Identity Providers

The Identity Providers API provides operations to manage federations with external Identity Providers (IdP). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (OIDC) protocol.

List all Identity Providers
OAuth 2.0: okta.idps.read

Lists all identity provider integrations with pagination. A subset of IdPs can be returned that match a supported filter expression or query.

Request
query Parameters
q
string

Searches the name property of IdPs for matching value

after
string

Specifies the pagination cursor for the next page of IdPs

limit
integer <int32>
Default: 20

Specifies the number of IdP results in a page

type
string

Filters IdPs by type

Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/idps
Request samples 
Response samples 
application/json
[
  • {
    • "created": "2019-08-24T14:15:22Z",
    • "id": "string",
    • "issuerMode": "CUSTOM_URL",
    • "lastUpdated": "2019-08-24T14:15:22Z",
    • "name": "string",
    • "policy": {
      },
    • "properties": {
      },
    • "protocol": {
      },
    • "status": "ACTIVE",
    • "type": "AgentlessDSSO",
    • "_links": {
      }
    }
]
Create an Identity Provider
OAuth 2.0: okta.idps.manage
Creates a new identity provider integration


Request 
Request Body schema: application/json
issuerMode
string (IssuerMode) 
 Enum: "CUSTOM_URL" "DYNAMIC" "ORG_URL"  
name
string
 
object (IdentityProviderPolicy) 
 
description
string
 
name
string
 
priority
integer
 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
 
type
string (PolicyType) 
 
object (PolicyRuleConditions) 
 
object (AppAndInstancePolicyRuleCondition) 
 
object (AppInstancePolicyRuleCondition) 
 
object (PolicyRuleAuthContextCondition) 
 
object (PasswordPolicyAuthenticationProviderCondition) 
 
object (BeforeScheduledActionPolicyRuleCondition) 
 
object (ClientPolicyCondition) 
 
object (ContextPolicyRuleCondition) 
 
object (DevicePolicyRuleCondition) 
 
object (GrantTypePolicyRuleCondition) 
 
object (GroupPolicyRuleCondition) 
 
object (IdentityProviderPolicyRuleCondition) 
 
object (MDMEnrollmentPolicyRuleCondition) 
 
object (PolicyNetworkCondition) 
 
object (PolicyPeopleCondition) 
 
object (PlatformPolicyRuleCondition) 
 
object (RiskPolicyRuleCondition) 
 
object (RiskScorePolicyRuleCondition) 
 
object (OAuth2ScopesMediationPolicyRuleCondition) 
 
object (UserIdentifierPolicyRuleCondition) 
 
object (UserPolicyRuleCondition) 
 
object (UserStatusPolicyRuleCondition) 
 
object or null (IdentityProviderProperties) 
 
additionalAmr
Array of strings or null
 
object (Protocol) 
 
object (ProtocolAlgorithms) 
 
object (ProtocolAlgorithmType) 
 
object (ProtocolAlgorithmType) 
 
object (IdentityProviderCredentials) 
 
object (IdentityProviderCredentialsClient) 
 
object (IdentityProviderCredentialsSigning) 
 
object (IdentityProviderCredentialsTrust) 
 
object (ProtocolEndpoints) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
binding
string (ProtocolEndpointBinding) 
 Enum: "HTTP-POST" "HTTP-REDIRECT"  
destination
string
 
type
string (ProtocolEndpointType) 
 Enum: "INSTANCE" "ORG"  
url
string
 
object (ProtocolRelayState) 
 
format
string (ProtocolRelayStateFormat) 
 Enum: "FROM_URL" "OPAQUE"  
scopes
Array of strings
 
object (ProtocolSettings) 
 
