Identity Providers

The Identity Providers API provides operations to manage federations with external Identity Providers (IdPs). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP that uses SAML 2.0, or an IdP that uses the OpenID Connect (OIDC) protocol.

List all Identity Providers
OAuth 2.0: okta.idps.read

Lists all identity provider integrations, paginated. Use the q or type query parameters to return only the subset of IdPs whose name matches a query or whose type matches a filter.

Request
query Parameters
q
string

Searches the name property of IdPs for a matching value

after
string

Specifies the pagination cursor for the next page of IdPs

limit
integer <int32>
Default: 20

Specifies the number of IdP results in a page

type
string

Filters IdPs by type

Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/idps
Response samples
application/json
[
  {
    "created": "2019-08-24T14:15:22Z",
    "id": "string",
    "issuerMode": "CUSTOM_URL",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "name": "string",
    "policy": {},
    "properties": {},
    "protocol": {},
    "status": "ACTIVE",
    "type": "AgentlessDSSO",
    "_links": {}
  }
]
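The following Python is an added example for this reference, not Okta's own code. It walks GET /api/v1/idps with the after and limit parameters documented above and diffs the result against an approved baseline, which is the check a reviewer wants: a federation nobody signed off, or an INACTIVE one quietly flipped to ACTIVE, is a login backdoor for whoever controls that IdP's keys. It assumes that the next-page cursor comes back in a Link response header with rel="next" (Okta's pagination convention; the page above documents only the query parameters), and the HTTP round trip is injected as fetch_page so everything runs offline against the constructed sample pages; the IdP ids, names and host in the sample are made up.

```python
"""Inventory the org's identity providers and diff them against an approved baseline.

Added example for this reference page, not Okta's own code. Assumptions:
- GET /api/v1/idps returns the next page's `after` cursor in a
  `Link: <url>; rel="next"` response header (Okta's convention; the page above
  documents only the `after`/`limit` query parameters);
- the HTTP round trip is injected as `fetch_page(after)` so the walk and the
  diff run offline against the constructed sample pages below.
"""
import re
import urllib.parse
from typing import Callable, Dict, List, Optional, Set, Tuple

_LINK_NEXT = re.compile(r'<([^>]+)>\s*;\s*rel="next"')


def next_cursor(link_header: Optional[str]) -> Optional[str]:
    """Return the `after` value from the rel="next" Link entry, or None on the last page."""
    if not link_header:
        return None
    match = _LINK_NEXT.search(link_header)
    if not match:
        return None
    query = urllib.parse.urlparse(match.group(1)).query
    values = urllib.parse.parse_qs(query).get("after")
    return values[0] if values else None


# fetch_page(after) performs GET /api/v1/idps?limit=<n>&after=<cursor> and returns
# (decoded JSON array, value of the Link response header or None).
FetchPage = Callable[[Optional[str]], Tuple[List[dict], Optional[str]]]


def list_all_idps(fetch_page: FetchPage) -> List[dict]:
    """Collect every IdP by following `after` cursors until no rel="next" link comes back."""
    idps: List[dict] = []
    after: Optional[str] = None
    seen: Set[str] = set()
    while True:
        body, link = fetch_page(after)
        idps.extend(body)
        after = next_cursor(link)
        if after is None:
            return idps
        if after in seen:  # refuse to spin on a server that repeats a cursor
            raise RuntimeError(f"pagination cursor repeated: {after}")
        seen.add(after)


def diff_against_baseline(current: List[dict], baseline: Dict[str, dict]) -> Dict[str, list]:
    """Compare live IdPs with an approved baseline of {id: {"type": ..., "status": ...}}.

    An IdP that is not in the baseline is the first thing to chase: an unexpected
    ACTIVE SAML2 or OIDC federation lets whoever controls its keys sign users in.
    A status flip from INACTIVE to ACTIVE is the same backdoor with less noise.
    """
    report: Dict[str, list] = {"added": [], "removed": [], "changed": []}
    current_by_id = {idp["id"]: idp for idp in current}
    for idp_id, idp in current_by_id.items():
        expected = baseline.get(idp_id)
        if expected is None:
            report["added"].append((idp_id, idp["type"], idp["status"]))
        elif (idp["type"], idp["status"]) != (expected["type"], expected["status"]):
            report["changed"].append((idp_id, expected["status"], idp["status"]))
    report["removed"] = [idp_id for idp_id in baseline if idp_id not in current_by_id]
    return report


# Constructed sample: two pages as GET /api/v1/idps?limit=2 might return them.
# Ids, names and the host are made up.
SAMPLE_PAGES: Dict[Optional[str], Tuple[List[dict], Optional[str]]] = {
    None: (
        [
            {"id": "0oaidp000000000001", "name": "Corp SAML", "type": "SAML2", "status": "ACTIVE"},
            {"id": "0oaidp000000000002", "name": "Google", "type": "GOOGLE", "status": "ACTIVE"},
        ],
        '<https://example.okta.com/api/v1/idps?limit=2&after=cursor2>; rel="next", '
        '<https://example.okta.com/api/v1/idps?limit=2>; rel="self"',
    ),
    "cursor2": (
        [{"id": "0oaidp000000000003", "name": "Partner OIDC", "type": "OIDC", "status": "ACTIVE"}],
        '<https://example.okta.com/api/v1/idps?limit=2&after=cursor2>; rel="self"',
    ),
}


def sample_fetch_page(after: Optional[str]) -> Tuple[List[dict], Optional[str]]:
    return SAMPLE_PAGES[after]


# Approved baseline: Google was switched off after a review and the partner OIDC
# federation was never signed off, so both should surface in the report.
BASELINE: Dict[str, dict] = {
    "0oaidp000000000001": {"type": "SAML2", "status": "ACTIVE"},
    "0oaidp000000000002": {"type": "GOOGLE", "status": "INACTIVE"},
}

if __name__ == "__main__":
    print(diff_against_baseline(list_all_idps(sample_fetch_page), BASELINE))
```

To run it against a real org, replace sample_fetch_page with a function that issues the GET with an okta.idps.read token and returns the JSON body together with the Link header; the repeated-cursor guard stays worthwhile, because a paginated walk that never terminates is the failure mode you will otherwise discover in a cron job's logs.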

Create an Identity Provider
OAuth 2.0: okta.idps.manage

Creates a new identity provider integration

Request
Request Body schema: application/json
issuerMode
string (IssuerMode)
Enum: "CUSTOM_URL" "DYNAMIC" "ORG_URL"
name
string
object (IdentityProviderPolicy)
description
string
name
string
priority
integer
status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
system
boolean
type
string (PolicyType)
object (PolicyRuleConditions)
object (AppAndInstancePolicyRuleCondition)
object (AppInstancePolicyRuleCondition)
object (PolicyRuleAuthContextCondition)
object (PasswordPolicyAuthenticationProviderCondition)
object (BeforeScheduledActionPolicyRuleCondition)
object (ClientPolicyCondition)
object (ContextPolicyRuleCondition)
object (DevicePolicyRuleCondition)
object (GrantTypePolicyRuleCondition)
object (GroupPolicyRuleCondition)
object (IdentityProviderPolicyRuleCondition)
object (MDMEnrollmentPolicyRuleCondition)
object (PolicyNetworkCondition)
object (PolicyPeopleCondition)
object (PlatformPolicyRuleCondition)
object (RiskPolicyRuleCondition)
object (RiskScorePolicyRuleCondition)
object (OAuth2ScopesMediationPolicyRuleCondition)
object (UserIdentifierPolicyRuleCondition)
object (UserPolicyRuleCondition)
object (UserStatusPolicyRuleCondition)
object or null (IdentityProviderProperties)
additionalAmr
Array of strings or null
object (Protocol)
object (ProtocolAlgorithms)
object (ProtocolAlgorithmType)
object (ProtocolAlgorithmType)
object (IdentityProviderCredentials)
object (IdentityProviderCredentialsClient)
object (IdentityProviderCredentialsSigning)
object (IdentityProviderCredentialsTrust)
object (ProtocolEndpoints)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
binding
string (ProtocolEndpointBinding)
Enum: "HTTP-POST" "HTTP-REDIRECT"
destination
string
type
string (ProtocolEndpointType)
Enum: "INSTANCE" "ORG"
url
string
object (ProtocolRelayState)
format
string (ProtocolRelayStateFormat)
Enum: "FROM_URL" "OPAQUE"
scopes
Array of strings
object (ProtocolSettings)
nameFormat
string
type
string (ProtocolType)
Enum: "MTLS" "OAUTH2" "OIDC" "SAML2"
status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
type
string (IdentityProviderType)
Enum: "AgentlessDSSO" "FACEBOOK" "GOOGLE" "IWA" "LINKEDIN" "MICROSOFT" "OIDC" "OKTA" "SAML2" "X509"
Responses
200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/idps
Request samples
application/json
{
  "issuerMode": "CUSTOM_URL",
  "name": "string",
  "policy": {
    "description": "string",
    "name": "string",
    "priority": 0,
    "status": "ACTIVE",
    "system": true,
    "type": "ACCESS_POLICY",
    "accountLink": {},
    "conditions": {},
    "mapAMRClaims": false,
    "maxClockSkew": 0,
    "provisioning": {},
    "subject": {}
  },
  "properties": {
    "additionalAmr": []
  },
  "protocol": {
    "algorithms": {},
    "credentials": {},
    "endpoints": {},
    "issuer": {},
    "relayState": {},
    "scopes": [],
    "settings": {},
    "type": "MTLS"
  },
  "status": "ACTIVE",
  "type": "AgentlessDSSO"
}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "id": "string",
  "issuerMode": "CUSTOM_URL",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "name": "string",
  "policy": {
    "created": "2019-08-24T14:15:22Z",
    "description": "string",
    "id": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "name": "string",
    "priority": 0,
    "status": "ACTIVE",
    "system": true,
    "type": "ACCESS_POLICY",
    "_embedded": {},
    "_links": {},
    "accountLink": {},
    "conditions": {},
    "mapAMRClaims": false,
    "maxClockSkew": 0,
    "provisioning": {},
    "subject": {}
  },
  "properties": {
    "additionalAmr": []
  },
  "protocol": {
    "algorithms": {},
    "credentials": {},
    "endpoints": {},
    "issuer": {},
    "relayState": {},
    "scopes": [],
    "settings": {},
    "type": "MTLS"
  },
  "status": "ACTIVE",
  "type": "AgentlessDSSO",
  "_links": {
    "self": {}
  }
}

List all Credential Keys
OAuth 2.0: okta.idps.read

Lists all IdP key credentials

Request
query Parameters
after
string

Specifies the pagination cursor for the next page of keys

limit
integer <int32>
Default: 20

Specifies the number of key results in a page

Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/idps/credentials/keys
Response samples
application/json
[
  {
    "alg": "string",
    "created": "2019-08-24T14:15:22Z",
    "e": "string",
    "expiresAt": "2019-08-24T14:15:22Z",
    "key_ops": [],
    "kid": "string",
    "kty": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "n": "string",
    "status": "string",
    "use": "string",
    "x5c": [],
    "x5t": "string",
    "x5t#S256": "string",
    "x5u": "string",
    "_links": {}
  }
]

Create an X.509 Certificate Public Key
OAuth 2.0: okta.idps.manage

Adds a new X.509 certificate credential to the IdP key store.

Request
Request Body schema: application/json
alg
string
created
string <date-time>
e
string
expiresAt
string <date-time>
key_ops
Array of strings
kid
string
kty
string
lastUpdated
string <date-time>
n
string
status
string
use
string
x5c
Array of strings
x5t
string
x5t#S256
string
x5u
string
Responses
200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/idps/credentials/keys
Request samples
application/json
{
  "alg": "string",
  "created": "2019-08-24T14:15:22Z",
  "e": "string",
  "expiresAt": "2019-08-24T14:15:22Z",
  "key_ops": [
    "string"
  ],
  "kid": "string",
  "kty": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "n": "string",
  "status": "string",
  "use": "string",
  "x5c": [
    "string"
  ],
  "x5t": "string",
  "x5t#S256": "string",
  "x5u": "string"
}
Response samples
application/json
{
  "alg": "string",
  "created": "2019-08-24T14:15:22Z",
  "e": "string",
  "expiresAt": "2019-08-24T14:15:22Z",
  "key_ops": [
    "string"
  ],
  "kid": "string",
  "kty": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "n": "string",
  "status": "string",
  "use": "string",
  "x5c": [
    "string"
  ],
  "x5t": "string",
  "x5t#S256": "string",
  "x5u": "string",
  "_links": {
    "self": {}
  }
}

Retrieve a Credential Key
OAuth 2.0: okta.idps.read

Retrieves a specific IdP Key Credential by kid

Request
path Parameters
idpKeyId
required
string

id of IdP Key

Example: KmMo85SSsU7TZzOShcGb
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/idps/credentials/keys/{idpKeyId}
Response samples
application/json
{
  "alg": "string",
  "created": "2019-08-24T14:15:22Z",
  "e": "string",
  "expiresAt": "2019-08-24T14:15:22Z",
  "key_ops": [
    "string"
  ],
  "kid": "string",
  "kty": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "n": "string",
  "status": "string",
  "use": "string",
  "x5c": [
    "string"
  ],
  "x5t": "string",
  "x5t#S256": "string",
  "x5u": "string",
  "_links": {
    "self": {}
  }
}

Delete a Signing Credential Key
OAuth 2.0: okta.idps.manage

Deletes a specific IdP Key Credential by kid. The delete is refused if the key is still referenced by any IdP, whether that IdP is ACTIVE or INACTIVE; re-key or delete the IdP first.

Request
path Parameters
idpKeyId
required
string

id of IdP Key

Example: KmMo85SSsU7TZzOShcGb
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/idps/credentials/keys/{idpKeyId}
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}
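The following Python is an added example for this reference, not Okta's own code, and it serves both the key-creation and key-deletion operations above. It builds the body for POST /api/v1/idps/credentials/keys from a PEM certificate, verifies that the x5t#S256 thumbprint in the response is the one for the certificate that was actually sent, and works out which keys in the store can be deleted given the rule that a key referenced by an ACTIVE or INACTIVE IdP cannot be removed. Three assumptions are not stated on the page: the caller supplies only x5c and the server derives kid, kty, n, e and the thumbprints from it; an IdP references its keys at protocol.credentials.trust.kid and protocol.credentials.signing.kid; and the "certificate" in the sample is a placeholder DER SEQUENCE rather than a real certificate (the encoding and thumbprint steps are the same for a real one). The kids and IdP ids are made up.

```python
"""Prepare an X.509 key for POST /api/v1/idps/credentials/keys and decide which keys can go.

Added example for this reference page, not Okta's own code. Assumptions:
- the caller sends only `x5c`; kid, kty, n, e and the x5t thumbprints in the
  response are derived by the server from that certificate;
- an IdP references keys at protocol.credentials.trust.kid (SAML signature
  verification) and protocol.credentials.signing.kid (this layout is not
  spelled out on the page above);
- the "certificate" in the sample below is a placeholder DER SEQUENCE, not a
  real certificate; the encoding and thumbprint steps are identical for a real one.
"""
import base64
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Set


def pem_to_x5c(pem: str) -> str:
    """Convert a PEM certificate to the single base64 DER string an x5c entry carries."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("expected a PEM CERTIFICATE block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # any X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    return base64.b64encode(der).decode("ascii")


def x5t_s256(x5c_entry: str) -> str:
    """RFC 7515 x5t#S256: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(base64.b64decode(x5c_entry)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_key_request(pem: str) -> dict:
    """Body for POST /api/v1/idps/credentials/keys."""
    return {"x5c": [pem_to_x5c(pem)]}


def key_response_matches(request_body: dict, response: dict) -> bool:
    """Confirm the stored key is the certificate that was sent, by bytes and by thumbprint."""
    sent = request_body["x5c"][0]
    stored = response.get("x5c") or [None]
    return stored[0] == sent and response.get("x5t#S256") == x5t_s256(sent)


def referenced_kids(idps: List[dict]) -> Set[str]:
    """kids bound to any IdP; ACTIVE and INACTIVE IdPs both block deletion."""
    kids: Set[str] = set()
    for idp in idps:
        creds = idp.get("protocol", {}).get("credentials", {})
        for role in ("trust", "signing"):
            kid = (creds.get(role) or {}).get("kid")
            if kid:
                kids.add(kid)
    return kids


def key_audit(keys: List[dict], idps: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Split the key store into keys that can be deleted now and expired keys an IdP still holds.

    An expired key held by an INACTIVE IdP cannot be deleted either; that IdP
    has to be re-keyed or deleted first.
    """
    in_use = referenced_kids(idps)
    report: Dict[str, List[str]] = {"deletable": [], "expired_in_use": []}
    for key in keys:
        expires = datetime.fromisoformat(key["expiresAt"].replace("Z", "+00:00"))
        if key["kid"] not in in_use:
            report["deletable"].append(key["kid"])
        elif expires <= now:
            report["expired_in_use"].append(key["kid"])
    return report


# Constructed inputs. The PEM wraps the 5-byte DER SEQUENCE 30 03 02 01 01 (an
# INTEGER 1), which stands in for a real certificate body.
_PLACEHOLDER_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_PLACEHOLDER_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_IDPS = [
    {"id": "0oaidp000000000001", "status": "ACTIVE",
     "protocol": {"type": "SAML2", "credentials": {"trust": {"kid": "kid-trust-2023"}}}},
    {"id": "0oaidp000000000002", "status": "INACTIVE",
     "protocol": {"type": "SAML2", "credentials": {"trust": {"kid": "kid-trust-2021"}}}},
]
SAMPLE_KEYS = [
    {"kid": "kid-trust-2023", "expiresAt": "2030-01-01T00:00:00Z"},
    {"kid": "kid-trust-2021", "expiresAt": "2022-01-01T00:00:00Z"},
    {"kid": "kid-orphan", "expiresAt": "2030-01-01T00:00:00Z"},
]
AUDIT_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    body = build_key_request(SAMPLE_PEM)
    print(body, x5t_s256(body["x5c"][0]))
    print(key_audit(SAMPLE_KEYS, SAMPLE_IDPS, AUDIT_TIME))
```

The thumbprint check matters more than it looks: the key store holds the certificates Okta will trust for SAML assertion signatures, so the thing to confirm after a POST is not that some key was created but that the key on record is byte-for-byte the one from your change ticket. In the audit, kid-orphan is the only key the DELETE above will accept; kid-trust-2021 is expired yet still blocked because an INACTIVE IdP holds it.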

Retrieve an Identity Provider
OAuth 2.0: okta.idps.read

Retrieves an identity provider integration by idpId

Request
path Parameters
idpId
required
string

id of IdP

Example: SVHoAOh0l8cPQkVX1LRl
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/idps/{idpId}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "id": "string",
  "issuerMode": "CUSTOM_URL",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "name": "string",
  "policy": {
    "created": "2019-08-24T14:15:22Z",
    "description": "string",
    "id": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "name": "string",
    "priority": 0,
    "status": "ACTIVE",
    "system": true,
    "type": "ACCESS_POLICY",
    "_embedded": {},
    "_links": {},
    "accountLink": {},
    "conditions": {},
    "mapAMRClaims": false,
    "maxClockSkew": 0,
    "provisioning": {},
    "subject": {}
  },
  "properties": {
    "additionalAmr": []
  },
  "protocol": {
    "algorithms": {},
    "credentials": {},
    "endpoints": {},
    "issuer": {},
    "relayState": {},
    "scopes": [],
    "settings": {},
    "type": "MTLS"
  },
  "status": "ACTIVE",
  "type": "AgentlessDSSO",
  "_links": {
    "self": {}
  }
}

Replace an Identity Provider
OAuth 2.0: okta.idps.manage

Replaces an identity provider integration by idpId

Request
path Parameters
idpId
required
string

id of IdP

Example: SVHoAOh0l8cPQkVX1LRl
Request Body schema: application/json
issuerMode
string (IssuerMode)
Enum: "CUSTOM_URL" "DYNAMIC" "ORG_URL"
name
string
object (IdentityProviderPolicy)
description
string
name
string
priority
integer
status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
system
boolean
type
string (PolicyType)
object (PolicyRuleConditions)
object (AppAndInstancePolicyRuleCondition)
object (AppInstancePolicyRuleCondition)
object (PolicyRuleAuthContextCondition)
object (PasswordPolicyAuthenticationProviderCondition)
object (BeforeScheduledActionPolicyRuleCondition)
object (ClientPolicyCondition)
object (ContextPolicyRuleCondition)
object (DevicePolicyRuleCondition)
object (GrantTypePolicyRuleCondition)
object (GroupPolicyRuleCondition)
object (IdentityProviderPolicyRuleCondition)
object (MDMEnrollmentPolicyRuleCondition)
object (PolicyNetworkCondition)
object (PolicyPeopleCondition)
object (PlatformPolicyRuleCondition)
object (RiskPolicyRuleCondition)
object (RiskScorePolicyRuleCondition)
object (OAuth2ScopesMediationPolicyRuleCondition)
object (UserIdentifierPolicyRuleCondition)
object (UserPolicyRuleCondition)
object (UserStatusPolicyRuleCondition)
object or null (IdentityProviderProperties)
additionalAmr
Array of strings or null
object (Protocol)
object (ProtocolAlgorithms)
object (ProtocolAlgorithmType)
object (ProtocolAlgorithmType)
object (IdentityProviderCredentials)
object (IdentityProviderCredentialsClient)
object (IdentityProviderCredentialsSigning)
object (IdentityProviderCredentialsTrust)
object (ProtocolEndpoints)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
object (ProtocolEndpoint)
binding
string (ProtocolEndpointBinding)
Enum: "HTTP-POST" "HTTP-REDIRECT"
destination
string
type
string (ProtocolEndpointType)
Enum: "INSTANCE" "ORG"
url
string
object (ProtocolRelayState)
format
string (ProtocolRelayStateFormat)
Enum: "FROM_URL" "OPAQUE"
scopes
Array of strings
object (ProtocolSettings)
nameFormat
string
type
string (ProtocolType)
Enum: "MTLS" "OAUTH2" "OIDC" "SAML2"
status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
type
string (IdentityProviderType)
Enum: "AgentlessDSSO" "FACEBOOK" "GOOGLE" "IWA" "LINKEDIN" "MICROSOFT" "OIDC" "OKTA" "SAML2" "X509"
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/idps/{idpId}
Request samples
application/json
{
  "issuerMode": "CUSTOM_URL",
  "name": "string",
  "policy": {
    "description": "string",
    "name": "string",
    "priority": 0,
    "status": "ACTIVE",
    "system": true,
    "type": "ACCESS_POLICY",
    "accountLink": {},
    "conditions": {},
    "mapAMRClaims": false,
    "maxClockSkew": 0,
    "provisioning": {},
    "subject": {}
  },
  "properties": {
    "additionalAmr": []
  },
  "protocol": {
    "algorithms": {},
    "credentials": {},
    "endpoints": {},
    "issuer": {},
    "relayState": {},
    "scopes": [],
    "settings": {},
    "type": "MTLS"
  },
  "status": "ACTIVE",
  "type": "AgentlessDSSO"
}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "id": "string",
  "issuerMode": "CUSTOM_URL",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "name": "string",
  "policy": {
    "created": "2019-08-24T14:15:22Z",
    "description": "string",
    "id": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "name": "string",
    "priority": 0,
    "status": "ACTIVE",
    "system": true,
    "type": "ACCESS_POLICY",
    "_embedded": {},
    "_links": {},
    "accountLink": {},
    "conditions": {},
    "mapAMRClaims": false,
    "maxClockSkew": 0,
    "provisioning": {},
    "subject": {}
  },
  "properties": {
    "additionalAmr": []
  },
  "protocol": {
    "algorithms": {},
    "credentials": {},
    "endpoints": {},
    "issuer": {},
    "relayState": {},
    "scopes": [],
    "settings": {},
    "type": "MTLS"
  },
  "status": "ACTIVE",
  "type": "AgentlessDSSO",
  "_links": {
    "self": {}
  }
}

Delete an Identity Provider
OAuth 2.0: okta.idps.manage

Deletes an identity provider integration by idpId

Request
path Parameters
idpId
required
string

id of IdP

Example: SVHoAOh0l8cPQkVX1LRl
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/idps/{idpId}
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

List all Certificate Signing Requests
OAuth 2.0: okta.idps.read

Lists all Certificate Signing Requests for an IdP

Request
path Parameters
idpId
required
string

id of IdP

Example: SVHoAOh0l8cPQkVX1LRl
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/idps/{idpId}/credentials/csrs
Response samples
application/json
[
  {
    "created": "2019-08-24T14:15:22Z",
    "csr": "string",
    "id": "string",
    "kty": "string"
  }
]

Generate a Certificate Signing Request
OAuth 2.0: okta.idps.manage

Generates a new key pair and returns a Certificate Signing Request for it

Request
path Parameters
idpId
required
string

id of IdP

Example: SVHoAOh0l8cPQkVX1LRl
Request Body schema: application/json
object (CsrMetadataSubject)
commonName
string
countryName
string
localityName
string
organizationalUnitName
string
organizationName
string
stateOrProvinceName
string
object (CsrMetadataSubjectAltNames)
dnsNames
Array of strings
Responses
201

Created

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/idps/{idpId}/credentials/csrs
Request samples
application/json
{
  "subject": {
    "commonName": "string",
    "countryName": "string",
    "localityName": "string",
    "organizationalUnitName": "string",
    "organizationName": "string",
    "stateOrProvinceName": "string"
  },
  "subjectAltNames": {
    "dnsNames": []
  }
}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "csr": "string",
  "id": "string",
  "kty": "string"
}
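The following Python is an added example for this reference, not Okta's own code. The csr field returned here (and by the retrieve operation that follows) is what goes to your CA, so the step a practitioner wants before signing is to confirm that the subject Okta encoded matches the request body above, and to wrap the value as PEM for openssl. It assumes that csr is a base64-encoded DER PKCS#10 CertificationRequest in the JSON form (the page shows only the field name), and it includes a small DER encoder and decoder so the check runs offline. The sample request it parses is constructed with a placeholder key and signature; no CA would accept it, and the organisation and host names in it are made up.

```python
"""Check a generated CSR before it goes to the CA, and wrap it as PEM.

Added example for this reference page, not Okta's own code. Assumption: the
`csr` field returned by POST and GET .../credentials/csrs is a base64-encoded
DER PKCS#10 CertificationRequest (the page shows only the field name). The
sample request below is constructed with a placeholder key and signature so the
parser can be exercised offline; no CA would accept it.
"""
import base64
from typing import List, Optional, Tuple


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used here only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body


def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read the TLV at pos; return (tag, body, position after it). Rejects lengths past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the buffer")
    return tag, buf[pos:end], end


def der_children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed type's body into its (tag, body) children."""
    children, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        children.append((tag, inner))
    return children


OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def csr_subject_cn(csr_b64: str) -> Optional[str]:
    """Return the commonName from CertificationRequestInfo.subject, or None if absent."""
    tag, cert_req, _ = der_read(base64.b64decode(csr_b64), 0)
    if tag != 0x30:
        raise ValueError("CSR is not a DER SEQUENCE")
    info_tag, info = der_children(cert_req)[0]       # certificationRequestInfo
    if info_tag != 0x30:
        raise ValueError("malformed certificationRequestInfo")
    _version, subject = der_children(info)[:2]       # version INTEGER, subject Name
    for _set_tag, rdn in der_children(subject[1]):   # Name is a SEQUENCE OF SET (RDN)
        for _seq_tag, atv in der_children(rdn):      # each SET holds AttributeTypeAndValue
            oid, value = der_children(atv)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode("utf-8")
    return None


def csr_matches_request(csr_b64: str, request_body: dict) -> bool:
    """The CN in the CSR must be the commonName that was sent in the request body."""
    return csr_subject_cn(csr_b64) == request_body["subject"]["commonName"]


def csr_to_pem(csr_b64: str) -> str:
    """PEM form for tools such as openssl req -in csr.pem -noout -text."""
    raw = base64.b64encode(base64.b64decode(csr_b64)).decode("ascii")
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"


def build_sample_csr(common_name: str = "idp.example.com") -> str:
    """Constructed PKCS#10 skeleton: real framing, placeholder RSA key and signature."""
    def rdn(oid_hex: str, text: str) -> bytes:
        return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex(oid_hex)) + der_tlv(0x0C, text.encode())))
    subject = der_tlv(0x30, rdn("55040a", "Example Corp") + rdn("550403", common_name))
    rsa_oid = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")))
    spki = der_tlv(0x30, rsa_oid + der_tlv(0x03, b"\x00" * 33))   # placeholder public key
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + subject + spki + der_tlv(0xA0, b""))
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    csr = der_tlv(0x30, info + sig_alg + der_tlv(0x03, b"\x00" * 33))            # placeholder signature
    return base64.b64encode(csr).decode("ascii")


if __name__ == "__main__":
    sample = build_sample_csr()
    print(csr_subject_cn(sample))
    print(csr_to_pem(sample))
```

The parser deliberately reads only the subject and refuses any length that runs past the buffer; it is enough to catch a CN that differs from the one you requested before the CA issues a certificate that the IdP integration will then present, and the PEM output lets openssl do the full inspection.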

Retrieve a Certificate Signing Request
OAuth 2.0: okta.idps.read

Retrieves a specific Certificate Signing Request model by id

Request
path Parameters
idpId
required
string

id of IdP

Example: SVHoAOh0l8cPQkVX1LRl
idpCsrId
required
string

id of the IdP CSR

Example: 1uEhyE65oV3H6KM9gYcN
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}