The Frontegg Single Sign-On (Team) API manages SAML and OIDC SSO configurations, IdP metadata, JIT provisioning, enterprise connections, and domain claims. Frontegg ships with 5 Enterprise Connections included on the free Pay As You Go tier.
openapi: 3.0.0
paths:
/resources/sso/v1/saml/configurations/vendor-config:
get:
operationId: SamlControllerV1_getVendorSamlConfig
summary: Get Vendor's SAML Config
description: 'Retrieve the environment’s SAML configuration.
Returns the current SAML identity provider settings configured for the environment.'
parameters: []
responses:
'200':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/VendorSamlConfigurationResponse'
tags:
- SAML Configurations
/resources/sso/v1/saml/configurations/sp-certificate:
get:
operationId: SamlControllerV1_getSpCertificate
summary: Get Service Provider Certificate
description: Retrieve the service provider (SP) certificate used for SAML authentication.
parameters: []
responses:
'200':
description: ''
tags:
- SAML Configurations
/resources/sso/v1/saml/configurations/sp-metadata:
get:
operationId: SamlControllerV1_getSpMetadata
summary: Get Service Provider Metadata
description: Retrieve the service provider metadata for a specific account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Settings
/resources/sso/v1/configurations:
post:
operationId: SsoConfigurationControllerV1_createSsoConfiguration
summary: Create SSO Configuration
description: Create a new Single Sign-On (SSO) configuration for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSSOConfigurationRequestDto'
responses:
'201':
description: ''
tags:
- SSO Configurations
get:
operationId: SsoConfigurationControllerV1_getSsoConfigurations
summary: Get SSO Configurations
description: Retrieve Single Sign-On (SSO) configurations for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}:
delete:
operationId: SsoConfigurationControllerV1_deleteSsoConfiguration
summary: Delete SSO Configuration
description: Delete Single Sign-On (SSO) configurations for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
patch:
operationId: SsoConfigurationControllerV1_updateSsoConfiguration
summary: Update SSO Configuration
description: Update SSO configuration
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSSOConfigurationRequestDto'
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/metadata:
post:
operationId: SsoConfigurationControllerV1_createSsoConfigurationByMetadata
summary: Create SSO Configuration Using Metadata
description: Create a Single Sign-On (SSO) configuration using identity provider metadata for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateSSOConfigurationByMetadataRequestDto'
responses:
'201':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}/metadata:
put:
operationId: SsoConfigurationControllerV1_updateSsoConfigurationByMetadata
summary: Update SSO Configuration Using Metadata
description: Update a Single Sign-On (SSO) configuration using identity provider metadata for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateSSOConfigurationByMetadataRequestDto'
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}/domains:
post:
operationId: SsoDomainControllerV1_createSsoDomain
summary: Create SSO Domain
description: Add a domain to a Single Sign-On (SSO) configuration for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSSODomainRequestDto'
responses:
'201':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}/domains/{domainId}:
delete:
operationId: SsoDomainControllerV1_deleteSsoDomain
summary: Delete SSO Domain
description: Remove a domain from a Single Sign-On (SSO) configuration for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
- name: domainId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}/domains/{domainId}/validate/email:
put:
operationId: SsoDomainControllerV1_validateSsoDomainByEmail
summary: Validate SSO Domain by Email
description: Validate a domain in a Single Sign-On (SSO) configuration using the user's email domain.
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
- name: domainId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v2/configurations/{configurationId}/domains/{domainId}/validate:
put:
operationId: SsoDomainControllerV2_validateSsoDomain
summary: Validate SSO Domain
description: Validate a domain in a Single Sign-On (SSO) configuration for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
- name: domainId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}/roles:
put:
operationId: SsoRolesControllerV1_setSsoDefaultRoles
summary: Set SSO Default Roles
description: Set default roles assigned to users authenticated through Single Sign-On (SSO) for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SetSSODefaultRoles'
responses:
'201':
description: ''
tags:
- SSO Configurations
get:
operationId: SsoRolesControllerV1_getSsoDefaultRoles
summary: Get SSO Default Roles
description: Retrieve default roles assigned to users authenticated through Single Sign-On (SSO) for the specified account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}/groups:
post:
operationId: SsoGroupsControllerV1_createSsoGroup
summary: Create an SSO Group
description: Create a new SSO group for user management and access control within the specified SSO configuration for the account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSSOGroupRequestDto'
responses:
'201':
description: ''
tags:
- SSO Configurations
get:
operationId: SsoGroupsControllerV1_getSsoGroup
summary: Get SSO Group
description: Retrieve an SSO group from the specified SSO configuration for the account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/{configurationId}/groups/{groupId}:
patch:
operationId: SsoGroupsControllerV1_updateSsoGroup
summary: Update SSO Group
description: Update an existing SSO group within the specified SSO configuration for the account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
- name: groupId
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateSSOGroupRequestDto'
responses:
'200':
description: ''
tags:
- SSO Configurations
delete:
operationId: SsoGroupsControllerV1_deleteSsoGroup
summary: Delete SSO Group
description: Delete an existing SSO group from the specified SSO configuration for the account (tenant).
