auth.group.sso.policy
The auth.group.sso.admin.policy namespace manages group SSO behavior for an SSO
connection. Use it to configure how OIDC and SAML account linking works, how
SCIM-provisioned users are reused, whether JIT membership is created on sign-in,
and how deprovisioning behaves.
This page documents the server-side helper API: `auth.group.sso.policy.*`. A public RPC such as `api.auth.group.updatePolicy` exists only after your app exposes app-owned group SSO wrappers.
This policy surface is deliberately small today. Keep connector mechanics in auth.group.sso.admin.oidc, auth.group.sso.admin.saml, and auth.group.sso.scim.admin, and keep broader tenant access rules in your
application until dedicated policy fields land.
Methods
| Method | Signature | Returns | Description |
|---|---|---|---|
| get | (ctx, connectionId) | EnterprisePolicy | Returns the canonical policy for a connection. |
| update | (ctx, connectionId, patch) | EnterprisePolicy | Applies a partial update and returns the new policy. |
| validate | (ctx, connectionId) | { checks: [...] } | Validates the policy document for a connection. Each check has its own ok field. |
Default policy
```js
const policy = await auth.group.sso.policy.get(ctx, connectionId);
policy.identity.accountLinking.oidc; // "verifiedEmail"
policy.identity.accountLinking.saml; // "verifiedEmail"
policy.provisioning.scimReuse.user; // "externalId"
policy.provisioning.jit.mode; // "createUserAndMembership"
policy.provisioning.jit.defaultRoleIds; // ["member"]
policy.provisioning.deprovision.mode; // "soft"
```
Example
```js
await auth.group.sso.policy.update(ctx, connectionId, {
  identity: {
    accountLinking: {
      saml: "none",
    },
  },
  provisioning: {
    jit: {
      mode: "createUser",
      defaultRoleIds: ["member"],
    },
    deprovision: {
      mode: "hard",
    },
  },
});
```
What belongs here
- account linking behavior
- SCIM user reuse behavior
- JIT provisioning behavior
- deprovision behavior
Not first-class yet:
- allowed auth methods
- role or group mapping
- domain restrictions
- session or token policy
Connector settings such as OIDC issuer URLs, client secrets, SAML metadata, and
SCIM bearer tokens remain in their respective auth.group.sso.admin.oidc, auth.group.sso.admin.saml, and auth.group.sso.scim.admin configuration APIs.
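Because update applies a partial patch and validate reports a separate ok field per check, a caller can combine the two into a fail-closed change procedure. The following is an added example, not code from the project: it records which fields a patch changed and restores the previous document if any validate check fails. The in-memory fakePolicyApi, its merge rule and its single check are assumptions standing in for the real auth.group.sso.policy namespace.

```javascript
// Added example (not the project's code): diff a policy change for audit and roll it
// back when validate() fails. fakePolicyApi is a constructed stand-in with assumed rules.
const DEFAULT_POLICY = {
  identity: { accountLinking: { oidc: "verifiedEmail", saml: "verifiedEmail" } },
  provisioning: {
    scimReuse: { user: "externalId" },
    jit: { mode: "createUserAndMembership", defaultRoleIds: ["member"] },
    deprovision: { mode: "soft" },
  },
};
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
// Partial update: nested objects merge, scalars and arrays are replaced whole.
function mergePatch(base, patch) {
  const out = { ...base };
  for (const [k, v] of Object.entries(patch)) {
    out[k] = isObj(v) && isObj(base[k]) ? mergePatch(base[k], v) : v;
  }
  return out;
}
// "path: before -> after" for every leaf that differs (arrays compared whole).
function diffPolicy(before, after, prefix = "") {
  return Object.keys(after).flatMap((k) => {
    const path = prefix ? `${prefix}.${k}` : k;
    if (isObj(after[k])) return diffPolicy(before[k] ?? {}, after[k], path);
    const a = JSON.stringify(before[k]), b = JSON.stringify(after[k]);
    return a === b ? [] : [`${path}: ${a} -> ${b}`];
  });
}
// Constructed in-memory stand-in for the namespace (one document per connectionId).
function fakePolicyApi() {
  const store = new Map();
  const get = async (_ctx, id) => store.get(id) ?? DEFAULT_POLICY;
  const update = async (ctx, id, patch) => store.set(id, mergePatch(await get(ctx, id), patch)).get(id);
  const validate = async (ctx, id) => {
    const jit = (await get(ctx, id)).provisioning.jit; // assumed check: membership JIT needs a role
    const ok = jit.mode !== "createUserAndMembership" || jit.defaultRoleIds.length > 0;
    return { checks: [{ name: "jit.defaultRoleIds", ok }] };
  };
  return { get, update, validate };
}
// Apply, validate, and fail closed: restore the previous document on any failed check.
async function applyPolicyChecked(api, ctx, connectionId, patch) {
  const before = await api.get(ctx, connectionId);
  const after = await api.update(ctx, connectionId, patch);
  const failed = (await api.validate(ctx, connectionId)).checks.filter((c) => !c.ok).map((c) => c.name);
  if (failed.length > 0) await api.update(ctx, connectionId, before); // whole document restores it
  return { ok: failed.length === 0, failed, changes: failed.length ? [] : diffPolicy(before, after) };
}
```

The returned changes list is what you would write to an audit log; a rejected patch leaves the stored document exactly as it was before the call.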