Settings - SSO Configuration
SSO and SCIM configuration for the organization.
Get SSO Configuration
Retrieve the current tenant's SSO configuration (mode, SAML, OIDC, attribute and role mappings). The encrypted OIDC client secret is redacted in the response. Returns 404 if no SSO configuration exists.
Create or Update SSO Configuration
Create or update the tenant's SSO configuration. SSO_ENFORCED mode requires a successful dry-run within the last 24 hours.
Delete SSO Configuration
Permanently remove the tenant's SSO configuration and emit an audit event recording the change. Returns 404 if no SSO configuration exists.
Get SSO Public Slug
Return the tenant's public SSO login slug that users type in the SSO login box. Falls back to the client ID when no custom slug has been configured.
Update SSO Login Slug
Set a human-readable slug (e.g. 'hazent.com') that users type in the SSO login box. The slug must be globally unique across all tenants.
Validate SSO Configuration (Dry-Run)
Validate SAML or OIDC configuration without persisting. On success, sets last_dry_run_at.
Parse IdP SAML metadata
Parse IdP metadata (fetched from a URL or pasted as XML) and return a suggested SAML configuration block. Exactly one of 'url' or 'xml' must be provided. Nothing is persisted.
Stage or Rotate IdP Certificate
Stage a new IdP certificate for a dual-cert acceptance window (rotate_now=false, the default), or immediately promote it to primary (rotate_now=true). During the staging window both idp_x509_cert and idp_x509_cert_next are accepted for SAML signature validation, allowing zero-downtime IdP certificate rotation.
Promote Staged IdP Certificate
Promote a previously staged idp_x509_cert_next to primary (idp_x509_cert), clearing the staging slot. This completes the dual-cert rotation window.
Rotate OIDC Client Secret Encryption
Decrypt and re-encrypt the stored OIDC client secret with fresh key material, emitting an audit event. Returns 404 if no OIDC configuration exists and 400 if no encrypted secret is stored.
Get SSO Migration Status
Return migration statistics: current mode, user counts, last dry-run timestamp.
List SCIM Tokens
List all SCIM bearer tokens for the tenant (prefix only, secret redacted).
Create SCIM Token
Create a new SCIM bearer token. The plaintext token is returned ONCE.
Rotate SCIM Token
Generate a new SCIM token while keeping the old one valid for a 7-day overlap window. The new plaintext token is returned ONCE.
Delete SCIM Token
Permanently revoke a SCIM bearer token by its ID. Only tokens belonging to the authenticated tenant can be deleted; returns 404 if the token is not found.