Upon further investigation, I was indeed encoding it wrong.
Here is what I ended up with, for posterity:
return_payload = base64.b64encode(parse.urlencode(kwargs).encode("utf-8"))
h = hmac.new(secret.encode("utf-8"), return_payload, digestmod=hashlib.sha256)
resp = requests.post(
".../admin/users/sync_sso",
data={"sso": return_payload, "sig": h.hexdigest()}
headers={...}
)
And if you’re doing the redirect, be sure to parse.urlencode that {“sso”…}.