SaaS Application Accounts

The SaaS App Accounts API provides operations to manage SaaS app accounts for Okta Privileged Access teams

List all SaaS app accounts
Admin roles:
  • security_admin

Lists all SaaS app accounts

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your team

query Parameters
contains
string

Only return results that include the specified value

managed
boolean

If true, only return SaaS app accounts that support password rotation. If false, only return SaaS app accounts that do not support password rotation.

Responses
200

OK

get/v1/teams/{team_name}/all_saas_app_accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
Get a Okta Universal Directory service account user has access to
Admin roles: 
  • end_user
Gets a Okta Universal Directory service account user has access to based on the security policies


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
okta_universal_directory_account_id
required
string
The UUID of a Universal Directory account


 
Responses 
200
OK


get/v1/teams/{team_name}/okta_universal_directory_accounts/{okta_universal_directory_account_id}
Request samples 
Response samples 
application/json
{
  • "account": {
    • "id": "a747a818-a4c4-4446-8a87-704216495a08",
    • "name": "superadmin account for test instance",
    • "username": "superadmin@okta.com",
    • "lcm_sync_possible": true,
    • "availability_status": "available",
    • "account_status": "NO_ISSUES",
    • "account_status_detail": "ROTATED"
    },
  • "checkout_details": {
    • "checkout_enabled": true
    }
}
List all SaaS app accounts in a resource group
Admin roles: 
  • security_admin
  • delegated_security_admin
Lists all SaaS app accounts in a resource group


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
query Parameters
contains
string
Only return results that include the specified value


 
managed
boolean
If true, only return SaaS app accounts that support password rotation. If false, only return SaaS app accounts that do not support password rotation.


 
Responses 
200
OK


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/all_saas_app_accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List all SaaS app accounts in a project
Admin roles: 
  • resource_admin
  • delegated_resource_admin
Lists all SaaS app accounts in a project in a resource group


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
query Parameters
contains
string
Only return results that include the specified value


 
managed
boolean
If true, only return SaaS app accounts that support password rotation. If false, only return SaaS app accounts that do not support password rotation.


 
Responses 
200
OK


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/saas_app_accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List SaaS Application instances accessible to the end user
Admin roles: 
  • end_user
List SaaS Application instances that an end user has access to through at least one account based on the security policies.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
query Parameters
count
integer <int32> 
The number of objects per page


 
prev
boolean
The direction of paging


 
offset
string
The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.


 
descending
boolean
The object order


 
Responses 
200
OK


get/v1/teams/{team_name}/saas_apps
Request samples 
Response samples 
application/json
{}
Get a SaaS Application instance accessible to the end user
Admin roles: 
  • end_user
Gets a SaaS app instance that an end user has access to through at least one account based on the security policies


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
saas_app_instance_id
required
string
The App Instance ID of SaaS App provisioned to an Okta org


 
Responses 
200
OK


get/v1/teams/{team_name}/saas_apps/{saas_app_instance_id}
Request samples 
Response samples 
application/json
{}
List SaaS application service accounts the user has access to
Admin roles: 
  • end_user
List SaaS application service accounts the user has access to based on the security policies.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
saas_app_instance_id
required
string
The App Instance ID of SaaS App provisioned to an Okta org


 
query Parameters
count
integer <int32> 
The number of objects per page


 
prev
boolean
The direction of paging


 
offset
string
The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.


 
descending
boolean
The object order


 
Responses 
200
OK


get/v1/teams/{team_name}/saas_apps/{saas_app_instance_id}/accounts
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      },
    • {
      },
    • {
      }
    ]
}
Get a SaaS application service account that the user has access to
Admin roles: 
  • end_user
Gets a SaaS application service account that the user has access to based on the security policies


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
saas_app_instance_id
required
string
The App Instance ID of SaaS App provisioned to an Okta org


 
saas_app_account_id
required
string
The UUID of a SaaS app account


 
Responses 
200
OK


get/v1/teams/{team_name}/saas_apps/{saas_app_instance_id}/accounts/{saas_app_account_id}
Request samples 
Response samples 
application/json
{
  • "account": {
    • "id": "b747a818-a4c4-4446-8a87-704216495a08",
    • "name": "admin account for test instance",
    • "username": "admin@test.app",
    • "lcm_sync_possible": true,
    • "availability_status": "checked_out",
    • "account_status": "NO_ISSUES",
    • "account_status_detail": "ROTATED"
    },
  • "checkout_details": {
    • "current_user_checkout_expires_at": "2024-09-12T14:30:00Z",
    • "checkout_enabled": true
    }
}
Update the password for SaaS app account.
Admin roles: 
  • end_user
Updates the password belonging to a SaaS app account (managed and unmanaged) that the end user has access to.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
saas_app_instance_id
required
string
The App Instance ID of SaaS App provisioned to an Okta org


