Single Sign-On operations
📄️ Validate SSO credential creation
Validates that the requesting identity has permission to SSO into the given SP. Notifies the client user agent whether the SSO request was successfully initiated.
📄️ Initialize SSO credential creation
Associates a given verification_public_key to the SSO enrollment entry for the requesting identity and the given session_id. If successful, notifies the client's user agent to create a corresponding Passkey.
📄️ Start SSO authentication flow
Handle incoming requests issued by the Service Provider (SP). Returns a web page that initiates the end-user authentication. Requires a base64-encoded SAMLRequest query parameter containing data needed to produce a matching SAML Response.
📄️ Start SSO authentication flow (POST)
Same as the GET variant, but accepts the parameters as form data.
📄️ Subscribe to SSO enrollment events
Browsers subscribe to this event stream to be notified about enrollment events regarding their device_id.
📄️ Get SSO enrollment status
Returns the SSO enrollment status for a given session_id. The session_id should be signed by the verification public key provided by the phone. Any error (non-existent session_id, non-existent verification public key, invalid signature, etc.) is reported as a 400 error to avoid leaking information about the current state of the DB.
📄️ Finalize SSO credential enrollment
Finalizes the process of enrolling an SSO credential (identified by the given session_id) by updating the DB entry with data from the provided attestation.
📄️ Authenticate with passkey
Authenticates the requesting user and creates a corresponding (success/failure) SAMLResponse object to be sent back to the SP.
📄️ Authenticate with challenge
Authenticates an SSO client with the session's challenge signed by a verified public key.