Add SSO Setup Suite settings to tenant mgmt (#713)

Author: dorsha

descope/management/common.py

@@ -1,5 +1,5 @@
 from enum import Enum
-from typing import List, Optional
+from typing import Dict, List, Optional, Any
 
 
 class SessionExpirationUnit(Enum):
@@ -15,6 +15,51 @@ class TenantAuthType(Enum):
     OIDC = "oidc"
 
 
+class SSOSetupSuiteSettingsDisabledFeatures:
+    def __init__(
+        self,
+        saml: bool = False,
+        oidc: bool = False,
+        scim: bool = False,
+        sso_domains: bool = False,
+        group_mapping: bool = False,
+    ):
+        self.saml = saml
+        self.oidc = oidc
+        self.scim = scim
+        self.sso_domains = sso_domains
+        self.group_mapping = group_mapping
+
+    def to_dict(self) -> Dict[str, bool]:
+        return {
+            "saml": self.saml,
+            "oidc": self.oidc,
+            "scim": self.scim,
+            "ssoDomains": self.sso_domains,
+            "groupMapping": self.group_mapping,
+        }
+
+
+class SSOSetupSuiteSettings:
+    def __init__(
+        self,
+        enabled: bool,
+        style_id: Optional[str] = None,
+        disabled_features: Optional[SSOSetupSuiteSettingsDisabledFeatures] = None,
+    ):
+        self.enabled = enabled
+        self.style_id = style_id
+        self.disabled_features = disabled_features
+
+    def to_dict(self) -> Dict[str, Any]:
+        result: Dict[str, Any] = {"enabled": self.enabled}
+        if self.style_id is not None:
+            result["styleId"] = self.style_id
+        if self.disabled_features is not None:
+            result["disabledFeatures"] = self.disabled_features.to_dict()
+        return result
+
+
 class AccessType(Enum):
     OFFLINE = "offline"
     ONLINE = "online"

descope/management/tenant.py

@@ -1,7 +1,12 @@
 from typing import Any, List, Optional
 
 from descope._http_base import HTTPBase
-from descope.management.common import MgmtV1, SessionExpirationUnit, TenantAuthType
+from descope.management.common import (
+    MgmtV1,
+    SessionExpirationUnit,
+    SSOSetupSuiteSettings,
+    TenantAuthType,
+)
 
 
 class Tenant(HTTPBase):
@@ -109,6 +114,7 @@ def update_settings(
         inactivity_time: Optional[int] = None,
         inactivity_time_unit: Optional[SessionExpirationUnit] = None,
         JITDisabled: Optional[bool] = None,
+        sso_setup_suite_settings: Optional[SSOSetupSuiteSettings] = None,
     ):
         """
         Update an existing tenant's session settings.
@@ -120,15 +126,16 @@ def update_settings(
             auth_type (Optional[TenantAuthType]): Authentication type for the tenant.
             session_settings_enabled (Optional[bool]): Whether session settings are enabled.
             refresh_token_expiration (Optional[int]): Expiration time for refresh tokens.
-            refresh_token_expiration_unit (Optional[SessionExiprationUnit]): Unit for refresh token expiration.
+            refresh_token_expiration_unit (Optional[SessionExpirationUnit]): Unit for refresh token expiration.
             session_token_expiration (Optional[int]): Expiration time for session tokens.
-            session_token_expiration_unit (Optional[SessionExiprationUnit]): Unit for session token expiration.
+            session_token_expiration_unit (Optional[SessionExpirationUnit]): Unit for session token expiration.
             stepup_token_expiration (Optional[int]): Expiration time for step-up tokens.
-            stepup_token_expiration_unit (Optional[SessionExiprationUnit]): Unit for step-up token expiration.
+            stepup_token_expiration_unit (Optional[SessionExpirationUnit]): Unit for step-up token expiration.
             enable_inactivity (Optional[bool]): Whether inactivity timeout is enabled.
             inactivity_time (Optional[int]): Inactivity timeout duration.
-            inactivity_time_unit (Optional[SessionExiprationUnit]): Unit for inactivity timeout.
+            inactivity_time_unit (Optional[SessionExpirationUnit]): Unit for inactivity timeout.
             JITDisabled (Optional[bool]): Whether JIT is disabled.
+            sso_setup_suite_settings (Optional[SSOSetupSuiteSettings]): SSO Setup Suite configuration.
 
         Raise:
             AuthException: raised if update operation fails
@@ -149,6 +156,9 @@ def update_settings(
             "inactivityTime": inactivity_time,
             "inactivityTimeUnit": inactivity_time_unit,
             "JITDisabled": JITDisabled,
+            "ssoSetupSuiteSettings": (
+                sso_setup_suite_settings.to_dict() if sso_setup_suite_settings else None
+            ),
         }
 
         body = {k: v for k, v in body.items() if v is not None}
@@ -215,7 +225,7 @@ def load_settings(
              "sessionTokenExpiration":<int>, "sessionTokenExpirationUnit":<str>,
              "stepupTokenExpiration":<int>, "stepupTokenExpirationUnit":<str>,
              "enableInactivity":<bool>, "inactivityTime":<int>, "inactivityTimeUnit":<str>,
-             "JITDisabled":<bool> }
+             "JITDisabled":<bool>, "ssoSetupSuiteSettings":<dict> }
         Containing the loaded tenant session settings.
 
