Okta Universal Directory Accounts

The Universal Directory Accounts API provides operations to manage Universal Directory accounts for Okta Privileged Access teams.

List all Universal Directory accounts
Admin roles:
  • security_admin

Lists all Universal Directory accounts

Security: bearerAuth

Request

Path parameters
  • team_name (string, required): The name of your team

Query parameters
  • contains (string): Only return results that include the specified value

Responses
  • 200: OK

GET /v1/teams/{team_name}/all_okta_universal_directory_accounts

Response sample (application/json)
{
  "list": [
    {}
  ]
}

List Okta Universal Directory service accounts the user has access to

List Okta Universal Directory service accounts the user has access to based on the security policies.

Security: bearerAuth

Request

Path parameters
  • team_name (string, required): The name of your team

Query parameters
  • count (integer <int32>): The number of objects per page
  • prev (boolean): The direction of paging
  • offset (string): The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.
  • descending (boolean): The object order

Responses
  • 200: OK

GET /v1/teams/{team_name}/okta_universal_directory_accounts

Response sample (application/json)
{
  "list": [
    {},
    {}
  ]
}
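
The offset parameter above is driven by the rel="next" Link header, so an audit script that enumerates accounts has to follow that header rather than guess offsets. The following is an added example, not code from Okta's documentation; the host, team name, header values and the "id" field are constructed, and fetch is a stand-in for the authenticated GET.

```python
# Added example: page through the listing by following rel="next" Link headers.
# HOST, PATH, FAKE_PAGES and the "id" field are constructed sample data.
import re
from urllib.parse import urlsplit, parse_qs
HOST = "pam.example.invalid"
PATH = "/v1/teams/example-team/okta_universal_directory_accounts"
_LINK = re.compile(r'<([^>]*)>((?:\s*;[^;,]*)*)')
_REL = re.compile(r';\s*rel\s*=\s*"?([^";,]+)"?', re.I)

def parse_link_header(value):
    """Map each rel to its URL; handles the common <url>; rel="..." form."""
    links = {}
    for url, params in _LINK.findall(value or ""):
        rel = _REL.search(params)
        for name in (rel.group(1).split() if rel else []):
            links[name.lower()] = url
    return links

def next_page_params(link_header, host=HOST, path=PATH):
    """Query parameters of the rel="next" link, or None on the last page."""
    url = parse_link_header(link_header).get("next")
    if url is None:
        return None
    parts = urlsplit(url)
    # Never replay the bearer token against a host or path we did not ask for.
    if (parts.scheme, parts.netloc, parts.path) != ("https", host, path):
        raise ValueError("unexpected next link: " + url)
    return {k: v[0] for k, v in parse_qs(parts.query).items()}

def list_all(fetch, count=2):
    """Collect all items; fetch(params) returns (items, link_header_value)."""
    params, seen, items = {"count": str(count)}, set(), []
    while params is not None:
        offset = params.get("offset")
        if offset in seen:
            raise RuntimeError("pagination loop at offset %r" % offset)
        seen.add(offset)
        page, link = fetch(params)
        items.extend(page)
        params = next_page_params(link)
    return items

BASE = "https://" + HOST + PATH
FAKE_PAGES = {
    None: ([{"id": "a"}, {"id": "b"}], '<%s?count=2&offset=b>; rel="next"' % BASE),
    "b": ([{"id": "c"}], '<%s?count=2&offset=b&prev=true>; rel="prev"' % BASE),
}
def fake_fetch(params):
    return FAKE_PAGES[params.get("offset")]
```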

Reveal the password for a Universal Directory account

Reveals the password belonging to a Universal Directory account (managed and unmanaged) that the end user has access to.

Security: bearerAuth

Request

Path parameters
  • team_name (string, required): The name of your team
  • okta_universal_directory_account_id (string, required): The UUID of a Universal Directory account

Request body schema: application/json (required)

public_key (object (RawJSONWebKey), required): A JSON Web Key formatted in accordance with RFC 7517.
  • alg (string (alg)): The algorithm of the key. Value: "RSA-OAEP-256"
  • crv (string (curve)): The curve used by the key. Enum: "P-256" "P-384" "P-521"
  • d (string <byte>): The exponent of the private key
  • dp (string <byte>): The first factor CRT exponent of the private key
  • dq (string <byte>): The second factor CRT exponent of the private key
  • e (string <byte>): The exponent of the public key
  • k (string <byte>): The key
  • kid (string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...): The key ID
  • kty (string (kty)): The key type. Enum: "EC" "OKP" "RSA" "oct"
  • n (string <byte>): The modulus of the public key
  • p (string <byte>): The first prime factor of the private key
  • q (string <byte>): The second prime factor of the private key
  • qi (string <byte>): The first CRT coefficient of the private key
  • use (string): The intended use of the key
  • x (string <byte>): The x coordinate of the key
  • x5c (Array of strings): A list of X.509 certificates
  • x5t (string): The SHA-1 thumbprint of the X.509 certificate
  • x5t#S256 (string): The SHA-256 thumbprint of the X.509 certificate
  • x5u (string): The URL of the X.509 certificates
  • y (string <byte>): The y coordinate of the key

user_access_method (object (UserAccessMethod), required)
  • access_credential (string): The user credential used to access the resource
  • brokered (boolean): If true, the connection is brokered by the server agent
  • conditionals (Array of objects (UserAccessConditional)): A list of required conditions. Each condition must be met to use this access method. Each array item has:
    • access_request_type_id (string): Used by access_request conditionals to define the ID of a specific Request Type
    • access_request_type_name (string): Used by access_request conditionals to define the name of a specific Request Type
    • acr_values (string (ConditionsMFAACRValues)): Defines the authentication context class reference (ACR) for this policy. See Step-up authentication using ACR values. Enum values:
      • urn:okta:loa:2fa:any: Any two factors. Allows two-factor authentication with no requirements on which factors.
      • phr: OIE orgs only: Phishing-Resistant. Requires users to provide possession factors that cryptographically verify the sign-in server (the origin). Currently, only FIDO2/WebAuthn satisfies this requirement. Because phishing resistance implies device binding, that constraint is selected automatically when phr is specified.
    • condition_is_met (boolean): If true, the condition is currently met
    • description (string): A human-readable description of the condition
    • expires_after_seconds (integer <int64>): Used by access_request conditionals to define the number of seconds the approval remains valid
    • type (string (UserAccessConditionalType)): The type of condition. Enum: "access_request" "gateway" "gateway_with_session_recording" "mfa"
  • details (object)
    • Array of objects (SecretPath)
    • object (SecurityPolicySecretPrivilege): A list of privileges granted to the user
    • secret_id (string): The ID of the secret used to access the resource
    • secret_name (string): The name of the secret used to access the resource
  • identity (string): The user account that will be used to access the resource
  • rule_ids (Array of strings): A list of rule IDs that result in identical user access methods
  • security_policy_rule_id (string): The ID of an existing security policy rule used to filter user access methods
  • server_id (string): The ID of the resource
  • short_text (string): A short description that identifies the access method in the user interface, to help the user pick this access method over the others
  • sudo_command_bundles (string): Collection of all the sudo-related commands a user can access in a single string format
  • user_access_type (string): The type of access method

Responses
  • 200: Success
  • 401: Unauthorized
  • 403: Forbidden
  • 404: Not found

POST /v1/teams/{team_name}/okta_universal_directory_accounts/{okta_universal_directory_account_id}/reveal_credentials

Request sample (application/json)
{
  "public_key": {
    "alg": "RSA-OAEP-256",
    "crv": "P-256",
    "d": "string",
    "dp": "string",
    "dq": "string",
    "e": "string",
    "k": "string",
    "kid": "/regex/",
    "kty": "EC",
    "n": "string",
    "p": "string",
    "q": "string",
    "qi": "string",
    "use": "string",
    "x": "string",
    "x5c": [],
    "x5t": "string",
    "x5t#S256": "string",
    "x5u": "string",
    "y": "string"
  },
  "user_access_method": {
    "access_credential": "string",
    "brokered": true,
    "conditionals": [],
    "details": {},
    "identity": "string",
    "rule_ids": [],
    "security_policy_rule_id": "string",
    "server_id": "string",
    "short_text": "string",
    "sudo_command_bundles": "string",
    "user_access_type": "string"
  }
}

Response sample (application/json)
{
  "password_jwe": "string"
}
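
The RawJSONWebKey schema lists private members (d, p, q, dp, dq, qi) and the symmetric k, and the generated request sample fills every one of them, but the body field is public_key and the password comes back as password_jwe encrypted to that key. The following added example, which is not Okta's code, builds the request so that only the public half of a locally held RSA key leaves the client; the key values, account UUID and user_access_method content are constructed placeholders, and the function names are hypothetical.

```python
# Added example (not Okta's code): build a reveal_credentials request that
# carries only the public half of a locally held RSA JWK.
import json
import uuid
from urllib.parse import quote

# Private or secret JWK members (RFC 7518, section 6) that must stay local.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
PUBLIC_RSA_MEMBERS = ("kty", "n", "e", "kid", "use")

def public_jwk_for_reveal(jwk):
    """Return a public-only RSA JWK marked for RSA-OAEP-256."""
    if jwk.get("kty") != "RSA":
        raise ValueError("RSA-OAEP-256 needs an RSA key, got %r" % jwk.get("kty"))
    missing = [m for m in ("n", "e") if not jwk.get(m)]
    if missing:
        raise ValueError("JWK lacks public members: " + ", ".join(missing))
    public = {m: jwk[m] for m in PUBLIC_RSA_MEMBERS if m in jwk}
    public["alg"] = "RSA-OAEP-256"
    return public

def build_reveal_request(team_name, account_id, jwk, user_access_method):
    """Return (path, json_body) for the POST described above."""
    account = str(uuid.UUID(account_id))  # ValueError if not a UUID
    public_key = public_jwk_for_reveal(jwk)
    leaked = PRIVATE_MEMBERS & set(public_key)
    if leaked:  # defence in depth in case PUBLIC_RSA_MEMBERS is ever widened
        raise ValueError("private JWK members in request: %s" % sorted(leaked))
    path = "/v1/teams/%s/okta_universal_directory_accounts/%s/reveal_credentials" % (
        quote(team_name, safe=""), account)
    body = json.dumps({"public_key": public_key,
                       "user_access_method": user_access_method}, sort_keys=True)
    return path, body

# Constructed placeholders, not real key material or real account data.
SAMPLE_JWK = {"kty": "RSA", "n": "CONSTRUCTED_MODULUS", "e": "AQAB",
              "d": "CONSTRUCTED_PRIVATE_EXPONENT", "p": "CONSTRUCTED_P",
              "q": "CONSTRUCTED_Q"}
SAMPLE_METHOD = {"identity": "svc-example"}
SAMPLE_ACCOUNT_ID = "00000000-0000-4000-8000-000000000000"
```

The private JWK stays on the client for decrypting password_jwe; only the returned body is sent.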

List user access methods for a Universal Directory account

List user access methods for a Universal Directory account based on the security policies.

Security: bearerAuth

Request

Path parameters
  • team_name (string, required): The name of your team
  • okta_universal_directory_account_id (string, required): The UUID of a Universal Directory account

Responses
  • 200: OK

GET /v1/teams/{team_name}/okta_universal_directory_accounts/{okta_universal_directory_account_id}/user_access_methods

Response sample (application/json)
{
  "list": [
    {}
  ]
}

List all Universal Directory accounts in a resource group
Admin roles:
  • security_admin
  • delegated_security_admin

Lists all Universal Directory accounts in a resource group

Security: bearerAuth

Request

Path parameters
  • team_name (string, required): The name of your team
  • resource_group_id (string, required): The UUID of a resource group

Query parameters
  • contains (string): Only return results that include the specified value

Responses
  • 200: OK

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/all_okta_universal_directory_accounts

Response sample (application/json)
{
  "list": [
    {}
  ]
}

List all Universal Directory accounts in a project
Admin roles:
  • resource_admin
  • delegated_resource_admin

Lists all Universal Directory accounts in a project in a resource group.

Security: bearerAuth

Request

Path parameters
  • team_name (string, required): The name of your team
  • resource_group_id (string, required): The UUID of a resource group
  • project_id (string, required): The UUID of a project

Query parameters
  • contains (string): Only return results that include the specified value

Responses
  • 200: OK

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/okta_universal_directory_accounts

Response sample (application/json)
{
  "list": [
    {}
  ]
}