npm - @workos/mcp-docs-server - Versions diffs - 0.1.0 - Mend

@workos/mcp-docs-server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (455) hide show

package/.docs/organized/docs/integrations/auth0-enterprise-connection.mdx ADDED Viewed

@@ -0,0 +1,92 @@
+---
+title: Auth0 Enterprise Connection
+description: Learn how to use WorkOS with your existing Auth0 applications.
+icon: auth0
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: >-
+  .tmp-workos-clone/packages/docs/content/integrations/auth0-enterprise-connection.mdx
+---
+## Introduction
+This guide outlines the steps to make WorkOS SSO connections available to Auth0 applications without requiring changes to your existing Auth0 application code.
+> The Auth0 Enterprise Connection integration is in feature preview. Reach out to [WorkOS support](mailto:support@workos.com?subject=WorkOS%20Support) if you want early access.
+---
+## (1) Configure Auth0 API Access
+WorkOS uses Auth0 credentials you provide to manage the Auth0 Enterprise Connection automatically. The first step is authorizing an application in Auth0 to access the Management API.
+In the Auth0 dashboard, navigate to **Applications** → **APIs** → **Auth0 Management API**:
+![A screenshot showing the "Auth0 Management API" entry on the Auth0 APIs page.](https://images.workoscdn.com/images/e2baba2e-a442-4449-90db-d1be8db41ef2.png?auto=format&fit=clip&q=50)
+Click on the **Machine To Machine Applications** tab and expand the section for your Auth0 application. Then, toggle the **Authorized** switch to enable the API.
+Under **Permissions**, ensure the following scopes are granted to the application:
+- `create:connections`
+- `read:connections`
+- `update:connections`
+Your permissions configuration should match the following screenshot:
+![A screenshot a correctly configured API application in the Auth0 dashboard.](https://images.workoscdn.com/images/13b5acb2-b5c6-4cd5-a032-0dd7afedc81a.png?auto=format&fit=clip&q=50)
+Next, navigate to **Applications** → **_Your App_** → **Settings**. You should see three fields under **Basic Information**: "Domain", "Client ID", and "Client Secret".
+![A screenshot showing application credentials in the Auth0 dashboard.](https://images.workoscdn.com/images/c8303868-de12-40e5-a0cc-27bec508131c.png?auto=format&fit=clip&q=50)
+Record this information in a safe place, as you will provide it to the WorkOS dashboard in the next step.
+---
+## (2) Connect WorkOS to Auth0
+In the WorkOS dashboard, navigate to **Configuration** → **Settings** and scroll to the **Auth0 Credentials** section. Click **Set Auth0 Credentials**:
+![A screenshot showing the "Auth0 Credentials" section in the WorkOS dashboard.](https://images.workoscdn.com/images/16b3ea51-8564-4ced-86fb-f3ab9fad8d28.png?auto=format&fit=clip&q=50)
+In the modal, enter the credentials you obtained in the previous step: "API Domain", "Client ID", and "Client Secret".
+![A screenshot showing the "Auth0 Credentials" form in the WorkOS dashboard.](https://images.workoscdn.com/images/3e915c68-97c0-4d1e-88e9-cda8bff7fd31.png?auto=format&fit=clip&q=50)
+Click **Save**. In the final step, you will head back to the Auth0 dashboard one last time to complete the configuration.
+---
+## (3) Enable the Enterprise Connection
+After saving your credentials, WorkOS will create an Enterprise Connection in your Auth0 environment. This connection is the entry point into WorkOS SSO from Auth0. The next step is to enable the connection for your Auth0 application.
+In the Auth0 dashboard, navigate to **Applications** → **_Your App_** → **Connections**. You should see a connection with a `workos-sso-` prefix in its name. Enable it for your application.
+![A screenshot showing enabled connections for an application in the Auth0 dashboard.](https://images.workoscdn.com/images/4cd3dbec-7ccc-462a-a101-5f8fc29aa332.png?auto=format&fit=clip&q=50)
+---
+## (4) Enable "Identifier First" Login Flow
+In the Auth0 dashboard, navigate to **Authentication** → **Authentication Profile**. You should see three options for configuring login flow. Select **Identifier First**.
+![A screenshot showing "Identifier First" selected in the Auth0 dashboard.](https://images.workoscdn.com/images/b30e3808-b978-4f86-9443-8e2e7d588a90.png?auto=format&fit=clip&q=80)
+This configures the Auth0 Universal Login page to begin by prompting the user for their email address. This is necessary as it allows Auth0 to select the WorkOS SSO Enterprise Connection if the user’s email domain matches one of your WorkOS organizations. Non-enterprise users will still be prompted for their password.
+> [IdP-initiated SSO](/sso/login-flows/idp-initiated-sso) is currently not supported when using the Auth0 Enterprise Connection integration.
+---
+## Summary
+Your WorkOS SSO connections are now available to your Auth0 application! You are ready to use WorkOS features like [Admin Portal](admin-portal), allowing IT admins to configure their SSO setup for your application directly.
+As you create [organizations](/reference/organization), WorkOS will keep the Auth0 Enterprise Connection's [Home Realm Discovery](https://auth0.com/docs/authenticate/login/auth0-universal-login/identifier-first#define-home-realm-discovery-identity-providers) list updated with the organization's domains – ensuring correct routing of enterprise users to WorkOS for authentication.
+When users enter their email address into the Auth0 Universal Login, which matches a domain associated with a WorkOS organization, Auth0 redirects users to their WorkOS-enabled IdP sign-in page for their organization. Once the authentication process is complete with the IdP, WorkOS redirects to your Auth0 app callback URL.
+> Since email domains are used to route users to the correct IdP when using Auth0, WorkOS will enforce that [organization domains](/reference/organization-domain) are unique, and therefore a domain cannot be assigned to more than one organization.

