REST Resource: inboundSsoAssignments

Resource: InboundSsoAssignment

Targets that have SSO assignments set, and their respective assignments.

JSON representation
{
  "name": string,
  "customer": string,
  "rank": integer,
  "ssoMode": enum (SsoMode),
  "samlSsoInfo": {
    object (SamlSsoInfo)
  },
  "signInBehavior": {
    object (SignInBehavior)
  },

  // Union field target can be only one of the following:
  "targetGroup": string,
  "targetOrgUnit": string
  // End of list of possible types for union field target.
}
Fields
name

string

Output only. Resource name of the Inbound SSO Assignment.

customer

string

Immutable. The customer.

For example: customers/C0123abc.

rank

integer

Must be zero (the default value, so it can be omitted) for assignments with targetOrgUnit set, and must be greater than or equal to one for assignments with targetGroup set.

ssoMode

enum (SsoMode)

Inbound SSO behavior.

samlSsoInfo

object (SamlSsoInfo)

SAML SSO details. Must be set if and only if ssoMode is set to SAML_SSO.

signInBehavior

object (SignInBehavior)

Assertions about users assigned to an IdP will always be accepted from that IdP. This controls whether/when Google should redirect a user to the IdP. Unset (defaults) is the recommended configuration.

Union field target. Target of the assignment.

When multiple assignments apply to a given user, precedence is as follows:

1) The applicable group-targeting assignment with the numerically-lowest rank takes precedence.

2) If no group-targeting assignments apply, the applicable orgUnit-targeting assignment on the innermost-enclosing Organizational Unit takes precedence.


target can be only one of the following:

targetGroup

string

Immutable. Must be of the form groups/{group}.

targetOrgUnit

string

Immutable. Must be of the form orgUnits/{orgUnit}.
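
The field rules and precedence order above, as an added example (not part of the API reference and not Google's code). The function names validate and effective, the caller-supplied ou_chain list, and all group, OU and profile names are assumptions made for illustration; an audit can use the same logic to see which users end up on SSO_OFF because a group assignment outranks their OU's SAML assignment.

```python
# Added example: field rules and precedence for InboundSsoAssignment objects.
# All group, OU and profile names are constructed sample values.

def validate(a):
    """Return the rule violations for one assignment dict (empty list if valid)."""
    errs = []
    has_group, has_ou = "targetGroup" in a, "targetOrgUnit" in a
    if has_group == has_ou:
        errs.append("exactly one of targetGroup/targetOrgUnit must be set")
    rank = a.get("rank", 0)  # zero is the default, so it can be omitted
    if has_ou and rank != 0:
        errs.append("rank must be 0 with targetOrgUnit")
    if has_group and rank < 1:
        errs.append("rank must be >= 1 with targetGroup")
    mode = a.get("ssoMode", "SSO_MODE_UNSPECIFIED")
    if mode == "SSO_MODE_UNSPECIFIED":
        errs.append("SSO_MODE_UNSPECIFIED is not allowed")
    if (mode == "SAML_SSO") != ("samlSsoInfo" in a):
        errs.append("samlSsoInfo must be set if and only if ssoMode is SAML_SSO")
    return errs

def effective(assignments, user_groups, ou_chain):
    """Return the assignment that takes precedence for one user, or None.

    user_groups: set of "groups/{group}" names the user is a member of.
    ou_chain: the user's enclosing OUs, innermost first (caller-supplied).
    """
    by_group = [a for a in assignments if a.get("targetGroup") in user_groups]
    if by_group:  # rule 1: numerically lowest rank among applicable groups
        return min(by_group, key=lambda a: a["rank"])
    by_ou = {a["targetOrgUnit"]: a for a in assignments if "targetOrgUnit" in a}
    for ou in ou_chain:  # rule 2: innermost enclosing OU with an assignment
        if ou in by_ou:
            return by_ou[ou]
    return None

SAMPLE = [  # constructed
    {"targetOrgUnit": "orgUnits/root", "ssoMode": "SAML_SSO",
     "samlSsoInfo": {"inboundSamlSsoProfile": "inboundSamlSsoProfiles/corp"}},
    {"targetOrgUnit": "orgUnits/contractors", "ssoMode": "SSO_OFF"},
    {"targetGroup": "groups/breakglass", "rank": 1, "ssoMode": "SSO_OFF"},
    {"targetGroup": "groups/eng", "rank": 2, "ssoMode": "SAML_SSO",
     "samlSsoInfo": {"inboundSamlSsoProfile": "inboundSamlSsoProfiles/eng"}},
]

if __name__ == "__main__":
    chain = ["orgUnits/contractors", "orgUnits/root"]
    for groups in (set(), {"groups/eng"}, {"groups/eng", "groups/breakglass"}):
        print(sorted(groups), "->", effective(SAMPLE, groups, chain)["ssoMode"])
```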

SsoMode

Inbound SSO behaviors.

Enums
SSO_MODE_UNSPECIFIED Not allowed.
SSO_OFF Disable SSO for the targeted users.
SAML_SSO Use an external SAML Identity Provider for SSO for the targeted users.
DOMAIN_WIDE_SAML_IF_ENABLED Use the domain-wide SAML Identity Provider for the targeted users if one is configured; otherwise, this is equivalent to SSO_OFF. Note that this will also be equivalent to SSO_OFF if/when support for domain-wide SAML is removed. Google may disallow this mode at that point and existing assignments with this mode may be automatically changed to SSO_OFF.

SamlSsoInfo

Details that are applicable when ssoMode == SAML_SSO.

JSON representation
{
  "inboundSamlSsoProfile": string
}
Fields
inboundSamlSsoProfile

string

Required. Name of the InboundSamlSsoProfile to use. Must be of the form inboundSamlSsoProfiles/{inboundSamlSsoProfile}.

SignInBehavior

Controls sign-in behavior.

JSON representation
{
  "redirectCondition": enum (RedirectCondition)
}
Fields
redirectCondition

enum (RedirectCondition)

When to redirect sign-ins to the IdP.

RedirectCondition

Controls redirection to the IdP.

Enums
REDIRECT_CONDITION_UNSPECIFIED Default; means "always".
NEVER Sign-in flows where the user is prompted for their identity will not redirect to the IdP (so the user will most likely be prompted by Google for a password), but special flows like IdP-initiated SAML and sign-in following automatic redirection to the IdP by domain-specific service URLs will accept the IdP's assertion of the user's identity.

Methods

create

Creates an InboundSsoAssignment for users and devices in a Customer under a given Group or OrgUnit.

delete

Deletes an InboundSsoAssignment.

get

Gets an InboundSsoAssignment.

list

Lists the InboundSsoAssignments for a Customer.

patch

Updates an InboundSsoAssignment.