nameFormat
string
 
type
string (ProtocolType) 
 Enum: "MTLS" "OAUTH2" "OIDC" "SAML2"  
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
type
string (IdentityProviderType) 
 Enum: "AgentlessDSSO" "FACEBOOK" "GOOGLE" "IWA" "LINKEDIN" "MICROSOFT" "OIDC" "OKTA" "SAML2" "X509"  
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/idps
Request samples 
application/json
{
  • "issuerMode": "CUSTOM_URL",
  • "name": "string",
  • "policy": {
    • "description": "string",
    • "name": "string",
    • "priority": 0,
    • "status": "ACTIVE",
    • "system": true,
    • "type": "ACCESS_POLICY",
    • "accountLink": {
      },
    • "conditions": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0,
    • "provisioning": {
      },
    • "subject": {
      }
    },
  • "properties": {
    • "additionalAmr": [
      ]
    },
  • "protocol": {
    • "algorithms": {
      },
    • "credentials": {
      },
    • "endpoints": {
      },
    • "issuer": {
      },
    • "relayState": {
      },
    • "scopes": [
      ],
    • "settings": {
      },
    • "type": "MTLS"
    },
  • "status": "ACTIVE",
  • "type": "AgentlessDSSO"
}
Response samples 
application/json
{
  • "created": "2019-08-24T14:15:22Z",
  • "id": "string",
  • "issuerMode": "CUSTOM_URL",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "name": "string",
  • "policy": {
    • "created": "2019-08-24T14:15:22Z",
    • "description": "string",
    • "id": "string",
    • "lastUpdated": "2019-08-24T14:15:22Z",
    • "name": "string",
    • "priority": 0,
    • "status": "ACTIVE",
    • "system": true,
    • "type": "ACCESS_POLICY",
    • "_embedded": {
      },
    • "_links": {
      },
    • "accountLink": {
      },
    • "conditions": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0,
    • "provisioning": {
      },
    • "subject": {
      }
    },
  • "properties": {
    • "additionalAmr": [
      ]
    },
  • "protocol": {
    • "algorithms": {
      },
    • "credentials": {
      },
    • "endpoints": {
      },
    • "issuer": {
      },
    • "relayState": {
      },
    • "scopes": [
      ],
    • "settings": {
      },
    • "type": "MTLS"
    },
  • "status": "ACTIVE",
  • "type": "AgentlessDSSO",
  • "_links": {
    • "self": {
      }
    }
}
List all Credential Keys
OAuth 2.0: okta.idps.read
Lists all IdP key credentials


Request 
query Parameters
after
string
Specifies the pagination cursor for the next page of keys


 
limit
integer <int32> 
 Default:  20
Specifies the number of key results in a page


 
Responses 
200
Success


403
Forbidden


429
Too Many Requests


get/api/v1/idps/credentials/keys
Request samples 
Response samples 
application/json
[
  • {
    • "alg": "string",
    • "created": "2019-08-24T14:15:22Z",
    • "e": "string",
    • "expiresAt": "2019-08-24T14:15:22Z",
    • "key_ops": [
      ],
    • "kid": "string",
    • "kty": "string",
    • "lastUpdated": "2019-08-24T14:15:22Z",
    • "n": "string",
    • "status": "string",
    • "use": "string",
    • "x5c": [
      ],
    • "x5t": "string",
    • "x5t#S256": "string",
    • "x5u": "string",
    • "_links": {
      }
    }
]
Create an X.509 Certificate Public Key
OAuth 2.0: okta.idps.manage
Creates a new X.509 certificate credential to the IdP key store.


Request 
Request Body schema: application/json
alg
string
 
created
string <date-time> 
 
e
string
 
expiresAt
string <date-time> 
 
key_ops
Array of strings
 
kid
string
 
kty
string
 
lastUpdated
string <date-time> 
 
n
string
 
status
string
 
use
string
 
x5c
Array of strings
 
x5t
string
 
x5t#S256
string
 
x5u
string
 
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/idps/credentials/keys
Request samples 
application/json
{
  • "alg": "string",
  • "created": "2019-08-24T14:15:22Z",
  • "e": "string",
  • "expiresAt": "2019-08-24T14:15:22Z",
  • "key_ops": [
    • "string"
    ],
  • "kid": "string",
  • "kty": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "n": "string",
  • "status": "string",
  • "use": "string",
  • "x5c": [
    • "string"
    ],
  • "x5t": "string",
  • "x5t#S256": "string",
  • "x5u": "string"
}
Response samples 
application/json
{
  • "alg": "string",
  • "created": "2019-08-24T14:15:22Z",
  • "e": "string",
  • "expiresAt": "2019-08-24T14:15:22Z",
  • "key_ops": [
    • "string"
    ],
  • "kid": "string",
  • "kty": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "n": "string",
  • "status": "string",
  • "use": "string",
  • "x5c": [
    • "string"
    ],
  • "x5t": "string",
  • "x5t#S256": "string",
  • "x5u": "string",
  • "_links": {
    • "self": {
      }
    }
}
Retrieve an Credential Key
OAuth 2.0: okta.idps.read
Retrieves a specific IdP Key Credential by kid