package/.docs/organized/docs/integrations/auth0-saml.mdx ADDED Viewed

@@ -0,0 +1,81 @@
+---
+title: Auth0
+description: "Learn how to configure a connection to\_Auth0 via SAML."
+icon: auth0
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/auth0-saml.mdx
+---
+## Introduction
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+To create a Auth0 SAML Connection, you’ll need the Identity Provider metadata that is available from the organization's Auth0 instance.
+Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.
+Select the organization you’d like to configure an Auth0 SAML Connection for, and select “Manually Configure Connection” under “Identity Provider”.
+![A screenshot showing where to find "Manually Configure Connection" in the WorkOS Dashboard.](https://images.workoscdn.com/images/2c3eff01-e84c-4e65-9739-ae72facb9eaa.png?auto=format&fit=clip&q=50)
+Select "Auth0 SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
+![A screenshot showing "Create Connection" details in the WorkOS Dashboard.](https://images.workoscdn.com/images/6e0f49c0-06fb-4a18-b805-31e3a10b27bb.png?auto=format&fit=clip&q=50)
+---
+## What WorkOS Provides
+WorkOS provides the [ACS URL](/glossary/acs-url) and [SP Entity ID](/glossary/sp-entity-id), which are readily available in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/).
+![A screenshot showing where to find the ACS URL and SP Entity ID in the WorkOS Dashboard.](https://images.workoscdn.com/images/ec8cb8f8-b440-47d5-9a80-7b51ca9950bd.png?auto=format&fit=clip&q=50)
+The ACS URL is the location an Identity Provider redirects its authentication response to. In Auth0’s case, the ACS URL needs to be set by the organization when configuring your application in their Auth0 instance.
+The SP Entity ID is a URI used to identify the issuer of a SAML request and the audience of a SAML response. In this case, the SP Entity ID is used to communicate that WorkOS will be the party performing SAML requests to the organization's Auth0 instance, and that WorkOS is the intended audience of the SAML responses from the Auth0 instance.
+Specifically, the ACS URL will need to be set as the “Application Callback URL” on the SAML2 Web App Settings page found under the “Addons” tab in an Auth0 application. You will need to toggle on the SAML2 Web App for the settings modal to appear where you can add the ACS URL under the Application Callback URL input.
+![A screenshot showing a toggle to turn on the SAML2 web app addon for Auth0 applications.](https://images.workoscdn.com/images/63ffadf6-ed3b-429d-a4a7-a5294b1a3a0d.png?auto=format&fit=clip&q=50)
+![A screenshot showing where to set the ACS URL in the SAML2 web app settings for Auth0 applications.](https://images.workoscdn.com/images/294645cc-18d2-4969-a9ed-6ec69f2bca3d.png?auto=format&fit=clip&q=50)
+The SP Entity ID will need to be set as the "audience" value in the Settings JSON object on the SAML2 Web App Settings page.
+After the Application Callback URL and Audience have been added, scroll to the bottom and click "Enable".
+![A screenshot showing where to set the SP Entity ID in the SAML2 web app settings for Auth0 applications.](https://images.workoscdn.com/images/4fd65ff7-6296-43d8-8e65-0bd528028f70.png?auto=format&fit=clip&q=50)
+---
+## What you’ll need
+In order to integrate you’ll need the Auth0 IdP Metadata URL.
+Normally, this information will come from the organization's IT Management team when they set up your application’s SAML 2.0 configuration in their Auth0 admin dashboard. Here’s how to obtain them:
+---
+## (1) Log In and Select Your Application
+Log in to [Auth0](https://auth0.com/auth/login), go to the admin dashboard, select “Applications” in the sidebar, and then select the “Applications” menu option. Next, select your application from the list of applications.
+![A screenshot showing where to find the web application in Auth0 Dashboard.](https://images.workoscdn.com/images/e4bb38d9-fa10-4caa-b097-05a8d83a4e2b.png?auto=format&fit=clip&q=50)
+---
+## (2) Obtain Identity Provider Metadata
+On the application’s Settings page, scroll down to the bottom and expand the “Advanced Settings” section. Select the “Endpoints” tab and copy the SAML Metadata URL. You’ll need this in the next step.
+![A screenshot of the IdP Metadata XML URL in the Auth0 Dashboard.](https://images.workoscdn.com/images/6288c6a6-ab57-4608-8a1e-872bbd7eb2bd.png?auto=format&fit=clip&q=50)
+---
+## (3) Upload Metadata URL
+Finally, upload the SAML Metadata URL you saved earlier in your WorkOS Connection settings. Your Connection will then be linked and good to go!
+![A screenshot showing where to place the Auth0 IdP Metadata URL in the WorkOS Dashboard.](https://images.workoscdn.com/images/f1cb1c5c-8554-48a5-89a1-31a42d356690.png?auto=format&fit=clip&q=50)

