# SSO Configurations ## CreateSSOConfiguration `organizations.sso_configurations.create(SSOConfigurationCreateParams**kwargs) -> SSOConfigurationCreateResponse` **post** `/gitpod.v1.OrganizationService/CreateSSOConfiguration` Creates or updates SSO configuration for organizational authentication. Use this method to: - Configure OIDC-based SSO providers - Set up built-in providers (Google, GitHub, etc.) - Define custom identity providers - Manage authentication policies ### Examples - Configure built-in Google SSO: Sets up SSO using Google Workspace. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" clientId: "012345678-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com" clientSecret: "GOCSPX-abcdefghijklmnopqrstuvwxyz123456" issuerUrl: "https://accounts.google.com" emailDomain: "acme-corp.com" ``` - Configure custom OIDC provider: Sets up SSO with a custom identity provider. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" clientId: "acme-corp-gitpod" clientSecret: "secret-token-value" issuerUrl: "https://sso.acme-corp.com" emailDomain: "acme-corp.com" ``` ### Parameters - `client_id: str` client_id is the client ID of the OIDC application set on the IdP - `client_secret: str` client_secret is the client secret of the OIDC application set on the IdP - `issuer_url: str` issuer_url is the URL of the IdP issuer - `organization_id: str` - `additional_scopes: Optional[Sequence[str]]` additional_scopes are extra OIDC scopes to request from the identity provider during sign-in. These are appended to the default scopes (openid, email, profile). - `claims_expression: Optional[str]` claims_expression is an optional CEL expression evaluated against OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `display_name: Optional[str]` - `email_domain: Optional[str]` email_domain is the domain that is allowed to sign in to the organization - `email_domains: Optional[Sequence[str]]` ### Returns - `class SSOConfigurationCreateResponse: …` - `sso_configuration: SSOConfiguration` sso_configuration is the created SSO configuration - `id: str` id is the unique identifier of the SSO configuration - `issuer_url: str` issuer_url is the URL of the IdP issuer - `organization_id: str` - `provider_type: ProviderType` provider_type defines the type of the SSO configuration - `"PROVIDER_TYPE_UNSPECIFIED"` - `"PROVIDER_TYPE_BUILTIN"` - `"PROVIDER_TYPE_CUSTOM"` - `state: SSOConfigurationState` state is the state of the SSO configuration - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` - `additional_scopes: Optional[List[str]]` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `claims: Optional[Dict[str, str]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `claims_expression: Optional[str]` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `client_id: Optional[str]` client_id is the client ID of the OIDC application set on the IdP - `display_name: Optional[str]` - `email_domain: Optional[str]` - `email_domains: Optional[List[str]]` ### Example ```python import os from gitpod import Gitpod client = Gitpod( bearer_token=os.environ.get("GITPOD_API_KEY"), # This is the default and can be omitted ) sso_configuration = client.organizations.sso_configurations.create( client_id="012345678-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com", client_secret="GOCSPX-abcdefghijklmnopqrstuvwxyz123456", issuer_url="https://accounts.google.com", organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047", email_domain="acme-corp.com", ) print(sso_configuration.sso_configuration) ``` #### Response ```json { "ssoConfiguration": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "issuerUrl": "issuerUrl", "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "providerType": "PROVIDER_TYPE_UNSPECIFIED", "state": "SSO_CONFIGURATION_STATE_UNSPECIFIED", "additionalScopes": [ "string" ], "claims": { "foo": "string" }, "claimsExpression": "claimsExpression", "clientId": "clientId", "displayName": "displayName", "emailDomain": "emailDomain", "emailDomains": [ "sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB" ] } } ``` ## DeleteSSOConfiguration `organizations.sso_configurations.delete(SSOConfigurationDeleteParams**kwargs) -> object` **post** `/gitpod.v1.OrganizationService/DeleteSSOConfiguration` Removes an SSO configuration from an organization. Use this method to: - Disable SSO authentication - Remove outdated providers - Clean up unused configurations ### Examples - Delete SSO configuration: Removes a specific SSO configuration. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" ``` ### Parameters - `sso_configuration_id: str` ### Returns - `object` ### Example ```python import os from gitpod import Gitpod client = Gitpod( bearer_token=os.environ.get("GITPOD_API_KEY"), # This is the default and can be omitted ) sso_configuration = client.organizations.sso_configurations.delete( sso_configuration_id="d2c94c27-3b76-4a42-b88c-95a85e392c68", ) print(sso_configuration) ``` #### Response ```json {} ``` ## ListSSOConfigurations `organizations.sso_configurations.list(SSOConfigurationListParams**kwargs) -> SyncSSOConfigurationsPage[SSOConfiguration]` **post** `/gitpod.v1.OrganizationService/ListSSOConfigurations` Lists and filters SSO configurations for an organization. Use this method to: - View all SSO providers - Monitor authentication status - Audit security settings - Manage provider configurations ### Examples - List active configurations: Shows all active SSO providers. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" pagination: pageSize: 20 ``` - List by provider type: Shows custom SSO configurations. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" pagination: pageSize: 20 token: "next-page-token-from-previous-response" ``` ### Parameters - `organization_id: str` organization_id is the ID of the organization to list SSO configurations for. - `token: Optional[str]` - `page_size: Optional[int]` - `pagination: Optional[Pagination]` - `token: Optional[str]` Token for the next set of results that was returned as next_token of a PaginationResponse - `page_size: Optional[int]` Page size is the maximum number of results to retrieve per page. Defaults to 25. Maximum 100. ### Returns - `class SSOConfiguration: …` - `id: str` id is the unique identifier of the SSO configuration - `issuer_url: str` issuer_url is the URL of the IdP issuer - `organization_id: str` - `provider_type: ProviderType` provider_type defines the type of the SSO configuration - `"PROVIDER_TYPE_UNSPECIFIED"` - `"PROVIDER_TYPE_BUILTIN"` - `"PROVIDER_TYPE_CUSTOM"` - `state: SSOConfigurationState` state is the state of the SSO configuration - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` - `additional_scopes: Optional[List[str]]` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `claims: Optional[Dict[str, str]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `claims_expression: Optional[str]` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `client_id: Optional[str]` client_id is the client ID of the OIDC application set on the IdP - `display_name: Optional[str]` - `email_domain: Optional[str]` - `email_domains: Optional[List[str]]` ### Example ```python import os from gitpod import Gitpod client = Gitpod( bearer_token=os.environ.get("GITPOD_API_KEY"), # This is the default and can be omitted ) page = client.organizations.sso_configurations.list( organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047", pagination={ "page_size": 20 }, ) page = page.sso_configurations[0] print(page.id) ``` #### Response ```json { "pagination": { "nextToken": "nextToken" }, "ssoConfigurations": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "issuerUrl": "issuerUrl", "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "providerType": "PROVIDER_TYPE_UNSPECIFIED", "state": "SSO_CONFIGURATION_STATE_UNSPECIFIED", "additionalScopes": [ "string" ], "claims": { "foo": "string" }, "claimsExpression": "claimsExpression", "clientId": "clientId", "displayName": "displayName", "emailDomain": "emailDomain", "emailDomains": [ "sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB" ] } ] } ``` ## GetSSOConfiguration `organizations.sso_configurations.retrieve(SSOConfigurationRetrieveParams**kwargs) -> SSOConfigurationRetrieveResponse` **post** `/gitpod.v1.OrganizationService/GetSSOConfiguration` Retrieves a specific SSO configuration. Use this method to: - View SSO provider details - Check configuration status - Verify SSO settings ### Examples - Get SSO configuration: Retrieves details of a specific SSO configuration. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" ``` ### Parameters - `sso_configuration_id: str` sso_configuration_id is the ID of the SSO configuration to get ### Returns - `class SSOConfigurationRetrieveResponse: …` - `sso_configuration: SSOConfiguration` sso_configuration is the SSO configuration identified by the ID - `id: str` id is the unique identifier of the SSO configuration - `issuer_url: str` issuer_url is the URL of the IdP issuer - `organization_id: str` - `provider_type: ProviderType` provider_type defines the type of the SSO configuration - `"PROVIDER_TYPE_UNSPECIFIED"` - `"PROVIDER_TYPE_BUILTIN"` - `"PROVIDER_TYPE_CUSTOM"` - `state: SSOConfigurationState` state is the state of the SSO configuration - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` - `additional_scopes: Optional[List[str]]` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `claims: Optional[Dict[str, str]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `claims_expression: Optional[str]` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `client_id: Optional[str]` client_id is the client ID of the OIDC application set on the IdP - `display_name: Optional[str]` - `email_domain: Optional[str]` - `email_domains: Optional[List[str]]` ### Example ```python import os from gitpod import Gitpod client = Gitpod( bearer_token=os.environ.get("GITPOD_API_KEY"), # This is the default and can be omitted ) sso_configuration = client.organizations.sso_configurations.retrieve( sso_configuration_id="d2c94c27-3b76-4a42-b88c-95a85e392c68", ) print(sso_configuration.sso_configuration) ``` #### Response ```json { "ssoConfiguration": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "issuerUrl": "issuerUrl", "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "providerType": "PROVIDER_TYPE_UNSPECIFIED", "state": "SSO_CONFIGURATION_STATE_UNSPECIFIED", "additionalScopes": [ "string" ], "claims": { "foo": "string" }, "claimsExpression": "claimsExpression", "clientId": "clientId", "displayName": "displayName", "emailDomain": "emailDomain", "emailDomains": [ "sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB" ] } } ``` ## UpdateSSOConfiguration `organizations.sso_configurations.update(SSOConfigurationUpdateParams**kwargs) -> object` **post** `/gitpod.v1.OrganizationService/UpdateSSOConfiguration` Updates SSO provider settings and authentication rules. Use this method to: - Rotate client credentials - Update provider endpoints - Modify claim mappings - Change authentication policies - Toggle SSO enforcement ### Examples - Update credentials: Rotates client ID and secret. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" clientId: "new-client-id" clientSecret: "new-client-secret" ``` - Update provider status: Activates or deactivates SSO provider. ```yaml ssoConfigurationId: "d2c94c27-3b76-4a42-b88c-95a85e392c68" state: SSO_CONFIGURATION_STATE_ACTIVE ``` ### Parameters - `sso_configuration_id: str` sso_configuration_id is the ID of the SSO configuration to update - `additional_scopes: Optional[AdditionalScopesUpdateParam]` additional_scopes replaces the configured OIDC scopes when present. When absent (nil), scopes are left unchanged. When present with an empty scopes list, all additional scopes are cleared. - `scopes: Optional[List[str]]` - `claims: Optional[Dict[str, str]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `claims_expression: Optional[str]` claims_expression is a CEL expression evaluated against OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. When present with an empty string, the expression is cleared. - `client_id: Optional[str]` client_id is the client ID of the SSO provider - `client_secret: Optional[str]` client_secret is the client secret of the SSO provider - `display_name: Optional[str]` - `email_domain: Optional[str]` - `email_domains: Optional[Sequence[str]]` - `issuer_url: Optional[str]` issuer_url is the URL of the IdP issuer - `state: Optional[SSOConfigurationState]` state is the state of the SSO configuration - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` ### Returns - `object` ### Example ```python import os from gitpod import Gitpod client = Gitpod( bearer_token=os.environ.get("GITPOD_API_KEY"), # This is the default and can be omitted ) sso_configuration = client.organizations.sso_configurations.update( sso_configuration_id="d2c94c27-3b76-4a42-b88c-95a85e392c68", client_id="new-client-id", client_secret="new-client-secret", ) print(sso_configuration) ``` #### Response ```json {} ``` ## Domain Types ### Additional Scopes Update - `class AdditionalScopesUpdate: …` AdditionalScopesUpdate wraps a list of OIDC scopes so that the update request can distinguish "not changing scopes" (field absent) from "clearing all scopes" (field present, empty list). - `scopes: Optional[List[str]]` ### Provider Type - `Literal["PROVIDER_TYPE_UNSPECIFIED", "PROVIDER_TYPE_BUILTIN", "PROVIDER_TYPE_CUSTOM"]` - `"PROVIDER_TYPE_UNSPECIFIED"` - `"PROVIDER_TYPE_BUILTIN"` - `"PROVIDER_TYPE_CUSTOM"` ### SSO Configuration - `class SSOConfiguration: …` - `id: str` id is the unique identifier of the SSO configuration - `issuer_url: str` issuer_url is the URL of the IdP issuer - `organization_id: str` - `provider_type: ProviderType` provider_type defines the type of the SSO configuration - `"PROVIDER_TYPE_UNSPECIFIED"` - `"PROVIDER_TYPE_BUILTIN"` - `"PROVIDER_TYPE_CUSTOM"` - `state: SSOConfigurationState` state is the state of the SSO configuration - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` - `additional_scopes: Optional[List[str]]` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `claims: Optional[Dict[str, str]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `claims_expression: Optional[str]` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `client_id: Optional[str]` client_id is the client ID of the OIDC application set on the IdP - `display_name: Optional[str]` - `email_domain: Optional[str]` - `email_domains: Optional[List[str]]` ### SSO Configuration State - `Literal["SSO_CONFIGURATION_STATE_UNSPECIFIED", "SSO_CONFIGURATION_STATE_INACTIVE", "SSO_CONFIGURATION_STATE_ACTIVE"]` - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` ### SSO Configuration Create Response - `class SSOConfigurationCreateResponse: …` - `sso_configuration: SSOConfiguration` sso_configuration is the created SSO configuration - `id: str` id is the unique identifier of the SSO configuration - `issuer_url: str` issuer_url is the URL of the IdP issuer - `organization_id: str` - `provider_type: ProviderType` provider_type defines the type of the SSO configuration - `"PROVIDER_TYPE_UNSPECIFIED"` - `"PROVIDER_TYPE_BUILTIN"` - `"PROVIDER_TYPE_CUSTOM"` - `state: SSOConfigurationState` state is the state of the SSO configuration - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` - `additional_scopes: Optional[List[str]]` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `claims: Optional[Dict[str, str]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `claims_expression: Optional[str]` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `client_id: Optional[str]` client_id is the client ID of the OIDC application set on the IdP - `display_name: Optional[str]` - `email_domain: Optional[str]` - `email_domains: Optional[List[str]]` ### SSO Configuration Retrieve Response - `class SSOConfigurationRetrieveResponse: …` - `sso_configuration: SSOConfiguration` sso_configuration is the SSO configuration identified by the ID - `id: str` id is the unique identifier of the SSO configuration - `issuer_url: str` issuer_url is the URL of the IdP issuer - `organization_id: str` - `provider_type: ProviderType` provider_type defines the type of the SSO configuration - `"PROVIDER_TYPE_UNSPECIFIED"` - `"PROVIDER_TYPE_BUILTIN"` - `"PROVIDER_TYPE_CUSTOM"` - `state: SSOConfigurationState` state is the state of the SSO configuration - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"` - `"SSO_CONFIGURATION_STATE_INACTIVE"` - `"SSO_CONFIGURATION_STATE_ACTIVE"` - `additional_scopes: Optional[List[str]]` additional_scopes are extra OIDC scopes requested from the identity provider during sign-in. - `claims: Optional[Dict[str, str]]` claims are key/value pairs that defines a mapping of claims issued by the IdP. - `claims_expression: Optional[str]` claims_expression is a CEL (Common Expression Language) expression evaluated against the OIDC token claims during login. When set, the expression must evaluate to true for the login to succeed. The expression has access to a `claims` variable containing all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")` - `client_id: Optional[str]` client_id is the client ID of the OIDC application set on the IdP - `display_name: Optional[str]` - `email_domain: Optional[str]` - `email_domains: Optional[List[str]]`