SAML IdP (be an SSO source)
Qeet ID as a SAML Identity Provider — register downstream service providers, publish IdP metadata, and serve SP-initiated and IdP-initiated SSO.
Qeet ID can act as a SAML Identity Provider (IdP) — the SSO source that downstream service providers (your own apps, or third-party SaaS) authenticate against. This is the inverse of SAML SP.
Being the IdP is rarer — and implemented
Many CIAM products consume SAML but can't be a SAML IdP. Qeet ID does both. Assertions are signed with RSA-SHA256 and served from the hosted-login SSO session.
Register a downstream SP
Register each service provider that will trust Qeet ID, with its entity ID and ACS URL.
/v1/tenants/{tenantID}/saml-providers - Register a downstream SP
/v1/tenants/{tenantID}/saml-providers - List downstream SPs
/v1/tenants/{tenantID}/saml-providers/{id} - Update an SP
The admin dashboard exposes this as a Service-Provider registry (with metadata).
IdP metadata
Give the downstream SP your IdP metadata XML (entity ID, SSO URL, signing certificate).
/saml/idp/metadata - IdP metadata XML
Single Sign-On
The IdP SingleSignOnService accepts the SP's SAMLRequest. If the user has a
hosted-login SSO session it returns an auto-submitting POST form with a signed
SAMLResponse to the SP's ACS; otherwise it redirects to the hosted login first. Both
HTTP-Redirect and HTTP-POST bindings are supported. IdP-initiated SSO works the same
way from the hosted-login session.
/saml/idp/sso - SSO (HTTP-Redirect binding)
/saml/idp/sso - SSO (HTTP-POST binding, CSRF-exempt)
Because IdP SSO is served from the hosted-login SSO session, the same session can drive OIDC, SAML-IdP, and the device grant — a single sign-on across protocols.
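The registered entity ID and ACS URL are what let an IdP decide where a signed SAMLResponse may be posted. The sketch below is an added example, not Qeet ID's code: it decodes an HTTP-Redirect binding SAMLRequest (base64 over raw DEFLATE) and resolves the ACS strictly from a registry. The registry contents, function names, and size limit are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed registry (hypothetical values): SP entity ID -> registered ACS URL.
REGISTERED_SPS = {"https://app.example.com/saml": "https://app.example.com/saml/acs"}


def decode_redirect_request(saml_request: str, max_bytes: int = 65536) -> bytes:
    """HTTP-Redirect binding: base64, then raw DEFLATE, with an output size cap."""
    inflater = zlib.decompressobj(-15)  # -15 = raw DEFLATE, no zlib header
    xml = inflater.decompress(base64.b64decode(saml_request, validate=True), max_bytes)
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size limit")
    return xml


def resolve_acs(xml: bytes, registry: dict) -> str:
    """Return the ACS URL the response may be posted to, or raise ValueError."""
    # Refuse DTDs before parsing; ElementTree does not reject them itself.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    issuer = (root.findtext("{%s}Issuer" % SAML) or "").strip()
    if issuer not in registry:
        raise ValueError("unknown service provider")
    requested = root.get("AssertionConsumerServiceURL")
    # The registration is authoritative: a requested ACS must match it exactly.
    if requested is not None and requested != registry[issuer]:
        raise ValueError("ACS URL does not match registration")
    return registry[issuer]


def sample_request(issuer: str, acs: str) -> str:
    """Build a constructed SAMLRequest parameter the way an SP would."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_a1" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="%s">'
           '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>' % (SAMLP, SAML, acs, issuer))
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()


if __name__ == "__main__":
    good = sample_request("https://app.example.com/saml", "https://app.example.com/saml/acs")
    print(resolve_acs(decode_redirect_request(good), REGISTERED_SPS))
```

Because the ACS is taken from the registration rather than from the request, a request naming a different AssertionConsumerServiceURL is rejected instead of redirecting the signed response.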