Identity Providers

The Identity Providers API provides operations to manage federations with external Identity Providers (IdP). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (OIDC) protocol.

List all identity providers
OAuth 2.0: okta.idps.read

Lists all identity provider integrations with pagination. A subset of IdPs can be returned that match a supported filter expression or query.

Request
query Parameters
q
string

Searches the name property of IdPs for matching value

Example: q=Example SAML
after
string

The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the Link response header. See Pagination.

limit
integer [ 1 .. 200 ]
Default: 20

A limit on the number of objects to return

type
string (IdentityProviderType)

Filters IdPs by type

Enum: "AMAZON" "APPLE" "DISCORD" "FACEBOOK" "GITHUB" "GITLAB" "GOOGLE" "LINKEDIN" "LOGINGOV" "LOGINGOV_SANDBOX" "MICROSOFT" "OIDC" "PAYPAL" "PAYPAL_SANDBOX" "SALESFORCE" "SAML2" "SPOTIFY" "X509" "XERO" "YAHOO" "YAHOOJP"
Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/idps
Request samples
Response samples
application/json
[]

Create an identity provider
OAuth 2.0: okta.idps.manage

Creates a new Identity Provider integration.

SAML 2.0 Identity Provider

You must first add the IdP's signature certificate to the IdP key store before you can add a SAML 2.0 IdP with a kid credential reference.

Don't use fromURI to automatically redirect a user to a particular app after successfully authenticating with a third-party IdP. Instead, use SAML deep links. Using fromURI isn't tested or supported. For more information about using deep links when signing users in using an SP-initiated flow, see Understanding SP-Initiated Login flow.

Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL:

  • SP ACS URL
    For example: https://${yourOktaDomain}/sso/saml2/:idpId
  • The app to which the user is automatically redirected after successfully authenticating with the IdP
    For example: /app/:app-location/:appId/sso/saml
  • Optionally, if the app is an outbound SAML app, you can specify the relayState passed to it.
    For example: ?RelayState=:anyUrlEncodedValue

The deep link for the above three parts is:
https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue

Smart Card X509 Identity Provider

You must first add the IdP's server certificate to the IdP key store before you can add a Smart Card X509 IdP with a kid credential reference. You need to upload the whole trust chain as a single key using the Key Store API. Depending on the information stored in the smart card, select the proper template idpuser.subjectAltNameEmail or idpuser.subjectAltNameUpn.

Request
Request Body schema: application/json
required

IdP settings

issuerMode
string (IdentityProviderIssuerMode)
Default: "DYNAMIC"

Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP

Enum: Description
ORG_URL

In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (https://${yourOktaDomain}) as the domain in the redirect_uri.

CUSTOM_URL

In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri. You can set issuerMode to CUSTOM_URL only if you have a custom URL domain configured.

DYNAMIC

In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain.

name
string <= 100 characters

Unique name for the IdP

object (IdentityProviderPolicy)

Policy settings for the IdP. The following provisioning and account linking actions are supported by each IdP provider:

IdP type User provisioning actions Group provisioning actions Account link actions Account link filters
SAML2 AUTO or DISABLED NONE, ASSIGN, APPEND, or SYNC AUTO, DISABLED groups, users
X509 DISABLED No support for JIT provisioning
All social IdP types (any IdP type that isn't SAML2 or X509) AUTO, DISABLED NONE or ASSIGN AUTO, DISABLED groups, users
object (PolicyAccountLink)

Specifies the behavior for linking an IdP User to an existing Okta User

action
string (PolicyAccountLinkAction)

Specifies the account linking action for an IdP User

Enum: Description
AUTO

The IdP User is automatically linked to an Okta User when the transformed IdP User matches an existing Okta User according to subject match rules.

