stytch 6.4.0 → 9.8.0

data/lib/stytch/b2b_sso.rb

@@ -10,14 +10,53 @@ require_relative 'request_helper'
 
 module StytchB2B
   class SSO
+    class GetConnectionsRequestOptions
+      # Optional authorization object.
+      # Pass in an active Stytch Member session token or session JWT and the request
+      # will be run using that member's permissions.
+      attr_accessor :authorization
+
+      def initialize(
+        authorization: nil
+      )
+        @authorization = authorization
+      end
+
+      def to_headers
+        headers = {}
+        headers.merge!(@authorization.to_headers) if authorization
+        headers
+      end
+    end
+
+    class DeleteConnectionRequestOptions
+      # Optional authorization object.
+      # Pass in an active Stytch Member session token or session JWT and the request
+      # will be run using that member's permissions.
+      attr_accessor :authorization
+
+      def initialize(
+        authorization: nil
+      )
+        @authorization = authorization
+      end
+
+      def to_headers
+        headers = {}
+        headers.merge!(@authorization.to_headers) if authorization
+        headers
+      end
+    end
+
     include Stytch::RequestHelper
-    attr_reader :oidc, :saml
+    attr_reader :oidc, :saml, :external
 
     def initialize(connection)
       @connection = connection
 
       @oidc = StytchB2B::SSO::OIDC.new(@connection)
       @saml = StytchB2B::SSO::SAML.new(@connection)
+      @external = StytchB2B::SSO::External.new(@connection)
     end
 
     # Get all SSO Connections owned by the organization.
@@ -38,15 +77,24 @@ module StytchB2B
     # oidc_connections::
     #   The list of [OIDC Connections](https://stytch.com/docs/b2b/api/oidc-connection-object) owned by this organization.
     #   The type of this field is list of +OIDCConnection+ (+object+).
+    # external_connections::
+    #   The list of [External Connections](https://stytch.com/docs/b2b/api/external-connection-object) owned by this organization.
+    #   The type of this field is list of +Connection+ (+object+).
     # status_code::
     #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
     #   The type of this field is +Integer+.
+    #
+    # == Method Options:
+    # This method supports an optional +StytchB2B::SSO::GetConnectionsRequestOptions+ object which will modify the headers sent in the HTTP request.
     def get_connections(
-      organization_id:
+      organization_id:,
+      method_options: nil
     )
+      headers = {}
+      headers = headers.merge(method_options.to_headers) unless method_options.nil?
       query_params = {}
       request = request_with_query_params("/v1/b2b/sso/#{organization_id}", query_params)
-      get_request(request)
+      get_request(request, headers)
     end
 
     # Delete an existing SSO connection.
@@ -56,7 +104,7 @@ module StytchB2B
     #   The organization ID that the SSO connection belongs to.
     #   The type of this field is +String+.
     # connection_id::
-    #   The ID of the SSO connection. Both SAML and OIDC connection IDs can be provided.
+    #   The ID of the SSO connection. SAML, OIDC, and External connection IDs can be provided.
     #   The type of this field is +String+.
     #
     # == Returns:
@@ -70,11 +118,17 @@ module StytchB2B
     # status_code::
     #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
     #   The type of this field is +Integer+.
+    #
+    # == Method Options:
+    # This method supports an optional +StytchB2B::SSO::DeleteConnectionRequestOptions+ object which will modify the headers sent in the HTTP request.
     def delete_connection(
       organization_id:,
-      connection_id:
+      connection_id:,
+      method_options: nil
     )
-      delete_request("/v1/b2b/sso/#{organization_id}/connections/#{connection_id}")
+      headers = {}
+      headers = headers.merge(method_options.to_headers) unless method_options.nil?
+      delete_request("/v1/b2b/sso/#{organization_id}/connections/#{connection_id}", headers)
     end
 
