> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Initiate SAML login (resolve by email) > Start an SP-initiated SAML SSO flow, resolving the connection from the email's domain. The domain must match exactly one enabled connection's `email_domain_allowlist`. On success, returns the IdP URL the SDK navigates the user to; the IdP eventually posts a `SAMLResponse` back to the connection's [ACS endpoint](/session/api-reference/frontend/saml-acs). ## OpenAPI ````yaml get /v1/session/login/saml/initiate openapi: 3.1.1 info: title: Prelude Auth Frontend API version: 0.0.1 description: The Prelude Frontend API for Authentication and Session Management contact: email: support@prelude.so servers: - url: https://{appId}.session.prelude.dev description: Production server variables: appId: default: changeme description: The appID security: [] tags: - name: Login OTP description: Login and step-up via OTP (phone or email) - name: Login Email Password description: Login via email and password - name: Login OAuth description: Login via OAuth providers - name: Login SAML description: Login via SAML 2.0 SSO connections (Okta, Google Workspace) - name: Login Finalize description: Finalize a login flow and create a session - name: Login Migration description: Migrate sessions from a legacy authentication system - name: Session description: Session refresh and revocation - name: Session Management description: Authenticated session and identifier management - name: Step-Up description: Step-up authentication flow - name: Well-Known description: Public key discovery endpoints - name: Password description: Password compliancy and change password - name: Passkey Login description: >- Primary-factor (passwordless) sign-in via WebAuthn discoverable credentials - name: Passkey Management description: >- Register / list / rename / delete the authenticated user's passkey credentials paths: /v1/session/login/saml/initiate: get: tags: - Login SAML summary: Initiate SAML login (resolve by email) description: > Start an SP-initiated SAML SSO flow, resolving the connection from the email's domain. The domain must match exactly one enabled connection's `email_domain_allowlist`. On success, returns the IdP URL the SDK navigates the user to; the IdP eventually posts a `SAMLResponse` back to the connection's [ACS endpoint](/session/api-reference/frontend/saml-acs). operationId: samlInitiateByEmail parameters: - name: email in: query required: true schema: type: string format: email examples: - jane@acme.com description: The email whose domain resolves the SAML connection. - name: redirect_uri in: query schema: type: string examples: - https://app.acme.com/callback description: | URI to redirect to after authentication. Must be allowlisted for the app. Falls back to the connection's `default_redirect_uri` when omitted. - name: code_challenge in: query schema: type: string examples: - E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM description: PKCE code challenge (S256) bound to the eventual login finalize. - name: dispatch_id in: query schema: type: string examples: - 123e4567-e89b-12d3-a456-426614174000 description: The identifier of the dispatch from the front-end SDK. responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SAMLInitiateResponse' '400': description: Bad Request content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadRequestError' - $ref: '#/components/schemas/InvalidIdentifierError' - $ref: '#/components/schemas/InvalidRedirectURIError' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/SAMLNoConnectionForEmailError' '500': description: Internal Error content: application/json: schema: $ref: '#/components/schemas/InternalError' components: schemas: SAMLInitiateResponse: type: object properties: redirect_url: type: string description: The Identity Provider URL to redirect the user to. examples: - >- https://acme.okta.com/app/abc/sso/saml?SAMLRequest=...&RelayState=... required: - redirect_url BadRequestError: type: object properties: code: type: string enum: - bad_request type: type: string enum: - bad_request InvalidIdentifierError: type: object properties: code: type: string enum: - invalid_identifier type: type: string enum: - bad_request InvalidRedirectURIError: type: object properties: code: type: string enum: - invalid_redirect_uri type: type: string enum: - bad_request SAMLNoConnectionForEmailError: type: object description: The email domain is not in any enabled connection's allowlist. properties: code: type: string enum: - saml_no_connection_for_email type: type: string enum: - not_found InternalError: type: object properties: code: type: string enum: - internal type: type: string enum: - internal ````