> ## Documentation Index
> Fetch the complete documentation index at: https://tyk.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# OAuth / SAML callback (POST)

> Same as the GET callback but accepts a POST body — required for SAML HTTP-POST
binding where the IdP POSTs the `SAMLResponse` form field to the ACS URL.




## OpenAPI

````yaml /swagger/5.13/identity-broker-swagger.yml post /auth/{id}/{provider}/callback
openapi: 3.0.3
info:
  title: Tyk Identity Broker (TIB) API
  description: >
    The Tyk Identity Broker (TIB) acts as a delegated authentication gateway
    between

    external identity providers (OAuth/Social, SAML, LDAP, Reverse Proxy) and
    the

    Tyk ecosystem.


    ## Authentication


    Profile management endpoints (`/api/*`) require an `Authorization` header
    whose

    value must exactly match the `Secret` field in `tib.conf`.


    Auth flow endpoints (`/auth/*`) are public — they are the entry points for

    end-user authentication and are called by browsers or API clients, not by

    back-end services.
  version: v1.7.2
  contact:
    email: support@tyk.io
    name: Tyk Technologies
    url: https://tyk.io/contact
servers:
  - url: http://localhost:3010
    description: Default local TIB instance
security: []
tags:
  - name: Auth
    description: Entry points for identity-provider authentication flows (public)
  - name: Profiles
    description: CRUD management of TIB profiles (requires Authorization header)
  - name: Health
    description: Health check
paths:
  /auth/{id}/{provider}/callback:
    post:
      tags:
        - Auth
      summary: OAuth / SAML callback (POST)
      description: >
        Same as the GET callback but accepts a POST body — required for SAML
        HTTP-POST

        binding where the IdP POSTs the `SAMLResponse` form field to the ACS
        URL.
      operationId: handleAuthCallbackPost
      parameters:
        - $ref: '#/components/parameters/profileId'
        - $ref: '#/components/parameters/providerName'
      requestBody:
        required: false
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                SAMLResponse:
                  type: string
                  description: Base64-encoded SAML assertion (SAML POST binding).
                RelayState:
                  type: string
                  description: SAML relay state value.
              additionalProperties: true
      responses:
        '302':
          description: Redirect to `ReturnURL` after successful authentication.
        '400':
          description: Bad request.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIErrorMessage'
components:
  parameters:
    profileId:
      name: id
      in: path
      required: true
      description: The unique identifier of the authentication profile.
      schema:
        type: string
      example: github-sso-dashboard
    providerName:
      name: provider
      in: path
      required: true
      description: >
        The provider sub-path. For Social/OIDC providers this is the Goth
        provider

        name (e.g. `github`, `linkedin`, `openid-connect`). For SAML it is
        `saml`.

        For LDAP/Proxy it matches the configured provider identifier.
      schema:
        type: string
      example: github
  schemas:
    APIErrorMessage:
      type: object
      properties:
        Status:
          type: string
          enum:
            - error
          example: error
        Error:
          type: string
          description: Human-readable error message.
          example: Profile not found

````