 
saas_app_account_id
required
string
The UUID of a SaaS app account


 
Request Body schema: application/json
required
password_jwe
required
string
 
required
object (UserAccessMethod) 
 
access_credential
string
The user credential used to access the resource


 
brokered
boolean
If true, the connection is brokered by the server agent


 
Array of objects (UserAccessConditional) 
A list of required conditions. Each condition must be met to use this access method


 
 Array 
access_request_type_id
string
Used by access_request conditionals to define the ID of a specific Request Type


 
access_request_type_name
string
Used by access_request conditionals to define the name of a specific Request Type


 
acr_values
string (ConditionsMFAACRValues) 
Defines the authentication context class reference (ACR) for this policy. See Step-up authentication using ACR values.


 Enum: Description
urn:okta:loa:2fa:any
Any two factors. Allows two factor authentication with no requirements on which factors.


phr
OIE orgs only: Phishing-Resistant. Requires users to provide possession factors that cryptographically verify the sign-in server (the origin). Currently, only FIDO2/WebAuthn satisfies this requirement. Because phishing resistance implies device binding, that constraint is selected automatically when phr is specified.


 
condition_is_met
boolean
If true, the condition is currently met


 
description
string
A human-readable description of the condition


 
expires_after_seconds
integer <int64> 
Used by access_request conditionals to define the number of seconds the approval remains valid


 
type
string (UserAccessConditionalType) 
The type of condition


 Enum: "access_request" "gateway" "gateway_with_session_recording" "mfa"  
object
 
Array of objects (SecretPath) 
 
object (SecurityPolicySecretPrivilege) 
A list of privileges granted to the user


 
secret_id
string
The ID of the secret used to access the resource


 
secret_name
string
The name of the secret used to access the resource


 
identity
string
The user account that will be used to access the resource


 
rule_ids
Array of strings
A list of rule IDs that result in identical user access methods


 
security_policy_rule_id
string
The ID of an existing security policy rule used to filter user access methods


 
server_id
string
The ID of the resource


 
short_text
string
A short description used to identify the access method to users interface to help the user pick this access method vs other ones


 
sudo_command_bundles
string
Collection of all the sudo-related commands a user can access in a single string format


 
user_access_type
string
The type of access method


 
Responses 
204
No Content


401
Unauthorized


403
Forbidden


404
Not found


put/v1/teams/{team_name}/saas_apps/{saas_app_instance_id}/accounts/{saas_app_account_id}/credentials
Request samples 
application/json
{
  • "password_jwe": "string",
  • "user_access_method": {
    • "access_credential": "string",
    • "brokered": true,
    • "conditionals": [
      ],
    • "details": {
      },
    • "identity": "string",
    • "rule_ids": [
      ],
    • "security_policy_rule_id": "string",
    • "server_id": "string",
    • "short_text": "string",
    • "sudo_command_bundles": "string",
    • "user_access_type": "string"
    }
}
Response samples 
application/json
{
  • "code": 401,
  • "message": "Missing capability: role",
  • "nottype": "authorization_error"
}
Reveal the password for SaaS app account.
Admin roles: 
  • end_user
Reveals the password belonging to a SaaS app account (managed and unmanaged) that the end user has access to.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
saas_app_instance_id
required
string
The App Instance ID of SaaS App provisioned to an Okta org


 
saas_app_account_id
required
string
The UUID of a SaaS app account


 
Request Body schema: application/json
required
required
object (RawJSONWebKey) 
A JSON Web Key formatted in accordance with RFC 7517.


