> ## Documentation Index
> Fetch the complete documentation index at: https://openworklabs.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Register organization SAML SSO

> Registers or replaces the active organization SAML SSO provider.



## OpenAPI

````yaml /openapi.json post /v1/sso/saml
openapi: 3.1.0
info:
  title: Den API
  description: >-
    OpenAPI spec for the Den control plane API.


    Authentication:

    - Use `Authorization: Bearer <session-token>` for user-authenticated routes
    that require a Den session.

    - Use `x-api-key: <den-api-key>` for API-key-authenticated routes that
    accept organization API keys.

    - Public routes like health and documentation do not require authentication.


    Swagger tip: use the security schemes in the Authorize dialog to set either
    `bearerAuth` or `denApiKey` before trying protected endpoints.
  version: dev
servers: []
security: []
tags:
  - name: System
    description: Service health and operational routes.
  - name: Organizations
    description: Top-level organization creation and context routes.
  - name: Invitations
    description: Invitation preview, acceptance, creation, and cancellation routes.
  - name: API Keys
    description: Organization API key management routes.
  - name: SCIM
    description: Organization SCIM connector management routes.
  - name: SSO
    description: Organization single sign-on connector management routes.
  - name: Members
    description: Organization member management routes.
  - name: Roles
    description: Organization custom role management routes.
  - name: Teams
    description: Organization team management routes.
  - name: Templates
    description: Organization shared template routes.
  - name: LLM Providers
    description: Organization LLM provider catalog, configuration, and access routes.
  - name: Skills
    description: Organization skill authoring and sharing routes.
  - name: Skill Hubs
    description: Organization skill hub management and access routes.
  - name: Workers
    description: Worker lifecycle, billing, and runtime routes.
  - name: Worker Runtime
    description: Worker runtime inspection and upgrade routes.
  - name: Worker Activity
    description: Worker heartbeat and activity reporting routes.
  - name: Telemetry
    description: Telemetry event ingestion and adoption analytics.
  - name: Admin
    description: Administrative reporting routes.
  - name: Users
    description: Current user and membership routes.
  - name: Bootstrap
    description: Agent-first provisional workspace setup routes.
paths:
  /v1/sso/saml:
    post:
      tags:
        - SSO
      summary: Register organization SAML SSO
      description: Registers or replaces the active organization SAML SSO provider.
      operationId: postV1SsoSaml
      responses:
        '201':
          description: Organization SSO connection created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrganizationSsoConnectionResponse'
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SsoInvalidRequestError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SsoUnauthorizedError'
        '402':
          description: SSO management requires an Enterprise plan.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EnterprisePlanRequiredError'
        '403':
          description: >-
            Only workspace owners or members with security configuration
            permission can manage SSO.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SsoForbiddenError'
        '404':
          description: Organization not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SsoOrganizationNotFoundError'
      security:
        - bearerAuth: []
components:
  schemas:
    OrganizationSsoConnectionResponse:
      type: object
      properties:
        connection:
          anyOf:
            - $ref: '#/components/schemas/OrganizationSsoConnection'
            - type: 'null'
        domainVerificationToken:
          anyOf:
            - type: string
              minLength: 1
            - type: 'null'
      required:
        - connection
    SsoInvalidRequestError:
      type: object
      properties:
        error:
          type: string
          const: invalid_request
        details:
          type: array
          items:
            type: object
            properties:
              message:
                type: string
              path:
                type: array
                items:
                  anyOf:
                    - type: string
                    - type: number
            required:
              - message
            additionalProperties: {}
      required:
        - error
        - details
    SsoUnauthorizedError:
      type: object
      properties:
        error:
          type: string
          const: unauthorized
      required:
        - error
    EnterprisePlanRequiredError:
      type: object
      properties:
        error:
          type: string
          const: enterprise_plan_required
        feature:
          type: string
        message:
          type: string
      required:
        - error
        - feature
        - message
    SsoForbiddenError:
      type: object
      properties:
        error:
          type: string
          enum:
            - forbidden
            - reauth
        reason:
          type: string
        message:
          type: string
      required:
        - error
        - message
    SsoOrganizationNotFoundError:
      type: object
      properties:
        error:
          type: string
          const: organization_not_found
      required:
        - error
    OrganizationSsoConnection:
      type: object
      properties:
        id:
          type: string
        providerId:
          type: string
        kind:
          type: string
          enum:
            - oidc
            - saml
        issuer:
          type: string
          format: uri
        domain:
          type: string
        status:
          type: string
        signInPath:
          type: string
        signInUrl:
          type: string
          format: uri
        redirectUrl:
          type: string
          format: uri
        acsUrl:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
        metadataUrl:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
        domainVerified:
          type: boolean
        oidc:
          anyOf:
            - $ref: '#/components/schemas/OrganizationOidcSsoConfig'
            - type: 'null'
        saml:
          anyOf:
            - $ref: '#/components/schemas/OrganizationSamlSsoConfig'
            - type: 'null'
        lastTestedAt:
          anyOf:
            - type: string
              format: date-time
              pattern: >-
                ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
            - type: 'null'
        lastError:
          anyOf:
            - type: string
            - type: 'null'
        createdAt:
          type: string
          format: date-time
          pattern: >-
            ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
        updatedAt:
          type: string
          format: date-time
          pattern: >-
            ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
      required:
        - id
        - providerId
        - kind
        - issuer
        - domain
        - status
        - signInPath
        - signInUrl
        - redirectUrl
        - acsUrl
        - metadataUrl
        - domainVerified
        - oidc
        - saml
        - lastTestedAt
        - lastError
        - createdAt
        - updatedAt
    OrganizationOidcSsoConfig:
      type: object
      properties:
        clientId:
          anyOf:
            - type: string
            - type: 'null'
        scopes:
          type: array
          items:
            type: string
        skipDiscovery:
          type: boolean
        authorizationEndpoint:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
        tokenEndpoint:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
        jwksEndpoint:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
        userInfoEndpoint:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
        tokenEndpointAuthentication:
          anyOf:
            - type: string
              enum:
                - client_secret_basic
                - client_secret_post
            - type: 'null'
      required:
        - clientId
        - scopes
        - skipDiscovery
        - authorizationEndpoint
        - tokenEndpoint
        - jwksEndpoint
        - userInfoEndpoint
        - tokenEndpointAuthentication
    OrganizationSamlSsoConfig:
      type: object
      properties:
        entryPoint:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
        audience:
          anyOf:
            - type: string
            - type: 'null'
        wantAssertionsSigned:
          type: boolean
      required:
        - entryPoint
        - audience
        - wantAssertionsSigned
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: session-token
      description: >-
        Session token passed as `Authorization: Bearer <session-token>` for
        user-authenticated Den routes.

````