> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cantina.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Create an SSO enforcement rule for a company.

> Creates a rule that enforces SSO for a specific domain.
Domain must be unique and cannot overlap with SSO connection domains.
Requires same permissions and domain validation as SSO connections.

# Access Control Rules

- Company manager of the company OR admin with `manage_companies` permissions.
- For company managers: domain must have at least one verified company user email.



## OpenAPI

````yaml POST /api/v0/companies/{company_id}/sso-enforcement-rules
openapi: 3.1.0
info:
  title: Cantina Client API
  description: >-
    Endpoints available to client organizations. For an overview and
    authentication, see
    https://docs.cantina.xyz/for-organizations/getting-started/api-access.
  license:
    name: Cantina
    identifier: Cantina
  version: 0.1.0
servers: []
security: []
paths:
  /api/v0/companies/{company_id}/sso-enforcement-rules:
    post:
      tags:
        - companies
      summary: Create an SSO enforcement rule for a company.
      description: >-
        Creates a rule that enforces SSO for a specific domain.

        Domain must be unique and cannot overlap with SSO connection domains.

        Requires same permissions and domain validation as SSO connections.


        # Access Control Rules


        - Company manager of the company OR admin with `manage_companies`
        permissions.

        - For company managers: domain must have at least one verified company
        user email.
      operationId: create_company_sso_enforcement_rule
      parameters:
        - name: company_id
          in: path
          required: true
          schema:
            type: string
            format: uuid
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateCompanySsoEnforcementRule'
        required: true
      responses:
        '201':
          description: SSO enforcement rule created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CompanySsoEnforcementRule'
        '400':
          description: Bad request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CantinaError'
        '401':
          description: Access not authorised
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CantinaError'
        '403':
          description: Access forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CantinaError'
        '404':
          description: Not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CantinaError'
        '500':
          description: Error creating SSO enforcement rule
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CantinaError'
components:
  schemas:
    CreateCompanySsoEnforcementRule:
      type: object
      required:
        - domain
      properties:
        domain:
          type: string
    CompanySsoEnforcementRule:
      type: object
      description: >-
        Ensures that company users can't sign in with email+password auth with
        email

        from a specified domain. Such users can sign in through a Google SSO
        only.
      required:
        - id
        - companyId
        - domain
        - createdAt
        - createdBy
      properties:
        id:
          type: string
          format: uuid
        companyId:
          type: string
          format: uuid
        domain:
          type: string
          description: >-
            Users with emails registered on those domains will be forced to
            authenticate

            with Google SSO.
        createdAt:
          type: string
          format: date-time
        createdBy:
          $ref: '#/components/schemas/UserProfile'
    CantinaError:
      type: object
      description: Error returned by the Cantina API.
      required:
        - type
        - msg
      properties:
        type:
          $ref: '#/components/schemas/ErrorType'
        msg:
          type: string
          description: Error message for the user.
    UserProfile:
      type: object
      description: Profile info of a user.
      required:
        - userId
        - name
        - username
        - avatar
      properties:
        userId:
          type: string
          format: uuid
        name:
          type: string
        username:
          type: string
        avatar:
          type: string
        disabledAt:
          type:
            - string
            - 'null'
          format: date-time
    ErrorType:
      type: string
      description: Type of error.
      enum:
        - email_not_verified
        - auth_invalid
        - auth_expired
        - auth_token_missing
        - auth_id_missing
        - invalid_password
        - disabled_user
        - tc_not_accepted
        - evicted
        - unauthorized
        - bad_request
        - not_found
        - forbidden
        - gone
        - payload_too_large
        - service_unavailable
        - internal_error

````