Request 
path Parameters
idpKeyId
required
string
id of IdP Key


 
 Example:  KmMo85SSsU7TZzOShcGb
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/idps/credentials/keys/{idpKeyId}
Request samples 
Response samples 
application/json
{
  • "alg": "string",
  • "created": "2019-08-24T14:15:22Z",
  • "e": "string",
  • "expiresAt": "2019-08-24T14:15:22Z",
  • "key_ops": [
    • "string"
    ],
  • "kid": "string",
  • "kty": "string",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "n": "string",
  • "status": "string",
  • "use": "string",
  • "x5c": [
    • "string"
    ],
  • "x5t": "string",
  • "x5t#S256": "string",
  • "x5u": "string",
  • "_links": {
    • "self": {
      }
    }
}
Delete a Signing Credential Key
OAuth 2.0: okta.idps.manage
Deletes a specific IdP Key Credential by kid if it is not currently being used by an Active or Inactive IdP


Request 
path Parameters
idpKeyId
required
string
id of IdP Key


 
 Example:  KmMo85SSsU7TZzOShcGb
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/idps/credentials/keys/{idpKeyId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Retrieve an Identity Provider
OAuth 2.0: okta.idps.read
Retrieves an identity provider integration by idpId


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  SVHoAOh0l8cPQkVX1LRl
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/idps/{idpId}
Request samples 
Response samples 
application/json
{
  • "created": "2019-08-24T14:15:22Z",
  • "id": "string",
  • "issuerMode": "CUSTOM_URL",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "name": "string",
  • "policy": {
    • "created": "2019-08-24T14:15:22Z",
    • "description": "string",
    • "id": "string",
    • "lastUpdated": "2019-08-24T14:15:22Z",
    • "name": "string",
    • "priority": 0,
    • "status": "ACTIVE",
    • "system": true,
    • "type": "ACCESS_POLICY",
    • "_embedded": {
      },
    • "_links": {
      },
    • "accountLink": {
      },
    • "conditions": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0,
    • "provisioning": {
      },
    • "subject": {
      }
    },
  • "properties": {
    • "additionalAmr": [
      ]
    },
  • "protocol": {
    • "algorithms": {
      },
    • "credentials": {
      },
    • "endpoints": {
      },
    • "issuer": {
      },
    • "relayState": {
      },
    • "scopes": [
      ],
    • "settings": {
      },
    • "type": "MTLS"
    },
  • "status": "ACTIVE",
  • "type": "AgentlessDSSO",
  • "_links": {
    • "self": {
      }
    }
}
Replace an Identity Provider
OAuth 2.0: okta.idps.manage
Replaces an identity provider integration by idpId


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  SVHoAOh0l8cPQkVX1LRl
Request Body schema: application/json
issuerMode
string (IssuerMode) 
 Enum: "CUSTOM_URL" "DYNAMIC" "ORG_URL"  
name
string
 
object (IdentityProviderPolicy) 
 
description
string
 
name
string
 
priority
integer
 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
 
type
string (PolicyType) 
 
object (PolicyRuleConditions) 
 
object (AppAndInstancePolicyRuleCondition) 
 
object (AppInstancePolicyRuleCondition) 
 
object (PolicyRuleAuthContextCondition) 
 
object (PasswordPolicyAuthenticationProviderCondition) 
 
object (BeforeScheduledActionPolicyRuleCondition) 
 
object (ClientPolicyCondition) 
 
object (ContextPolicyRuleCondition) 
 
object (DevicePolicyRuleCondition) 
 
object (GrantTypePolicyRuleCondition) 
 
object (GroupPolicyRuleCondition) 
 
object (IdentityProviderPolicyRuleCondition) 
 
object (MDMEnrollmentPolicyRuleCondition) 
 
object (PolicyNetworkCondition) 
 
object (PolicyPeopleCondition) 
 
object (PlatformPolicyRuleCondition) 
 
object (RiskPolicyRuleCondition) 
 
object (RiskScorePolicyRuleCondition) 
 
object (OAuth2ScopesMediationPolicyRuleCondition) 
 
object (UserIdentifierPolicyRuleCondition) 
 
object (UserPolicyRuleCondition) 
 
object (UserStatusPolicyRuleCondition) 
 
object or null (IdentityProviderProperties) 
 
additionalAmr
Array of strings or null
 
object (Protocol) 
 
object (ProtocolAlgorithms) 
 
object (ProtocolAlgorithmType) 
 
object (ProtocolAlgorithmType) 
 
object (IdentityProviderCredentials) 
 
object (IdentityProviderCredentialsClient) 
 
object (IdentityProviderCredentialsSigning) 
 
object (IdentityProviderCredentialsTrust) 
 
object (ProtocolEndpoints) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
object (ProtocolEndpoint) 
 
binding
string (ProtocolEndpointBinding) 
 Enum: "HTTP-POST" "HTTP-REDIRECT"  
destination
string
 
type
string (ProtocolEndpointType) 
 Enum: "INSTANCE" "ORG"  
url
string
 
object (ProtocolRelayState) 
 