package/.docs/organized/docs/integrations/aws-cognito.mdx ADDED Viewed

@@ -0,0 +1,81 @@
+---
+title: AWS Cognito
+description: Learn how to use WorkOS with your existing AWS Cognito applications.
+icon: aws
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/aws-cognito.mdx
+---
+## Introduction
+This guide outlines the steps to make WorkOS SSO Connections available to AWS Cognito applications without requiring changes to your existing application code.
+The integration works by configuring WorkOS connections as third-party [Identity Providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html) inside a Cognito User Pool which enables users to sign in to a Cognito application leveraging all SSO integrations supported by WorkOS.
+> The AWS Cognito integration is in feature preview. Reach out to [WorkOS support](mailto:support@workos.com?subject=AWS%20Cognito%20Integration) if you want early access.
+---
+## (1) Configure AWS IAM role
+WorkOS manages the configuration of the Cognito Identity Providers by leveraging AWS role delegation. You will need to create an IAM role in your AWS account that grants permissions to the WorkOS AWS account. This is can be easily accomplished through the AWS Console.
+![Create AWS IAM role](https://images.workoscdn.com/images/0a36c5ff-505e-46ba-805a-66d13c9150ed.png?auto=format&fit=clip&q=50)
+The external ID will be provided by the WorkOS support team upon request. The AWS account ID should be `611361754156` which is the ID of a dedicated WorkOS AWS account used for Cognito integrations.
+You will need to attach the following policy to the role so that the Identity Providers can be managed when the role is assumed by WorkOS.
+```json language="json" title="IAM Policy"
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "VisualEditor",
+      "Effect": "Allow",
+      "Action": ["cognito-idp:*"],
+      "Resource": "*"
+    }
+  ]
+}
+```
+Complete the creation of the role and take note of the name you provide as it will be used in the following step.
+## (2) Provide AWS details to WorkOS
+Once the role has been configured you will need to provide the following details from your AWS account to the WorkOS support team.
+- Account ID
+- Role name
+- User pool ID
+Once the WorkOS support team has configured your AWS details, you should see Identity Providers configured in the specified User Pool for every connection configured in WorkOS. Newly added WorkOS connections will automatically be created in the specified User Pool.
+## (3) Enable Identity Providers for App Client
+Now that the Identity Providers have been configured, they will need to be enabled for the App Client you wish to use the WorkOS Connections with.
+From the user pool navigate to **App integration** → **_Your App Client_** → **Edit hosted UI settings** and select the newly created Identity Providers.
+![App Client Identity Provider settings](https://images.workoscdn.com/images/e0f4a7c1-4131-4110-a6a3-9f5466110745.png?auto=format&fit=clip&q=50)
+> If you do not complete this step you will receive a **Login option is not available** error from Cognito upon sign in.
+## (4) Configure redirect URI
+Locate the domain of the Cognito User Pool and configure the following redirect URI in the WorkOS Dashboard under **Configuration** → **Settings** → **Redirect URIs**.
+```plain title="Cognito callback URI"
+https://<cognito-user-pool-domain>/oauth2/idpresponse
+```
+## (5) Sign in with WorkOS connection
+Once an Identity Provider has been created in the Cognito User Pool, you may initiate authentication by passing the `idp_identifier` query parameter to the [OAuth2 Authorize endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) provided by Cognito using the details from the App Client that was previously configured with the Identity Providers.
+You may pass either a WorkOS [Organization](/reference/organization) or [Connection](/reference/sso/connection) ID as the `idp_identifier`. Passing this query parameter will result in Cognito bypassing it’s standard sign-in page and immediately redirecting the user to the appropriate sign-in page of the upstream identity provider configured in the WorkOS Connection.
+Once the user is authenticated they will be redirected to your Cognito App Client redirect URL with the Cognito `code` query parameter.