 
alg
string (alg) 
The algorithm of the key


 Value: "RSA-OAEP-256"  
crv
string (curve) 
The curve used by the key


 Enum: "P-256" "P-384" "P-521"  
d
string <byte> 
The exponent of the private key


 
dp
string <byte> 
The first factor CRT exponent of the private key


 
dq
string <byte> 
The second factor CRT exponent of the private key


 
e
string <byte> 
The exponent of the public key


 
k
string <byte> 
The key


 
kid
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...
The key ID


 
kty
string (kty) 
The key type


 Enum: "EC" "OKP" "RSA" "oct"  
n
string <byte> 
The modulus of the public key


 
p
string <byte> 
The first prime factor of the private key


 
q
string <byte> 
The second prime factor of the private key


 
qi
string <byte> 
The first CRT coefficient of the private key


 
use
string
The intended use of the key


 
x
string <byte> 
The x coordinate of the key


 
x5c
Array of strings
A list of X.509 certificates


 
x5t
string
The SHA-1 thumbprint of the X.509 certificate


 
x5t#S256
string
The SHA-256 thumbprint of the X.509 certificate


 
x5u
string
The URL of the X.509 certificates


 
y
string <byte> 
The y coordinate of the key


 
required
object (UserAccessMethod) 
 
access_credential
string
The user credential used to access the resource


 
brokered
boolean
If true, the connection is brokered by the server agent


 
Array of objects (UserAccessConditional) 
A list of required conditions. Each condition must be met to use this access method


 
 Array 
access_request_type_id
string
Used by access_request conditionals to define the ID of a specific Request Type


 
access_request_type_name
string
Used by access_request conditionals to define the name of a specific Request Type


 
acr_values
string (ConditionsMFAACRValues) 
Defines the authentication context class reference (ACR) for this policy. See Step-up authentication using ACR values.


 Enum: Description
urn:okta:loa:2fa:any
Any two factors. Allows two factor authentication with no requirements on which factors.


phr
OIE orgs only: Phishing-Resistant. Requires users to provide possession factors that cryptographically verify the sign-in server (the origin). Currently, only FIDO2/WebAuthn satisfies this requirement. Because phishing resistance implies device binding, that constraint is selected automatically when phr is specified.


 
condition_is_met
boolean
If true, the condition is currently met


 
description
string
A human-readable description of the condition


 
expires_after_seconds
integer <int64> 
Used by access_request conditionals to define the number of seconds the approval remains valid


 
type
string (UserAccessConditionalType) 
The type of condition


 Enum: "access_request" "gateway" "gateway_with_session_recording" "mfa"  
object
 
Array of objects (SecretPath) 
 
object (SecurityPolicySecretPrivilege) 
A list of privileges granted to the user


 
secret_id
string
The ID of the secret used to access the resource


 
secret_name
string
The name of the secret used to access the resource


 
identity
string
The user account that will be used to access the resource


 
rule_ids
Array of strings
A list of rule IDs that result in identical user access methods


 
security_policy_rule_id
string
The ID of an existing security policy rule used to filter user access methods


 
server_id
string
The ID of the resource


 
short_text
string
A short description used to identify the access method to users interface to help the user pick this access method vs other ones


 
sudo_command_bundles
string
Collection of all the sudo-related commands a user can access in a single string format


 
user_access_type
string
The type of access method


 
Responses 
200
Success


401
Unauthorized


403
Forbidden


404
Not found


post/v1/teams/{team_name}/saas_apps/{saas_app_instance_id}/accounts/{saas_app_account_id}/reveal_credentials
Request samples 
application/json
{
  • "public_key": {
    • "alg": "RSA-OAEP-256",
    • "crv": "P-256",
    • "d": "string",
    • "dp": "string",
    • "dq": "string",
    • "e": "string",
    • "k": "string",
    • "kid": "/regex/",
    • "kty": "EC",
    • "n": "string",
    • "p": "string",
    • "q": "string",
    • "qi": "string",
    • "use": "string",
    • "x": "string",
    • "x5c": [
      ],
    • "x5t": "string",
    • "x5t#S256": "string",
    • "x5u": "string",
    • "y": "string"
    },
  • "user_access_method": {
    • "access_credential": "string",
    • "brokered": true,
    • "conditionals": [
      ],
    • "details": {
      },
    • "identity": "string",
    • "rule_ids": [
      ],
    • "security_policy_rule_id": "string",
    • "server_id": "string",
    • "short_text": "string",
    • "sudo_command_bundles": "string",
    • "user_access_type": "string"
    }
}
Response samples 
application/json
{
  • "password_jwe": "string"
}
List SaaS application account user access methods
Admin roles: 
  • end_user
List SaaS application account user access methods based on the security policies.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
saas_app_instance_id
required
string
The App Instance ID of SaaS App provisioned to an Okta org


 
saas_app_account_id
required
string
The UUID of a SaaS app account


 
Responses 
200
OK


get/v1/teams/{team_name}/saas_apps/{saas_app_instance_id}/accounts/{saas_app_account_id}/user_access_methods
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}