Resource: InboundSsoAssignment
Targets with "set" SSO assignments and their respective assignments.
JSON representation |
---|
{ "name" : string , "customer" : string , "rank" : integer , "ssoMode" : enum ( |
name
string
Output only. Resource name of the Inbound SSO Assignment.
customer
string
Immutable. The customer. For example: customers/C0123abc.
rank
integer
Must be zero (which is the default value so it can be omitted) for assignments with targetOrgUnit set and must be greater-than-or-equal-to one for assignments with targetGroup set.
ssoMode
enum (SsoMode)
Inbound SSO behavior.
samlSsoInfo
object (SamlSsoInfo)
SAML SSO details. Must be set if and only if ssoMode is set to SAML_SSO.
oidcSsoInfo
object (OidcSsoInfo)
OpenID Connect SSO details. Must be set if and only if ssoMode is set to OIDC_SSO.
signInBehavior
object (SignInBehavior)
Assertions about users assigned to an IdP will always be accepted from that IdP. This controls whether/when Google should redirect a user to the IdP. Unset (defaults) is the recommended configuration.
Union field target. Target of the assignment.
When multiple assignments apply to a given user, precedence is as follows:
1) The applicable group-targeting assignment with the numerically-lowest rank takes precedence.
2) If no group-targeting assignments apply, the applicable orgUnit-targeting assignment on the innermost-enclosing Organizational Unit takes precedence.
target can be only one of the following:
targetGroup
string
Immutable. Must be of the form groups/{group}.
targetOrgUnit
string
Immutable. Must be of the form orgUnits/{orgUnit}.
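The field constraints and precedence rules above, modelled locally in Python as an added example (not part of the API reference and not Google's code). validate() and effective_assignment() are hypothetical helpers, the sample assignments and profile names are constructed placeholders, and the caller is assumed to supply the user's groups and org-unit chain.

```python
# Added example: local model of the InboundSsoAssignment rules on this page.
# validate() and effective_assignment() are hypothetical helpers, not API calls.

def validate(a):
    """Return a list of constraint violations for one assignment dict."""
    errs = []
    has_group, has_ou = "targetGroup" in a, "targetOrgUnit" in a
    if has_group == has_ou:
        errs.append("target must be exactly one of targetGroup / targetOrgUnit")
    rank = a.get("rank", 0)  # zero is the default, so it may be omitted
    if has_ou and rank != 0:
        errs.append("rank must be zero when targetOrgUnit is set")
    if has_group and rank < 1:
        errs.append("rank must be >= 1 when targetGroup is set")
    mode = a.get("ssoMode", "SSO_MODE_UNSPECIFIED")
    if mode == "SSO_MODE_UNSPECIFIED":
        errs.append("ssoMode SSO_MODE_UNSPECIFIED is not allowed")
    if ("samlSsoInfo" in a) != (mode == "SAML_SSO"):
        errs.append("samlSsoInfo must be set if and only if ssoMode is SAML_SSO")
    if ("oidcSsoInfo" in a) != (mode == "OIDC_SSO"):
        errs.append("oidcSsoInfo must be set if and only if ssoMode is OIDC_SSO")
    return errs

def effective_assignment(assignments, user_groups, ou_chain):
    """ou_chain lists the user's org units from innermost to outermost."""
    groups = [a for a in assignments if a.get("targetGroup") in user_groups]
    if groups:  # 1) lowest-ranked applicable group assignment wins
        return min(groups, key=lambda a: a.get("rank", 0))
    by_ou = {a["targetOrgUnit"]: a for a in assignments if "targetOrgUnit" in a}
    for ou in ou_chain:  # 2) innermost enclosing org unit wins
        if ou in by_ou:
            return by_ou[ou]
    return None

# Constructed sample data; every identifier below is a placeholder.
ASSIGNMENTS = [
    {"targetOrgUnit": "orgUnits/root", "ssoMode": "SAML_SSO",
     "samlSsoInfo": {"inboundSamlSsoProfile": "PLACEHOLDER_SAML_PROFILE"}},
    {"targetOrgUnit": "orgUnits/contractors", "ssoMode": "OIDC_SSO",
     "oidcSsoInfo": {"inboundOidcSsoProfile": "PLACEHOLDER_OIDC_PROFILE"}},
    {"targetGroup": "groups/breakglass", "rank": 1, "ssoMode": "SSO_OFF"},
    {"targetGroup": "groups/pilot", "rank": 2, "ssoMode": "SAML_SSO",
     "samlSsoInfo": {"inboundSamlSsoProfile": "PLACEHOLDER_SAML_PROFILE"}},
]
```

With the sample data, a member of groups/breakglass resolves to SSO_OFF even though every enclosing org unit uses an external IdP, which is the case to look for when auditing group-targeted assignments.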
SsoMode
Inbound SSO behaviors.
Enums | |
---|---|
SSO_MODE_UNSPECIFIED | Not allowed. |
SSO_OFF | Disable SSO for the targeted users. |
SAML_SSO | Use an external SAML Identity Provider for SSO for the targeted users. |
OIDC_SSO | Use an external OIDC Identity Provider for SSO for the targeted users. |
DOMAIN_WIDE_SAML_IF_ENABLED | Use the domain-wide SAML Identity Provider for the targeted users if one is configured; otherwise, this is equivalent to SSO_OFF. Note that this will also be equivalent to SSO_OFF if/when support for domain-wide SAML is removed. Google may disallow this mode at that point and existing assignments with this mode may be automatically changed to SSO_OFF. |
SamlSsoInfo
Details that are applicable when ssoMode == SAML_SSO.
JSON representation |
---|
{ "inboundSamlSsoProfile" : string } |
Fields | |
---|---|
inboundSamlSsoProfile | Required. Name of the |
OidcSsoInfo
Details that are applicable when ssoMode is set to OIDC_SSO.
JSON representation |
---|
{ "inboundOidcSsoProfile" : string } |
Fields | |
---|---|
inboundOidcSsoProfile | Required. Name of the |
SignInBehavior
Controls sign-in behavior.
JSON representation |
---|
{ "redirectCondition" : enum ( |
Fields | |
---|---|
redirectCondition | When to redirect sign-ins to the IdP. |
RedirectCondition
Controls redirection to the IdP.
Enums | |
---|---|
REDIRECT_CONDITION_UNSPECIFIED | Default and means "always" |
NEVER | Sign-in flows where the user is prompted for their identity will not redirect to the IdP (so the user will most likely be prompted by Google for a password), but special flows like IdP-initiated SAML and sign-in following automatic redirection to the IdP by domain-specific service URLs will accept the IdP's assertion of the user's identity. |
Methods | |
---|---|
| Creates an InboundSsoAssignment for users and devices in a Customer under a given Group or OrgUnit. |
| Deletes an InboundSsoAssignment. |
| Gets an InboundSsoAssignment. |
| Lists the InboundSsoAssignments for a Customer. |
| Updates an InboundSsoAssignment. |