parameters:
- name: frontegg-tenant-id
in: header
description: The account (tenant) ID identifier
required: true
schema:
type: string
- name: configurationId
required: true
in: path
schema:
type: string
- name: groupId
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/configurations/excluded-emails:
post:
operationId: ExcludeEmailsFromSSOV1_excludeSSOEmail
summary: Exclude Email From SSO
description: 'Exclude an email address from SSO enforcement.
Provide the email address to exclude in the request body.'
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ExcludeEmailFromSSORequestDto'
responses:
'201':
description: ''
tags:
- SSO Settings
get:
operationId: ExcludeEmailsFromSSOV1_getSSOExcludedEmails
summary: Get SSO Excluded Emails
description: Retrieve the list of email addresses excluded from SSO enforcement.
parameters: []
responses:
'200':
description: ''
tags:
- SSO Settings
/resources/sso/v1/configurations/excluded-emails/{email}:
delete:
operationId: ExcludeEmailsFromSSOV1_deleteSSOExcludedEmail
summary: Delete SSO Excluded Email
description: Remove an email address from the list of SSO-excluded emails.
parameters:
- name: email
required: true
in: path
schema:
type: string
responses:
'200':
description: ''
tags:
- SSO Settings
/resources/sso/v1/configurations/domains/{domain}/force-validate:
put:
operationId: VendorOnlySsoConfigurationControllerV1_forceSsoDomainValidation
summary: Vendor Only - Force SSO Domain Validation
description: Force domain validation for SSO configuration in the environment.
parameters:
- name: domain
required: true
in: path
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ForceValidateDomainRequestDto'
responses:
'200':
description: ''
tags:
- SSO Settings
/resources/sso/v1/configurations/multiple-sso-per-domain:
get:
operationId: SsoPerTenantControllerV1_getSSOPerTenantConfig
summary: Get SSO per Account (tenant) Configuration
description: Retrieve the SSO configuration for a specific account (tenant).
parameters: []
responses:
'200':
description: ''
tags:
- SSO Settings
put:
operationId: SsoPerTenantControllerV1_createOrUpdateSSOPerTenantConfig
summary: Create or Update SSO per Account (tenant) Configuration
description: Create or update the SSO configuration for a specific account (tenant).
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSSOPerTenantConfigRequest'
responses:
'201':
description: ''
tags:
- SSO Settings
/resources/sso/v1/configurations/domains:
put:
operationId: SSODomainsConfigurationControllerV1_createOrUpdateSSODomainsConfiguration
summary: Create or Update SSO Domains Configuration
description: Create or update the SSO domains configuration for the account (tenant).
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSSODomainConfigurationRequest'
responses:
'201':
description: ''
tags:
- SSO Configurations
get:
operationId: SSODomainsConfigurationControllerV1_getSSODomainsConfiguration
summary: Get SSO Domains Configuration
description: Retrieve the SSO domains configuration for the account (tenant).
parameters: []
responses:
'200':
description: ''
tags:
- SSO Configurations
/resources/sso/v1/oidc/configurations:
get:
operationId: OidcControllerV1_getOidcConifguration
summary: Get OIDC Configuration
description: Retrieve the OpenID Connect (OIDC) configuration for the environment.
parameters: []
responses:
'201':
description: ''
content:
application/json:
schema:
$ref: '#/components/schemas/ConfigureOidcResponse'
tags:
- OIDC Configurations
post:
operationId: OidcControllerV1_configureOidc
summary: Configure OIDC
description: Configure or update an OpenID Connect (OIDC) identity provider for the environment.