package/.docs/organized/docs/integrations/bamboohr.mdx ADDED Viewed

@@ -0,0 +1,90 @@
+---
+title: BambooHR
+description: "Learn about syncing your user list with\_BambooHR."
+icon: bamboohr
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/bamboohr.mdx
+---
+## Introduction
+This guide outlines how to synchronize your application’s BambooHR directories.
+To synchronize an organization’s users and groups provisioned for your application, you’ll need the following information from the organization:
+- The BambooHR subdomain.
+- A BambooHR API key to authenticate requests.
+> Note: The BambooHR integration isn't enabled by default in the WorkOS Dashboard or Admin Portal. Please reach out to [support@workos.com](mailto:support@workos.com) or via your team’s WorkOS Slack channel if you would like BambooHR enabled.
+---
+## (1) Create your Directory Sync Connection
+Login to your WorkOS Dashboard and select “Organizations” from the left hand navigation bar.
+Select the organization you’ll be configuring a new Directory Sync Connection with.
+Click “Manually Configure Connection”.
+![A screenshot showing where to find “Manually Configure Connection” for an Organization in the WorkOS Dashboard.](https://images.workoscdn.com/images/60d14679-0ff2-4b7b-9e75-82ea0ae158f5.png?auto=format&fit=clip&q=50)
+Input the Name, and select “BambooHR” as the directory type.
+Click the “Create Directory” button.
+![A screenshot showing "Create Directory" details in the WorkOS Dashboard.](https://images.workoscdn.com/images/e696881c-64b9-40c4-aa8e-593913179c92.png?auto=format&fit=clip&q=50)
+You will now see your BambooHR directory sync has created successfully with an [Endpoint](/glossary/endpoint), as well as fields to input your subdomain and API Key from BambooHR.
+---
+## (2) Retrieve the details from an organization IT Admin
+To generate an API key, an IT Admin should log into BambooHR and click their name in the upper right-hand corner of the BambooHR console. Select "API Keys" from the list.
+![A screenshot showing where to find the "API Keys" option in the BambooHR Dashboard.](https://images.workoscdn.com/images/6165e109-527d-4960-adc2-b7882262e526.png?auto=format&fit=clip&q=80)
+Next, the IT Admin should click “Add New Key”.
+![A screenshot showing where to find the "Add New Key" in the BambooHR Dashboard.](https://images.workoscdn.com/images/eb6b50be-6a2c-478b-aa3f-0d7b69240ddd.png?auto=format&fit=clip&q=80)
+Give your key a descriptive name and select "Generate Key."
+![A screenshot showing where to find "Generate Key" in the BambooHR Dashboard.](https://images.workoscdn.com/images/a176f1f3-10a0-4803-acd2-fbbe69fb9719.png?auto=format&fit=clip&q=80)
+Select "Copy Key" and save this API key, which you’ll upload in the next step.
+![A screenshot showing where to find "Copy Key" in the BambooHR Dashboard.](https://images.workoscdn.com/images/69c5bff2-023f-4a1e-8cdf-48edc4609a29.png?auto=format&fit=clip&q=80)
+---
+## (3) Set up your Directory Sync Connection
+Click “Update Directory”.
+There are two fields to enter, one is the API key you created in step 2.
+The other is “Subdomain” which is the subdomain name of the Company’s BambooHR instance.
+![A screenshot showing where to find the "Update Directory" button in the WorkOS Dashboard.](https://images.workoscdn.com/images/f562e95e-faf9-4658-ac27-1d1396abcccb.png?auto=format&fit=clip&q=50)
+---
+## (4) Sync Users and Groups to Your Application
+When the connection is successfully made, you will see the green “Linked” icon appear. Now, whenever your customer assigns users or groups to your application, you’ll receive Dashboard updates based on changes in their directory.
+A detailed guide to integrate the WorkOS API with your application can be found [here](/directory-sync)
+## Frequently Asked Questions
+### How do I add BambooHR's custom fields?
+For BambooHR's custom fields, please contact [support@workos.com](mailto:support@workos.com) with your directory ID and a list of the custom fields you would like to be added.
+### How often do BambooHR directories perform a sync?
+BambooHR directories poll every 30 minutes starting from the time of the initial sync.

