Okta Universal Directory Accounts

The Okta Universal Directory Accounts API provides operations to manage Universal Directory accounts for Okta Privileged Access teams

List all Universal Directory accounts
Admin roles:
  • security_admin

Lists all Universal Directory accounts

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

query Parameters
contains
string

Only return results that include the specified value

Responses
200

OK

GET /v1/teams/{team_name}/all_okta_universal_directory_accounts
Request samples
Response samples
application/json
{
  "list": [
    {}
  ]
}

List all accessible Universal Directory service accounts

Lists all Universal Directory service accounts that you (as the request user) can access based on the security policies

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

query Parameters
count
integer <int32>

The number of objects per page

prev
boolean

The direction of paging

offset
string

The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.

descending
boolean

The object order

Responses
200

OK

GET /v1/teams/{team_name}/okta_universal_directory_accounts
Request samples
Response samples
application/json
{
  "list": [
    {},
    {}
  ]
}
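A worked client for this endpoint, added here as an example and not part of Okta's documentation or SDKs: it asks for count objects per page, follows the rel="next" Link header that the offset parameter's description refers to, and stops when the server omits it. Two checks a practitioner wants are built in: the walk is bounded, and a Link that points off the API host is refused, because the bearer token is attached to every paged request. The Account fields are the id and username shown in the retrieve sample further down this page; the test server, the team name acme, the token and the account data are constructed, and the server's exact Link format and default page size are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strconv"
)

// Account holds the two fields used below; the names come from the retrieve endpoint's sample.
type Account struct {
	ID       string `json:"id"`
	Username string `json:"username"`
}

var linkRe = regexp.MustCompile(`<([^>]+)>\s*;\s*rel="([^"]+)"`)

// NextLink returns the target of the rel="next" Link header, or "" on the last page.
func NextLink(h http.Header) string {
	for _, l := range h.Values("Link") {
		for _, m := range linkRe.FindAllStringSubmatch(l, -1) {
			if m[2] == "next" {
				return m[1]
			}
		}
	}
	return ""
}

// SameOrigin reports whether link shares scheme and host with base. The bearer token goes
// on every paged request, so a Link that points anywhere else must not be followed.
func SameOrigin(base, link string) bool {
	b, err1 := url.Parse(base)
	l, err2 := url.Parse(link)
	return err1 == nil && err2 == nil && b.Scheme == l.Scheme && b.Host == l.Host
}

// ListAccessibleAccounts walks GET /v1/teams/{team_name}/okta_universal_directory_accounts,
// requesting pageSize objects per page and following rel="next" until the server omits it.
func ListAccessibleAccounts(c *http.Client, baseURL, token, team string, pageSize int) ([]Account, error) {
	next := fmt.Sprintf("%s/v1/teams/%s/okta_universal_directory_accounts?count=%d", baseURL, url.PathEscape(team), pageSize)
	var all []Account
	for pages := 0; next != ""; pages++ {
		if pages >= 1000 || !SameOrigin(baseURL, next) { // bound the walk and stay on the API host
			return nil, fmt.Errorf("refusing to follow Link %q", next)
		}
		req, err := http.NewRequest(http.MethodGet, next, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := c.Do(req)
		if err != nil {
			return nil, err
		}
		var page struct{ List []Account `json:"list"` }
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil || resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("GET %s: HTTP %d (%v)", next, resp.StatusCode, err)
		}
		all = append(all, page.List...)
		next = NextLink(resp.Header) // absent on the last page, which ends the loop
	}
	return all, nil
}

// fakeListServer is a constructed stand-in for the service: it honours count and offset and
// emits the rel="next" Link header that the offset parameter's description refers to.
func fakeListServer(accounts []Account) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		count, _ := strconv.Atoi(r.URL.Query().Get("count"))
		off, _ := strconv.Atoi(r.URL.Query().Get("offset"))
		if count <= 0 {
			count = 2 // constructed default page size
		}
		end := off + count
		if end > len(accounts) {
			end = len(accounts)
		}
		if end < len(accounts) {
			w.Header().Add("Link", fmt.Sprintf(`<%s%s?count=%d&offset=%d>; rel="next"`, srv.URL, r.URL.Path, count, end))
		}
		json.NewEncoder(w).Encode(map[string][]Account{"list": accounts[off:end]})
	}))
	return srv
}

func main() {
	srv := fakeListServer([]Account{{ID: "a1", Username: "OpsCaliforniaShared"}, {ID: "a2"}, {ID: "a3"}}) // constructed
	defer srv.Close()
	accts, err := ListAccessibleAccounts(srv.Client(), srv.URL, "opa-bearer-token", "acme", 2)
	fmt.Println(len(accts), err)
}
```

Against the real service, pass the tenant's base URL and a bearer token in place of the test server's; the prev and descending parameters are left out because the walk only ever moves forward.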

Reveal the password for a Universal Directory account

Reveals the password for a Universal Directory account (managed or unmanaged) that you (as the request user) can access. The password isn't returned in the clear: the response's password_jwe field is a JWE encrypted to the public key supplied in the request body (alg RSA-OAEP-256), so only the holder of the matching private key can decrypt it. Send only the public members of that key (kty, n, e, alg, kid); the RawJSONWebKey schema also lists private members (d, p, q, dp, dq, qi), which don't belong in this request.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

okta_universal_directory_account_id
required
string

The UUID of a Universal Directory account

Request Body schema: application/json
required

public_key
required
object (RawJSONWebKey)

A JSON Web Key formatted in accordance with RFC 7517.

alg
string (alg)

The algorithm of the key

Value: "RSA-OAEP-256"
crv
string (curve)

The curve used by the key

Enum: "P-256" "P-384" "P-521"
d
string <byte>

The exponent of the private key

dp
string <byte>

The first factor CRT exponent of the private key

dq
string <byte>

The second factor CRT exponent of the private key

e
string <byte>

The exponent of the public key

k
string <byte>

The key

kid
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The key ID

kty
string (kty)

The key type

Enum: "EC" "OKP" "RSA" "oct"
n
string <byte>

The modulus of the public key

p
string <byte>

The first prime factor of the private key

q
string <byte>

The second prime factor of the private key

qi
string <byte>

The first CRT coefficient of the private key

use
string

The intended use of the key

x
string <byte>

The x coordinate of the key

x5c
Array of strings

A list of X.509 certificates

x5t
string

The SHA-1 thumbprint of the X.509 certificate

x5t#S256
string

The SHA-256 thumbprint of the X.509 certificate

x5u
string

The URL of the X.509 certificates

y
string <byte>

The y coordinate of the key

user_access_method
required
object (UserAccessMethod)
access_credential
required
string

The user credential that's used to access the resource

Enum: "managed" "password" "ssh-certificate" "ssh-certificate-admin" "ssh-certificate-sudo" "rdp-broker-certificate" "rdp-broker-certificate-admin" "encrypted-ssh-password" "encrypted-rdp-password"
availability_details_text
string

This text displays in the user interface (CLI) to show resource availability status with checkout requirements and checkout expiry time. The availability status displays only for the CLI user who previously checked out the resource.

brokered
required
boolean

If true, the connection is brokered by the server agent

checkout_requirements
object (CheckoutRequirements)

Checkout requirements

max_checkout_duration_in_seconds
integer

The maximum duration (in seconds) that a resource can be checked out. If the security policy checkout duration configuration is overridden, the maximum duration is based on the project's checkout settings.

required
boolean

Indicates if checkout is required

conditionals
Array of objects (UserAccessConditional)

A list of required conditions to use the user access method

Array
access_request_type_id
string

Used by access_request conditionals to define the ID of a specific request type

access_request_type_name
string

Used by access_request conditionals to define the name of a specific request type

acr_values
string (ConditionsMFAACRValues)

Defines the authentication context class reference (ACR) for this policy. See Step-up authentication using ACR values.

Enum values:
  • urn:okta:loa:2fa:any: Any two factors. Allows two-factor authentication with no requirements on which factors.
  • phr: OIE orgs only. Phishing-resistant. Requires users to provide possession factors that cryptographically verify the sign-in server (the origin). Currently, only FIDO2/WebAuthn satisfies this requirement. Because phishing resistance implies device binding, that constraint is selected automatically when phr is specified.

condition_is_met
boolean

If true, the condition is currently met

description
string

A description of the condition

expires_after_seconds
integer <int64>

Used by access_request conditionals to define the number of seconds the approval remains valid

type
string (UserAccessConditionalType)

The type of condition

Enum: "access_request" "gateway" "gateway_with_session_recording" "mfa"
current_user_checkout_expires_at
string <date-time>

The checkout expiry time for the current user

details
object

User access method details

Array of objects (SecretPath)

List of secrets

object (SecurityPolicySecretPrivilege)

A list of privileges granted to the user

secret_id
string

The ID of the secret used to access the resource

secret_name
string

The name of the secret used to access the resource

identity
required
string

The user account that's used to access the resource

resource_status
required
string

Resource availability status that's displayed to end users

Enum: "available" "checked_out" "checked_out_by_other_user" "unavailable"
rule_ids
Array of strings

A list of rule IDs that result in identical user access methods

server_host_name
required
string

Server host name

server_id
required
string

The ID of the resource

short_text
string

A short description that's used to identify the access method in the user interface

sudo_command_bundles
Array of objects (SudoCommandBundleForConnectionInfo)

Collection of all the sudo-related commands a user can access in a single string format

Array
ent_type
required
string

Entitlement type

sudo_add_env
Array of strings

Additional environmental variables

sudo_commands
Array of strings

List of sudo commands

sudo_group_name
required
string

Sudo group name

sudo_id
required
string

Sudo ID

sudo_login_username
required
string

Sudo login username

sudo_name
required
string

Sudo name

sudo_noexec
required
boolean

If sudo has noexec configuration set

sudo_nopasswd
required
boolean

If sudo can be used without password

sudo_runas
required
string

Sudo run as

sudo_setenv
required
boolean

If setenv is allowed

sudo_sub_env
Array of strings

A list of environment variables to be used to substitute your current environment

user_access_type
required
string

The type of access method

Responses
200

Success

401

Unauthorized

403

Forbidden

404

Not found

POST /v1/teams/{team_name}/okta_universal_directory_accounts/{okta_universal_directory_account_id}/reveal_credentials
Request samples
application/json
{
  "public_key": {
    "alg": "RSA-OAEP-256",
    "crv": "P-256",
    "d": "string",
    "dp": "string",
    "dq": "string",
    "e": "string",
    "k": "string",
    "kid": "/regex/",
    "kty": "EC",
    "n": "string",
    "p": "string",
    "q": "string",
    "qi": "string",
    "use": "string",
    "x": "string",
    "x5c": [],
    "x5t": "string",
    "x5t#S256": "string",
    "x5u": "string",
    "y": "string"
  },
  "user_access_method": {
    "access_credential": "managed",
    "availability_details_text": "string",
    "brokered": true,
    "checkout_requirements": {},
    "conditionals": [],
    "current_user_checkout_expires_at": "2019-08-24T14:15:22Z",
    "details": {},
    "identity": "string",
    "resource_status": "available",
    "rule_ids": [],
    "server_host_name": "string",
    "server_id": "string",
    "short_text": "string",
    "sudo_command_bundles": [],
    "user_access_type": "string"
  }
}
Response samples
application/json
{
  "password_jwe": "string"
}
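The exchange this endpoint defines, as an added example that is not Okta's code: the caller generates a fresh RSA key pair, sends only the public members as public_key together with one entry taken from the account's user_access_methods list, and decrypts the returned password_jwe locally with the private key, which never leaves the process. EncryptPasswordJWE plays the server's part so the round trip runs offline; that the service uses A256GCM for content encryption is an assumption (the page fixes only alg = RSA-OAEP-256), and the UUID-shaped kid, the user access method values and the password are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// PublicJWK is the "public_key" body field: public members only, never d, p, q, dp, dq or qi.
type PublicJWK struct {
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type RevealRequest struct {
	PublicKey        PublicJWK       `json:"public_key"`
	UserAccessMethod json.RawMessage `json:"user_access_method"` // one entry from user_access_methods
}

// NewRevealRequest mints a one-shot RSA-2048 key pair; the private half stays in memory for decryption.
func NewRevealRequest(kid string, uam json.RawMessage) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	jwk := PublicJWK{Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()), Alg: "RSA-OAEP-256", Kid: kid}
	body, err := json.Marshal(RevealRequest{PublicKey: jwk, UserAccessMethod: uam})
	return priv, body, err
}

// DecryptPasswordJWE opens the compact JWE from password_jwe: unwrap the CEK with RSA-OAEP/SHA-256,
// then open the AES-GCM box whose AAD is the ASCII of the encoded protected header (RFC 7516, 5.2).
func DecryptPasswordJWE(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	p := strings.Split(jwe, ".")
	var hdr struct{ Alg, Enc string }
	raw, err := b64.DecodeString(p[0])
	if len(p) != 5 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("rejecting password_jwe: need five parts with alg RSA-OAEP-256 and enc A256GCM")
	}
	var parts [4][]byte // wrapped CEK, IV, ciphertext, tag
	for i := range parts {
		if parts[i], err = b64.DecodeString(p[i+1]); err != nil {
			return nil, err
		}
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, parts[0], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm.Open(nil, parts[1], append(parts[2], parts[3]...), []byte(p[0]))
}

// EncryptPasswordJWE is the server's half, included only so the round trip runs offline.
// Content encryption with A256GCM is an assumption; the page fixes only alg = RSA-OAEP-256.
func EncryptPasswordJWE(pub *rsa.PublicKey, kid string, password []byte) (string, error) {
	buf := make([]byte, 32+12) // fresh CEK plus 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, iv, password, []byte(protected))
	n := len(sealed) - gcm.Overhead() // Seal appends the tag; JWE carries it as its own part
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

func main() {
	kid := "3f1d2c4b-9a8e-4c7d-b6a5-0e1f2a3b4c5d" // constructed, UUID-shaped like the schema's kid pattern
	priv, body, _ := NewRevealRequest(kid, json.RawMessage(`{"access_credential":"password","brokered":false,"identity":"OpsCaliforniaShared","resource_status":"available","server_host_name":"","server_id":"","user_access_type":"password"}`))
	jwe, _ := EncryptPasswordJWE(&priv.PublicKey, kid, []byte("constructed-Pa55word!"))
	pw, err := DecryptPasswordJWE(priv, jwe)
	fmt.Printf("request: %s\nrecovered: %q err=%v\n", body, pw, err)
}
```

In a real client the body from NewRevealRequest is POSTed with the bearer token to the path above, the response's password_jwe string goes to DecryptPasswordJWE, and the private key is discarded afterwards; a fresh key per reveal means a captured response can't be replayed against a later one. The decryptor pins both header algorithms on purpose: a JWE that names any other alg or enc is rejected rather than negotiated.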

List the Universal Directory account user access methods

Lists the user access methods for a Universal Directory account based on the security policies

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

okta_universal_directory_account_id
required
string

The UUID of a Universal Directory account

Responses
200

OK

GET /v1/teams/{team_name}/okta_universal_directory_accounts/{okta_universal_directory_account_id}/user_access_methods
Request samples
Response samples
application/json
{
  "list": [
    {}
  ]
}

List all Universal Directory accounts in a resource group
Admin roles:
  • security_admin
  • delegated_security_admin

Lists all Universal Directory accounts in a resource group

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

resource_group_id
required
string

The UUID of a resource group

query Parameters
contains
string

Only return results that include the specified value

Responses
200

OK

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/all_okta_universal_directory_accounts
Request samples
Response samples
application/json
{
  "list": [
    {}
  ]
}

List all Universal Directory accounts in a resource group project
Admin roles:
  • resource_admin
  • delegated_resource_admin

Lists all Universal Directory accounts in a resource group project

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

resource_group_id
required
string

The UUID of a resource group

project_id
required
string

The UUID of a project

query Parameters
contains
string

Only return results that include the specified value

Responses
200

OK

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/okta_universal_directory_accounts
Request samples
Response samples
application/json
{
  "list": [
    {}
  ]
}

Retrieve a Universal Directory account
Admin roles:
  • resource_admin
  • security_admin
  • delegated_resource_admin
  • delegated_security_admin

Retrieves a Universal Directory account from a resource group project

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your team

resource_group_id
required
string

The UUID of a resource group

project_id
required
string

The UUID of a project

okta_universal_directory_account_id
required
string

The UUID of a Universal Directory account

Responses
200

OK

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/okta_universal_directory_accounts/{okta_universal_directory_account_id}
Request samples
Response samples
application/json
{
  "account_name": "AWS Prod-5 account",
  "checkout_enabled": true,
  "checkout_expiry_at": "2019-08-24T14:15:22Z",
  "checkout_status": "checked_out",
  "created_at": "2019-08-24T14:15:22Z",
  "id": "d1b65a78-21ed-429b-8ea3-eec96f2748d6",
  "last_checkout_user": "string",
  "next_scheduled_password_rotation_reason": "string",
  "next_scheduled_password_rotation_timestamp": "2019-08-24T14:15:22Z",
  "project_id": "string",
  "team_id": "string",
  "username": "OpsCaliforniaShared",
  "last_password_change_error_metadata": "string",
  "last_password_change_error_report_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_error_system_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_error_type": "string",
  "last_password_change_success_report_timestamp": "2019-08-24T14:15:22Z",
  "last_password_change_system_timestamp": "2019-08-24T14:15:22Z",
  "password_change_error_count": 0,
  "password_change_error_count_since_last_success": 0,
  "password_change_success_count": 0
}