# IdP Federation

Configure SAML/OIDC federation and approve it with platform-admin four-eyes review.

Identity provider federation is configured by a PLATFORM_ADMIN and must be
approved by a second PLATFORM_ADMIN before it becomes public discovery
metadata.
## Routes
| Action | Route |
|---|---|
| Read organization IdP metadata | GET /admin/api/v1/organizations/{id}/idp |
| Configure IdP metadata | POST /admin/api/v1/organizations/{id}/idp |
| Approve IdP metadata | POST /admin/api/v1/organizations/{id}/idp/approve |
| Home realm discovery | POST /api/v1/auth/discover |
## Configure IdP

Example request:

```json
{
  "tenant_id": "11111111-1111-4111-8111-111111111111",
  "provider": "saml",
  "metadata_url": "https://idp.example/metadata",
  "idp_url": "https://idp.example/login",
  "entity_id": "https://idp.example/entity",
  "display_name": "Example IdP"
}
```
The backend stores the metadata with status=PENDING_APPROVAL, requested_by,
and requested_at. Pending metadata is not exposed by auth discovery.
## Approve IdP

Approval request:

```json
{
  "tenant_id": "11111111-1111-4111-8111-111111111111",
  "comment": "Reviewed metadata and callback configuration."
}
```
The approver must be a different platform admin from the requester when
requested_by is present. Approval writes status=APPROVED, approved_by, and
approved_at, then provisions Keycloak when the provisioner is configured.
## Outbound URL Policy

IdP URLs are checked against the same SSRF policy as branding and webhook URLs. By default the backend rejects:

| URL class | Reason |
|---|---|
| localhost, loopback, link-local, private IP ranges | Prevents internal network SSRF. |
| Credential-bearing URLs | Prevents secret leakage in metadata. |
| Non-HTTP(S) schemes | Restricts remote fetch surface. |
Use SECURITY_OUTBOUND_ALLOWED_HOSTS for explicit public hosts or controlled
internal hosts. Use private-network overrides only in controlled internal
deployments.
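The rejection classes in the table above, written out as a standalone check. This is an added example, not the project's own policy code: the function names (`check_outbound_url`, `allowed_hosts`, `check_idp_body`), the comma-separated format assumed for SECURITY_OUTBOUND_ALLOWED_HOSTS, and the choice of which body fields are treated as fetched URLs are assumptions. It classifies IP literals only; a hostname that resolves to an internal address still needs a resolution-time check (resolve, then classify every returned address) in a real deployment.

```python
import ipaddress
import os
from urllib.parse import urlsplit


def allowed_hosts(env=None):
    """Parse SECURITY_OUTBOUND_ALLOWED_HOSTS (assumed comma-separated) into a host set."""
    source = os.environ if env is None else env
    raw = source.get("SECURITY_OUTBOUND_ALLOWED_HOSTS", "")
    return {h.strip().lower() for h in raw.split(",") if h.strip()}


def check_outbound_url(url, allowed=None, allow_private=False):
    """Return None when the URL passes the outbound policy, else a rejection reason.

    allowed:       hosts exempted from the address-class checks (explicit allowlist)
    allow_private: the private-network override for controlled internal deployments
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http(s) scheme"
    if parts.username is not None or parts.password is not None:
        return "credential-bearing url"
    host = parts.hostname  # already lowercased, IPv6 brackets stripped
    if not host:
        return "missing host"
    if allowed and host in allowed:
        return None
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: no literal-address class applies. Resolution-time checks
        # are deliberately out of scope for this example.
        return None
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved:
        return "non-routable address"
    if ip.is_private and not allow_private:
        return "private address"
    return None


def check_idp_body(body, allowed=None, allow_private=False):
    """Apply the policy to the URL fields of an IdP configuration body.

    Assumption: metadata_url and idp_url are the fields the backend fetches or
    redirects to; entity_id is treated as an opaque identifier here.
    Returns {field: reason} for every field that fails, so an empty dict means pass.
    """
    problems = {}
    for field in ("metadata_url", "idp_url"):
        reason = check_outbound_url(body.get(field, ""), allowed, allow_private)
        if reason is not None:
            problems[field] = reason
    return problems


if __name__ == "__main__":
    # Constructed sample body; the public host passes, the private one is reported.
    sample = {"metadata_url": "https://idp.example/metadata",
              "idp_url": "http://10.0.0.5/login"}
    print(check_idp_body(sample))
    print(check_idp_body(sample, allowed=allowed_hosts(
        {"SECURITY_OUTBOUND_ALLOWED_HOSTS": "10.0.0.5"})))
```

The allowlist is consulted before the address-class checks, which matches the page's intent that SECURITY_OUTBOUND_ALLOWED_HOSTS exempts named hosts; `allow_private` is the separate private-network override and leaves loopback and link-local rejected.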
## Failure Semantics
| Failure | Backend behavior |
|---|---|
| Unsupported provider | BAD_REQUEST, provider must be saml or oidc. |
| Tenant mismatch | BAD_REQUEST, body tenant_id must match the organization. |
| Self-approval | FORBIDDEN, approval requires a second platform admin. |
| Keycloak provisioning failure | SERVICE_UNAVAILABLE, approval transaction is rolled back. |
| Pending IdP discovery | Discovery does not expose the pending IdP URL. |
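The configure, approve and discover flow from the sections above, together with the failure semantics in this table, as an in-memory walk-through. This is an added example and not the backend's code: `IdpFederationService`, `IdpRecord`, `ApiError` and the `status_of` accessor are assumed names, the provisioner is a plain callable standing in for the Keycloak provisioner, and the behaviour of approving a record that is not pending (rejected as BAD_REQUEST) is an assumption the page does not define.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Callable, Optional

SUPPORTED_PROVIDERS = {"saml", "oidc"}


class ApiError(Exception):
    """Error surfaced to the API layer; status mirrors the failure table."""

    def __init__(self, status: str, message: str):
        super().__init__(message)
        self.status = status  # BAD_REQUEST | FORBIDDEN | SERVICE_UNAVAILABLE


@dataclass
class IdpRecord:
    tenant_id: str
    provider: str
    metadata_url: str
    idp_url: str
    entity_id: str
    display_name: str
    status: str = "PENDING_APPROVAL"
    requested_by: Optional[str] = None
    requested_at: Optional[datetime] = None
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None


class IdpFederationService:
    """In-memory stand-in for the backend's IdP store (hypothetical)."""

    def __init__(self, provisioner: Optional[Callable[[IdpRecord], None]] = None):
        self._records: dict = {}         # organization id -> IdpRecord
        self.audit: list = []            # (action, org_id, actor) tuples
        self._provisioner = provisioner  # stands in for the Keycloak provisioner

    def configure(self, org_id, body, actor):
        if body.get("provider") not in SUPPORTED_PROVIDERS:
            raise ApiError("BAD_REQUEST", "provider must be saml or oidc")
        if body.get("tenant_id") != org_id:
            raise ApiError("BAD_REQUEST", "body tenant_id must match the organization")
        record = IdpRecord(
            tenant_id=org_id, provider=body["provider"],
            metadata_url=body["metadata_url"], idp_url=body["idp_url"],
            entity_id=body["entity_id"], display_name=body["display_name"],
            requested_by=actor, requested_at=datetime.now(timezone.utc),
        )
        self._records[org_id] = record
        self.audit.append(("CONFIGURE", org_id, actor))
        return record

    def approve(self, org_id, body, actor):
        if body.get("tenant_id") != org_id:
            raise ApiError("BAD_REQUEST", "body tenant_id must match the organization")
        record = self._records.get(org_id)
        if record is None or record.status != "PENDING_APPROVAL":
            # Assumed behaviour: the page does not define approving a non-pending record.
            raise ApiError("BAD_REQUEST", "no IdP metadata pending approval")
        # Four-eyes rule: approver must differ from the requester when one is recorded.
        if record.requested_by is not None and record.requested_by == actor:
            raise ApiError("FORBIDDEN", "approval requires a second platform admin")
        snapshot = replace(record)  # kept so a provisioning failure can roll back
        record.status = "APPROVED"
        record.approved_by = actor
        record.approved_at = datetime.now(timezone.utc)
        if self._provisioner is not None:
            try:
                self._provisioner(record)
            except Exception as exc:
                self._records[org_id] = snapshot  # roll the approval back
                raise ApiError("SERVICE_UNAVAILABLE", "IdP provisioning failed") from exc
        self.audit.append(("APPROVE", org_id, actor))
        return record

    def status_of(self, org_id):
        record = self._records.get(org_id)
        return None if record is None else record.status

    def discover(self, tenant_id):
        """Home realm discovery: only APPROVED metadata is ever returned."""
        record = self._records.get(tenant_id)
        if record is None or record.status != "APPROVED":
            return None
        return {"provider": record.provider, "idp_url": record.idp_url,
                "entity_id": record.entity_id, "display_name": record.display_name}


# Constructed sample walk-through using the page's example request body.
ORG_ID = "11111111-1111-4111-8111-111111111111"
SAMPLE_BODY = {
    "tenant_id": ORG_ID, "provider": "saml",
    "metadata_url": "https://idp.example/metadata", "idp_url": "https://idp.example/login",
    "entity_id": "https://idp.example/entity", "display_name": "Example IdP",
}

if __name__ == "__main__":
    svc = IdpFederationService()
    svc.configure(ORG_ID, SAMPLE_BODY, actor="admin-a")
    print(svc.status_of(ORG_ID), svc.discover(ORG_ID))
    svc.approve(ORG_ID, {"tenant_id": ORG_ID, "comment": "ok"}, actor="admin-b")
    print(svc.status_of(ORG_ID), svc.discover(ORG_ID)["idp_url"])
```

The rollback is done by restoring a snapshot taken before the status change, so a failed provisioner call leaves the record PENDING_APPROVAL and discovery still returns nothing; in a database-backed implementation the same effect comes from running the status update and the provisioning call inside one transaction.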
## Admin Checklist
| Step | Check |
|---|---|
| Configure IdP | Status is PENDING_APPROVAL; requester is correct. |
| Second admin review | Metadata URL, login URL, entity ID, redirect/callback behavior, and display name are correct. |
| Approve | Status is APPROVED; audit record exists. |
| Discover | POST /api/v1/auth/discover returns IdP details only after approval. |