DISABLED

Okta never attempts to link the IdP User to an existing Okta User, but may still attempt to provision a new Okta User according to the provisioning action type.

object (PolicyAccountLinkFilter)

Specifies filters on which users are available for account linking by an IdP

maxClockSkew
integer

Maximum allowable clock skew when processing messages from the IdP

object (Provisioning)

Specifies the behavior for just-in-time (JIT) provisioning of an IdP User as a new Okta User and their Group memberships

action
string (ProvisioningAction)

Specifies the User provisioning action during authentication when an IdP User isn't linked to an existing Okta User.

  • To successfully provision a new Okta User, you must enable just-in-time (JIT) provisioning in your org security settings.
  • If the target username isn't unique or the resulting Okta User profile is missing a required profile attribute, JIT provisioning may fail.
  • New Okta Users are provisioned with either a FEDERATION or SOCIAL authentication provider depending on the IdP type.
Enum: Description
AUTO

The IdP User profile is transformed through defined universal directory profile mappings to an Okta User profile and automatically provisioned as an Okta User.

DISABLED

Okta rejects the authentication request and skips provisioning of a new Okta User if the IdP User isn't linked to an existing Okta User.

object (ProvisioningConditions)

Conditional behaviors for an IdP User during authentication

object (ProvisioningGroups)

Provisioning settings for a User's Group memberships

profileMaster
boolean

Determines if the IdP should act as a source of truth for User profile attributes

object (PolicySubject)

Specifies the behavior for establishing, validating, and matching a username for an IdP User

filter
string <= 1024 characters

Optional regular expression pattern used to filter untrusted IdP usernames.

  • As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any User, including partners or directory Users in your Okta org.
  • For example, the filter pattern (\S+@example\.com) allows only Users that have an @example.com username suffix. It rejects assertions that have any other suffix such as @corp.example.com or @partner.com.
  • Only SAML2 and OIDC IdP providers support the filter property.
matchAttribute
string

Okta User profile attribute for matching a transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE. The matchAttribute must be a valid Okta User profile attribute of one of the following types:

  • String (with no format or 'email' format only)
  • Integer
  • Number
matchType
string (PolicySubjectMatchType)

Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username

Enum: "CUSTOM_ATTRIBUTE" "EMAIL" "USERNAME" "USERNAME_OR_EMAIL"
object (PolicyUserNameTemplate)

Okta Expression Language (EL) expression to generate or transform a unique username for the IdP User.

  • IdP User profile attributes can be referenced with the idpuser prefix such as idpuser.subjectNameId.
  • You must define an IdP User profile attribute before it can be referenced in an Okta EL expression. To define an IdP User attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP User profile to update the IdP instance with an expression that references the IdP User profile attribute that you just created.
object or null (IdentityProviderProperties)

The properties in the Identity Provider Properties object vary depending on the IdP type

aalValue
string or null

The authentication assurance level (AAL) value for the Login.gov IdP. See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.

additionalAmr
Array of strings or null

The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to X509 IdP type.

Enum: Description
sc

Smart card

hwk

Hardware-secured key

pin

Personal identification number

mfa

Multifactor authentication

ialValue
string or null

The type of identity verification (IAL) value for the Login.gov IdP. See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.

SAML 2.0 Protocol (object) or OAuth 2.0 Protocol (object) or OpenID Connect Protocol (object) or Mutual TLS Protocol (object)

IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages

One of:

Protocol settings for the SAML 2.0 Authentication Request Protocol

object (SamlAlgorithms)

Settings for signing and verifying SAML messages

object (SamlRequestAlgorithm)

Algorithm settings used to secure an <AuthnRequest> message

object (SamlResponseAlgorithm)

Algorithm settings for verifying <SAMLResponse> messages and <Assertion> elements from the IdP

object (SamlCredentials)

Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP

object (SamlSigningCredentials)

Key used for signing requests to the IdP

object (SamlTrustCredentials)

Federation Trust Credentials for verifying assertions from the IdP

object (SamlEndpoints)

SAML 2.0 HTTP binding settings for IdP and SP (Okta)

object (SamlAcsEndpoint)

Okta's SPSSODescriptor endpoint where the IdP sends a <SAMLResponse> message

object (SamlSsoEndpoint)

IdP's SingleSignOnService endpoint where Okta sends an <AuthnRequest> message

object (SamlRelayState)

Relay state settings for IdP

format
string (SamlRelayStateFormat)

The format used to generate the relayState in the SAML request. The FROM_URL format is used if this value is null.

