createOrgSso

POST https://{{host}}/api/v1/orgs/:org_id/ssos

Body Parameters

| Name | Type | Description |
| --- | --- | --- |
| name | string | name |
| issuer | string | IDP issuer URL |
| idp_cert | string | IDP Cert (used to verify the signed response) |
| idp_sso_url | string | IDP Single-Sign-On URL |
| idp_sign_algo | string | signing algorithm for SAML Assertion |
| nameid_format | string | email (default) / unspecified |
| ignore_unmatched_roles | boolean | ignore any unmatched roles provided in the assertion. By default, an assertion is treated as invalid for any unmatched role |
| default_role | string | default role to assign if there is no match. By default, an assertion is treated as invalid when no role is matched |
| role_attr_from | string | optional, name of the attribute in the SAML Assertion to extract the role from (defaults to Role) |
| role_attr_extraction | string | optional, user-defined role parsing scheme. See Supported Role Parsing Schemes |
| custom_logout_url | string | optional, a URL we will redirect the user to after the user logs out from Mist (for some IdPs which support a custom logout URL that is different from the SP-initiated SLO process) |

Supported Role Parsing Schemes

Name: cn

Scheme:

  • The expected role attribute format in the SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”

  • CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)

  • E.g. if the role attribute is “CN=cn,OU=ou1,OU=ou2” then the parsed role value is “cn”
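The following Python example is added here to make the cn parsing scheme and the ignore_unmatched_roles / default_role rules concrete; it is not Mist's own code, and the function names, the role set and the sample attribute values are constructed for illustration.

```python
def parse_cn_role(entry: str):
    """Apply the 'cn' scheme to one role attribute value.

    Expected format is "CN=cn,OU=ou1,OU=ou2,...". The CN key is matched
    case-insensitively and exactly one CN must be present; otherwise the
    whole entry is ignored and None is returned.
    """
    cns = []
    for part in entry.split(","):
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            cns.append(value.strip())
    return cns[0] if len(cns) == 1 else None


def resolve_roles(attr_values, known_roles, ignore_unmatched_roles=False,
                  default_role=None):
    """Map the parsed role values onto the org's known roles.

    Returns the list of matched roles, or None when the assertion must be
    treated as invalid under the documented defaults:
      - any unmatched role invalidates it unless ignore_unmatched_roles is set
      - no matched role invalidates it unless a default_role is configured
    """
    matched, unmatched = [], []
    for entry in attr_values:
        role = parse_cn_role(entry)
        if role is None:
            continue  # malformed under the cn scheme: entry ignored entirely
        (matched if role in known_roles else unmatched).append(role)
    if unmatched and not ignore_unmatched_roles:
        return None
    if not matched:
        return [default_role] if default_role is not None else None
    return matched


# Constructed sample: roles configured in the org and the Role attribute
# values carried by one assertion (one is lowercase "cn", one has no CN,
# one has two CNs and is therefore ignored).
KNOWN_ROLES = {"admin", "helpdesk"}
SAMPLE_ROLE_ATTR = ["CN=admin,OU=it,OU=corp", "cn=guest,OU=ext",
                    "OU=noCN", "CN=a,CN=b,OU=x"]

if __name__ == "__main__":
    print(resolve_roles(SAMPLE_ROLE_ATTR, KNOWN_ROLES))
    print(resolve_roles(SAMPLE_ROLE_ATTR, KNOWN_ROLES,
                        ignore_unmatched_roles=True))
```

With the defaults the sample assertion is rejected because "guest" is unmatched; with ignore_unmatched_roles set it resolves to ["admin"].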

Request Body

{
  "name": "onelogin",
  "idp_type": "saml",
  "issuer": "https://app.onelogin.com/saml/metadata/138130",
  "idp_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
  "idp_sign_algo": "sha256",
  "idp_sso_url": "https://yourorg.onelogin.com/trust/saml2/http-post/sso/138130",
  "nameid_format": "email",
  "custom_logout_url": "https://6.4.5.7/saml/idp/SingleLogoutService.php?param1=value1",
  "ldap_type": "azure",
  "ldap_server_hosts": ["hostname", "63.1.3.5"],
  "ldap_base_dn": "DC=abc,DC=com",
  "ldap_bind_dn": "CN=nas,CN=users,DC=abc,DC=com",
  "ldap_bind_password": "credential_for_nas",
  "ldap_cacerts": [
    "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\nBhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMSwwKgYDVn-----END CERTIFICATE-----"
  ],
  "ldap_client_cert": "-----BEGIN CERTIFICATE-----\nMIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE\n-----END CERTIFICATE-----",
  "ldap_client_key": "-----BEGIN PRI...",
  "ldap_resolve_groups": false,
  "oauth_type": "azure",
  "oauth_tenant_id": "1e6ae660-b7d3-4a6c-9efd-1fa606fc7304",
  "oauth_cc_client_id": "e60da615-7def-4c5a-8196-43675f45e174",
  "oauth_cc_client_secret": "akL8Q~5kWFMVFYl4TFZ3fi~7cMdyDONi6cj01cpH",
  "oauth_ropc_client_id": "9ce04c97-b5b1-4ec8-af17-f5ed42d2daf7",
  "oauth_ropc_client_secret": "blM9R~6kWFMVFYl4TFZ3fi~8cMdyDONi6cj01dqI",
  "scim_enabled": false,
  "scim_secret_token": "secret token",
  "mxedge_proxy": {
    "mxcluster_id": "572586b7-f97b-a22b-526c-8b97a3f609c4",
    "proxy_hosts": ["mxedge1.corp.com", "63.1.3.5"],
    "ssids": ["eduroam_test, eduroam_main"],
    "operator_name": "1dartmouth.edu",
    "auth_servers": [
      {"host": "1.2.3.4", "port": 1812, "secret": "testing123"},
      {"host": "radius.internal", "port": 1812, "secret": "testing123"}
    ],
    "acct_servers": [
      {"host": "1.2.3.4", "port": 1812, "secret": "testing123"}
    ]
  },
  "ignore_unmatched_roles": false,
  "default_role": null
}

HEADERS

| Key | Datatype | Required | Description |
| --- | --- | --- | --- |
| Accept | string | | |
| X-CSRFToken | string | | |
| Content-Type | string | | |