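import { Authorization } from "../shared/method_options";
import { DeviceInfo } from "../b2c/device_history";
import { External } from "./sso_external";
import { fetchConfig } from "../shared";
import { Member, Organization } from "./organizations";
import { MemberSession, PrimaryRequired } from "./sessions";
import { MfaRequired } from "./mfa";
import { OIDC } from "./sso_oidc";
import { SAML } from "./sso_saml";

/**
 * Per-request options for {@link SSO.deleteConnection}.
 */
export interface B2BSSODeleteConnectionRequestOptions {
  /**
   * Optional authorization object.
   * Pass in an active Stytch Member session token or session JWT and the request
   * will be run using that member's permissions.
   */
  authorization?: Authorization;
}

/**
 * Per-request options for {@link SSO.getConnections}.
 */
export interface B2BSSOGetConnectionsRequestOptions {
  /**
   * Optional authorization object.
   * Pass in an active Stytch Member session token or session JWT and the request
   * will be run using that member's permissions.
   */
  authorization?: Authorization;
}

/**
 * An External SSO connection: a connection in one Organization that delegates to an
 * SSO connection configured for a different Organization in the same Project.
 */
export interface Connection {
  /**
   * Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to
   * perform operations on an Organization, so be sure to preserve this value. You may also use the
   * organization_slug or organization_external_id here as a convenience.
   */
  organization_id: string;
  connection_id: string;
  /** The Organization that owns the underlying SSO connection this External connection points at. */
  external_organization_id: string;
  /**
   * Globally unique UUID that identifies a specific SSO connection configured for a different Organization
   * in your Project.
   */
  external_connection_id: string;
  display_name: string;
  status: string;
  /**
   * All Members who log in with this External connection will implicitly receive the specified Roles. See
   * the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about
   * role assignment. Implicit role assignments are not supported for External connections if the underlying
   * SSO connection is an OIDC connection.
   */
  external_connection_implicit_role_assignments: ConnectionImplicitRoleAssignment[];
  /**
   * Defines the names of the groups that grant specific role assignments. For each group-Role pair, if a
   * Member logs in with this external connection and belongs to the specified group, they will be granted
   * the associated Role. See the
   * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role
   * assignment.
   */
  external_group_implicit_role_assignments: GroupImplicitRoleAssignment[];
}

/**
 * A Role granted unconditionally to every Member who authenticates through an External connection.
 */
export interface ConnectionImplicitRoleAssignment {
  /**
   * The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
   *
   * Reserved `role_id`s that are predefined by Stytch include:
   *
   * * `stytch_member`
   * * `stytch_admin`
   *
   * Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default)
   * for a more detailed explanation.
   */
  role_id: string;
}

/**
 * A private key attached to a SAML connection (see {@link SAMLConnection.encryption_private_keys}).
 */
export interface EncryptionPrivateKey {
  private_key_id: string;
  /** Private key material. Treat as a secret: do not log it or persist it outside the connection config. */
  private_key: string;
  created_at?: string;
}

/**
 * A Role granted to Members of an External connection who belong to a named IdP group.
 */
export interface GroupImplicitRoleAssignment {
  role_id: string;
  /** IdP group name that grants `role_id` when present for the logging-in Member. */
  group: string;
}

/**
 * An OIDC SSO connection as returned by the Stytch B2B API.
 */
export interface OIDCConnection {
  /**
   * Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to
   * perform operations on an Organization, so be sure to preserve this value. You may also use the
   * organization_slug or organization_external_id here as a convenience.
   */
  organization_id: string;
  connection_id: string;
  /**
   * The status of the connection. The possible values are pending or active. See the
   * [Update OIDC Connection endpoint](https://stytch.com/docs/b2b/api/update-oidc-connection) for more
   * details.
   */
  status: string;
  display_name: string;
  /**
   * The callback URL for this OIDC connection. This value will be passed to the IdP to redirect the Member
   * back to Stytch after a sign-in attempt.
   */
  redirect_url: string;
  client_id: string;
  /**
   * The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided
   * by the IdP. Treat as a secret: do not log it.
   */
  client_secret: string;
  issuer: string;
  authorization_url: string;
  /**
   * The location of the URL that issues OAuth2.0 access tokens and OIDC ID tokens. This will be provided by
   * the IdP.
   */
  token_url: string;
  /**
   * The location of the IDP's
   * [UserInfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). This will be
   * provided by the IdP.
   */
  userinfo_url: string;
  /**
   * The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be
   * provided by the IdP.
   */
  jwks_url: string;
  /**
   * Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`,
   * `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`,
   * `rippling`, `salesforce`, `shibboleth`, or `generic`.
   *
   * Specifying a known provider allows Stytch to handle any provider-specific logic.
   */
  identity_provider: string;
  /**
   * A space-separated list of custom scopes that will be requested on every SSOStart call. If set, this
   * value will replace the default set of OIDC scopes requested: `openid email profile`. Additional scopes
   * can be requested using the `custom_scopes` query parameter on individual SSOStart calls.
   */
  custom_scopes: string;
  /**
   * An object that represents the attributes used to identify a Member. This object will map the IdP-defined
   * User attributes to Stytch-specific values, which will appear on the member's Trusted Metadata.
   *
   * Keys and values are not constrained by this type; nothing here validates them.
   */
  attribute_mapping?: Record<string, any>;
}

/**
 * A SAML SSO connection as returned by the Stytch B2B API.
 */
export interface SAMLConnection {
  /**
   * Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to
   * perform operations on an Organization, so be sure to preserve this value. You may also use the
   * organization_slug or organization_external_id here as a convenience.
   */
  organization_id: string;
  connection_id: string;
  /**
   * The status of the connection. The possible values are pending or active. See the
   * [Update SAML Connection endpoint](https://stytch.com/docs/b2b/api/update-saml-connection) for more
   * details.
   */
  status: string;
  idp_entity_id: string;
  display_name: string;
  idp_sso_url: string;
  /**
   * The URL of the Assertion Consumer Service. This value will be passed to the IdP to redirect the Member
   * back to Stytch after a sign-in attempt. Read our
   * [SAML Overview](https://stytch.com/docs/b2b/api/saml-overview) for more info.
   */
  acs_url: string;
  /**
   * The URL of the Audience Restriction. This value will indicate that Stytch is the intended audience of an
   * assertion. Read our [SAML Overview](https://stytch.com/docs/b2b/api/saml-overview) for more info.
   */
  audience_uri: string;
  /**
   * A list of X.509 certificates Stytch will use to sign its assertion requests. Certificates should be
   * uploaded to the IdP.
   */
  signing_certificates: X509Certificate[];
  /**
   * A list of X.509 certificates Stytch will use to validate an assertion callback. Certificates should be
   * populated from the IdP.
   */
  verification_certificates: X509Certificate[];
  /** Private keys for this connection; each entry holds secret material (see {@link EncryptionPrivateKey}). */
  encryption_private_keys: EncryptionPrivateKey[];
  /**
   * All Members who log in with this SAML connection will implicitly receive the specified Roles. See the
   * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role
   * assignment.
   */
  saml_connection_implicit_role_assignments: SAMLConnectionImplicitRoleAssignment[];
  /**
   * Defines the names of the SAML groups that grant specific role assignments. For each group-Role pair, if
   * a Member logs in with this SAML connection and belongs to the specified SAML group, they will be granted
   * the associated Role. See the
   * [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role
   * assignment.
   */
  saml_group_implicit_role_assignments: SAMLGroupImplicitRoleAssignment[];
  /**
   * An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate
   * an existing SAML integration to Stytch with zero downtime. Read our
   * [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations)
   * for more info.
   */
  alternative_audience_uri: string;
  /**
   * Name of the IdP. Enum with possible values: `classlink`, `cyberark`, `duo`, `google-workspace`,
   * `jumpcloud`, `keycloak`, `miniorange`, `microsoft-entra`, `okta`, `onelogin`, `pingfederate`,
   * `rippling`, `salesforce`, `shibboleth`, or `generic`.
   *
   * Specifying a known provider allows Stytch to handle any provider-specific logic.
   */
  identity_provider: string;
  /**
   * The NameID format the SAML Connection expects to use. Defaults to
   * `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.
   */
  nameid_format: string;
  /**
   * An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This
   * value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime.
   * Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read
   * our
   * [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations)
   * for more info.
   */
  alternative_acs_url: string;
  /**
   * Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP
   * Initiated Auth is enabled). Note the inverted sense of the flag: `true` disables IdP-initiated login.
   */
  idp_initiated_auth_disabled: boolean;
  allow_gateway_callback: boolean;
  /**
   * An object that represents the attributes used to identify a Member. This object will map the IdP-defined
   * User attributes to Stytch-specific values. Required attributes: `email` and one of `full_name` or
   * `first_name` and `last_name`.
   *
   * Keys and values are not constrained by this type; nothing here validates them.
   */
  attribute_mapping?: Record<string, any>;
}

/**
 * A Role granted unconditionally to every Member who authenticates through a SAML connection.
 */
export interface SAMLConnectionImplicitRoleAssignment {
  /**
   * The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.
   *
   * Reserved `role_id`s that are predefined by Stytch include:
   *
   * * `stytch_member`
   * * `stytch_admin`
   *
   * Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default)
   * for a more detailed explanation.
   */
  role_id: string;
}

/**
 * A Role granted to Members of a SAML connection who belong to a named SAML group.
 */
export interface SAMLGroupImplicitRoleAssignment {
  role_id: string;
  /** SAML group name that grants `role_id` when present for the logging-in Member. */
  group: string;
}

/**
 * An X.509 certificate attached to a SAML connection, either for signing requests or for verifying
 * assertion callbacks (see {@link SAMLConnection}).
 */
export interface X509Certificate {
  certificate_id: string;
  certificate: string;
  issuer: string;
  created_at?: string;
  /** Timestamps are optional here; callers that care about certificate rotation should not assume they are set. */
  expires_at?: string;
  updated_at?: string;
}

/**
 * Request body for {@link SSO.authenticate}.
 */
export interface B2BSSOAuthenticateRequest {
  sso_token: string;
  /** PKCE code verifier for this flow; presumably must match the challenge sent at SSOStart — confirm against the SSOStart docs. */
  pkce_code_verifier?: string;
  session_token?: string;
  session_jwt?: string;
  /**
   * Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't
   * already exist,
   * returning both an opaque `session_token` and `session_jwt` for this session. Remember that the
   * `session_jwt` will have a fixed lifetime of
   * five minutes regardless of the underlying session duration, and will need to be refreshed over time.
   *
   * This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
   *
   * If a `session_token` or `session_jwt` is provided then a successful authentication will continue to
   * extend the session this many minutes.
   *
   * If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a
   * 60 minute duration. If you don't want
   * to use the Stytch session product, you can ignore the session fields in the response.
   */
  session_duration_minutes?: number;
  /**
   * Add a custom claims map to the Session being authenticated. Claims are only created if a Session is
   * initialized by providing a value in
   * `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a
   * key in an existing Session, supply a new value. To
   * delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`,
   * `exp`, `nbf`, `iat`, `jti`) will be ignored.
   * Total custom claims size cannot exceed four kilobytes.
   */
  session_custom_claims?: Record<string, any>;
  /**
   * If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will
   * pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be
   * used to determine which language to use when sending the passcode.
   *
   * Parameter is an [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/),
   * e.g. `"en"`.
   *
   * Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese
   * (`"pt-br"`); if no value is provided, the copy defaults to English.
   *
   * Request support for additional languages
   * [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link)!
   *
   * Note: the trailing `| string` member widens this type to `string`; the listed literals are hints
   * only and are not enforced by the compiler.
   */
  locale?: "en" | "es" | "pt-br" | "fr" | "it" | "de-DE" | "zh-Hans" | "ca-ES" | string;
  /**
   * Adds this primary authentication factor to the intermediate session token. If the resulting set of
   * factors satisfies the organization's primary authentication requirements and MFA requirements, the
   * intermediate session token will be consumed and converted to a member session. If not, the same
   * intermediate session token will be returned.
   */
  intermediate_session_token?: string;
  /**
   * If the `telemetry_id` is passed, as part of this request, Stytch will call the
   * [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated
   * fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device
   * Fingerprinting to use this feature.
   */
  telemetry_id?: string;
}

/**
 * Response body for {@link SSO.authenticate}.
 */
export interface B2BSSOAuthenticateResponse {
  /**
   * Globally unique UUID that is returned with every API call. This value is important to log for debugging
   * purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
   */
  request_id: string;
  member_id: string;
  /**
   * Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to
   * perform operations on an Organization, so be sure to preserve this value.
   */
  organization_id: string;
  member: Member;
  session_token: string;
  session_jwt: string;
  reset_session: boolean;
  organization: Organization;
  /**
   * The returned Intermediate Session Token contains an SSO factor associated with the Member. If this value
   * is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token
   * can be used with the
   * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms),
   * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or
   * [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an
   * MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. SSO factors are
   * not transferable between Organizations, so the intermediate session token is not valid for use with
   * discovery endpoints.
   */
  intermediate_session_token: string;
  /**
   * Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step
   * to log in to the Organization. Callers should gate access on this flag rather than on the mere presence
   * of a `session_token`.
   */
  member_authenticated: boolean;
  /**
   * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g.
   * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
   */
  status_code: number;
  member_session?: MemberSession;
  mfa_required?: MfaRequired;
  primary_required?: PrimaryRequired;
  /**
   * If a valid `telemetry_id` was passed in the request and the
   * [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the
   * `member_device` response field will contain information about the member's device attributes.
   */
  member_device?: DeviceInfo;
}

/**
 * Request body for {@link SSO.deleteConnection}.
 */
export interface B2BSSODeleteConnectionRequest {
  /**
   * The organization ID that the SSO connection belongs to. You may also use the organization_slug or
   * organization_external_id here as a convenience.
   */
  organization_id: string;
  connection_id: string;
}

/**
 * Response body for {@link SSO.deleteConnection}.
 */
export interface B2BSSODeleteConnectionResponse {
  /**
   * Globally unique UUID that is returned with every API call. This value is important to log for debugging
   * purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
   */
  request_id: string;
  connection_id: string;
  /**
   * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g.
   * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
   */
  status_code: number;
}

/**
 * Request body for {@link SSO.getConnections}.
 */
export interface B2BSSOGetConnectionsRequest {
  /**
   * Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to
   * perform operations on an Organization, so be sure to preserve this value. You may also use the
   * organization_slug or organization_external_id here as a convenience.
   */
  organization_id: string;
}

/**
 * Response body for {@link SSO.getConnections}.
 */
export interface B2BSSOGetConnectionsResponse {
  /**
   * Globally unique UUID that is returned with every API call. This value is important to log for debugging
   * purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
   */
  request_id: string;
  /**
   * The list of [SAML Connections](https://stytch.com/docs/b2b/api/saml-connection-object) owned by this
   * organization.
   */
  saml_connections: SAMLConnection[];
  /**
   * The list of [OIDC Connections](https://stytch.com/docs/b2b/api/oidc-connection-object) owned by this
   * organization.
   */
  oidc_connections: OIDCConnection[];
  /**
   * The list of [External Connections](https://stytch.com/docs/b2b/api/external-connection-object) owned by
   * this organization.
   */
  external_connections: Connection[];
  /**
   * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g.
   * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
   */
  status_code: number;
}

/**
 * Client for the Stytch B2B SSO endpoints. Provider-specific connection management lives on the
 * `oidc`, `saml` and `external` sub-clients; this class holds the connection-agnostic operations.
 *
 * Note that the `saml_connections` and `oidc_connections` returned by {@link SSO.getConnections}
 * carry secret material (`client_secret`, `encryption_private_keys`); avoid logging whole responses.
 */
export declare class SSO {
  private fetchConfig;
  oidc: OIDC;
  saml: SAML;
  external: External;
  constructor(fetchConfig: fetchConfig);
  /**
   * Get all SSO Connections owned by the organization.
   * @param params {@link B2BSSOGetConnectionsRequest}
   * @param options {@link B2BSSOGetConnectionsRequestOptions}
   * @returns {@link B2BSSOGetConnectionsResponse}
   * @async
   * @throws A {@link StytchError} on a non-2xx response from the Stytch API
   * @throws A {@link RequestError} when the Stytch API cannot be reached
   */
  getConnections(
    params: B2BSSOGetConnectionsRequest,
    options?: B2BSSOGetConnectionsRequestOptions
  ): Promise<B2BSSOGetConnectionsResponse>;
  /**
   * Delete an existing SSO connection.
   * @param data {@link B2BSSODeleteConnectionRequest}
   * @param options {@link B2BSSODeleteConnectionRequestOptions}
   * @returns {@link B2BSSODeleteConnectionResponse}
   * @async
   * @throws A {@link StytchError} on a non-2xx response from the Stytch API
   * @throws A {@link RequestError} when the Stytch API cannot be reached
   */
  deleteConnection(
    data: B2BSSODeleteConnectionRequest,
    options?: B2BSSODeleteConnectionRequestOptions
  ): Promise<B2BSSODeleteConnectionResponse>;
  /**
   * Authenticate a user given a token.
   * This endpoint verifies that the user completed the SSO Authentication flow by verifying that the token
   * is valid and hasn't expired.
   * Provide the `session_duration_minutes` parameter to set the lifetime of the session.
   * If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60
   * minute duration.
   * To link this authentication event to an existing Stytch session, include either the `session_token` or
   * `session_jwt` param.
   *
   * If the Member is required to complete MFA to log in to the Organization, the returned value of
   * `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
   * The `intermediate_session_token` can be passed into the
   * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms),
   * [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp),
   * or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete
   * the MFA step and acquire a full member session.
   * The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
   *
   * If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an
   * MFA step.
   * @param data {@link B2BSSOAuthenticateRequest}
   * @returns {@link B2BSSOAuthenticateResponse}
   * @async
   * @throws A {@link StytchError} on a non-2xx response from the Stytch API
   * @throws A {@link RequestError} when the Stytch API cannot be reached
   */
  authenticate(data: B2BSSOAuthenticateRequest): Promise<B2BSSOAuthenticateResponse>;
}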