     # Authenticate a user given a token.
@@ -83,8 +137,9 @@ module StytchB2B
     # If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
     # To link this authentication event to an existing Stytch session, include either the `session_token` or `session_jwt` param.
     #
-    # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
-    # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
+    # If the is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+    # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp),
+    # or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete the MFA step and acquire a full member session.
     # The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
     #
     # If a valid `session_token` or `session_jwt` is passed in, the Member will not be required to complete an MFA step.
@@ -121,7 +176,7 @@ module StytchB2B
     #   Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
     # locale::
-    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #
@@ -130,6 +185,9 @@ module StytchB2B
     # Request support for additional languages [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
     #
     #   The type of this field is nilable +AuthenticateRequestLocale+ (string enum).
+    # intermediate_session_token::
+    #   Adds this primary authentication factor to the intermediate session token. If the resulting set of factors satisfies the organization's primary authentication requirements and MFA requirements, the intermediate session token will be consumed and converted to a member session. If not, the same intermediate session token will be returned.
+    #   The type of this field is nilable +String+.
     #
     # == Returns:
     # An object with the following fields:
@@ -159,9 +217,7 @@ module StytchB2B
     #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
     #   The type of this field is +Organization+ (+object+).
     # intermediate_session_token::
-    #   The returned Intermediate Session Token contains an SSO factor associated with the Member.
-    #       The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA flow and log in to the Organization.
-    #       SSO factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints.
+    #   The returned Intermediate Session Token contains an SSO factor associated with the Member. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. SSO factors are not transferable between Organizations, so the intermediate session token is not valid for use with discovery endpoints.
     #   The type of this field is +String+.
     # member_authenticated::
     #   Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization.
@@ -182,8 +238,10 @@ module StytchB2B
       session_jwt: nil,
       session_duration_minutes: nil,
       session_custom_claims: nil,
-      locale: nil
+      locale: nil,
+      intermediate_session_token: nil
     )
+      headers = {}
       request = {
         sso_token: sso_token
       }
@@ -193,11 +251,50 @@ module StytchB2B
       request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
       request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
       request[:locale] = locale unless locale.nil?
+      request[:intermediate_session_token] = intermediate_session_token unless intermediate_session_token.nil?
 
-      post_request('/v1/b2b/sso/authenticate', request)
+      post_request('/v1/b2b/sso/authenticate', request, headers)
     end
 
     class OIDC
+      class CreateConnectionRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
+      class UpdateConnectionRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
       include Stytch::RequestHelper
 
       def initialize(connection)
@@ -213,6 +310,9 @@ module StytchB2B
       # display_name::
       #   A human-readable display name for the connection.
       #   The type of this field is nilable +String+.
+      # identity_provider::
+      #   The identity provider of this connection. For OIDC, the accepted values are `generic`, `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`, and `google-workspace`.
+      #   The type of this field is nilable +CreateConnectionRequestIdentityProvider+ (string enum).
       #
       # == Returns:
       # An object with the following fields:
@@ -225,14 +325,22 @@ module StytchB2B
       # connection::
       #   The `OIDC Connection` object affected by this API call. See the [OIDC Connection Object](https://stytch.com/docs/b2b/api/oidc-connection-object) for complete response field details.
       #   The type of this field is nilable +OIDCConnection+ (+object+).
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::OIDC::CreateConnectionRequestOptions+ object which will modify the headers sent in the HTTP request.
       def create_connection(
         organization_id:,
-        display_name: nil
+        display_name: nil,
+        identity_provider: nil,
+        method_options: nil
       )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
         request = {}
         request[:display_name] = display_name unless display_name.nil?
+        request[:identity_provider] = identity_provider unless identity_provider.nil?
 
-        post_request("/v1/b2b/sso/oidc/#{organization_id}", request)
+        post_request("/v1/b2b/sso/oidc/#{organization_id}", request, headers)
       end
 