package/.docs/organized/docs/integrations/breathe-hr.mdx ADDED Viewed

@@ -0,0 +1,89 @@
+---
+title: Breathe HR
+description: "Learn about syncing your user list with\_Breathe HR."
+icon: breathe-hr
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/breathe-hr.mdx
+---
+## Introduction
+This guide outlines how to synchronize your application’s Breathe HR directories.
+To synchronize an organization’s users and groups provisioned for your application, you’ll need the following information from the organization:
+- Breathe HR API key
+> Note: The Breathe HR integration isn't enabled by default in the WorkOS Dashboard or Admin Portal. Please reach out to [support@workos.com](mailto:support@workos.com) or via your team’s WorkOS Slack channel if you would like Breathe HR enabled.
+---
+## (1) Create an API Key
+The organization will need to create an API key for you. An API key can be generated from the Admin Settings menu.
+![A screenshot showing where to select "Settings" in the Breathe HR dashboard.](https://images.workoscdn.com/images/3defb6ef-fe7d-458f-8639-d0410fc11f51.png)
+Under "Integrations", select "API Setup".
+![A screenshot showing where to select "API Setup" in the Breathe HR dashboard settings.](https://images.workoscdn.com/images/d6c8d0e9-1d71-428e-b368-4bcd5240432c.png)
+Next, select "Enable API".
+![A screenshot showing where to select "Enable API" on the "API Setup" page in the Breathe HR dashboard.](https://images.workoscdn.com/images/890c4a8e-4217-433f-b67f-037dda40a7c5.png)
+Verify that you’d like to enable the API to access user information.
+![A screenshot showing to mark the checkbox denoting "I understand and want to continue" in the "Warning" modal in the Breathe HR dashboard.](https://images.workoscdn.com/images/e6623c61-c520-4636-a029-c91fb2b5a33f.png)
+Save the production API key – this will be used in the next step.
+![A screenshot showing where to select the production API key in the "API Setup" section of the Breathe HR dashboard.](https://images.workoscdn.com/images/d66a8ba2-bcf6-44bf-a714-e08164cdf632.png)
+---
+## (2) Create your Directory Sync Connection
+Login to your WorkOS dashboard and select “Organizations” from the left hand Navigation bar
+Select the Organization you’d like to enable a Breathe HR Directory Sync connection for.
+On the Organization’s page click “Add Directory”.
+![A screenshot showing where to select "Add Directory" in the WorkOS dashboard.](https://images.workoscdn.com/images/f6bdcf89-cfc4-46e6-a67c-d2f428e6052a.png)
+Select “Breathe HR” as the Directory Provider, and then provide a descriptive name for the connection. Select “Create Directory”.
+![A screenshot showing the configuration of the "Create Directory" modal to create a Breathe HR Directory in the WorkOS dashboard.](https://images.workoscdn.com/images/32c361da-6bf7-428b-84c0-5b1f27db5c51.png)
+---
+## (3) Set up your Directory Sync Connection
+Click “Update Directory” on the Directory details page.
+![A screenshot showing where to select "Update Directory" in the WorkOS dashboard.](https://images.workoscdn.com/images/d2f1bfb0-f119-4582-8c6c-83e11bbbbd87.png)
+Input the Breathe HR API key and click “Save Directory Details”.
+![A screenshot showing the input of the Breathe HR API key into the "Directory Details" modal in the WorkOS dashboard.](https://images.workoscdn.com/images/12ede429-9f2b-4cff-8e30-00e2b3594a85.png)
+---
+## (4) Sync Users and Groups to Your Application
+Now, you should see users and groups synced over from Breathe HR.
+Departments from Breathe HR are synced as groups in WorkOS. All users are synced, but only those marked as “Current employee” or "Pending leaver" are active.
+![A screenshot showing a successfully linked Breathe HR Directory in the WorkOS dashboard.](https://images.workoscdn.com/images/26b9a26a-1abc-4517-9251-104da59f7251.png)
+A detailed guide to integrate the WorkOS API with your application can be found [here](/directory-sync)
+## Frequently asked questions
+### How often do Breathe HR directories perform a sync?
+Breathe HR directories poll every 30 minutes starting from the time of the initial sync.

