Date: 2025-08-27

acs string AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).

allow_idp_initiated boolean AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.

assertion_key_pair object EncryptionKeyPair is a key pair used for decrypting SAML assertions.

attributes_to_roles []object AttributesToRoles is a list of mappings of attribute statements to roles.

audience string Audience uniquely identifies our service provider.

cert string Cert is the identity provider certificate PEM. The IdP signs <Response> messages using this certificate.

client_redirect_settings object ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones.

display string Display controls how this connector is displayed.

entity_descriptor string EntityDescriptor is XML containing the entity descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.

entity_descriptor_url string EntityDescriptorURL is a URL that supplies a configuration XML.

force_authn string or integer ForceAuthn specifies whether re-authentication should be forced on login. UNSPECIFIED is treated as NO. Can be either the string or the integer representation of each option.

issuer string Issuer is the identity provider issuer.

mfa object MFASettings contains settings to enable SSO MFA checks through this auth connector.

preferred_request_binding string PreferredRequestBinding is the preferred SAML request binding method. The value must be either "http-post" or "http-redirect". In general, the SAML identity provider lists the request binding methods it supports, and the SAML service provider uses whichever of those IdP-supported methods it prefers. However, we never honored the request binding value provided by the IdP and always used the http-redirect binding as a default. Setting PreferredRequestBinding lets us preserve existing auth connector behavior and use the http-post binding only if it is explicitly configured.

provider string Provider is the external identity provider.

service_provider_issuer string ServiceProviderIssuer is the issuer of the service provider (Teleport).

signing_key_pair object SigningKeyPair is an X.509 key pair used to sign the AuthnRequest.

single_logout_url string SingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out). If this is not provided, SLO is disabled.
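
The defaults and constraints stated in the field descriptions above (allowed binding values, the http-redirect default, SLO disabled without a logout URL, unspecified force_authn treated as NO) can be checked before a connector is applied. The following is an added example, not Teleport's own code: `lint_saml_spec`, the severity levels, the exact-match comparison of binding values, and the https-only URL policy are assumptions made for illustration, and the sample spec is constructed.

```python
from urllib.parse import urlparse

# The two values the reference permits; exact-match comparison is an assumption.
ALLOWED_BINDINGS = {"http-post", "http-redirect"}
URL_FIELDS = ("acs", "entity_descriptor_url", "single_logout_url")

def lint_saml_spec(spec):
    """Return (level, field, message) findings for a parsed connector spec dict."""
    findings = []

    binding = spec.get("preferred_request_binding")
    if binding is None:
        findings.append(("info", "preferred_request_binding",
                         "unset: http-redirect is used"))
    elif binding not in ALLOWED_BINDINGS:
        findings.append(("error", "preferred_request_binding",
                         f"{binding!r} is not http-post or http-redirect"))

    if not spec.get("single_logout_url"):
        findings.append(("info", "single_logout_url", "unset: SLO is disabled"))

    if "force_authn" not in spec:
        findings.append(("info", "force_authn", "unset: treated as NO"))

    if spec.get("allow_idp_initiated") is True:
        findings.append(("warn", "allow_idp_initiated",
                         "IdP-initiated logins accepted; confirm this is intended"))

    # Assumed review policy (not stated in the reference): URLs must be https.
    for field in URL_FIELDS:
        value = spec.get(field)
        if value and urlparse(value).scheme != "https":
            findings.append(("warn", field, f"{value!r} is not an https URL"))

    return findings

# Constructed sample spec; host names and paths are placeholders.
SAMPLE_SPEC = {
    "acs": "https://teleport.example.com/v1/webapi/saml/acs/example",
    "entity_descriptor_url": "http://idp.example.com/metadata",
    "preferred_request_binding": "HTTP-POST",
    "allow_idp_initiated": True,
}

if __name__ == "__main__":
    for level, field, message in lint_saml_spec(SAMPLE_SPEC):
        print(f"{level:5} {field}: {message}")
```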