       # Updates an existing OIDC connection.
@@ -285,6 +393,15 @@ module StytchB2B
       # jwks_url::
       #   The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be provided by the IdP.
       #   The type of this field is nilable +String+.
+      # identity_provider::
+      #   The identity provider of this connection. For OIDC, the accepted values are `generic`, `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`, and `google-workspace`.
+      #   The type of this field is nilable +UpdateConnectionRequestIdentityProvider+ (string enum).
+      # custom_scopes::
+      #   Include a space-separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, e.g. the spaces must be expressed as %20.
+      #   The type of this field is nilable +String+.
+      # attribute_mapping::
+      #   An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values, which will appear on the member's Trusted Metadata.
+      #   The type of this field is nilable +object+.
       #
       # == Returns:
       # An object with the following fields:
@@ -300,6 +417,9 @@ module StytchB2B
       # warning::
       #   If it is not possible to resolve the well-known metadata document from the OIDC issuer, this field will explain what went wrong if the request is successful otherwise. In other words, even if the overall request succeeds, there could be relevant warnings related to the connection update.
       #   The type of this field is nilable +String+.
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::OIDC::UpdateConnectionRequestOptions+ object which will modify the headers sent in the HTTP request.
       def update_connection(
         organization_id:,
         connection_id:,
@@ -310,8 +430,14 @@ module StytchB2B
         authorization_url: nil,
         token_url: nil,
         userinfo_url: nil,
-        jwks_url: nil
+        jwks_url: nil,
+        identity_provider: nil,
+        custom_scopes: nil,
+        attribute_mapping: nil,
+        method_options: nil
       )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
         request = {}
         request[:display_name] = display_name unless display_name.nil?
         request[:client_id] = client_id unless client_id.nil?
@@ -321,12 +447,91 @@ module StytchB2B
         request[:token_url] = token_url unless token_url.nil?
         request[:userinfo_url] = userinfo_url unless userinfo_url.nil?
         request[:jwks_url] = jwks_url unless jwks_url.nil?
+        request[:identity_provider] = identity_provider unless identity_provider.nil?
+        request[:custom_scopes] = custom_scopes unless custom_scopes.nil?
+        request[:attribute_mapping] = attribute_mapping unless attribute_mapping.nil?
 
-        put_request("/v1/b2b/sso/oidc/#{organization_id}/connections/#{connection_id}", request)
+        put_request("/v1/b2b/sso/oidc/#{organization_id}/connections/#{connection_id}", request, headers)
       end
     end
 
     class SAML
+      class CreateConnectionRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
+      class UpdateConnectionRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
+      class UpdateByURLRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
+      class DeleteVerificationCertificateRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
       include Stytch::RequestHelper
 
       def initialize(connection)
@@ -342,6 +547,9 @@ module StytchB2B
       # display_name::
       #   A human-readable display name for the connection.
       #   The type of this field is nilable +String+.
+      # identity_provider::
+      #   The identity provider of this connection. For OIDC, the accepted values are `generic`, `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`, and `google-workspace`.
+      #   The type of this field is nilable +CreateConnectionRequestIdentityProvider+ (string enum).
       #
       # == Returns:
       # An object with the following fields:
@@ -354,14 +562,22 @@ module StytchB2B
       # connection::
       #   The `SAML Connection` object affected by this API call. See the [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object) for complete response field details.
       #   The type of this field is nilable +SAMLConnection+ (+object+).
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::SAML::CreateConnectionRequestOptions+ object which will modify the headers sent in the HTTP request.
       def create_connection(
         organization_id:,
-        display_name: nil
+        display_name: nil,
+        identity_provider: nil,
+        method_options: nil
       )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
         request = {}
         request[:display_name] = display_name unless display_name.nil?
+        request[:identity_provider] = identity_provider unless identity_provider.nil?
 
-        post_request("/v1/b2b/sso/saml/#{organization_id}", request)
+        post_request("/v1/b2b/sso/saml/#{organization_id}", request, headers)
       end
 