         Raise:

tests/management/test_tenant.py

@@ -4,7 +4,11 @@
 
 from descope import AuthException, DescopeClient
 from descope.common import DEFAULT_TIMEOUT_SECONDS
-from descope.management.common import MgmtV1
+from descope.management.common import (
+    MgmtV1,
+    SSOSetupSuiteSettings,
+    SSOSetupSuiteSettingsDisabledFeatures,
+)
 
 from .. import common
 
@@ -417,6 +421,58 @@ def test_update_settings(self):
                 timeout=DEFAULT_TIMEOUT_SECONDS,
             )
 
+        # Test success flow with SSO Setup Suite settings
+        with patch("requests.post") as mock_post:
+            mock_post.return_value.ok = True
+            sso_disabled_features = SSOSetupSuiteSettingsDisabledFeatures(
+                saml=True, oidc=False, scim=True, sso_domains=False, group_mapping=True
+            )
+            sso_settings = SSOSetupSuiteSettings(
+                enabled=True,
+                style_id="style123",
+                disabled_features=sso_disabled_features,
+            )
+            self.assertIsNone(
+                client.mgmt.tenant.update_settings(
+                    "t1",
+                    self_provisioning_domains=["domain1.com"],
+                    domains=["domain1.com", "domain2.com"],
+                    auth_type="oidc",
+                    session_settings_enabled=True,
+                    sso_setup_suite_settings=sso_settings,
+                )
+            )
+            mock_post.assert_called_with(
+                f"{common.DEFAULT_BASE_URL}{MgmtV1.tenant_settings_path}",
+                headers={
+                    **common.default_headers,
+                    "Authorization": f"Bearer {self.dummy_project_id}:{self.dummy_management_key}",
+                    "x-descope-project-id": self.dummy_project_id,
+                },
+                json={
+                    "tenantId": "t1",
+                    "selfProvisioningDomains": ["domain1.com"],
+                    "domains": ["domain1.com", "domain2.com"],
+                    "authType": "oidc",
+                    "enabled": True,
+                    "ssoSetupSuiteSettings": {
+                        "enabled": True,
+                        "styleId": "style123",
+                        "disabledFeatures": {
+                            "saml": True,
+                            "oidc": False,
+                            "scim": True,
+                            "ssoDomains": False,
+                            "groupMapping": True,
+                        },
+                    },
+                },
+                allow_redirects=False,
+                params=None,
+                verify=True,
+                timeout=DEFAULT_TIMEOUT_SECONDS,
+            )
+
     def test_load_settings(self):
         client = DescopeClient(
             self.dummy_project_id,
@@ -460,3 +516,54 @@ def test_load_settings(self):
                 verify=True,
                 timeout=DEFAULT_TIMEOUT_SECONDS,
             )
+
+        # Test success flow with SSO Setup Suite settings
+        with patch("requests.get") as mock_get:
+            network_resp = mock.Mock()
+            network_resp.ok = True
+            network_resp.json.return_value = json.loads(
+                """
+                {
+                    "domains": ["domain1.com", "domain2.com"],
+                    "authType": "oidc",
+                    "sessionSettingsEnabled": true,
+                    "ssoSetupSuiteSettings": {
+                        "enabled": true,
+                        "styleId": "style123",
+                        "disabledFeatures": {
+                            "saml": true,
+                            "oidc": false,
+                            "scim": true,
+                            "ssoDomains": false,
+                            "groupMapping": true
+                        }
+                    }
+                }
+                """
+            )
+            mock_get.return_value = network_resp
+            resp = client.mgmt.tenant.load_settings("t1")
+            self.assertEqual(resp["domains"], ["domain1.com", "domain2.com"])
+            self.assertEqual(resp["authType"], "oidc")
+            self.assertEqual(resp["sessionSettingsEnabled"], True)
+            sso_settings = resp["ssoSetupSuiteSettings"]
+            self.assertEqual(sso_settings["enabled"], True)
+            self.assertEqual(sso_settings["styleId"], "style123")
+            disabled_features = sso_settings["disabledFeatures"]
+            self.assertEqual(disabled_features["saml"], True)
+            self.assertEqual(disabled_features["oidc"], False)
+            self.assertEqual(disabled_features["scim"], True)
+            self.assertEqual(disabled_features["ssoDomains"], False)
+            self.assertEqual(disabled_features["groupMapping"], True)
+            mock_get.assert_called_with(
+                f"{common.DEFAULT_BASE_URL}{MgmtV1.tenant_settings_path}",
+                headers={
+                    **common.default_headers,
+                    "Authorization": f"Bearer {self.dummy_project_id}:{self.dummy_management_key}",
+                    "x-descope-project-id": self.dummy_project_id,
+                },
+                params={"id": "t1"},
+                allow_redirects=True,
+                verify=True,
+                timeout=DEFAULT_TIMEOUT_SECONDS,
+            )