package/.docs/organized/docs/integrations/bubble.mdx ADDED Viewed

@@ -0,0 +1,129 @@
+---
+title: Bubble Plugin
+description: Add WorkOS features to your Bubble application.
+icon: bubble
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/bubble.mdx
+---
+## Introduction
+The [Bubble plugin for WorkOS](https://bubble.io/plugin/workos-sso-1666727595127x530956156372516860) allows you to easily integrate [WorkOS API](/reference) endpoints in your application's workflows. This plugin includes actions for SSO, Directory Sync, Admin Portal, and webhook validation.
+---
+## Install the WorkOS SSO and API Plugins
+In the **Plugins** tab of your app editor in Bubble, click **Add Plugins**, then search for WorkOS. Install the plugins for both WorkOS SSO and WorkOS API and then click **Done**.
+![A screenshot showing how to install the WorkOS SSO plugin in Bubble.](https://images.workoscdn.com/images/03cf97a8-e0e9-49bc-be67-e21501ff5ab4.png?auto=format&fit=clip&q=50)
+![A screenshot showing how to install the WorkOS API plugin in Bubble.](https://images.workoscdn.com/images/165832c3-88d2-49e5-9153-8fd1009367aa.png?auto=format&fit=clip&q=50)
+The next step is to enter your secret keys/parameters on the **Plugins** settings page as seen below. The API key can be found in your WorkOS dashboard under **API Keys**.
+> In the WorkOS SSO plugin the API Key value can be entered directly.
+![A screenshot showing where to enter environment variables in Bubble for the WorkOS SSO plugin.](https://images.workoscdn.com/images/40fd465f-b73c-4dd2-8478-375eb68757ae.png?auto=format&fit=clip&q=50)
+> In the WorkOS API plugin the API Key value needs to be preceded by **Bearer**.
+![A screenshot showing where to enter environment variables in Bubble for the WorkOS API plugin.](https://images.workoscdn.com/images/4bd64da1-4212-4ef9-a1bc-8064d60eac64.png?auto=format&fit=clip&q=50)
+Now you’re set up to use the plugin directly in your workflows.
+---
+## Single Sign-On
+Whether you are implementing a Single Sign-On authorization flow for your application using a no-code platform or building your app from the ground up, the steps that you need to take on a high level are the same. You can find more information in our [SSO Quickstart Guide](/sso).
+### Use SSO in a Workflow
+To configure SSO, you will need:
+- An active SSO connection, which can be configured manually or by using the [Admin Portal](/admin-portal).
+- A [connection](/reference/sso/connection) ID or [organization](/reference/organization) ID associated with the user logging in. If WorkOS does not handle user management on your application’s behalf, it is necessary to keep track of the association between your users and their WorkOS connection or organization IDs in your database.
+- [Redirect URI](glossary/redirect-uri), which is the URL to redirect the user to when they are authorized. This is provided by Bubble in the **Plugins** tab.
+Navigate to the **Workflow** page in your application and add a new event. Select the action that will trigger the workflow to start. In this case, the workflow is triggered when the submit button is clicked.
+Under the **Account** menu option, select **Signup/login with a social network**, then select **WorkOS SSO** from the **OAuth provider** dropdown menu. Enter either the connection ID, organization ID, or provider.
+> Select whether you will use connection, organization, or provider (OAuth connections only), and delete the other defaults. The value should be entered in the `organization=<organization_id>` format.
+![A screenshot showing how to enter the parameter values in a Bubble workflow.](https://images.workoscdn.com/images/c39e8579-e064-4f79-b6ad-a3ec8d5c1118.png?auto=format&fit=clip&q=50)
+When a user launches this workflow, they will be prompted to log in through the associated WorkOS SSO connection.
+Upon a successful login, if the user does not exist in the application database, a new user will be created and logged in as the current user. If the user already exists, that user will be logged in as the current user.
+---
+## Directory Sync
+To start using [Directory Sync](/directory-sync), you will need to configure a new directory connection between your customer’s directory provider and WorkOS. This can be completed manually or by using the [Admin Portal](/admin-portal).
+Once a directory connection is activated in WorkOS, you can configure webhooks to send events to your Bubble application using the WorkOS plugin through a backend workflow.