       # Updates an existing SAML connection.
@@ -394,6 +610,23 @@ module StytchB2B
       # idp_sso_url::
       #   The URL for which assertions for login requests will be sent. This will be provided by the IdP.
       #   The type of this field is nilable +String+.
+      # saml_connection_implicit_role_assignments::
+      #   All Members who log in with this SAML connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.
+      #   The type of this field is nilable list of +SAMLConnectionImplicitRoleAssignment+.
+      # saml_group_implicit_role_assignments::
+      #   Defines the names of the SAML groups
+      #  that grant specific role assignments. For each group-Role pair, if a Member logs in with this SAML connection and
+      #  belongs to the specified SAML group, they will be granted the associated Role. See the
+      #  [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.
+      #          Before adding any group implicit role assignments, you must add a "groups" key to your SAML connection's
+      #          `attribute_mapping`. Make sure that your IdP is configured to correctly send the group information.
+      #   The type of this field is nilable list of +SAMLGroupImplicitRoleAssignment+.
+      # alternative_audience_uri::
+      #   An alternative URL to use for the Audience Restriction. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info.
+      #   The type of this field is nilable +String+.
+      # identity_provider::
+      #   The identity provider of this connection. For OIDC, the accepted values are `generic`, `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`, and `google-workspace`.
+      #   The type of this field is nilable +UpdateConnectionRequestIdentityProvider+ (string enum).
       #
       # == Returns:
       # An object with the following fields:
@@ -406,6 +639,9 @@ module StytchB2B
       # connection::
       #   The `SAML Connection` object affected by this API call. See the [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object) for complete response field details.
       #   The type of this field is nilable +SAMLConnection+ (+object+).
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::SAML::UpdateConnectionRequestOptions+ object which will modify the headers sent in the HTTP request.
       def update_connection(
         organization_id:,
         connection_id:,
@@ -413,16 +649,75 @@ module StytchB2B
         display_name: nil,
         attribute_mapping: nil,
         x509_certificate: nil,
-        idp_sso_url: nil
+        idp_sso_url: nil,
+        saml_connection_implicit_role_assignments: nil,
+        saml_group_implicit_role_assignments: nil,
+        alternative_audience_uri: nil,
+        identity_provider: nil,
+        method_options: nil
       )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
         request = {}
         request[:idp_entity_id] = idp_entity_id unless idp_entity_id.nil?
         request[:display_name] = display_name unless display_name.nil?
         request[:attribute_mapping] = attribute_mapping unless attribute_mapping.nil?
         request[:x509_certificate] = x509_certificate unless x509_certificate.nil?
         request[:idp_sso_url] = idp_sso_url unless idp_sso_url.nil?
+        request[:saml_connection_implicit_role_assignments] = saml_connection_implicit_role_assignments unless saml_connection_implicit_role_assignments.nil?
+        request[:saml_group_implicit_role_assignments] = saml_group_implicit_role_assignments unless saml_group_implicit_role_assignments.nil?
+        request[:alternative_audience_uri] = alternative_audience_uri unless alternative_audience_uri.nil?
+        request[:identity_provider] = identity_provider unless identity_provider.nil?
 
-        put_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}", request)
+        put_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}", request, headers)
+      end
+
+      # Used to update an existing SAML connection using an IDP metadata URL.
+      #
+      # A newly created connection will not become active until all the following are provided:
+      # * `idp_sso_url`
+      # * `idp_entity_id`
+      # * `x509_certificate`
+      # * `attribute_mapping` (must be supplied using [Update SAML Connection](update-saml-connection))
+      #
+      # == Parameters:
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value.
+      #   The type of this field is +String+.
+      # connection_id::
+      #   Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
+      #   The type of this field is +String+.
+      # metadata_url::
+      #   A URL that points to the IdP metadata. This will be provided by the IdP.
+      #   The type of this field is +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      # connection::
+      #   The `SAML Connection` object affected by this API call. See the [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object) for complete response field details.
+      #   The type of this field is nilable +SAMLConnection+ (+object+).
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::SAML::UpdateByURLRequestOptions+ object which will modify the headers sent in the HTTP request.
+      def update_by_url(
+        organization_id:,
+        connection_id:,
+        metadata_url:,
+        method_options: nil
+      )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
+        request = {
+          metadata_url: metadata_url
+        }
+
+        put_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}/url", request, headers)
       end
 
