# SSO Configurations ## CreateSSOConfiguration `client.Organizations.SSOConfigurations.New(ctx, body) (*OrganizationSSOConfigurationNewResponse, error)` **post** `/gitpod.v1.OrganizationService/CreateSSOConfiguration` Creates or updates SSO configuration for organizational authentication. Use this method to: - Configure OIDC-based SSO providers - Set up built-in providers (Google, GitHub, etc.) - Define custom identity providers - Manage authentication policies ### Examples - Configure built-in Google SSO: Sets up SSO using Google Workspace. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" clientId: "012345678-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com" clientSecret: "GOCSPX-abcdefghijklmnopqrstuvwxyz123456" issuerUrl: "https://accounts.google.com" emailDomain: "acme-corp.com" ``` - Configure custom OIDC provider: Sets up SSO with a custom identity provider. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" clientId: "acme-corp-gitpod" clientSecret: "secret-token-value" issuerUrl: "https://sso.acme-corp.com" emailDomain: "acme-corp.com" ``` ### Parameters - `body OrganizationSSOConfigurationNewParams` - `ClientID param.Field[string]` client_id is the client ID of the OIDC application set on the IdP - `ClientSecret param.Field[string]` client_secret is the client secret of the OIDC application set on the IdP - `IssuerURL param.Field[string]` issuer_url is the URL of the IdP issuer - `OrganizationID param.Field[string]` - `AdditionalScopes param.Field[[]string]` additional_scopes are extra OIDC scopes to request from the identity provider during sign-in. These are appended to the default scopes (openid, email, profile). - `ClaimsExpression param.Field[string]` claims_expression is an optional CEL expression evaluated against OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `DisplayName param.Field[string]` - `EmailDomain param.Field[string]` email_domain is the domain that is allowed to sign in to the organization - `EmailDomains param.Field[[]string]` ### Returns - `type OrganizationSSOConfigurationNewResponse struct{…}` - `SSOConfiguration SSOConfiguration` sso_configuration is the created SSO configuration - `ID string` id is the unique identifier of the SSO configuration - `IssuerURL string` issuer_url is the URL of the IdP issuer - `OrganizationID string` - `ProviderType ProviderType` provider_type defines the type of the SSO configuration - `const ProviderTypeUnspecified ProviderType = "PROVIDER_TYPE_UNSPECIFIED"` - `const ProviderTypeBuiltin ProviderType = "PROVIDER_TYPE_BUILTIN"` - `const ProviderTypeCustom ProviderType = "PROVIDER_TYPE_CUSTOM"` - `State SSOConfigurationState` state is the state of the SSO configuration - `const SSOConfigurationStateUnspecified SSOConfigurationState = "SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `const SSOConfigurationStateInactive SSOConfigurationState = "SSO_CONFIGURATION_STATE_INACTIVE"` - `const SSOConfigurationStateActive SSOConfigurationState = "SSO_CONFIGURATION_STATE_ACTIVE"` - `AdditionalScopes []string` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `Claims map[string, string]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `ClaimsExpression string` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `ClientID string` client_id is the client ID of the OIDC application set on the IdP - `DisplayName string` - `EmailDomain string` - `EmailDomains []string` ### Example ```go package main import ( "context" "fmt" "github.com/gitpod-io/gitpod-sdk-go" "github.com/gitpod-io/gitpod-sdk-go/option" ) func main() { client := gitpod.NewClient( option.WithBearerToken("My Bearer Token"), ) ssoConfiguration, err := client.Organizations.SSOConfigurations.New(context.TODO(), gitpod.OrganizationSSOConfigurationNewParams{ ClientID: gitpod.F("012345678-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com"), ClientSecret: gitpod.F("GOCSPX-abcdefghijklmnopqrstuvwxyz123456"), IssuerURL: gitpod.F("https://accounts.google.com"), OrganizationID: gitpod.F("b0e12f6c-4c67-429d-a4a6-d9838b5da047"), EmailDomain: gitpod.F("acme-corp.com"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", ssoConfiguration.SSOConfiguration) } ``` #### Response ```json { "ssoConfiguration": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "issuerUrl": "issuerUrl", "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "providerType": "PROVIDER_TYPE_UNSPECIFIED", "state": "SSO_CONFIGURATION_STATE_UNSPECIFIED", "additionalScopes": [ "string" ], "claims": { "foo": "string" }, "claimsExpression": "claimsExpression", "clientId": "clientId", "displayName": "displayName", "emailDomain": "emailDomain", "emailDomains": [ "sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB" ] } } ``` ## DeleteSSOConfiguration `client.Organizations.SSOConfigurations.Delete(ctx, body) (*OrganizationSSOConfigurationDeleteResponse, error)` **post** `/gitpod.v1.OrganizationService/DeleteSSOConfiguration` Removes an SSO configuration from an organization. Use this method to: - Disable SSO authentication - Remove outdated providers - Clean up unused configurations ### Examples - Delete SSO configuration: Removes a specific SSO configuration. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" ``` ### Parameters - `body OrganizationSSOConfigurationDeleteParams` - `SSOConfigurationID param.Field[string]` ### Returns - `type OrganizationSSOConfigurationDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/gitpod-io/gitpod-sdk-go" "github.com/gitpod-io/gitpod-sdk-go/option" ) func main() { client := gitpod.NewClient( option.WithBearerToken("My Bearer Token"), ) ssoConfiguration, err := client.Organizations.SSOConfigurations.Delete(context.TODO(), gitpod.OrganizationSSOConfigurationDeleteParams{ SSOConfigurationID: gitpod.F("d2c94c27-3b76-4a42-b88c-95a85e392c68"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", ssoConfiguration) } ``` #### Response ```json {} ``` ## ListSSOConfigurations `client.Organizations.SSOConfigurations.List(ctx, params) (*SSOConfigurationsPage[SSOConfiguration], error)` **post** `/gitpod.v1.OrganizationService/ListSSOConfigurations` Lists and filters SSO configurations for an organization. Use this method to: - View all SSO providers - Monitor authentication status - Audit security settings - Manage provider configurations ### Examples - List active configurations: Shows all active SSO providers. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" pagination: pageSize: 20 ``` - List by provider type: Shows custom SSO configurations. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" pagination: pageSize: 20 token: "next-page-token-from-previous-response" ``` ### Parameters - `params OrganizationSSOConfigurationListParams` - `OrganizationID param.Field[string]` Body param: organization_id is the ID of the organization to list SSO configurations for. - `Token param.Field[string]` Query param - `PageSize param.Field[int64]` Query param - `Pagination param.Field[OrganizationSSOConfigurationListParamsPagination]` Body param - `Token string` Token for the next set of results that was returned as next_token of a PaginationResponse - `PageSize int64` Page size is the maximum number of results to retrieve per page. Defaults to 25. Maximum 100. ### Returns - `type SSOConfiguration struct{…}` - `ID string` id is the unique identifier of the SSO configuration - `IssuerURL string` issuer_url is the URL of the IdP issuer - `OrganizationID string` - `ProviderType ProviderType` provider_type defines the type of the SSO configuration - `const ProviderTypeUnspecified ProviderType = "PROVIDER_TYPE_UNSPECIFIED"` - `const ProviderTypeBuiltin ProviderType = "PROVIDER_TYPE_BUILTIN"` - `const ProviderTypeCustom ProviderType = "PROVIDER_TYPE_CUSTOM"` - `State SSOConfigurationState` state is the state of the SSO configuration - `const SSOConfigurationStateUnspecified SSOConfigurationState = "SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `const SSOConfigurationStateInactive SSOConfigurationState = "SSO_CONFIGURATION_STATE_INACTIVE"` - `const SSOConfigurationStateActive SSOConfigurationState = "SSO_CONFIGURATION_STATE_ACTIVE"` - `AdditionalScopes []string` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `Claims map[string, string]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `ClaimsExpression string` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `ClientID string` client_id is the client ID of the OIDC application set on the IdP - `DisplayName string` - `EmailDomain string` - `EmailDomains []string` ### Example ```go package main import ( "context" "fmt" "github.com/gitpod-io/gitpod-sdk-go" "github.com/gitpod-io/gitpod-sdk-go/option" ) func main() { client := gitpod.NewClient( option.WithBearerToken("My Bearer Token"), ) page, err := client.Organizations.SSOConfigurations.List(context.TODO(), gitpod.OrganizationSSOConfigurationListParams{ OrganizationID: gitpod.F("b0e12f6c-4c67-429d-a4a6-d9838b5da047"), Pagination: gitpod.F(gitpod.OrganizationSSOConfigurationListParamsPagination{ PageSize: gitpod.F(int64(20)), }), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "pagination": { "nextToken": "nextToken" }, "ssoConfigurations": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "issuerUrl": "issuerUrl", "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "providerType": "PROVIDER_TYPE_UNSPECIFIED", "state": "SSO_CONFIGURATION_STATE_UNSPECIFIED", "additionalScopes": [ "string" ], "claims": { "foo": "string" }, "claimsExpression": "claimsExpression", "clientId": "clientId", "displayName": "displayName", "emailDomain": "emailDomain", "emailDomains": [ "sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB" ] } ] } ``` ## GetSSOConfiguration `client.Organizations.SSOConfigurations.Get(ctx, body) (*OrganizationSSOConfigurationGetResponse, error)` **post** `/gitpod.v1.OrganizationService/GetSSOConfiguration` Retrieves a specific SSO configuration. Use this method to: - View SSO provider details - Check configuration status - Verify SSO settings ### Examples - Get SSO configuration: Retrieves details of a specific SSO configuration. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" ``` ### Parameters - `body OrganizationSSOConfigurationGetParams` - `SSOConfigurationID param.Field[string]` sso_configuration_id is the ID of the SSO configuration to get ### Returns - `type OrganizationSSOConfigurationGetResponse struct{…}` - `SSOConfiguration SSOConfiguration` sso_configuration is the SSO configuration identified by the ID - `ID string` id is the unique identifier of the SSO configuration - `IssuerURL string` issuer_url is the URL of the IdP issuer - `OrganizationID string` - `ProviderType ProviderType` provider_type defines the type of the SSO configuration - `const ProviderTypeUnspecified ProviderType = "PROVIDER_TYPE_UNSPECIFIED"` - `const ProviderTypeBuiltin ProviderType = "PROVIDER_TYPE_BUILTIN"` - `const ProviderTypeCustom ProviderType = "PROVIDER_TYPE_CUSTOM"` - `State SSOConfigurationState` state is the state of the SSO configuration - `const SSOConfigurationStateUnspecified SSOConfigurationState = "SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `const SSOConfigurationStateInactive SSOConfigurationState = "SSO_CONFIGURATION_STATE_INACTIVE"` - `const SSOConfigurationStateActive SSOConfigurationState = "SSO_CONFIGURATION_STATE_ACTIVE"` - `AdditionalScopes []string` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `Claims map[string, string]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `ClaimsExpression string` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `ClientID string` client_id is the client ID of the OIDC application set on the IdP - `DisplayName string` - `EmailDomain string` - `EmailDomains []string` ### Example ```go package main import ( "context" "fmt" "github.com/gitpod-io/gitpod-sdk-go" "github.com/gitpod-io/gitpod-sdk-go/option" ) func main() { client := gitpod.NewClient( option.WithBearerToken("My Bearer Token"), ) ssoConfiguration, err := client.Organizations.SSOConfigurations.Get(context.TODO(), gitpod.OrganizationSSOConfigurationGetParams{ SSOConfigurationID: gitpod.F("d2c94c27-3b76-4a42-b88c-95a85e392c68"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", ssoConfiguration.SSOConfiguration) } ``` #### Response ```json { "ssoConfiguration": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "issuerUrl": "issuerUrl", "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "providerType": "PROVIDER_TYPE_UNSPECIFIED", "state": "SSO_CONFIGURATION_STATE_UNSPECIFIED", "additionalScopes": [ "string" ], "claims": { "foo": "string" }, "claimsExpression": "claimsExpression", "clientId": "clientId", "displayName": "displayName", "emailDomain": "emailDomain", "emailDomains": [ "sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB" ] } } ``` ## UpdateSSOConfiguration `client.Organizations.SSOConfigurations.Update(ctx, body) (*OrganizationSSOConfigurationUpdateResponse, error)` **post** `/gitpod.v1.OrganizationService/UpdateSSOConfiguration` Updates SSO provider settings and authentication rules. Use this method to: - Rotate client credentials - Update provider endpoints - Modify claim mappings - Change authentication policies - Toggle SSO enforcement ### Examples - Update credentials: Rotates client ID and secret. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" clientId: "new-client-id" clientSecret: "new-client-secret" ``` - Update provider status: Activates or deactivates SSO provider. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" state: SSO_CONFIGURATION_STATE_ACTIVE ``` ### Parameters - `body OrganizationSSOConfigurationUpdateParams` - `SSOConfigurationID param.Field[string]` sso_configuration_id is the ID of the SSO configuration to update - `AdditionalScopes param.Field[AdditionalScopesUpdate]` additional_scopes replaces the configured OIDC scopes when present. When absent (nil), scopes are left unchanged. When present with an empty scopes list, all additional scopes are cleared. - `Claims param.Field[map[string, string]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `ClaimsExpression param.Field[string]` claims_expression is a CEL expression evaluated against OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. When present with an empty string, the expression is cleared. - `ClientID param.Field[string]` client_id is the client ID of the SSO provider - `ClientSecret param.Field[string]` client_secret is the client secret of the SSO provider - `DisplayName param.Field[string]` - `EmailDomain param.Field[string]` - `EmailDomains param.Field[[]string]` - `IssuerURL param.Field[string]` issuer_url is the URL of the IdP issuer - `State param.Field[SSOConfigurationState]` state is the state of the SSO configuration ### Returns - `type OrganizationSSOConfigurationUpdateResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/gitpod-io/gitpod-sdk-go" "github.com/gitpod-io/gitpod-sdk-go/option" ) func main() { client := gitpod.NewClient( option.WithBearerToken("My Bearer Token"), ) ssoConfiguration, err := client.Organizations.SSOConfigurations.Update(context.TODO(), gitpod.OrganizationSSOConfigurationUpdateParams{ SSOConfigurationID: gitpod.F("d2c94c27-3b76-4a42-b88c-95a85e392c68"), ClientID: gitpod.F("new-client-id"), ClientSecret: gitpod.F("new-client-secret"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", ssoConfiguration) } ``` #### Response ```json {} ``` ## Domain Types ### Additional Scopes Update - `type AdditionalScopesUpdate struct{…}` AdditionalScopesUpdate wraps a list of OIDC scopes so that the update request can distinguish "not changing scopes" (field absent) from "clearing all scopes" (field present, empty list). - `Scopes []string` ### Provider Type - `type ProviderType string` - `const ProviderTypeUnspecified ProviderType = "PROVIDER_TYPE_UNSPECIFIED"` - `const ProviderTypeBuiltin ProviderType = "PROVIDER_TYPE_BUILTIN"` - `const ProviderTypeCustom ProviderType = "PROVIDER_TYPE_CUSTOM"` ### SSO Configuration - `type SSOConfiguration struct{…}` - `ID string` id is the unique identifier of the SSO configuration - `IssuerURL string` issuer_url is the URL of the IdP issuer - `OrganizationID string` - `ProviderType ProviderType` provider_type defines the type of the SSO configuration - `const ProviderTypeUnspecified ProviderType = "PROVIDER_TYPE_UNSPECIFIED"` - `const ProviderTypeBuiltin ProviderType = "PROVIDER_TYPE_BUILTIN"` - `const ProviderTypeCustom ProviderType = "PROVIDER_TYPE_CUSTOM"` - `State SSOConfigurationState` state is the state of the SSO configuration - `const SSOConfigurationStateUnspecified SSOConfigurationState = "SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `const SSOConfigurationStateInactive SSOConfigurationState = "SSO_CONFIGURATION_STATE_INACTIVE"` - `const SSOConfigurationStateActive SSOConfigurationState = "SSO_CONFIGURATION_STATE_ACTIVE"` - `AdditionalScopes []string` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `Claims map[string, string]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `ClaimsExpression string` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `ClientID string` client_id is the client ID of the OIDC application set on the IdP - `DisplayName string` - `EmailDomain string` - `EmailDomains []string` ### SSO Configuration State - `type SSOConfigurationState string` - `const SSOConfigurationStateUnspecified SSOConfigurationState = "SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `const SSOConfigurationStateInactive SSOConfigurationState = "SSO_CONFIGURATION_STATE_INACTIVE"` - `const SSOConfigurationStateActive SSOConfigurationState = "SSO_CONFIGURATION_STATE_ACTIVE"`