Recalculate SSO Mappings (#745)

dorsha · web-flow · commit 89a2a21a107e · 2026-01-19T12:19:45.000+02:00
diff --git a/descope/management/common.py b/descope/management/common.py
@@ -179,6 +179,7 @@ class MgmtV1:
     sso_settings_path = "/v1/mgmt/sso/settings"
     sso_metadata_path = "/v1/mgmt/sso/metadata"
     sso_mapping_path = "/v1/mgmt/sso/mapping"
+    sso_recalculate_mappings_path = "/v1/mgmt/sso/recalculate-mappings"
     sso_load_settings_path = "/v2/mgmt/sso/settings"  # v2 only
     sso_configure_oidc_settings = "/v1/mgmt/sso/oidc"
     sso_configure_saml_settings = "/v1/mgmt/sso/saml"
diff --git a/descope/management/sso_settings.py b/descope/management/sso_settings.py
@@ -199,6 +199,33 @@ def load_settings(
         )
         return response.json()
 
+    def recalculate_sso_mappings(
+        self,
+        tenant_id: str,
+        sso_id: Optional[str] = None,
+    ):
+        """
+        Recalculate SSO group to role mappings for all users in a tenant.
+
+        This method triggers a recalculation of user roles based on the current SSO group mappings.
+        It will update the roles for all users in the tenant who have SSO group mappings.
+
+        Args:
+        tenant_id (str): The tenant ID (required)
+        sso_id (str): Optional, specify to recalculate mappings for a specific SSO configuration
+
+        Raise:
+        AuthException: raised if recalculation operation fails
+        """
+        body = {"tenantId": tenant_id}
+        if sso_id:
+            body["ssoId"] = sso_id
+
+        self._http.post(
+            uri=MgmtV1.sso_recalculate_mappings_path,
+            body=body,
+        )
+
     def delete_settings(
         self,
         tenant_id: str,
diff --git a/samples/management/sso_sample_app.py b/samples/management/sso_sample_app.py
@@ -120,6 +120,12 @@ def main():
         except AuthException as e:
             logging.info(f"Load SSO settings failed {e}")
 
+        try:
+            logging.info("Recalculating SSO mappings for tenant")
+            descope_client.mgmt.sso.recalculate_sso_mappings(tenant_id)
+        except AuthException as e:
+            logging.info(f"Recalculate SSO mappings failed {e}")
+
         # All the following code is DEPRECATED (keeping just for backward compatibility)
         try:
             logging.info("Get SSO settings for tenant")
diff --git a/tests/management/test_sso_settings.py b/tests/management/test_sso_settings.py
@@ -781,3 +781,69 @@ def test_mapping(self):
                 verify=True,
                 timeout=DEFAULT_TIMEOUT_SECONDS,
             )
+
+    def test_recalculate_sso_mappings(self):
+        client = DescopeClient(
+            self.dummy_project_id,
+            self.public_key_dict,
+            False,
+            self.dummy_management_key,
+        )
+
+        # Test failed flows
+        with patch("requests.post") as mock_post:
+            mock_post.return_value.ok = False
+            self.assertRaises(
+                AuthException,
+                client.mgmt.sso.recalculate_sso_mappings,
+                "tenant-id",
+            )
+
+        # Test success flow with sso_id
+        with patch("requests.post") as mock_post:
+            network_resp = mock.Mock()
+            network_resp.ok = True
+            network_resp.json.return_value = {
+                "affectedUserIds": ["user1", "user2", "user3"]
+            }
+            mock_post.return_value = network_resp
+            client.mgmt.sso.recalculate_sso_mappings("tenant-id", "sso-456")
+            mock_post.assert_called_with(
+                f"{common.DEFAULT_BASE_URL}{MgmtV1.sso_recalculate_mappings_path}",
+                headers={
+                    **common.default_headers,
+                    "Authorization": f"Bearer {self.dummy_project_id}:{self.dummy_management_key}",
+                    "x-descope-project-id": self.dummy_project_id,
+                },
+                params=None,
+                json={
+                    "tenantId": "tenant-id",
+                    "ssoId": "sso-456",
+                },
+                allow_redirects=False,
+                verify=True,
+                timeout=DEFAULT_TIMEOUT_SECONDS,
+            )
+
+        # Test success flow without sso_id
+        with patch("requests.post") as mock_post:
+            network_resp = mock.Mock()
+            network_resp.ok = True
+            network_resp.json.return_value = {"affectedUserIds": ["user1"]}
+            mock_post.return_value = network_resp
+            client.mgmt.sso.recalculate_sso_mappings("tenant-id")
+            mock_post.assert_called_with(
+                f"{common.DEFAULT_BASE_URL}{MgmtV1.sso_recalculate_mappings_path}",
+                headers={
+                    **common.default_headers,
+                    "Authorization": f"Bearer {self.dummy_project_id}:{self.dummy_management_key}",
+                    "x-descope-project-id": self.dummy_project_id,
+                },
+                params=None,
+                json={
+                    "tenantId": "tenant-id",
+                },
+                allow_redirects=False,
+                verify=True,
+                timeout=DEFAULT_TIMEOUT_SECONDS,
+            )