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ConfigureOidcRequest'
responses:
'201':
description: ''
tags:
- SSO Settings
info:
title: Single Sign-On Overview
description: 'Frontegg’s Single Sign-On (SSO) enables users to sign in using their existing credentials, removing the need to create new usernames and passwords specifically for your application.
Our SSO solution supports two popular protocols: SAML and OpenID Connect (OIDC). These protocols facilitate user authentication across multiple applications and can be configured via Frontegg’s Management Portal or the Self-Service menu within your application.
This section lists all relevant API endpoints, organized into Management and Self-Service categories:
**Management Endpoints**: Require environment-level authorization and provide comprehensive control over SSO (SAML and OIDC) resources.
<br>
**Self-Service Endpoints**: Accessible with a user token (JWT), allowing users with appropriate permissions to create, update, and delete SSO connections on their accounts.'
version: '1.0'
servers:
- url: https://api.frontegg.com/team
description: EU Region
- url: https://api.us.frontegg.com/team
description: US Region
- url: https://api.ca.frontegg.com/team
description: CA Region
- url: https://api.au.frontegg.com/team
description: AU Region
- url: https://{domain}.frontegg.com/team
description: Frontegg sub-domain for use with user tokens
variables:
domain:
default: app-xxx
components:
securitySchemes:
bearer:
scheme: bearer
bearerFormat: JWT
type: http
schemas:
VendorSamlConfigurationResponse:
type: object
properties: {}
CreateSSOConfigurationRequestDto:
type: object
properties:
enabled:
type: boolean
ssoEndpoint:
type: string
publicCertificate:
type: string
signRequest:
type: boolean
acsUrl:
type: string
spEntityId:
type: string
type:
type: string
oidcClientId:
type: string
oidcSecret:
type: string
configMetadata:
type: object
overrideActiveTenant:
type: boolean
subAccountAccessLimit:
type: number
idpClientId:
type: string
description: SSO app client ID used to authenticate group fetch requests
idpClientSecret:
type: string
description: SSO app client secret used with the client ID for authentication
required:
- enabled
- ssoEndpoint
- publicCertificate
- signRequest
- acsUrl
- spEntityId
- type
- oidcClientId
- oidcSecret
- configMetadata
- overrideActiveTenant
- subAccountAccessLimit
- idpClientId
- idpClientSecret
UpdateSSOConfigurationByMetadataRequestDto:
type: object
properties:
metadata:
type: string
required:
- metadata
CreateSSODomainRequestDto:
type: object
properties: {}
SetSSODefaultRoles:
type: object
properties:
roleIds:
type: array
items:
type: string
required:
- roleIds
CreateSSOGroupRequestDto:
type: object
properties:
group:
type: string
roleIds:
type: array
items:
type: string
required:
- group
- roleIds
UpdateSSOGroupRequestDto:
type: object
properties:
group:
type: string
roleIds:
type: array
items:
type: string
required:
- group
- roleIds
ExcludeEmailFromSSORequestDto:
type: object
properties:
email:
type: string
required:
- email
ForceValidateDomainRequestDto:
type: object
properties: {}
CreateSSOPerTenantConfigRequest:
type: object
properties:
unspecifiedTenantStrategy:
type: string
active:
type: boolean
useActiveTenant:
type: boolean
required:
- unspecifiedTenantStrategy
- active
- useActiveTenant
CreateSSODomainConfigurationRequest:
type: object
properties:
allowVerifiedUsersToAddDomains:
type: boolean
skipDomainVerification:
type: boolean
bypassDomainCrossValidation:
type: boolean
required:
- allowVerifiedUsersToAddDomains
- skipDomainVerification
- bypassDomainCrossValidation
ConfigureOidcResponse:
type: object
properties: {}
ConfigureOidcRequest:
type: object
properties:
active:
type: boolean
redirectUri:
type: string
description: Redirect URI that the user will be redirected. Should match the redirect URI you set on your application. Leave it empty if you didn't change it on your application
required:
- active
x-tagGroups:
- name: Management
tags:
- SSO settings
- name: Self-Service
tags:
- SAML configurations
- OIDC configurations
- SSO configurations