The Single Sign-On APIs allow you to manage your SAML 2.0 SSO configurations. You can also work with your SSO integrations using the SSO section of the Twilio SendGrid App.
The Single Sign-On Teammates API allows you to add and modify SSO Teammates. SSO Teammates are the individual user accounts who will access your Twilio SendGrid account with SSO credentials.
To retrieve or delete an SSO Teammate, you will use the Teammates API.
For more information about managing SSO Teammates, see the Twilio SendGrid SSO documentation.
This endpoint allows you to create an SSO Teammate.
The email address provided for the Teammate will also function as the Teammate's username. Once created, the Teammate's email address cannot be changed.
When creating a Teammate, you will assign it permissions or scopes. These scopes determine which actions the Teammate can perform and which features they can access. Scopes are provided with one of three properties passed to this endpoint: is_admin
, scopes
, and persona
.
You can make a Teammate an administrator by setting is_admin
to true
. Administrators will have all scopes assigned to them. Alternatively, you can assign a persona
to the teammate, which will assign them a block of permissions commonly required for that type of user. See the "Persona scopes" section of Teammate Permissions for a list of permsissions granted by persona. Lastly, you can assign individual permissions with the scopes
property. See Teammate Permissions for a full list of scopes that can be assigned to a Teammate.
SendGrid Teammates may be assigned access to one or more Subusers. Subusers function like SendGrid sub-accounts with their own resources. See Subusers for more information.
When assigning Subuser access to a Teammate, you may set the has_restricted_subuser_access
property to true
to constrain the Teammate so that they can operate only on behalf of the Subusers to which they are assigned. You may further set the level of access the Teammate has to each Subuser with the subuser_access
property.
Bearer <<YOUR_API_KEY_HERE>>
application/json
Set this property to the Teammate's email address. This email address will also function as the Teammate's username and must match the address assigned to the user in your IdP. This address cannot be changed after the Teammate is created.
Set this property to the Teammate's first name.
Set this property to the Teammate's last name.
Set this property to true
if the Teammate has admin permissions. You should not include the scopes
or persona
properties when setting the is_admin
property to true
—an admin will be allocated all scopes. See Teammate Permissions for a complete list of scopes.
A persona represents a group of permissions often required by a type of Teammate such as a developer or marketer. Assigning a persona allows you to allocate a group of pre-defined permissions rather than assigning each scope individually. See Teammate Permissions for a full list of the scopes assigned to each persona.
accountant
developer
marketer
observer
Add or remove permissions from a Teammate using this scopes
property. See Teammate Permissions for a complete list of available scopes. You should not include this propety in the request when using the persona
property or when setting the is_admin
property to true
—assigning a persona
or setting is_admin
to true
will allocate a group of permissions to the Teammate.
Set this property to true
to give the Teammate permissions to operate only on behalf of a Subuser. This property value must be true
if the subuser_access
property is not empty. The subuser_access
property determines which Subusers the Teammate may act on behalf of. If this property is set to true
, you cannot specify individual scopes
, assign a persona
, or set is_admin
to true
—a Teammate cannot specify scopes for the parent account and have restricted Subuser access.
Specify which Subusers the Teammate may access and act on behalf of with this property. If this property is populated, you must set the has_restricted_subuser_access
property to true
.
Successful SSO Teammates POST Response.
The Teammate's first name.
The Teammate's last name.
Teammate's email address. This email address also functions as the Teammate's username and must match the address assigned to the user in your IdP. This address cannot be changed after the Teammate is created.
Indicates if the Teammate has administrator permissions. When set to true
, the Teammate is an admin.
Indicates how the Teammate authenticates with SendGrid. When set to true
, the Teammate will access SendGrid via SSO and their IdP. When set to false
, the Teammate will authenticate directly with SendGrid via a username and password.
The permissions or scopes currently assigned to the Teammate. See Teammate Permissions for a complete list of available scopes.
When this property is set to true
, the Teammate has permissions to operate only on behalf of a Subuser. This property value is true
when the subuser_access
property is not empty. The subuser_access
property determines which Subusers the Teammate may act on behalf of.
Specifies which Subusers the Teammate may access and act on behalf of. If this property is populated, the has_restricted_subuser_access
property will be true
.
1const client = require("@sendgrid/client");2client.setApiKey(process.env.SENDGRID_API_KEY);34const data = {5first_name: "Jane",6last_name: "Doe",7email: "jane_doe@example.com",8is_admin: true,9has_restricted_subuser_access: false,10};1112const request = {13url: `/v3/sso/teammates`,14method: "POST",15body: data,16};1718client19.request(request)20.then(([response, body]) => {21console.log(response.statusCode);22console.log(response.body);23})24.catch((error) => {25console.error(error);26});