection_id string

Globally unique UUID that identifies a specific External SSO Connection.

display_name string

A human-readable display name for the connection.

external_organization_id string

Globally unique UUID that identifies a different Organization within your Project.

external_connection_id string

Globally unique UUID that identifies a specific SSO connection configured for a different Organization in your Project.

external_connection_implicit_role_assignments array[object]

All Members who log in with this External connection will implicitly receive the specified Roles. See the RBAC guide for more information about role assignment. Implicit role assignments are not supported for External connections if the underlying SSO connection is an OIDC connection.

role_id string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

external_group_implicit_role_assignments array[object]

Defines the names of the groups that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and belongs to the specified group, they will be granted the associated Role. See the RBAC guide for more information about role assignment.

group string

The name of the group that grants the specified role assignment.

role_id string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.

Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

status string

The status of the connection. External connections are always active.

One-Time Passcodes

Time-Based One-Time Passcodes

Recovery Codes

Get SSO Connections

Response fields