format
string (ProtocolRelayStateFormat) 
 Enum: "FROM_URL" "OPAQUE"  
scopes
Array of strings
 
object (ProtocolSettings) 
 
nameFormat
string
 
type
string (ProtocolType) 
 Enum: "MTLS" "OAUTH2" "OIDC" "SAML2"  
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
type
string (IdentityProviderType) 
 Enum: "AgentlessDSSO" "FACEBOOK" "GOOGLE" "IWA" "LINKEDIN" "MICROSOFT" "OIDC" "OKTA" "SAML2" "X509"  
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/idps/{idpId}
Request samples 
application/json
{
  • "issuerMode": "CUSTOM_URL",
  • "name": "string",
  • "policy": {
    • "description": "string",
    • "name": "string",
    • "priority": 0,
    • "status": "ACTIVE",
    • "system": true,
    • "type": "ACCESS_POLICY",
    • "accountLink": {
      },
    • "conditions": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0,
    • "provisioning": {
      },
    • "subject": {
      }
    },
  • "properties": {
    • "additionalAmr": [
      ]
    },
  • "protocol": {
    • "algorithms": {
      },
    • "credentials": {
      },
    • "endpoints": {
      },
    • "issuer": {
      },
    • "relayState": {
      },
    • "scopes": [
      ],
    • "settings": {
      },
    • "type": "MTLS"
    },
  • "status": "ACTIVE",
  • "type": "AgentlessDSSO"
}
Response samples 
application/json
{
  • "created": "2019-08-24T14:15:22Z",
  • "id": "string",
  • "issuerMode": "CUSTOM_URL",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "name": "string",
  • "policy": {
    • "created": "2019-08-24T14:15:22Z",
    • "description": "string",
    • "id": "string",
    • "lastUpdated": "2019-08-24T14:15:22Z",
    • "name": "string",
    • "priority": 0,
    • "status": "ACTIVE",
    • "system": true,
    • "type": "ACCESS_POLICY",
    • "_embedded": {
      },
    • "_links": {
      },
    • "accountLink": {
      },
    • "conditions": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0,
    • "provisioning": {
      },
    • "subject": {
      }
    },
  • "properties": {
    • "additionalAmr": [
      ]
    },
  • "protocol": {
    • "algorithms": {
      },
    • "credentials": {
      },
    • "endpoints": {
      },
    • "issuer": {
      },
    • "relayState": {
      },
    • "scopes": [
      ],
    • "settings": {
      },
    • "type": "MTLS"
    },
  • "status": "ACTIVE",
  • "type": "AgentlessDSSO",
  • "_links": {
    • "self": {
      }
    }
}
Delete an Identity Provider
OAuth 2.0: okta.idps.manage
Deletes an identity provider integration by idpId


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  SVHoAOh0l8cPQkVX1LRl
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/idps/{idpId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
List all Certificate Signing Requests
OAuth 2.0: okta.idps.read
Lists all Certificate Signing Requests for an IdP


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  SVHoAOh0l8cPQkVX1LRl
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/idps/{idpId}/credentials/csrs
Request samples 
Response samples 
application/json
[
  • {
    • "created": "2019-08-24T14:15:22Z",
    • "csr": "string",
    • "id": "string",
    • "kty": "string"
    }
]
Generate a Certificate Signing Request
OAuth 2.0: okta.idps.manage
Generates a new key pair and returns a Certificate Signing Request for it


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  SVHoAOh0l8cPQkVX1LRl
Request Body schema: application/json
object (CsrMetadataSubject) 
 
commonName
string
 
countryName
string
 
localityName
string
 
organizationalUnitName
string
 
organizationName
string
 
stateOrProvinceName
string
 
object (CsrMetadataSubjectAltNames) 
 
dnsNames
Array of strings
 
Responses 
201
Created


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/idps/{idpId}/credentials/csrs
Request samples 
application/json
{
  • "subject": {
    • "commonName": "string",
    • "countryName": "string",
    • "localityName": "string",
    • "organizationalUnitName": "string",
    • "organizationName": "string",
    • "stateOrProvinceName": "string"
    },
  • "subjectAltNames": {
    • "dnsNames": [
      ]
    }
}
Response samples 
application/json
{
  • "created": "2019-08-24T14:15:22Z",
  • "csr": "string",
  • "id": "string",
  • "kty": "string"
}
Retrieve a Certificate Signing Request
OAuth 2.0: okta.idps.read
Retrieves a specific Certificate Signing Request model by id


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  SVHoAOh0l8cPQkVX1LRl
idpCsrId
required
string
id of the IdP CSR


 
 Example:  1uEhyE65oV3H6KM9gYcN
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}