Single Sign-On Overview

Frontegg’s Single Sign-On (SSO) enables users to sign in using their existing credentials, removing the need to create new usernames and passwords specifically for your application.

Our SSO solution supports two popular protocols: SAML and OpenID Connect (OIDC). These protocols facilitate user authentication across multiple applications and can be configured via Frontegg’s Management Portal or the Self-Service menu within your application.

This section lists all relevant API endpoints, organized into Management and Self-Service categories:

Management Endpoints: Require environment-level authorization and provide comprehensive control over SSO (SAML and OIDC) resources.

Self-Service Endpoints: Accessible with a user token (JWT), allowing users with appropriate permissions to create, update, and delete SSO connections on their accounts.

Servers
EU Region
https://api.frontegg.com/team/
US Region
https://api.us.frontegg.com/team/
CA Region
https://api.ca.frontegg.com/team/
AU Region
https://api.au.frontegg.com/team/
Frontegg sub-domain for use with user tokens
https://{domain}.frontegg.com/team/

SSO Settings

Operations

Get service provider metadata

Request

Headers
frontegg-tenant-id (string, required)

The tenant identifier

curl -i -X GET \
  https://api.frontegg.com/team/resources/sso/v1/saml/configurations/sp-metadata \
  -H 'frontegg-tenant-id: string'

Responses

Exclude email from SSO

Request

Body: application/json (required)
email (string, required)
curl -i -X POST \
  https://api.frontegg.com/team/resources/sso/v1/configurations/excluded-emails \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "string"
  }'

Responses

Get SSO excluded emails

Request

curl -i -X GET \
  https://api.frontegg.com/team/resources/sso/v1/configurations/excluded-emails

Responses

Delete SSO excluded email

Request

Path
email (string, required)
curl -i -X DELETE \
  'https://api.frontegg.com/team/resources/sso/v1/configurations/excluded-emails/{email}'

Responses

Vendor only - Force SSO domain validation

Request

Path
domain (string, required)
Body: application/json (required)
object (ForceValidateDomainRequestDto)
curl -i -X PUT \
  'https://api.frontegg.com/team/resources/sso/v1/configurations/domains/{domain}/force-validate' \
  -H 'Content-Type: application/json' \
  -d '{}'

Responses

Get SSO per tenant configuration

Request

curl -i -X GET \
  https://api.frontegg.com/team/resources/sso/v1/configurations/multiple-sso-per-domain

Responses

Create or update SSO per tenant configuration

Request

Body: application/json (required)
unspecifiedTenantStrategy (string, required)
active (boolean, required)
useActiveTenant (boolean, required)
curl -i -X PUT \
  https://api.frontegg.com/team/resources/sso/v1/configurations/multiple-sso-per-domain \
  -H 'Content-Type: application/json' \
  -d '{
    "unspecifiedTenantStrategy": "string",
    "active": true,
    "useActiveTenant": true
  }'

Responses

Configure OIDC

Request

Body: application/json (required)
active (boolean, required)
redirectUri (string)

The redirect URI to which the user will be redirected. It should match the redirect URI you set in your application. Leave it empty if you didn't change it in your application.

curl -i -X POST \
  https://api.frontegg.com/team/resources/sso/v1/oidc/configurations \
  -H 'Content-Type: application/json' \
  -d '{
    "active": true,
    "redirectUri": "string"
  }'

Responses

SAML Configurations Details

Operations

OIDC Configurations Details

Operations

SSO Configurations

Operations