+### Enable backend workflows
+To enable backend workflows, navigate to the **Settings** page of your Bubble app under the **API** tab, and select **Enable Workflow API and backend workflows**. You are now able to configure backend workflows in the **Workflow** section.
+![A screenshot showing how enable backend workflows in Bubble.](https://images.workoscdn.com/images/e3443ee9-38fb-4d1a-98d3-40d0af2bfa3d.png?auto=format&fit=clip&q=50)
+### Create a new workflow to receive webhooks
+To create a new workflow that subscribes to WorkOS webhooks, navigate to the **Workflows** section of your app in Bubble and select **backend workflows** from the page selection dropdown.
+![A screenshot showing how to navigate to and create a new backend workflow in Bubble.](https://images.workoscdn.com/images/ec2377c0-1d06-40a0-9608-710690f539b3.png?auto=format&fit=clip&q=50)
+Create a new API Workflow. In the **detected data option** ensure that **include headers** is selected before clicking **Detect data**.
+![A screenshot showing how to configure a backend workflow to detect data in Bubble.](https://images.workoscdn.com/images/67a1be1b-7ec7-4f6a-8c30-d3804eca2aa7.png?auto=format&fit=clip&q=50)
+A pop-up window will show a test URL to validate the webhook body.
+![A screenshot showing when a backend workflow is ready to detect data in Bubble.](https://images.workoscdn.com/images/070d64e5-899f-499c-9fca-74eb5cbc267a.png?auto=format&fit=clip&q=50)
+Navigate to the **Webhooks** tab in your WorkOS dashboard and enter this test URL as your webhook endpoint.
+![A screenshot showing how to configure a webhook endpoint in the WorkOS dashboard.](https://images.workoscdn.com/images/85e7b624-c107-49d2-82af-9c7a026caeb9.png?auto=format&fit=clip&q=50)
+Then, click the **Send Test Event** button to send a test event.
+![A screenshot showing where to send a test webhook event in the WorkOS dashboard.](https://images.workoscdn.com/images/87937fdf-a9e7-4804-a780-5e5d96b40a18.png?auto=format&fit=clip&q=50)
+Bubble will recognize the event and validate the endpoint. Click save to complete the subscription to WorkOS webhook events for this workflow.
+![A screenshot showing a successfully detected webhook event in Bubble.](https://images.workoscdn.com/images/aa9531f1-7df5-4053-9021-e9cca649dbcc.png?auto=format&fit=clip&q=50)
+### Implement the webhook validation action
+After the new workflow is set up to listen for new events, it is recommended that you use the webhook validation action to verify that the webhooks being received are from WorkOS.
+This action verifies the request is valid by using the webhook body, signature, and secret that you provide from your WorkOS dashboard. To properly define the webhook parameter, you should use the raw body text of the request data. Similarly, the `webhook_signature` should be defined using the `workos-signature` in the request data headers.
+![A screenshot showing how to select the webhook validation action in Bubble.](https://images.workoscdn.com/images/e43720ac-5669-4a8d-8ac3-5a220ed2c730.png?auto=format&fit=clip&q=50)
+After the event is validated, you can use the data from the body to log the webhook and make changes to users.
+### Reconcile the users
+The plugin also includes endpoints, documented under the directory sync section of the [API Reference](/reference), that can be used to reconcile users.
+Periodically calling the [List Directory Users](/reference/directory-sync/directory-user/list) endpoint and verifying that the returned date matches what you have stored in your user table helps ensure your application has up-to-date information about your users, so you can use it with confidence.
+---
+## Admin Portal
+The [Admin Portal](/admin-portal) provides an out-of-the-box UI for organization admins to configure SSO and Directory Sync connections.
+The WorkOS API plugin provides an API call that launches the Admin Portal if you would like to display it on the settings page of your application. You can also copy and paste these links directly from the WorkOS dashboard in the connection settings.
+Upon completing the setup flow with the Admin Portal, the organization admin will be able to test the new connection and validate that it has been configured correctly.
+![A screenshot showing how to select the admin portal action in Bubble.](https://images.workoscdn.com/images/14cafa76-cb94-4880-800c-5b8b2aa93777.png?auto=format&fit=clip&q=50)