Enum: "FROM_URL" "OPAQUE"
object (SamlSettings)

Advanced settings for the SAML 2.0 protocol

honorPersistentNameId
boolean
Default: true

Determines if the IdP should persist account linking when the incoming assertion NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

nameFormat
string (SamlNameIdFormat)
Default: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

SAML 2.0 Name Identifier formats

Enum: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
type
string

SAML 2.0 protocol

Value: "SAML2"
status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
type
string (IdentityProviderType)

The Identity Provider object's type property identifies the social or enterprise Identity Provider used for authentication. Each Identity Provider uses a specific protocol, therefore the protocol property must correspond with the IdP type. If the protocol is OAuth 2.0-based, the Protocol object's scopes property must also correspond with the scopes supported by the IdP type. For policy actions supported by each IdP type, see IdP type policy actions.

Type Description Corresponding protocol Corresponding protocol scopes
AMAZON Amazon as the Identity Provider OpenID Connect profile, profile:user_id
APPLE Apple as the Identity Provider OpenID Connect names, email, openid
DISCORD Discord as the Identity Provider OAuth 2.0 identify, email
FACEBOOK Facebook as the Identity Provider OAuth 2.0 public_profile, email
GITHUB GitHub as the Identity Provider OAuth 2.0 user
GITLAB GitLab as the Identity Provider OpenID Connect openid, read_user, profile, email
GOOGLE Google as the Identity Provider OpenID Connect openid, email, profile
LINKEDIN LinkedIn as the Identity Provider OAuth 2.0 r_emailaddress, r_liteprofile
LOGINGOV Login.gov as the Identity Provider OpenID Connect email, profile, profile:name
LOGINGOV_SANDBOX Login.gov's identity sandbox as the Identity Provider OpenID Connect email, profile, profile:name
MICROSOFT Microsoft Enterprise SSO as the Identity Provider OpenID Connect openid, email, profile, https://graph.microsoft.com/User.Read
OIDC IdP provider that supports OpenID Connect OpenID Connect openid, email, profile
PAYPAL Paypal as the Identity Provider OpenID Connect openid, email, profile
PAYPAL_SANDBOX Paypal Sandbox as the Identity Provider OpenID Connect openid, email, profile
SALESFORCE SalesForce as the Identity Provider OAuth 2.0 id, email, profile
SAML2 Enterprise IdP provider that supports the SAML 2.0 Web Browser SSO Profile SAML 2.0
SPOTIFY Spotify as the Identity Provider OpenID Connect user-read-email, user-read-private
X509 Smart Card IdP Mutual TLS
XERO Xero as the Identity Provider OpenID Connect openid, profile, email
YAHOO Yahoo as the Identity Provider OpenID Connect openid, profile, email
YAHOOJP Yahoo Japan as the Identity Provider OpenID Connect openid, profile, email
Enum: "AMAZON" "APPLE" "DISCORD" "FACEBOOK" "GITHUB" "GITLAB" "GOOGLE" "LINKEDIN" "LOGINGOV" "LOGINGOV_SANDBOX" "MICROSOFT" "OIDC" "PAYPAL" "PAYPAL_SANDBOX" "SALESFORCE" "SAML2" "SPOTIFY" "X509" "XERO" "YAHOO" "YAHOOJP"
Responses
200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/idps
Request samples
application/json
{
  • "type": "OIDC",
  • "name": "Example OpenID Connect IdP",
  • "protocol": {},
  • "policy": {
    • "accountLink": {
      },
    • "provisioning": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 120000,
    • "subject": {
      }
    }
}
Response samples
application/json
{}

