@spotto/contract 1.0.69-alpha.24 → 1.0.69-alpha.25

package/dist/sso/get/response.d.ts

@@ -1,12 +1,22 @@
 import { SsoConfig } from '../../organisations/sso';
+import { SamlIdpSetup } from '../idp-setup';
 /**
- * Response shape for `GET /sso/orgs/:id`. Always returns a discriminated
- * `SsoConfig` — for orgs without SSO, the response is `{ enabled: false }`
- * rather than 404, so the FE can drive its UI from the discriminator
- * without separate "exists" handling.
+ * Response shape for `GET /sso/orgs/:id`.
+ *
+ * `config` is the persisted SSO config — always a discriminated `SsoConfig`,
+ * with `{ enabled: false }` for orgs that don't have SSO (rather than 404),
+ * so the FE can drive its UI from the discriminator without separate
+ * "exists" handling.
+ *
+ * `samlSetup` is populated only when `config.mode === 'saml'`. Carries the
+ * values the operator needs to paste into their IdP's SAML config dialog.
+ * Absent for OIDC and disabled orgs.
  *
  * Scoped to super-users only (via `sso:admin` + cross-account ancestry).
  * The customer-facing `GET /organisations/:id` deliberately does NOT
  * include this — SSO config is super-user-only data in the short term.
  */
-export declare type GetSsoOrgResponse = SsoConfig;
+export interface GetSsoOrgResponse {
+    config: SsoConfig;
+    samlSetup?: SamlIdpSetup;
+}

package/dist/sso/idp-setup.d.ts

@@ -0,0 +1,32 @@
+/**
+ * IdP-side configuration values an operator needs to plug into their IdP
+ * (e.g. Auth0's SAML2 Web App "Settings" JSON) to complete the SSO setup.
+ *
+ * Returned on the onboard and GET-org-SSO responses so the super-user UI
+ * can render copy-paste blocks. Generic-shaped — the FE renders them in
+ * the IdP-specific format the operator's tool expects (Auth0, Entra,
+ * Okta, etc., all take similar values in slightly different containers).
+ *
+ * The `acsUrl` (where the IdP POSTs the SAML response) is not in this
+ * payload because the FE already knows its Cognito hosted UI domain and
+ * can compose `${domain}/saml2/idpresponse` itself — keeps the backend
+ * free of an extra hosted-UI-domain config knob.
+ */
+export interface SamlIdpSetup {
+    /**
+     * The Cognito SP audience URN. For Auth0 SAML2 Web App, paste into the
+     * "audience" field. For Entra / Okta, the equivalent "Entity ID" /
+     * "Audience" field.
+     */
+    audience: string;
+    /**
+     * SAML attribute name mappings. Key is the Cognito-side user attribute
+     * name; value is the SAML attribute Name the IdP must emit. Auth0
+     * SAML2 Web App's "mappings" field takes this shape directly.
+     */
+    mappings: Record<string, string>;
+    /**
+     * NameID format Cognito expects from the IdP.
+     */
+    nameIdentifierFormat: string;
+}

package/dist/sso/idp-setup.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=idp-setup.js.map

package/dist/sso/idp-setup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idp-setup.js","sourceRoot":"","sources":["../../src/sso/idp-setup.ts"],"names":[],"mappings":""}

package/dist/sso/index.d.ts

@@ -1,5 +1,6 @@
 export * from './discover';
 export * from './get';
+export * from './idp-setup';
 export * from './onboard';
 export * from './offboard';
 export * from './revert';

package/dist/sso/index.js

@@ -16,6 +16,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./discover"), exports);
 __exportStar(require("./get"), exports);
+__exportStar(require("./idp-setup"), exports);
 __exportStar(require("./onboard"), exports);
 __exportStar(require("./offboard"), exports);
 __exportStar(require("./revert"), exports);

package/dist/sso/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sso/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA0B;AAC1B,wCAAqB;AACrB,4CAAyB;AACzB,6CAA0B;AAC1B,2CAAwB"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sso/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA0B;AAC1B,wCAAqB;AACrB,8CAA2B;AAC3B,4CAAyB;AACzB,6CAA0B;AAC1B,2CAAwB"}

package/dist/sso/onboard/response.d.ts

@@ -1,3 +1,4 @@
+import { SamlIdpSetup } from '../idp-setup';
 /**
  * Response shape for `POST /sso/orgs/:id/onboard`. Returned on the success
  * path; on failure the standard ValidationError / DatabaseError envelope
@@ -10,9 +11,15 @@
  *
  * `correlationId` threads through every audit log entry for this onboard
  * — useful to surface in the UI for ops to copy-paste when investigating.
+ *
+ * `samlSetup` is populated only on SAML onboards. It carries the values
+ * the operator needs to plug into their IdP's SAML config dialog (Auth0
+ * SAML2 Web App, Entra Enterprise Application, Okta SAML app, etc.).
+ * Absent for OIDC onboards.
  */
 export interface OnboardSsoOrgResponse {
     cognitoProviderName: string;
     cognitoClientId: string;
     correlationId: string;
+    samlSetup?: SamlIdpSetup;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@spotto/contract",
   "license": "ISC",
-  "version": "1.0.69-alpha.24",
+  "version": "1.0.69-alpha.25",
   "description": "Spotto's API Contract type definitions",
   "main": "./dist/index.js",
   "files": [
@@ -18,5 +18,5 @@
     "@types/geojson": "^7946.0.11",
     "shx": "^0.3.4"
   },
-  "gitHead": "892aa327162a98a8547b9e5142afabbe3a814ccd"
+  "gitHead": "2ab8570d50d19b2f98dc4da3708762a2d40eb66a"
 }