Settings - SSO Configuration
SSO and SCIM configuration for the organization.
📄️ Get SSO Configuration
Retrieve the current tenant's SSO configuration (mode, SAML, OIDC, attribute and role mappings). The encrypted OIDC client secret is redacted in the response. Returns 404 if no SSO configuration exists.
📄️ Create or Update SSO Configuration
Create or update the tenant's SSO configuration. SSO_ENFORCED mode requires a successful dry-run within the last 24 hours.
📄️ Delete SSO Configuration
Permanently remove the tenant's SSO configuration and emit an audit event recording the change. Returns 404 if no SSO configuration exists.
📄️ Get SSO Public Slug
Return the tenant's public SSO login slug that users type in the SSO login box. Falls back to the client ID when no custom slug has been configured.
📄️ Update SSO Login Slug
Set a human-readable slug (e.g. 'hazent.com') that users type in the SSO login box. The slug must be globally unique across all tenants.
📄️ Validate SSO Configuration (Dry-Run)
Validate SAML or OIDC configuration without persisting. On success, sets last_dry_run_at.
📄️ Parse IdP SAML Metadata
Parse IdP metadata (fetched from a URL or pasted as XML) and return a suggested SAML configuration block. Exactly one of 'url' or 'xml' must be provided. Nothing is persisted.
📄️ Stage or Rotate IdP Certificate
Stage a new IdP certificate for a dual-cert acceptance window (rotate_now=false, the default), or immediately promote it to primary (rotate_now=true). During the staging window, both idp_x509_cert and idp_x509_cert_next are accepted for SAML signature validation, allowing zero-downtime IdP certificate rotation.
📄️ Promote Staged IdP Certificate
Promote a previously staged idp_x509_cert_next to primary (idp_x509_cert), clearing the staging slot. This completes the dual-cert rotation window.
📄️ Rotate OIDC Client Secret Encryption
Decrypt and re-encrypt the stored OIDC client secret with fresh key material, emitting an audit event. Returns 404 if no OIDC configuration exists and 400 if no encrypted secret is stored.
📄️ Get SSO Migration Status
Return migration statistics: current mode, user counts, and last dry-run timestamp.
📄️ List SCIM Tokens
List all SCIM bearer tokens for the tenant (prefix only, secret redacted).
📄️ Create SCIM Token
Create a new SCIM bearer token. The plaintext token is returned ONCE.
📄️ Rotate SCIM Token
Generate a new SCIM token while keeping the old one valid for a 7-day overlap window. The new plaintext token is returned ONCE.
📄️ Delete SCIM Token
Permanently revoke a SCIM bearer token by its ID. Only tokens belonging to the authenticated tenant can be deleted; returns 404 if the token is not found.