SAML SP (consume external IdPs)
Let your customers sign in with their own SAML IdP — connection registry, SP metadata, SP-initiated login, ACS, and JIT provisioning.
As a Service Provider (SP), Qeet ID consumes your customers' SAML identity providers (Okta, Entra ID / Azure AD, Google Workspace, OneLogin, ADFS, …). Their employees sign in with credentials they already have, and Qeet ID JIT-provisions the user on first login.
Register a connection
Each external IdP is a per-tenant SAML connection.
/v1/tenants/{tenantID}/saml    Create an external-IdP SAML connection
/v1/tenants/{tenantID}/saml    List connections
/v1/tenants/{tenantID}/saml/{id}    Update a connection
SP metadata
Hand your customer's IdP admin the per-connection SP metadata XML (entity ID, ACS URL, certificate) so they can configure their side.
/saml/metadata/{id}    SP metadata XML for a connection
Sign-in flow
SP-initiated login
Send the user to the connection's login endpoint; Qeet ID issues a signed AuthnRequest and redirects to the external IdP.
/saml/login/{id}    Redirect to the external IdP
Assertion consumer (ACS)
The external IdP POSTs the signed SAML Response to Qeet ID's ACS. The endpoint is CSRF-exempt because the POST comes from the IdP rather than from a page that holds your session; its protection is the signature check on the assertion, and only an assertion whose signature validates yields a one-time login code for your app to exchange.
/saml/acs/{id}    Assertion Consumer Service
Exchange for a token pair
Your app exchanges the one-time SAML login code for a standard token pair.
/saml/exchange    SAML login code → token pair
JIT provisioning
On a first successful assertion, Qeet ID creates the user (if needed) and records a SAML external identity, mapped to the tenant. Combine with SCIM to keep users and group membership in sync over time (and to deprovision on offboard).
Assertion signature validation is performed by an independent SAML SP implementation rather than hand-rolled XML handling. Clock skew between the IdP and Qeet ID is the most common cause of validation failures: the assertion's NotBefore and NotOnOrAfter bounds are checked against Qeet ID's clock, so keep both sides synchronized with NTP.
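The SP-initiated flow above (login redirect, ACS checks, and the clock-skew caveat), as an added Python example that is not Qeet ID's code. It uses only the standard library, so XML signature verification is left to an external XML-DSig library and is not shown; the entity ID, ACS URL, IdP URL, the sample Response and the five-minute skew tolerance are assumptions constructed for the example, not Qeet ID settings.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed SP identity for one connection (assumed values, not Qeet ID's real ones).
SP_ENTITY_ID = "https://id.example.com/saml/metadata/conn-123"
ACS_URL = "https://id.example.com/saml/acs/conn-123"
IDP_SSO_URL = "https://idp.customer.example/sso/saml"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

class SamlValidationError(Exception):
    pass

def _require(ok, msg):
    if not ok:
        raise SamlValidationError(msg)

def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_saml_time(text):
    text = text.rstrip("Z")  # xsd:dateTime in UTC; some IdPs add fractional seconds
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def build_authn_request(now):
    """Login redirect: (request_id, url); the SP stores request_id to check InResponseTo."""
    request_id = "_" + secrets.token_hex(16)  # request signing is omitted in this example
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{saml_time(now)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # HTTP-Redirect binding: raw DEFLATE
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{IDP_SSO_URL}?{query}"

def decode_authn_request(redirect_url):
    # What the IdP does with the redirect: undo the encoding and read the request ID.
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return ET.fromstring(raw).get("ID")

def validate_response(response_xml, expected_request_id, now, skew=timedelta(minutes=5)):
    """ACS checks that run AFTER an XML-DSig library has verified the signature over the
    exact posted bytes (not shown; needs a non-stdlib library). Returns the NameID."""
    resp = ET.fromstring(response_xml)
    _require(resp.get("Destination") == ACS_URL, "Destination is not our ACS URL")
    _require(resp.get("InResponseTo") == expected_request_id, "InResponseTo unknown")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    _require(code is not None and code.get("Value") == STATUS_SUCCESS, "IdP status not Success")
    assertions = resp.findall(f"{{{SAML}}}Assertion")
    _require(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    cond = a.find(f"{{{SAML}}}Conditions")
    _require(cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"),
             "Conditions lack time bounds")
    # Clock skew: an IdP running ahead emits NotBefore in our future, one running behind
    # emits NotOnOrAfter in our past; tolerate a bounded window instead of hard-failing.
    _require(parse_saml_time(cond.get("NotBefore")) <= now + skew, "NotBefore in future")
    _require(parse_saml_time(cond.get("NotOnOrAfter")) > now - skew, "Assertion expired")
    _require(SP_ENTITY_ID in [e.text for e in cond.iter(f"{{{SAML}}}Audience")], "wrong Audience")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    _require(scd is not None and scd.get("Recipient") == ACS_URL, "Recipient mismatch")
    _require(scd.get("InResponseTo") == expected_request_id, "bearer InResponseTo mismatch")
    name_id = a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    _require(name_id is not None and name_id.text, "Assertion has no NameID")
    return name_id.text

def build_sample_response(request_id, idp_now, audience=SP_ENTITY_ID, name_id="alice@customer.example"):
    # Constructed, unsigned Response shaped like what a customer IdP posts to the ACS.
    nb, noa = saml_time(idp_now), saml_time(idp_now + timedelta(minutes=5))
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{nb}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}"><saml:Subject>'
        f'<saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" '
        f'NotOnOrAfter="{noa}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
        f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion></samlp:Response>"
    )

def run_flow(idp_clock_offset_min, skew_min, audience=SP_ENTITY_ID):
    """Round trip with the IdP clock offset by N minutes: ("ok", NameID) or ("rejected", why)."""
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed SP clock
    request_id, url = build_authn_request(now)
    idp_now = now + timedelta(minutes=idp_clock_offset_min)
    response = build_sample_response(decode_authn_request(url), idp_now, audience)
    try:
        return "ok", validate_response(response, request_id, now, timedelta(minutes=skew_min))
    except SamlValidationError as e:
        return "rejected", str(e)
```

run_flow(2, 5) plays an IdP whose clock runs two minutes ahead and succeeds within the tolerance; run_flow(2, 0) rejects the same assertion with "NotBefore in future", which is the failure mode the clock-skew note describes. The InResponseTo, Destination, Recipient and Audience checks are what stop a signed assertion minted for another SP, or captured from an earlier login, from being replayed at this ACS.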