       # Delete a SAML verification certificate.
@@ -451,12 +746,179 @@ module StytchB2B
       # status_code::
       #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
       #   The type of this field is +Integer+.
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::SAML::DeleteVerificationCertificateRequestOptions+ object which will modify the headers sent in the HTTP request.
       def delete_verification_certificate(
         organization_id:,
         connection_id:,
-        certificate_id:
+        certificate_id:,
+        method_options: nil
       )
-        delete_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}/verification_certificates/#{certificate_id}")
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
+        delete_request("/v1/b2b/sso/saml/#{organization_id}/connections/#{connection_id}/verification_certificates/#{certificate_id}", headers)
+      end
+    end
+
+    class External
+      class CreateConnectionRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
+      class UpdateConnectionRequestOptions
+        # Optional authorization object.
+        # Pass in an active Stytch Member session token or session JWT and the request
+        # will be run using that member's permissions.
+        attr_accessor :authorization
+
+        def initialize(
+          authorization: nil
+        )
+          @authorization = authorization
+        end
+
+        def to_headers
+          headers = {}
+          headers.merge!(@authorization.to_headers) if authorization
+          headers
+        end
+      end
+
+      include Stytch::RequestHelper
+
+      def initialize(connection)
+        @connection = connection
+      end
+
+      # Create a new External SSO Connection.
+      #
+      # == Parameters:
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value.
+      #   The type of this field is +String+.
+      # external_organization_id::
+      #   Globally unique UUID that identifies a different Organization within your Project.
+      #   The type of this field is +String+.
+      # external_connection_id::
+      #   Globally unique UUID that identifies a specific SSO connection configured for a different Organization in your Project.
+      #   The type of this field is +String+.
+      # display_name::
+      #   A human-readable display name for the connection.
+      #   The type of this field is nilable +String+.
+      # connection_implicit_role_assignments::
+      #   (no documentation yet)
+      #   The type of this field is nilable list of +SAMLConnectionImplicitRoleAssignment+.
+      # group_implicit_role_assignments::
+      #   (no documentation yet)
+      #   The type of this field is nilable list of +SAMLGroupImplicitRoleAssignment+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      # connection::
+      #   The `External Connection` object affected by this API call. See the [External Connection Object](https://stytch.com/docs/b2b/api/external-connection-object) for complete response field details.
+      #   The type of this field is nilable +Connection+ (+object+).
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::External::CreateConnectionRequestOptions+ object which will modify the headers sent in the HTTP request.
+      def create_connection(
+        organization_id:,
+        external_organization_id:,
+        external_connection_id:,
+        display_name: nil,
+        connection_implicit_role_assignments: nil,
+        group_implicit_role_assignments: nil,
+        method_options: nil
+      )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
+        request = {
+          external_organization_id: external_organization_id,
+          external_connection_id: external_connection_id
+        }
+        request[:display_name] = display_name unless display_name.nil?
+        request[:connection_implicit_role_assignments] = connection_implicit_role_assignments unless connection_implicit_role_assignments.nil?
+        request[:group_implicit_role_assignments] = group_implicit_role_assignments unless group_implicit_role_assignments.nil?
+
+        post_request("/v1/b2b/sso/external/#{organization_id}", request, headers)
+      end
+
+      # Updates an existing External SSO connection.
+      #
+      # == Parameters:
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value.
+      #   The type of this field is +String+.
+      # connection_id::
+      #   Globally unique UUID that identifies a specific External SSO Connection.
+      #   The type of this field is +String+.
+      # display_name::
+      #   A human-readable display name for the connection.
+      #   The type of this field is nilable +String+.
+      # external_connection_implicit_role_assignments::
+      #   All Members who log in with this External connection will implicitly receive the specified Roles. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.Implicit role assignments are not supported for External connections if the underlying SSO connection is an OIDC connection.
+      #   The type of this field is nilable list of +ConnectionImplicitRoleAssignment+.
+      # external_group_implicit_role_assignments::
+      #   Defines the names of the groups
+      #  that grant specific role assignments. For each group-Role pair, if a Member logs in with this external connection and
+      #  belongs to the specified group, they will be granted the associated Role. See the
+      #  [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.
+      #          Before adding any group implicit role assignments to an external connection, you must add a "groups" key to the underlying SAML connection's
+      #          `attribute_mapping`. Make sure that the SAML connection IdP is configured to correctly send the group information. Implicit role assignments are not supported
+      #          for External connections if the underlying SSO connection is an OIDC connection.
+      #   The type of this field is nilable list of +GroupImplicitRoleAssignment+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # status_code::
+      #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+      #   The type of this field is +Integer+.
+      # connection::
+      #   The `External Connection` object affected by this API call. See the [External Connection Object](https://stytch.com/docs/b2b/api/external-connection-object) for complete response field details.
+      #   The type of this field is nilable +Connection+ (+object+).
+      #
+      # == Method Options:
+      # This method supports an optional +StytchB2B::SSO::External::UpdateConnectionRequestOptions+ object which will modify the headers sent in the HTTP request.
+      def update_connection(
+        organization_id:,
+        connection_id:,
+        display_name: nil,
+        external_connection_implicit_role_assignments: nil,
+        external_group_implicit_role_assignments: nil,
+        method_options: nil
+      )
+        headers = {}
+        headers = headers.merge(method_options.to_headers) unless method_options.nil?
+        request = {}
+        request[:display_name] = display_name unless display_name.nil?
+        request[:external_connection_implicit_role_assignments] = external_connection_implicit_role_assignments unless external_connection_implicit_role_assignments.nil?
+        request[:external_group_implicit_role_assignments] = external_group_implicit_role_assignments unless external_group_implicit_role_assignments.nil?
+
+        put_request("/v1/b2b/sso/external/#{organization_id}/connections/#{connection_id}", request, headers)
       end
     end
   end