Okta Universal Directory Accounts

The Okta Universal Directory Accounts API provides operations to manage Universal Directory accounts for Okta Privileged Access teams

List all Universal Directory accounts
Admin roles:
  • security_admin

Lists all Universal Directory accounts

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your team

query Parameters
contains
string

Only return results that include the specified value

Responses
200

OK

get/v1/teams/{team_name}/all_okta_universal_directory_accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List all accessible Universal Directory service accounts
Admin roles: 
  • end_user
Lists all Universal Directory service accounts that you (as the request user) can access based on the security policies


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
query Parameters
count
integer <int32> 
The number of objects per page


 
prev
boolean
The direction of paging


 
offset
string
The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.


 
descending
boolean
The object order


 
Responses 
200
OK


get/v1/teams/{team_name}/okta_universal_directory_accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      },
    • {
      }
    ]
}
Reveal the password for Universal Directory account
Admin roles: 
  • end_user
Reveals the password for a Universal Directory account (managed and unmanaged) that you (as the request user) can access


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
okta_universal_directory_account_id
required
string
The UUID of a Universal Directory account


 
Request Body schema: application/json
required
required
object (RawJSONWebKey) 
A JSON Web Key formatted in accordance with RFC 7517.


 
alg
string (alg) 
The algorithm of the key


 Value: "RSA-OAEP-256"  
crv
string (curve) 
The curve used by the key


 Enum: "P-256" "P-384" "P-521"  
d
string <byte> 
The exponent of the private key


 
dp
string <byte> 
The first factor CRT exponent of the private key


 
dq
string <byte> 
The second factor CRT exponent of the private key


 
e
string <byte> 
The exponent of the public key


 
k
string <byte> 
The key


 
kid
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...
The key ID


 
kty
string (kty) 
The key type


 Enum: "EC" "OKP" "RSA" "oct"  
n
string <byte> 
The modulus of the public key


 
p
string <byte> 
The first prime factor of the private key


 
q
string <byte> 
The second prime factor of the private key


 
qi
string <byte> 
The first CRT coefficient of the private key


 
use
string
The intended use of the key


 
x
string <byte> 
The x coordinate of the key


 
x5c
Array of strings
A list of X.509 certificates


 
x5t
string
The SHA-1 thumbprint of the X.509 certificate


 
x5t#S256
string
The SHA-256 thumbprint of the X.509 certificate


 
x5u
string
The URL of the X.509 certificates


 
y
string <byte> 
The y coordinate of the key


 
required
object (UserAccessMethod) 
 
access_credential
required
string
The user credential that's used to access the resource


 Enum: "managed" "password" "ssh-certificate" "ssh-certificate-admin" "ssh-certificate-sudo" "rdp-broker-certificate" "rdp-broker-certificate-admin" "encrypted-ssh-password" "encrypted-rdp-password"  
availability_details_text
string
This text displays in the user interface (CLI) to show resource availability status with checkout requirements and checkout expiry time. The availability status displays only for the CLI user who previously checked out the resource.


 
brokered
required
boolean
If true, the connection is brokered by the server agent


 
object (CheckoutRequirements) 
Checkout requirements


 
max_checkout_duration_in_seconds
integer
The maximum duration (in seconds) that a resource can be checked out. If the security policy checkout duration configuration is overridden, the maximum duration is based on the project's checkout settings.


 
required
boolean
Indicates if checkout is required


 
Array of objects (UserAccessConditional) 
A list of required conditions to use the user access method


 
 Array 
access_request_type_id
string
Used by access_request conditionals to define the ID of a specific request type


 
access_request_type_name
string
Used by access_request conditionals to define the name of a specific request type


 
acr_values
string (ConditionsMFAACRValues) 
Defines the authentication context class reference (ACR) for this policy. See Step-up authentication using ACR values.


 Enum: Description
urn:okta:loa:2fa:any
Any two factors. Allows two factor authentication with no requirements on which factors.


phr
OIE orgs only: Phishing-Resistant. Requires users to provide possession factors that cryptographically verify the sign-in server (the origin). Currently, only FIDO2/WebAuthn satisfies this requirement. Because phishing resistance implies device binding, that constraint is selected automatically when phr is specified.


 
condition_is_met
boolean
If true, the condition is currently met


 
description
string
A description of the condition


 
expires_after_seconds
integer <int64> 
Used by access_request conditionals to define the number of seconds the approval remains valid


 
type
string (UserAccessConditionalType) 
The type of condition


 Enum: "access_request" "gateway" "gateway_with_session_recording" "mfa"  
current_user_checkout_expires_at
string <date-time> 
The checkout expiry time for the current user


 
object
User access method details


 
Array of objects (SecretPath) 
List of secrets


 
object (SecurityPolicySecretPrivilege) 
A list of privileges granted to the user


 
secret_id
string
The ID of the secret used to access the resource


 
secret_name
string
The name of the secret used to access the resource


 
identity
required
string
The user account that's used to access the resource


 
resource_status
required
string
Resource availability status that's displayed to end users


