Recomly Docs
Single Sign-On

Update SSO provider

Partially update an existing SSO provider.

PATCH /app/sso/providers/{providerId}

Partially updates an SSO provider. Only the fields you include are changed. Requires the admin role and the SSO plan feature.

  • providerType is immutable — you cannot switch a provider between SAML and OIDC.
  • If domains is provided, it replaces the entire domain set atomically. Domains already owned by this provider are accepted freely; domains owned by another provider return 409.
  • For OIDC providers, send oidcClientSecret as an empty string to leave the existing secret unchanged; send a non-empty value to update it.
  • When samlMetadataXml is updated, idpLogoutUrl is re-extracted automatically. When oidcIssuer is updated, the discovery document is re-fetched to refresh idpLogoutUrl.

Path parameters

| Parameter | Description |
| --- | --- |
| providerId | The UUID of the SSO provider. |

Request

See API Basics for required headers.

All request body fields are optional. Include only the fields you want to update.

| Field | Type | Description |
| --- | --- | --- |
| name | string | Display name for the provider. Max 100 characters. |
| enabled | boolean | Whether the provider is active for SSO login. |
| domains | string[] | Replacement domain set (1–5 domains). Replaces the full existing set. |
| samlMetadataXml | string | Updated IdP federation metadata XML (SAML only). Max 50,000 characters. |
| oidcIssuer | string | Issuer URL (OIDC only). |
| oidcClientId | string | Client ID (OIDC only). |
| oidcClientSecret | string | Client secret (OIDC only). Send empty string to keep existing. |
| oidcAuthorizationEndpoint | string | Authorization endpoint URL (OIDC only). |
| oidcTokenEndpoint | string | Token endpoint URL (OIDC only). |
| oidcUserInfoEndpoint | string | UserInfo endpoint URL (OIDC only). |
| oidcJwksUri | string | JWKS URI (OIDC only). |

Sample request

curl -X PATCH https://api.recomly.com/app/sso/providers/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer rk_live_abc123:def456" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": false,
    "domains": ["acme.com"]
  }'
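
Because `domains` replaces the whole set, a client that wants to add or remove one domain has to merge against the current record first. The following is an added example, not Recomly's own code: `build_patch_body` and `redact` are hypothetical helper names, and lower-casing domains before comparison is an assumption about how the API compares them.

```python
# Added example: builds the PATCH body client-side; makes no network calls.
MAX_DOMAINS = 5       # field table: 1-5 domains
MAX_NAME_LEN = 100    # field table: max 100 characters
OIDC_ONLY = {"oidcIssuer", "oidcClientId", "oidcClientSecret",
             "oidcAuthorizationEndpoint", "oidcTokenEndpoint",
             "oidcUserInfoEndpoint", "oidcJwksUri"}


def build_patch_body(current, add_domains=(), remove_domains=(), **changes):
    """Build a body for PATCH /app/sso/providers/{providerId}.

    `current` is the record from Get SSO provider. Domain edits are merged
    into the existing set, because `domains` replaces the whole set.
    """
    if "providerType" in changes:
        raise ValueError("providerType is immutable")
    if "domains" in changes:
        raise ValueError("pass add_domains/remove_domains, not a raw list")
    is_saml = current["providerType"] == "SAML"
    if is_saml and OIDC_ONLY & changes.keys():
        raise ValueError("OIDC-only field on a SAML provider")
    if not is_saml and "samlMetadataXml" in changes:
        raise ValueError("samlMetadataXml is SAML only")
    if len(changes.get("name", "")) > MAX_NAME_LEN:
        raise ValueError("name exceeds 100 characters")

    body = dict(changes)
    if add_domains or remove_domains:
        # Assumption: domains compare case-insensitively, so normalise.
        drop = {d.strip().lower() for d in remove_domains}
        keep = [d.lower() for d in current["domains"] if d.lower() not in drop]
        for d in (x.strip().lower() for x in add_domains):
            if d not in keep:
                keep.append(d)
        if not 1 <= len(keep) <= MAX_DOMAINS:
            raise ValueError("domain set must hold 1-5 domains")
        body["domains"] = keep
    if OIDC_ONLY & body.keys() and "oidcClientSecret" not in body:
        body["oidcClientSecret"] = ""   # empty string keeps the stored secret
    return body


def redact(body):
    """Copy of `body` safe to log: a non-empty client secret is masked."""
    return {k: "***" if k == "oidcClientSecret" and v else v
            for k, v in body.items()}


if __name__ == "__main__":
    record = {"providerType": "SAML", "domains": ["acme.com", "acme.io"]}  # constructed
    print(build_patch_body(record, remove_domains=["acme.io"], enabled=False))
```

Log `redact(body)` rather than `body` when a secret rotation is in flight.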

Sample response

Status: 200 OK

Returns the full updated provider record. Shape is identical to Get SSO provider.

{
  "providerId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "name": "Acme SAML",
  "providerType": "SAML",
  "cognitoProviderName": "PLATFORM-a1b2c3d4-ef123456",
  "enabled": false,
  "domains": ["acme.com"],
  "samlMetadataXml": "<?xml version=\"1.0\"?>...",
  "idpLogoutUrl": "https://idp.acme.com/saml/logout",
  "createdAt": "2026-01-10T12:00:00.000Z",
  "updatedAt": "2026-05-01T10:00:00.000Z"
}

Error responses

See API Basics for standard status codes and error response format.

| Status | Meaning |
| --- | --- |
| 400 | Validation error, or the SAML metadata is invalid or contains expired certificates. See error in the response body. |
| 403 | SSO feature not enabled on the plan. |
| 404 | SSO provider not found or does not belong to the caller's organization. |
| 409 | One or more of the specified domains is already in use by another provider. |
