## CreateSSOConfiguration

`organizations.sso_configurations.create(SSOConfigurationCreateParams**kwargs)  -> SSOConfigurationCreateResponse`

**post** `/gitpod.v1.OrganizationService/CreateSSOConfiguration`

Creates or updates SSO configuration for organizational authentication.

Use this method to:

- Configure OIDC-based SSO providers
- Set up built-in providers (Google, GitHub, etc.)
- Define custom identity providers
- Manage authentication policies

### Examples

- Configure built-in Google SSO:

  Sets up SSO using Google Workspace.

  ```yaml
  organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047"
  clientId: "012345678-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com"
  clientSecret: "GOCSPX-abcdefghijklmnopqrstuvwxyz123456"
  issuerUrl: "https://accounts.google.com"
  emailDomain: "acme-corp.com"
  ```

- Configure custom OIDC provider:

  Sets up SSO with a custom identity provider.

  ```yaml
  organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047"
  clientId: "acme-corp-gitpod"
  clientSecret: "secret-token-value"
  issuerUrl: "https://sso.acme-corp.com"
  emailDomain: "acme-corp.com"
  ```

### Parameters

- `client_id: str`

  client_id is the client ID of the OIDC application set on the IdP

- `client_secret: str`

  client_secret is the client secret of the OIDC application set on the IdP

- `issuer_url: str`

  issuer_url is the URL of the IdP issuer

- `organization_id: str`

- `additional_scopes: Optional[Sequence[str]]`

  additional_scopes are extra OIDC scopes to request from the identity provider during sign-in.
  These are appended to the default scopes (openid, email, profile).

- `claims_expression: Optional[str]`

  claims_expression is an optional CEL expression evaluated against OIDC token claims during login.
  When set, the expression must evaluate to true for the login to succeed.
  Example: `claims.email_verified && claims.email.endsWith("@example.com")`

- `display_name: Optional[str]`

- `email_domain: Optional[str]`

  email_domain is the domain that is allowed to sign in to the organization

- `email_domains: Optional[Sequence[str]]`

### Returns

- `class SSOConfigurationCreateResponse: …`

  - `sso_configuration: SSOConfiguration`

    sso_configuration is the created SSO configuration

    - `id: str`

      id is the unique identifier of the SSO configuration

    - `issuer_url: str`

      issuer_url is the URL of the IdP issuer

    - `organization_id: str`

    - `provider_type: ProviderType`

      provider_type defines the type of the SSO configuration

      - `"PROVIDER_TYPE_UNSPECIFIED"`

      - `"PROVIDER_TYPE_BUILTIN"`

      - `"PROVIDER_TYPE_CUSTOM"`

    - `state: SSOConfigurationState`

      state is the state of the SSO configuration

      - `"SSO_CONFIGURATION_STATE_UNSPECIFIED"`

      - `"SSO_CONFIGURATION_STATE_INACTIVE"`

      - `"SSO_CONFIGURATION_STATE_ACTIVE"`

    - `additional_scopes: Optional[List[str]]`

      additional_scopes are extra OIDC scopes requested from the identity provider during sign-in.

    - `claims: Optional[Dict[str, str]]`

      claims are key/value pairs that defines a mapping of claims issued by the IdP.

    - `claims_expression: Optional[str]`

      claims_expression is a CEL (Common Expression Language) expression evaluated against
      the OIDC token claims during login. When set, the expression must evaluate to true
      for the login to succeed. The expression has access to a `claims` variable containing
      all token claims as a map. Example: `claims.email_verified && claims.email.endsWith("@example.com")`

    - `client_id: Optional[str]`

      client_id is the client ID of the OIDC application set on the IdP

    - `display_name: Optional[str]`

    - `email_domain: Optional[str]`

    - `email_domains: Optional[List[str]]`

### Example

```python
import os
from gitpod import Gitpod

client = Gitpod(
    bearer_token=os.environ.get("GITPOD_API_KEY"),  # This is the default and can be omitted
)
sso_configuration = client.organizations.sso_configurations.create(
    client_id="012345678-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com",
    client_secret="GOCSPX-abcdefghijklmnopqrstuvwxyz123456",
    issuer_url="https://accounts.google.com",
    organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047",
    email_domain="acme-corp.com",
)
print(sso_configuration.sso_configuration)
```

#### Response

```json
{
  "ssoConfiguration": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "issuerUrl": "issuerUrl",
    "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "providerType": "PROVIDER_TYPE_UNSPECIFIED",
    "state": "SSO_CONFIGURATION_STATE_UNSPECIFIED",
    "additionalScopes": [
      "string"
    ],
    "claims": {
      "foo": "string"
    },
    "claimsExpression": "claimsExpression",
    "clientId": "clientId",
    "displayName": "displayName",
    "emailDomain": "emailDomain",
    "emailDomains": [
      "sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB"
    ]
  }
}
```