package/.docs/organized/docs/integrations/cas-saml.mdx ADDED Viewed

@@ -0,0 +1,65 @@
+---
+title: CAS SAML
+description: "Learn how to configure a connection to\_CAS via SAML."
+icon: cas
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/cas-saml.mdx
+---
+## Introduction
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+To create a CAS SAML Connection, you’ll need the Identity Provider Metadata URL that is available from your customer’s CAS SAML instance.
+---
+## What WorkOS provides
+WorkOS provides the [ACS URL](/glossary/acs-url), the [SP Metadata](/glossary/sp-metadata) link and the [SP Entity ID](/glossary/sp-entity-id). They are readily available in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/).
+![A screenshot highlighting the "Service Provider Details" of a CAS SAML connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/68f2825e-7787-4100-b7d5-8339ed75b6be.png?auto=format&fit=clip&q=50)
+The ACS URL is the location an Identity Provider redirects its authentication response to. The SP Metadata link contains a metadata file that the organization can use to set up the SAML integration. The SP Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion.
+---
+## What you’ll need
+In order to integrate you’ll need the [IdP Metadata URL](/glossary/idp-metadata).
+Normally, this will come from the organization’s IT Management team when they set up your application’s SAML 2.0 configuration in their CAS instance. But, should that not be the case during your setup, here’s how to obtain it.
+---
+## (1) Enter Service Provider Details
+Copy and paste the “ACS URL” and “SP Entity ID” into the corresponding fields for Service Provider details and configuration. For some setups, you can use the metadata found at the SP Metadata link to configure the SAML connection.
+---
+## (2) Obtain Identity Provider Metadata
+Copy the IdP Metadata URL from your CAS SAML settings and upload it to your WorkOS Connection settings. Your Connection will then be linked and good to go!
+![A screenshot highlighting the "URL Metadata Configuration" input of a CAS SAML Connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/a32e166f-ab97-47f1-988d-6799b303160f.png?auto=format&fit=clip&q=50)
+Alternatively, you can manually configure the connection by providing the IdP URI (Entity ID), [IdP SSO URL](/glossary/idp-sso-url) and X.509 Certificate.
+![A screenshot highlighting the "Switch to Manual Configuration" button on the URL Metadata Configuration modal of a CAS SAML connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/4b40807d-0f4c-4b0f-81a5-05f832b88b25.png?auto=format&fit=clip&q=50)
+![A screenshot showing the input fields for manual configuration of a CAS SAML connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/0eb372eb-551f-4ad8-8d89-9519ce10dfbe.png?auto=format&fit=clip&q=50)
+---
+## (3) Configure Attribute Mapping
+At minimum, the Attribute Statement in the SAML Response should include `id`, `email`, `firstName`, and `lastName` attributes.
+### Role Assignment (optional)
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, map the groups in your identity provider to a SAML attribute named `groups`.
+Once your SAML app is configured to return groups, navigate to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.