Retrieve an Identity Provider
OAuth 2.0: okta.idps.read

Retrieves an identity provider integration by idpId

Request
path Parameters
idpId
required
string

id of IdP

Example: 0oa62bfdjnK55Z5x80h7
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/idps/{idpId}
Request samples
Response samples
application/json
{}

Replace an identity provider
OAuth 2.0: okta.idps.manage

Replaces an identity provider integration by idpId

Request
path Parameters
idpId
required
string

id of IdP

Example: 0oa62bfdjnK55Z5x80h7
Request Body schema: application/json
required

Updated configuration for the IdP

issuerMode
string (IdentityProviderIssuerMode)
Default: "DYNAMIC"

Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP

Enum: Description
ORG_URL

In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (https://${yourOktaDomain}) as the domain in the redirect_uri.

CUSTOM_URL

In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri. You can set issuerMode to CUSTOM_URL only if you have a custom URL domain configured.

DYNAMIC

In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain.

name
string <= 100 characters

Unique name for the IdP

object (IdentityProviderPolicy)

Policy settings for the IdP. The following provisioning and account linking actions are supported by each IdP provider:

IdP type User provisioning actions Group provisioning actions Account link actions Account link filters
SAML2 AUTO or DISABLED NONE, ASSIGN, APPEND, or SYNC AUTO, DISABLED groups, users
X509 DISABLED No support for JIT provisioning
All social IdP types (any IdP type that isn't SAML2 or X509) AUTO, DISABLED NONE or ASSIGN AUTO, DISABLED groups, users
object (PolicyAccountLink)

Specifies the behavior for linking an IdP User to an existing Okta User

action
string (PolicyAccountLinkAction)

Specifies the account linking action for an IdP User

Enum: Description
AUTO

The IdP User is automatically linked to an Okta User when the transformed IdP User matches an existing Okta User according to subject match rules.

DISABLED

Okta never attempts to link the IdP User to an existing Okta User, but may still attempt to provision a new Okta User according to the provisioning action type.

object (PolicyAccountLinkFilter)

Specifies filters on which users are available for account linking by an IdP

maxClockSkew
integer

Maximum allowable clock skew when processing messages from the IdP

object (Provisioning)

Specifies the behavior for just-in-time (JIT) provisioning of an IdP User as a new Okta User and their Group memberships

action
string (ProvisioningAction)

Specifies the User provisioning action during authentication when an IdP User isn't linked to an existing Okta User.

  • To successfully provision a new Okta User, you must enable just-in-time (JIT) provisioning in your org security settings.
  • If the target username isn't unique or the resulting Okta User profile is missing a required profile attribute, JIT provisioning may fail.
  • New Okta Users are provisioned with either a FEDERATION or SOCIAL authentication provider depending on the IdP type.
Enum: Description
AUTO

The IdP User profile is transformed through defined universal directory profile mappings to an Okta User profile and automatically provisioned as an Okta User.

DISABLED

Okta rejects the authentication request and skips provisioning of a new Okta User if the IdP User isn't linked to an existing Okta User.

object (ProvisioningConditions)

Conditional behaviors for an IdP User during authentication

object (ProvisioningGroups)

Provisioning settings for a User's Group memberships

profileMaster
boolean

Determines if the IdP should act as a source of truth for User profile attributes

object (PolicySubject)

Specifies the behavior for establishing, validating, and matching a username for an IdP User

filter
string <= 1024 characters

Optional regular expression pattern used to filter untrusted IdP usernames.

  • As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any User, including partners or directory Users in your Okta org.
  • For example, the filter pattern (\S+@example\.com) allows only Users that have an @example.com username suffix. It rejects assertions that have any other suffix such as @corp.example.com or @partner.com.
  • Only SAML2 and OIDC IdP providers support the filter property.
matchAttribute
string

Okta User profile attribute for matching a transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE. The matchAttribute must be a valid Okta User profile attribute of one of the following types:

  • String (with no format or 'email' format only)
  • Integer
  • Number
matchType
string (PolicySubjectMatchType)

Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username

Enum: "CUSTOM_ATTRIBUTE" "EMAIL" "USERNAME" "USERNAME_OR_EMAIL"
object (PolicyUserNameTemplate)

Okta Expression Language (EL) expression to generate or transform a unique username for the IdP User.

