auth.group.sso.saml
The auth.group.sso.admin.saml namespace configures SAML 2.0 identity providers for
SSO connections.
This page documents the server-side helper API: auth.group.sso.saml.*.
Public RPC like api.auth.group.configureSaml only exists after your app exposes app-owned group SSO wrappers.
Use the connectionId returned by auth.group.sso.connection.create(...) when configuring
SAML.
Methods
| Method | Signature | Returns | Description |
|---|---|---|---|
| configure | (ctx, { connectionId, metadataXml?, metadataUrl?, domains?, signAuthnRequests?, attributeMapping?, sp? }) | { connectionId, groupId } | Configures SAML settings for a connection. Accepts a metadata URL or raw XML. |
| metadata | (ctx, { connectionId, entityId?, acsUrl?, sloUrl? }) | string | Returns the SP metadata XML for the connection via auth.group.sso.client.metadata(...). |
| validate | (ctx, connectionId) | { checks: [...] } | Validates that the SAML configuration is complete and the IdP metadata is parseable. Each check has its own ok field. |
Example
Configure with a metadata URL
await auth.group.sso.saml.configure(ctx, {
  connectionId,
  metadataUrl: "https://idp.acme.com/metadata.xml",
});

Configure with raw XML
await auth.group.sso.saml.configure(ctx, {
  connectionId,
  metadataXml: "<EntityDescriptor ...>...</EntityDescriptor>",
});

Get SP metadata
Provide this to the customer’s IdP admin so they can set up the trust:
const spMetadata = await auth.group.sso.client.metadata(ctx, { connectionId });
// Returns XML string — serve this at a public URL or provide for download

Validate configuration
const { checks } = await auth.group.sso.saml.validate(ctx, connectionId);
const failures = checks.filter((check) => !check.ok);
if (failures.length > 0) {
  console.error("SAML validation failed:", failures);
}
}
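
The following is an added example, not code from the library or from this page: a wrapper that rejects an ambiguous or non-HTTPS metadata source before calling configure, then runs validate and throws unless every check reports ok. The names checkMetadataSource and configureSamlStrict are hypothetical, auth is passed in as a parameter, and treating an empty checks list as a failure is a choice made by this example.

```javascript
// Added example (not library code). Method shapes follow the Methods table above.

// Returns a list of problems with the metadata source; an empty list means acceptable.
function checkMetadataSource({ metadataUrl, metadataXml }) {
  const hasUrl = typeof metadataUrl === "string" && metadataUrl.length > 0;
  const hasXml = typeof metadataXml === "string" && metadataXml.trim().length > 0;
  if (hasUrl === hasXml) {
    return ["provide exactly one of metadataUrl or metadataXml"];
  }
  const problems = [];
  if (hasUrl) {
    let url;
    try {
      url = new URL(metadataUrl);
    } catch {
      return ["metadataUrl is not a valid URL"];
    }
    // IdP metadata carries the signing certificate; plain HTTP lets it be altered in transit.
    if (url.protocol !== "https:") problems.push("metadataUrl must use https");
    if (url.username || url.password) problems.push("metadataUrl must not embed credentials");
  }
  return problems;
}

// Configure, then validate, and throw unless every check reports ok === true.
async function configureSamlStrict(auth, ctx, input) {
  const problems = checkMetadataSource(input);
  if (problems.length > 0) {
    throw new Error("Refusing to configure SAML: " + problems.join("; "));
  }
  const result = await auth.group.sso.saml.configure(ctx, input);
  const { checks } = await auth.group.sso.saml.validate(ctx, input.connectionId);
  // Fail closed: a missing or empty checks list is treated as a failure (example's choice).
  const failures = Array.isArray(checks) ? checks.filter((c) => c.ok !== true) : [];
  if (!Array.isArray(checks) || checks.length === 0 || failures.length > 0) {
    const err = new Error("SAML validation failed after configure");
    err.failures = failures;
    throw err;
  }
  return result; // { connectionId, groupId } as returned by configure
}
```

Call configureSamlStrict from the app-owned wrapper that exposes SAML setup, so a connection whose checks do not all pass is surfaced as an error instead of a logged warning.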