# Single Sign-On

Log in users with an external SAML identity provider (IDP). B2B apps can use this to let their business customers or partners provide SSO login for their members (see [Organizations](/openapi/user/organizations.openapi.json)).


## Servers

Sandbox environment
```
https://api.sbx.transmitsecurity.io/cis
```

Production environment (US)
```
https://api.transmitsecurity.io/cis
```

Production environment (EU)
```
https://api.eu.transmitsecurity.io/cis
```

Production environment (CA)
```
https://api.ca.transmitsecurity.io/cis
```

Production environment (AU)
```
https://api.au.transmitsecurity.io/cis
```

## Security

### bearer

Type: http
Scheme: bearer
Bearer Format: JWT

### UserAccessToken

A token returned upon end-user authentication, which provides access to resources and data for the user and app for which it was generated.

Type: http
Scheme: bearer
Bearer Format: JWT

### AdminAccessToken

A token generated by a management application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to all resources for the tenant and its apps.

Type: oauth2

### ClientAccessToken

A token generated by an end-user application using the [token endpoint](/openapi/token.openapi/other/getaccesstoken). It provides access to resources and data on the tenant level or associated with the specific application (but not other apps in the tenant).

Type: oauth2

### OrgAdminAccessToken

A token returned upon B2B authentication for a user that has the organizationAdmin or organizationCreator role.

Type: oauth2

## Download OpenAPI description

[Single Sign-On](https://developer.transmitsecurity.com/_bundle/openapi/user/sso.openapi.yaml)

## Other

### Start SSO

 - [GET /v1/auth/sso/start](https://developer.transmitsecurity.com/openapi/user/sso.openapi/other/startssologin.md): Initiates an SSO login flow with an external identity provider (IDP). This results in a POST redirect to the IDP configured for the organization, which is determined based on the domain of the user's email address. Once the IDP authenticates the user, it will redirect back to the app with the authentication response so the app can complete the SSO flow. Note: If the user isn't a member of an organization configured for SSO, an error is returned. If public sign-ups are enabled for the app, new users will be added to the app upon login.

### Start SAML SSO (deprecated)

 - [GET /v1/auth/sso/saml/start](https://developer.transmitsecurity.com/openapi/user/sso.openapi/other/startsamllogin.md): Initiates an SSO login flow with a SAML identity provider (IDP). This results in a POST redirect to the SAML IDP configured for the organization, which is determined based on the domain of the user's email address. Once the SAML IDP authenticates the user, it will redirect back to the app with the SAML response so the app can complete the SSO flow. Note: If the user isn't a member of an organization configured for SAML SSO, an error is returned. If public sign-ups are enabled for the app, new users will be added to the app upon login.

### Complete SAML SSO (deprecated)

 - [POST /v1/auth/sso/saml/complete](https://developer.transmitsecurity.com/openapi/user/sso.openapi/other/completesamllogin.md): Completes the SSO login using the SAML response received directly from the SAML IDP (via your ACS URL). If the user is authenticated and the SAML response is valid, Transmit will redirect to your redirect URI with a code that can be exchanged for a user token. If not, this API returns an error. This endpoint should be called from your backend, using a client access token.

