
# SAML Assertion Consumer Service (ACS)

> Endpoint the Identity Provider posts the `SAMLResponse` to (HTTP-POST
> binding). Both IdP-initiated (no `RelayState`) and SP-initiated (the
> `RelayState` issued by the [initiate](/session/api-reference/frontend/saml-initiate)
> endpoints) flows land here. On success, redirects to the connection's
> redirect URI with a `challenge_token` that can be finalized via
> [Finalize login](/session/api-reference/frontend/finalize-login).

This endpoint is called by the IdP, not by your application directly.

## OpenAPI

````yaml post /v1/session/login/saml/{provider_id}/{connection_id}/acs
openapi: 3.1.1
info:
  title: Prelude Auth Frontend API
  version: 0.0.1
  description: The Prelude Frontend API for Authentication and Session Management
  contact:
    email: support@prelude.so
servers:
  - url: https://{appId}.session.prelude.dev
    description: Production server
    variables:
      appId:
        default: changeme
        description: The appID
security: []
tags:
  - name: Login OTP
    description: Login and step-up via OTP (phone or email)
  - name: Login Email Password
    description: Login via email and password
  - name: Login OAuth
    description: Login via OAuth providers
  - name: Login SAML
    description: Login via SAML 2.0 SSO connections (Okta, Google Workspace)
  - name: Login Finalize
    description: Finalize a login flow and create a session
  - name: Login Migration
    description: Migrate sessions from a legacy authentication system
  - name: Session
    description: Session refresh and revocation
  - name: Session Management
    description: Authenticated session and identifier management
  - name: Step-Up
    description: Step-up authentication flow
  - name: Well-Known
    description: Public key discovery endpoints
  - name: Password
    description: Password compliancy and change password
  - name: Passkey Login
    description: >-
      Primary-factor (passwordless) sign-in via WebAuthn discoverable
      credentials
  - name: Passkey Management
    description: >-
      Register / list / rename / delete the authenticated user's passkey
      credentials
paths:
  /v1/session/login/saml/{provider_id}/{connection_id}/acs:
    post:
      tags:
        - Login SAML
      summary: SAML Assertion Consumer Service (ACS)
      description: >
        Endpoint the Identity Provider posts the `SAMLResponse` to (HTTP-POST
        binding). Both IdP-initiated (no `RelayState`) and SP-initiated (the
        `RelayState` issued by the
        [initiate](/session/api-reference/frontend/saml-initiate)
        endpoints) flows land here. On success, redirects to the connection's
        redirect URI with a `challenge_token` that can be finalized via
        [Finalize login](/session/api-reference/frontend/finalize-login).


        This endpoint is called by the IdP, not by your application directly.
      operationId: samlAcs
      parameters:
        - $ref: '#/components/parameters/samlProviderIDParam'
        - $ref: '#/components/parameters/samlConnectionIDParam'
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                SAMLResponse:
                  type: string
                  description: Base64-encoded SAML response assertion from the IdP.
                RelayState:
                  type: string
                  description: |
                    Opaque token echoed back by the IdP. Present for
                    SP-initiated flows; absent for IdP-initiated flows.
              required:
                - SAMLResponse
      responses:
        '302':
          description: |
            Redirect to the connection's redirect URI with one of:
              * `challenge_token=<jwt>` — login may be finalized via the [Finalize login](/session/api-reference/frontend/finalize-login) endpoint.
              * `error=<code>&error_description=<message>` — SAML validation or provisioning failure (e.g. `saml_authentication_failed`, `saml_user_not_provisioned`, `saml_email_domain_not_allowed`, `email_already_in_use`).
        '400':
          description: Bad Request (missing or malformed SAMLResponse)
        '500':
          description: Internal Server Error
components:
  parameters:
    samlProviderIDParam:
      name: provider_id
      in: path
      required: true
      schema:
        type: string
        examples:
          - okta
          - google
      description: The SAML provider identifier (`okta` or `google`).
    samlConnectionIDParam:
      name: connection_id
      in: path
      required: true
      schema:
        type: string
        examples:
          - samlc_01jqebhswje1ka1z7ahr9rfsgt
      description: The SAML connection identifier (prefixed with `samlc_`).

````
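The ACS contract above as an added example (not Prelude's own code): it builds the ACS URL an operator registers at the IdP and classifies the 302 redirect the browser receives, treating a redirect to anything other than the connection's configured redirect URI, or one carrying both `challenge_token` and `error`, as a failure. The URL pattern, path parameters and query parameters are taken from the OpenAPI document; the character set allowed after the `samlc_` prefix is an assumption, and `app.example.com` is a constructed sample redirect host.

```python
"""Client-side helpers for the SAML ACS contract above (added example, not
Prelude's own code). URL pattern, form fields and redirect parameters are
taken from the spec; the connection_id body charset is an assumption."""
import re
from urllib.parse import parse_qs, urlsplit

ACS_PATH = "/v1/session/login/saml/{provider_id}/{connection_id}/acs"
PROVIDERS = {"okta", "google"}  # the two provider_id values the spec lists
CONNECTION_ID_RE = re.compile(r"^samlc_[A-Za-z0-9]+$")  # charset assumed


def valid_connection_id(connection_id: str) -> bool:
    return CONNECTION_ID_RE.fullmatch(connection_id) is not None


def acs_url(app_id: str, provider_id: str, connection_id: str) -> str:
    """ACS URL to register at the IdP; malformed path params are rejected
    rather than producing an ACS that silently never receives assertions."""
    if provider_id not in PROVIDERS:
        raise ValueError(f"unknown provider_id: {provider_id!r}")
    if not valid_connection_id(connection_id):
        raise ValueError(f"connection_id must be samlc_...: {connection_id!r}")
    path = ACS_PATH.format(provider_id=provider_id, connection_id=connection_id)
    return f"https://{app_id}.session.prelude.dev{path}"


def parse_acs_redirect(location: str, redirect_uri: str) -> dict:
    """Classify the 302 Location the ACS answers with.

    Refuses a target whose scheme/host/path differ from the connection's
    configured redirect URI; a query carrying both challenge_token and
    error counts as failure. The token is only a handle: it grants
    nothing until exchanged at Finalize login."""
    loc, want = urlsplit(location), urlsplit(redirect_uri)
    if (loc.scheme, loc.netloc, loc.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect target is not the connection's redirect URI")
    q = parse_qs(loc.query, keep_blank_values=True)
    if "challenge_token" in q and "error" not in q:
        return {"ok": True, "challenge_token": q["challenge_token"][0]}
    return {
        "ok": False,
        "error": q.get("error", ["unknown"])[0],
        "error_description": q.get("error_description", [""])[0],
    }
```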