Add SAML Identity Provider

POST 
https://$CUSTOM-DOMAIN/management/v1/idps/saml

Add SAML Identity Provider

Request

Header Parameters

x-zitadel-orgid string

The default is always the organization of the requesting user. If you like to get/set a result of another organization include the header. Make sure the user has permission to access the requested data.

application/json

Body

required

name string
metadataXml byte

Metadata of the SAML identity provider.

metadataUrl string

Url to the metadata of the SAML identity provider.

binding string

Possible values: [SAML_BINDING_UNSPECIFIED, SAML_BINDING_POST, SAML_BINDING_REDIRECT, SAML_BINDING_ARTIFACT]

Default value: SAML_BINDING_UNSPECIFIED

Binding which defines the type of communication with the identity provider.

withSignedRequest boolean

Boolean which defines if the authentication requests are signed.

providerOptions

object

isLinkingAllowed boolean

Enable if users should be able to manually link an existing ZITADEL user with an external account. Disable if users should only be allowed to link the proposed account in case of active auto_linking.

isCreationAllowed boolean

Enable if users should be able to manually create a new account in ZITADEL when using an external account. Disable if users should not be able to edit account information when auto_creation is enabled.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

nameIdFormat string

Possible values: [SAML_NAME_ID_FORMAT_UNSPECIFIED, SAML_NAME_ID_FORMAT_EMAIL_ADDRESS, SAML_NAME_ID_FORMAT_PERSISTENT, SAML_NAME_ID_FORMAT_TRANSIENT]

Default value: SAML_NAME_ID_FORMAT_UNSPECIFIED

Optionally specify the nameid-format requested.

transientMappingAttributeName string

Optionally specify the name of the attribute, which will be used to map the user in case the nameid-format returned is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

application/grpc

Body

required

name string
metadataXml byte

Metadata of the SAML identity provider.

metadataUrl string

Url to the metadata of the SAML identity provider.

binding string

Possible values: [SAML_BINDING_UNSPECIFIED, SAML_BINDING_POST, SAML_BINDING_REDIRECT, SAML_BINDING_ARTIFACT]

Default value: SAML_BINDING_UNSPECIFIED

Binding which defines the type of communication with the identity provider.

withSignedRequest boolean

Boolean which defines if the authentication requests are signed.

providerOptions

object

isLinkingAllowed boolean

Enable if users should be able to manually link an existing ZITADEL user with an external account. Disable if users should only be allowed to link the proposed account in case of active auto_linking.

isCreationAllowed boolean

Enable if users should be able to manually create a new account in ZITADEL when using an external account. Disable if users should not be able to edit account information when auto_creation is enabled.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

nameIdFormat string

Possible values: [SAML_NAME_ID_FORMAT_UNSPECIFIED, SAML_NAME_ID_FORMAT_EMAIL_ADDRESS, SAML_NAME_ID_FORMAT_PERSISTENT, SAML_NAME_ID_FORMAT_TRANSIENT]

Default value: SAML_NAME_ID_FORMAT_UNSPECIFIED

Optionally specify the nameid-format requested.

transientMappingAttributeName string

Optionally specify the name of the attribute, which will be used to map the user in case the nameid-format returned is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

application/grpc-web+proto

Body

required

name string
metadataXml byte

Metadata of the SAML identity provider.

metadataUrl string

Url to the metadata of the SAML identity provider.

binding string

Possible values: [SAML_BINDING_UNSPECIFIED, SAML_BINDING_POST, SAML_BINDING_REDIRECT, SAML_BINDING_ARTIFACT]

Default value: SAML_BINDING_UNSPECIFIED

Binding which defines the type of communication with the identity provider.

withSignedRequest boolean

Boolean which defines if the authentication requests are signed.

providerOptions

object

isLinkingAllowed boolean

Enable if users should be able to manually link an existing ZITADEL user with an external account. Disable if users should only be allowed to link the proposed account in case of active auto_linking.

