Single Sign-On

Log in users using an external SAML identity provider (IDP). B2B apps can use this to allow their business customers or partners to provide SSO login for their members (see Organizations).

Servers
Sandbox environment
https://api.sbx.transmitsecurity.io/cis/
Production environment (US)
https://api.transmitsecurity.io/cis/
Production environment (EU)
https://api.eu.transmitsecurity.io/cis/
Production environment (CA)
https://api.ca.transmitsecurity.io/cis/
Production environment (AU)
https://api.au.transmitsecurity.io/cis/

Start SSO

Request

Initiates an SSO login flow with an external identity provider (IDP). This results in a POST redirect to the IDP configured for the organization, which is determined based on the domain of the user's email address. Once the IDP authenticates the user, it will redirect back to the app with the authentication response so the app can complete the SSO flow.

Note:

  • If the user isn't a member of an organization configured for SSO, an error is returned.
  • If public sign-ups are enabled for the app, new users will be added to the app upon login.

Query
client_id string required

Client ID

email string required

User's email address

redirect_uri string required

The client's pre-listed redirect URI

org_id string

Organization ID, used for member login in B2B scenarios

curl -i -X GET \
  'https://api.sbx.transmitsecurity.io/cis/v1/auth/sso/start?client_id=string&email=string&redirect_uri=string&org_id=string'

Responses

POST redirect to the IDP with an SSO request

Start SAML SSO (Deprecated)

Request

Initiates an SSO login flow with a SAML identity provider (IDP). This results in a POST redirect to the SAML IDP configured for the organization, which is determined based on the domain of the user's email address. Once the SAML IDP authenticates the user, it will redirect back to the app with the SAML response so the app can complete the SSO flow.

Note:

  • If the user isn't a member of an organization configured for SAML SSO, an error is returned.
  • If public sign-ups are enabled for the app, new users will be added to the app upon login.

Query
client_id string required

Client ID

email string required

User's email address

org_id string

Organization ID, used for member login in B2B scenarios

curl -i -X GET \
  'https://api.sbx.transmitsecurity.io/cis/v1/auth/sso/saml/start?client_id=string&email=string&org_id=string'

Responses

POST redirect to the SAML IDP with a SAML request

Complete SAML SSO (Deprecated)

Request

Completes the SSO login using the SAML response received directly from the SAML IDP (via your ACS URL). If the user is authenticated and the SAML response is valid, Transmit will redirect to your redirect URI with a code that can be exchanged for a user token. If not, this API returns an error.

This should be called from the backend, using a client access token.

Body application/json required
SAMLResponse string required

SAML response from the SAML IDP

RelayState string

RelayState returned with the SAML response (only for SP-initiated flows). It's an opaque identifier used to maintain the state of the user session.

organization_id string required

Organization ID. This can be part of your app's ACS URL path.

redirect_uri string required

URI to redirect to upon completing the SSO login. This is the server GET endpoint used to call the token endpoint, and should accept code as a query parameter. This URI must also be configured as an allowed redirect URI for this client.

curl -i -X POST \
  https://api.sbx.transmitsecurity.io/cis/v1/auth/sso/saml/complete \
  -H 'Authorization: Bearer <CLIENT_ACCESS_TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "SAMLResponse": "string",
    "RelayState": "string",
    "organization_id": "string",
    "redirect_uri": "string"
  }'

Responses

Body application/json
result string read-only required

URI used to complete the flow. Sending a GET request to this URI will redirect the browser to your redirect URI with a code to exchange for user tokens.

Response
application/json
{ "result": "string" }
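
The following backend helper is an added example, not code from Transmit Security. It builds the Start SSO URL with every query value percent-encoded, and turns the IDP's POST to the ACS URL into the request for the deprecated Complete SAML SSO endpoint. The ACS route /sso/acs/<org_id>, the allowlisted redirect URI and the Bearer authorization scheme are assumptions.

```python
import json
import re
from urllib.parse import urlencode

BASE = "https://api.sbx.transmitsecurity.io/cis"  # sandbox server from this page
ALLOWED_REDIRECTS = {"https://app.example.com/sso/callback"}  # constructed value
ACS_PATH = re.compile(r"^/sso/acs/(?P<org>[A-Za-z0-9_-]{1,64})$")  # assumed ACS route


def _check_redirect(redirect_uri):
    # Exact match only: prefix or substring checks would accept look-alike URIs.
    if redirect_uri not in ALLOWED_REDIRECTS:
        raise ValueError("redirect_uri is not pre-registered for this client")


def build_start_url(client_id, email, redirect_uri, org_id=None):
    """Return the GET URL for /v1/auth/sso/start with all values percent-encoded."""
    _check_redirect(redirect_uri)
    params = {"client_id": client_id, "email": email, "redirect_uri": redirect_uri}
    if org_id:  # optional, used for member login in B2B scenarios
        params["org_id"] = org_id
    return f"{BASE}/v1/auth/sso/start?{urlencode(params)}"


def build_complete_request(acs_path, form, redirect_uri, access_token):
    """Map the IDP's POST to the ACS URL onto the backend call to saml/complete."""
    match = ACS_PATH.match(acs_path)
    if not match:
        raise ValueError("unexpected ACS path")
    if not form.get("SAMLResponse"):
        raise ValueError("SAMLResponse missing from IDP POST")
    _check_redirect(redirect_uri)
    body = {
        "SAMLResponse": form["SAMLResponse"],  # passed through unmodified
        "organization_id": match.group("org"),
        "redirect_uri": redirect_uri,
    }
    if form.get("RelayState"):  # only returned for SP-initiated flows
        body["RelayState"] = form["RelayState"]
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",  # assumed header scheme
    }
    return f"{BASE}/v1/auth/sso/saml/complete", headers, json.dumps(body)
```

The returned tuple can be passed to any HTTP client; the `result` URI in the response is then sent to the browser so it lands on the redirect URI with the code.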