  • IdP User profile attributes can be referenced with the idpuser prefix such as idpuser.subjectNameId.
  • You must define an IdP User profile attribute before it can be referenced in an Okta EL expression. To define an IdP User attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP User profile to update the IdP instance with an expression that references the IdP User profile attribute that you just created.
object or null (IdentityProviderProperties)

The properties in the Identity Provider Properties object vary depending on the IdP type

aalValue
string or null

The authentication assurance level (AAL) value for the Login.gov IdP. See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.

additionalAmr
Array of strings or null

The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to X509 IdP type.

Enum: Description
sc

Smart card

hwk

Hardware-secured key

pin

Personal identification number

mfa

Multifactor authentication

ialValue
string or null

The type of identity verification (IAL) value for the Login.gov IdP. See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.

SAML 2.0 Protocol (object) or OAuth 2.0 Protocol (object) or OpenID Connect Protocol (object) or Mutual TLS Protocol (object)

IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages

One of:

Protocol settings for the SAML 2.0 Authentication Request Protocol

object (SamlAlgorithms)

Settings for signing and verifying SAML messages

object (SamlRequestAlgorithm)

Algorithm settings used to secure an <AuthnRequest> message

object (SamlResponseAlgorithm)

Algorithm settings for verifying <SAMLResponse> messages and <Assertion> elements from the IdP

object (SamlCredentials)

Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP

object (SamlSigningCredentials)

Key used for signing requests to the IdP

object (SamlTrustCredentials)

Federation Trust Credentials for verifying assertions from the IdP

object (SamlEndpoints)

SAML 2.0 HTTP binding settings for IdP and SP (Okta)

object (SamlAcsEndpoint)

Okta's SPSSODescriptor endpoint where the IdP sends a <SAMLResponse> message

object (SamlSsoEndpoint)

IdP's SingleSignOnService endpoint where Okta sends an <AuthnRequest> message

object (SamlRelayState)

Relay state settings for IdP

format
string (SamlRelayStateFormat)

The format used to generate the relayState in the SAML request. The FROM_URL format is used if this value is null.

Enum: "FROM_URL" "OPAQUE"
object (SamlSettings)

Advanced settings for the SAML 2.0 protocol

honorPersistentNameId
boolean
Default: true

Determines if the IdP should persist account linking when the incoming assertion NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

nameFormat
string (SamlNameIdFormat)
Default: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

SAML 2.0 Name Identifier formats

Enum: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
type
string

SAML 2.0 protocol

Value: "SAML2"
status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
type
string (IdentityProviderType)

The Identity Provider object's type property identifies the social or enterprise Identity Provider used for authentication. Each Identity Provider uses a specific protocol, therefore the protocol property must correspond with the IdP type. If the protocol is OAuth 2.0-based, the Protocol object's scopes property must also correspond with the scopes supported by the IdP type. For policy actions supported by each IdP type, see IdP type policy actions.

