descope · dorsha · Jun 12, 2026 · Jun 11, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/descope/management/sso_settings.py b/descope/management/sso_settings.py
@@ -185,8 +185,12 @@ def __init__(
         # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
         sp_acs_url: Optional[str] = None,
         sp_entity_id: Optional[str] = None,
+        # IdP entity ID - set so IdP-initiated login can resolve the tenant by the SAML response issuer.
+        # Appended last to preserve positional compatibility for existing callers.
+        idp_entity_id: Optional[str] = None,
     ):
         self.idp_metadata_url = idp_metadata_url
+        self.idp_entity_id = idp_entity_id
         self.attribute_mapping = attribute_mapping
         self.role_mappings = role_mappings
         self.default_sso_roles = default_sso_roles
@@ -641,6 +645,7 @@ def _compose_configure_saml_settings_by_metadata_body(
             "tenantId": tenant_id,
             "settings": {
                 "idpMetadataUrl": settings.idp_metadata_url,
+                "entityId": settings.idp_entity_id,
                 "spACSUrl": settings.sp_acs_url,
                 "spEntityId": settings.sp_entity_id,
                 "attributeMapping": attr_mapping,

diff --git a/pyproject.toml b/pyproject.toml
@@ -48,7 +48,7 @@ types = [
     # mypy 1.12+ requires Python 3.10+; on 3.9 we stay on the last 1.11.x line.
     # mypy is only run in the lint job (Python 3.13) so 3.9 never installs it in CI.
     "mypy>=1.20.1; python_version >= '3.10'",
-    "mypy==2.1.0; python_version < '3.10'",
+    "mypy==1.11.2; python_version < '3.10'",
 ]
 tests = [
     # pytest 9 requires Python 3.10+; on 3.9 we stay on the last 8.x line.

diff --git a/tests/management/test_sso_settings.py b/tests/management/test_sso_settings.py
@@ -355,6 +355,7 @@ def test_configure_saml_settings_by_metadata(self):
                     "tenant-id",
                     SSOSAMLSettingsByMetadata(
                         idp_metadata_url="http://dummy.com/metadata",
+                        idp_entity_id="https://idp.example.com/entity",
                         attribute_mapping=AttributeMapping(
                             name="name",
                             given_name="givenName",
@@ -387,6 +388,7 @@ def test_configure_saml_settings_by_metadata(self):
                     "tenantId": "tenant-id",
                     "settings": {
                         "idpMetadataUrl": "http://dummy.com/metadata",
+                        "entityId": "https://idp.example.com/entity",
                         "attributeMapping": {
                             "name": "name",
                             "givenName": "givenName",
@@ -659,6 +661,7 @@ def test_configure_saml_settings_by_metadata_with_fga_mappings(self):
                     "tenantId": "tenant-id",
                     "settings": {
                         "idpMetadataUrl": "http://dummy.com/metadata",
+                        "entityId": None,
                         "attributeMapping": None,
                         "roleMappings": [],
                         "spACSUrl": None,

diff --git a/uv.lock b/uv.lock