isCreationAllowed boolean

Enable if users should be able to manually create a new account in ZITADEL when using an external account. Disable if users should not be able to edit account information when auto_creation is enabled.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

nameIdFormat string

Possible values: [SAML_NAME_ID_FORMAT_UNSPECIFIED, SAML_NAME_ID_FORMAT_EMAIL_ADDRESS, SAML_NAME_ID_FORMAT_PERSISTENT, SAML_NAME_ID_FORMAT_TRANSIENT]

Default value: SAML_NAME_ID_FORMAT_UNSPECIFIED

Optionally specify the nameid-format requested.

transientMappingAttributeName string

Optionally specify the name of the attribute, which will be used to map the user in case the nameid-format returned is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

Responses

200

A successful response.

application/json

Schema

Schema

details

object

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

creationDate date-time

on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the

resourceOwner resource_owner is the organization an object belongs to (string)
id string

Example (from schema)

{
  "details": {
    "sequence": "2",
    "creationDate": "2025-03-04T15:26:58.604Z",
    "changeDate": "2025-03-04T15:26:58.604Z",
    "resourceOwner": "69629023906488334"
  },
  "id": "string"
}

application/grpc

Schema

Schema

details

object

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

creationDate date-time

on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the

resourceOwner resource_owner is the organization an object belongs to (string)
id string

Example (from schema)

{
  "details": {
    "sequence": "2",
    "creationDate": "2025-03-04T15:26:58.604Z",
    "changeDate": "2025-03-04T15:26:58.604Z",
    "resourceOwner": "69629023906488334"
  },
  "id": "string"
}

application/grpc-web+proto

Schema

Schema

details

object

sequence uint64

on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation

creationDate date-time

on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation

changeDate date-time

on read: the timestamp of the last event reduced by the projection

on manipulation: the

resourceOwner resource_owner is the organization an object belongs to (string)
id string

Example (from schema)

{
  "details": {
    "sequence": "2",
    "creationDate": "2025-03-04T15:26:58.605Z",
    "changeDate": "2025-03-04T15:26:58.605Z",
    "resourceOwner": "69629023906488334"
  },
  "id": "string"
}

default

An unexpected error response.

application/json

Schema

Schema

code int32
message string

details

object[]

Array [

@type string

]

Example (from schema)

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

application/grpc

Schema

Schema

code int32
message string

details

object[]

Array [

@type string

]

Example (from schema)

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

application/grpc-web+proto

Schema

Schema

code int32
message string

details

object[]

Array [

@type string

]

Example (from schema)

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

• curl
• python
• go
• nodejs
• ruby
• csharp
• php
• java
• powershell

• CURL

curl -L 'https://$CUSTOM-DOMAIN/management/v1/idps/saml' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
-d '{
  "name": "string",
  "metadataXml": "string",
  "metadataUrl": "https://test.com/saml/metadata",
  "binding": "SAML_BINDING_UNSPECIFIED",
  "withSignedRequest": true,
  "providerOptions": {
    "isLinkingAllowed": true,
    "isCreationAllowed": true,
    "isAutoCreation": true,
    "isAutoUpdate": true,
    "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
  },
  "nameIdFormat": "SAML_NAME_ID_FORMAT_UNSPECIFIED",
  "transientMappingAttributeName": "string"
}'

Request Collapse all

Base URL

https://$CUSTOM-DOMAIN/management/v1

Auth

Bearer Token

Parameters

x-zitadel-orgid — header

Body required

Content-Type

application/jsonapplication/grpcapplication/grpc-web+proto

{
  "name": "string",
  "metadataXml": "string",
  "metadataUrl": "https://test.com/saml/metadata",
  "binding": "SAML_BINDING_UNSPECIFIED",
  "withSignedRequest": true,
  "providerOptions": {
    "isLinkingAllowed": true,
    "isCreationAllowed": true,
    "isAutoCreation": true,
    "isAutoUpdate": true,
    "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
  },
  "nameIdFormat": "SAML_NAME_ID_FORMAT_UNSPECIFIED",
  "transientMappingAttributeName": "string"
}

ResponseClear

Click the Send API Request button above and see the response here!