Intended Documentation

Identity Provider Operations

Check identity readiness state, execute SSO flows, and operate SCIM provisioning endpoints.

The Intended identity runtime includes:

  • enterprise identity state endpoint
  • portal/backoffice SSO endpoints (OIDC + SAML)
  • SCIM v2 user/group provisioning routes

Inspect Tenant Identity State

  • GET /admin/identity?tenantId=<tenant>

```bash
curl "https://api.intended.so/admin/identity?tenantId=tenant_acme_prod" \
  -H "Authorization: Bearer mrt_live_abc123" \
  -H "x-tenant-id: tenant_acme_prod"
```

The response includes the readiness state (not_configured | partial | ready) and provider metadata.

SSO Runtime Endpoints

Portal SSO flow:

  • GET /amp/auth/sso/start
  • GET /amp/auth/sso/callback
  • POST /amp/auth/sso/saml/acs

Backoffice SSO flow:

  • GET /ebo/auth/sso/start
  • GET /ebo/auth/sso/callback

Info: OIDC and SAML callback handling is active when the tenant identity readiness state is ready.

SCIM v2 Provisioning

SCIM routes:

  • GET /scim/v2/Users
  • POST /scim/v2/Users
  • PATCH /scim/v2/Users/:id
  • GET /scim/v2/Groups
  • POST /scim/v2/Groups
  • PATCH /scim/v2/Groups/:id

SCIM routes require verified tenant context and enforce fail-closed authorization.
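
A sketch of what fail-closed authorization with verified tenant context can look like for the routes listed above. This is an added example, not Intended's code: the token table, the scim:read and scim:write scope names, the lower-cased header keys, and the rule that x-tenant-id must match the tenant bound to the token are assumptions made for illustration.

```python
import hmac

# Constructed sample data (assumption): token -> (issued tenant, scopes).
TOKENS = {
    "mrt_live_abc123": ("tenant_acme_prod", {"scim:read", "scim:write"}),
    "mrt_live_readonly": ("tenant_acme_prod", {"scim:read"}),
}
# Only routes listed on this page are known; the bool marks an /:id suffix.
ROUTES = {}
for res in ("Users", "Groups"):
    ROUTES[("GET", res, False)] = "scim:read"
    ROUTES[("POST", res, False)] = "scim:write"
    ROUTES[("PATCH", res, True)] = "scim:write"


def _lookup(token):
    """Compare against every known token in constant time per comparison."""
    found = None
    for known, record in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            found = record
    return found


def authorize(method, path, headers):
    """Return (allowed, detail); anything short of an explicit allow denies."""
    try:
        parts = path.strip("/").split("/")
        if parts[:2] != ["scim", "v2"] or len(parts) not in (3, 4):
            return False, "unknown route"
        scope = ROUTES.get((method, parts[2], len(parts) == 4))
        if scope is None:
            return False, "unknown route"
        scheme, _, token = headers.get("authorization", "").partition(" ")
        record = _lookup(token) if scheme == "Bearer" and token else None
        if record is None:
            return False, "invalid credentials"
        tenant, scopes = record
        claimed = headers.get("x-tenant-id", "")
        # Tenant context comes from the verified token; the header must agree.
        if not hmac.compare_digest(claimed.encode(), tenant.encode()):
            return False, "tenant mismatch"
        if scope not in scopes:
            return False, "insufficient scope"
        return True, tenant
    except Exception:
        return False, "internal error"  # errors never fall through to allow
```

The tenant returned on success is the one bound to the token, so downstream handlers never need to trust the client-supplied header.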

Create User Example

```bash
curl -X POST https://api.intended.so/scim/v2/Users \
  -H "Authorization: Bearer mrt_live_abc123" \
  -H "x-tenant-id: tenant_acme_prod" \
  -H "Content-Type: application/json" \
  -d '{
    "userName": "alice@acme.com",
    "externalId": "idp-user-123",
    "name": { "givenName": "Alice", "familyName": "Ng" },
    "emails": [{ "value": "alice@acme.com", "primary": true }],
    "active": true
  }'
```