 Enum: "available" "checked_out" "checked_out_by_other_user" "unavailable"  
rule_ids
Array of strings
A list of rule IDs that result in identical user access methods


 
server_host_name
required
string
Server host name


 
server_id
required
string
The ID of the resource


 
short_text
string
A short description that's used to identify the access method to the users interface


 
Array of objects (SudoCommandBundleForConnectionInfo) 
Collection of all the sudo-related commands a user can access in a single string format


 
 Array 
ent_type
required
string
Entitlement type


 
sudo_add_env
Array of strings
Additional environmental variables


 
sudo_commands
Array of strings
List of sudo commands


 
sudo_group_name
required
string
Sudo group name


 
sudo_id
required
string
Sudo ID


 
sudo_login_username
required
string
Sudo login username


 
sudo_name
required
string
Sudo name


 
sudo_noexec
required
boolean
If sudo has noexec configuration set


 
sudo_nopasswd
required
boolean
If sudo can be used without password


 
sudo_runas
required
string
Sudo run as


 
sudo_setenv
required
boolean
If setenv is allowed


 
sudo_sub_env
Array of strings
A list of environment variables to be used to substitute your current environment


 
user_access_type
required
string
The type of access method


 
Responses 
200
Success


401
Unauthorized


403
Forbidden


404
Not found


post/v1/teams/{team_name}/okta_universal_directory_accounts/{okta_universal_directory_account_id}/reveal_credentials
Request samples 
application/json
{
  • "public_key": {
    • "alg": "RSA-OAEP-256",
    • "crv": "P-256",
    • "d": "string",
    • "dp": "string",
    • "dq": "string",
    • "e": "string",
    • "k": "string",
    • "kid": "/regex/",
    • "kty": "EC",
    • "n": "string",
    • "p": "string",
    • "q": "string",
    • "qi": "string",
    • "use": "string",
    • "x": "string",
    • "x5c": [
      ],
    • "x5t": "string",
    • "x5t#S256": "string",
    • "x5u": "string",
    • "y": "string"
    },
  • "user_access_method": {
    • "access_credential": "managed",
    • "availability_details_text": "string",
    • "brokered": true,
    • "checkout_requirements": {
      },
    • "conditionals": [
      ],
    • "current_user_checkout_expires_at": "2019-08-24T14:15:22Z",
    • "details": {
      },
    • "identity": "string",
    • "resource_status": "available",
    • "rule_ids": [
      ],
    • "server_host_name": "string",
    • "server_id": "string",
    • "short_text": "string",
    • "sudo_command_bundles": [
      ],
    • "user_access_type": "string"
    }
}
Response samples 
application/json
{
  • "password_jwe": "string"
}
List the Universal Directory account user access methods
Admin roles: 
  • end_user
Lists the user access methods for a Universal Directory account based on the security policies


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
okta_universal_directory_account_id
required
string
The UUID of a Universal Directory account


 
Responses 
200
OK


get/v1/teams/{team_name}/okta_universal_directory_accounts/{okta_universal_directory_account_id}/user_access_methods
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List all Universal Directory account in a resource group
Admin roles: 
  • security_admin
  • delegated_security_admin
Lists all Universal Directory accounts in a resource group


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
query Parameters
contains
string
Only return results that include the specified value


 
Responses 
200
OK


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/all_okta_universal_directory_accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List all Universal Directory accounts in a resource group project
Admin roles: 
  • resource_admin
  • delegated_resource_admin
Lists all Universal Directory accounts in a resource group project


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
query Parameters
contains
string
Only return results that include the specified value


 
Responses 
200
OK


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/okta_universal_directory_accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
Retrieve a Universal Directory account
Admin roles: 
  • resource_admin
  • security_admin
  • delegated_resource_admin
  • delegated_security_admin
Retrieves a Universal Directory account from a resource group project


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
okta_universal_directory_account_id
required
string
The UUID of a Universal Directory account


 
Responses 
200
OK


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/okta_universal_directory_accounts/{okta_universal_directory_account_id}
Request samples 
Response samples 
application/json
{
  • "account_name": "AWS Prod-5 account",
  • "checkout_enabled": true,
  • "checkout_expiry_at": "2019-08-24T14:15:22Z",
  • "checkout_status": "checked_out",
  • "created_at": "2019-08-24T14:15:22Z",
  • "id": "d1b65a78-21ed-429b-8ea3-eec96f2748d6",
  • "last_checkout_user": "string",
  • "next_scheduled_password_rotation_reason": "string",
  • "next_scheduled_password_rotation_timestamp": "2019-08-24T14:15:22Z",
  • "project_id": "string",
  • "team_id": "string",
  • "username": "OpsCaliforniaShared",
  • "last_password_change_error_metadata": "string",
  • "last_password_change_error_report_timestamp": "2019-08-24T14:15:22Z",
  • "last_password_change_error_system_timestamp": "2019-08-24T14:15:22Z",
  • "last_password_change_error_type": "string",
  • "last_password_change_success_report_timestamp": "2019-08-24T14:15:22Z",
  • "last_password_change_system_timestamp": "2019-08-24T14:15:22Z",
  • "password_change_error_count": 0,
  • "password_change_error_count_since_last_success": 0,
  • "password_change_success_count": 0
}