Type Description Corresponding protocol Corresponding protocol scopes
AMAZON Amazon as the Identity Provider OpenID Connect profile, profile:user_id
APPLE Apple as the Identity Provider OpenID Connect names, email, openid
DISCORD Discord as the Identity Provider OAuth 2.0 identify, email
FACEBOOK Facebook as the Identity Provider OAuth 2.0 public_profile, email
GITHUB GitHub as the Identity Provider OAuth 2.0 user
GITLAB GitLab as the Identity Provider OpenID Connect openid, read_user, profile, email
GOOGLE Google as the Identity Provider OpenID Connect openid, email, profile
LINKEDIN LinkedIn as the Identity Provider OAuth 2.0 r_emailaddress, r_liteprofile
LOGINGOV Login.gov as the Identity Provider OpenID Connect email, profile, profile:name
LOGINGOV_SANDBOX Login.gov's identity sandbox as the Identity Provider OpenID Connect email, profile, profile:name
MICROSOFT Microsoft Enterprise SSO as the Identity Provider OpenID Connect openid, email, profile, https://graph.microsoft.com/User.Read
OIDC IdP provider that supports OpenID Connect OpenID Connect openid, email, profile
PAYPAL Paypal as the Identity Provider OpenID Connect openid, email, profile
PAYPAL_SANDBOX Paypal Sandbox as the Identity Provider OpenID Connect openid, email, profile
SALESFORCE SalesForce as the Identity Provider OAuth 2.0 id, email, profile
SAML2 Enterprise IdP provider that supports the SAML 2.0 Web Browser SSO Profile SAML 2.0
SPOTIFY Spotify as the Identity Provider OpenID Connect user-read-email, user-read-private
X509 Smart Card IdP Mutual TLS
XERO Xero as the Identity Provider OpenID Connect openid, profile, email
YAHOO Yahoo as the Identity Provider OpenID Connect openid, profile, email
YAHOOJP Yahoo Japan as the Identity Provider OpenID Connect openid, profile, email
Enum: "AMAZON" "APPLE" "DISCORD" "FACEBOOK" "GITHUB" "GITLAB" "GOOGLE" "LINKEDIN" "LOGINGOV" "LOGINGOV_SANDBOX" "MICROSOFT" "OIDC" "PAYPAL" "PAYPAL_SANDBOX" "SALESFORCE" "SAML2" "SPOTIFY" "X509" "XERO" "YAHOO" "YAHOOJP"
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/idps/{idpId}
Request samples
application/json
{}
Response samples
application/json
{}

Delete an identity provider
OAuth 2.0: okta.idps.manage

Deletes an identity provider integration by idpId

  • All existing IdP users are unlinked with the highest order profile source taking precedence for each IdP user.
  • Unlinked users keep their existing authentication provider such as FEDERATION or SOCIAL.
Request
path Parameters
idpId
required
string

id of IdP

Example: 0oa62bfdjnK55Z5x80h7
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/idps/{idpId}
Request samples
Response samples
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}

Activate an identity provider
OAuth 2.0: okta.idps.manage

Activates an inactive IdP

Request
path Parameters
idpId
required
string

id of IdP

Example: 0oa62bfdjnK55Z5x80h7
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/idps/{idpId}/lifecycle/activate
Request samples
Response samples
application/json
{
  • "id": "0oa62bfdiumsUndnZ0h7",
  • "type": "GOOGLE",
  • "name": "Google",
  • "status": "ACTIVE",
  • "created": "2016-03-24T23:21:49.000Z",
  • "lastUpdated": "2016-03-25T19:14:23.000Z",
  • "protocol": {},
  • "policy": {
    • "provisioning": {
      },
    • "accountLink": {
      },
    • "subject": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0
    },
  • "_links": {
    • "authorize": {
      },
    • "clientRedirectUri": {}
    }
}

Deactivate an identity provider
OAuth 2.0: okta.idps.manage

Deactivates an active IdP

Request
path Parameters
idpId
required
string

id of IdP

Example: 0oa62bfdjnK55Z5x80h7
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/idps/{idpId}/lifecycle/deactivate
Request samples
Response samples
application/json
{
  • "id": "0oa62bfdiumsUndnZ0h7",
  • "type": "GOOGLE",
  • "name": "Google",
  • "status": "INACTIVE",
  • "created": "2016-03-24T23:21:49.000Z",
  • "lastUpdated": "2016-03-25T19:16:53.000Z",
  • "protocol": {},
  • "policy": {
    • "provisioning": {
      },
    • "accountLink": {
      },
    • "subject": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0
    },
  • "_links": {
    • "authorize": {
      },
    • "clientRedirectUri": {}
    }
}