Identity Providers

The Identity Providers API provides operations to manage federations with external identity providers (IdPs). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (OIDC) protocol.

List all IdPs
OAuth 2.0:
  • okta.idps.read

Lists all identity provider (IdP) integrations with pagination. A subset of IdPs can be returned that match a supported filter expression or query.

Request
query Parameters
q
string

Searches the name property of IdPs for matching value

Example: q=Example SAML
after
string

The cursor used for pagination. It represents the last privileged resource ID returned in the previous fetch operation.

Example: after=oprbuthToCeLWOBwh0g4
limit
integer <int32> <= 1000
Default: 200

Specifies the batch size of the results to be returned

type
string (IdentityProviderType)

Filters IdPs by type

Enum: "AMAZON" "APPLE" "DISCORD" "FACEBOOK" "GITHUB" "GITLAB" "GOOGLE" "IDV_CLEAR" "IDV_INCODE" "IDV_PERSONA" "LINKEDIN" "LOGINGOV" "LOGINGOV_SANDBOX" "MICROSOFT" "OIDC" "PAYPAL" "PAYPAL_SANDBOX" "SALESFORCE" "SAML2" "SPOTIFY" "X509" "XERO" "YAHOO" "YAHOOJP"
Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/idps
Request samples 
Response samples 
application/json
[]
Create an IdP
OAuth 2.0: 
  • okta.idps.manage
Creates a new identity provider (IdP) integration.


SAML 2.0 IdP


You must first add the IdP's signature certificate to the IdP key store before you can add a SAML 2.0 IdP with a kid credential reference. 


Don't use fromURI to automatically redirect a user to a particular app after successfully authenticating with a third-party IdP. Instead, use SAML deep links. Using fromURI isn't tested or supported. For more information about using deep links when signing users in using an SP-initiated flow, see Understanding SP-Initiated Login flow.


Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL:


    

  • SP ACS URL
    
For example: https://${yourOktaDomain}/sso/saml2/:idpId
    • 

  • The app to which the user is automatically redirected after successfully authenticating with the IdP 
    
For example: /app/:app-location/:appId/sso/saml
    • 

  • Optionally, if the app is an outbound SAML app, you can specify the relayState passed to it.
    
For example: ?RelayState=:anyUrlEncodedValue
    • 



The deep link for the above three parts is:

https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue


Smart Card X509 IdP


You must first add the IdP's server certificate to the IdP key store before you can add a Smart Card X509 IdP with a kid credential reference.
You need to upload the whole trust chain as a single key using the Key Store API.
Depending on the information stored in the smart card, select the proper template idpuser.subjectAltNameEmail or idpuser.subjectAltNameUpn.


Identity verification vendors as identity providers


Identity verification vendors (IDVs) work like IdPs, with a few key differences. IDVs verify your user's identities by requiring them to submit a proof of identity. There are many ways to verify user identities. For example, a proof of identity can be a selfie to determine liveliness or it can be requiring users to submit a photo of their driver's license and matching that information with a database.


There are three IDVs that you can configure as IdPs in your org by creating an account with the vendor, and then creating an IdP integration. Control how the IDVs verify your users by using Okta account management policy rules.



Request 
Request Body schema: application/json
required
IdP settings


issuerMode
string (IdentityProviderIssuerMode) 
 Default:  "DYNAMIC"
Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP


 Enum: Description
ORG_URL
In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (https://${yourOktaDomain}) as the domain in the redirect_uri.


CUSTOM_URL
In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri. You can set issuerMode to CUSTOM_URL only if you have a custom URL domain configured.


DYNAMIC
In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain.


 
name
string  <= 100 characters 
Unique name for the IdP


 
object (IdentityProviderPolicy) 
Policy settings for the IdP.
The following provisioning and account linking actions are supported by each IdP provider:






IdP type
User provisioning actions
Group provisioning actions
Account link actions
Account link filters





SAML2
AUTO or DISABLED
NONE, ASSIGN, APPEND, or SYNC
AUTO, DISABLED
groups, users




X509, IDV_PERSONA, IDV_INCODE, and IDV_CLEAR
DISABLED
No support for JIT provisioning






All other IdP types
AUTO, DISABLED
NONE or ASSIGN
AUTO, DISABLED
groups, users





 
object (PolicyAccountLink) 
Specifies the behavior for linking an IdP user to an existing Okta user


 
action
string (PolicyAccountLinkAction) 
Specifies the account linking action for an IdP user


 Enum: Description
AUTO
The IdP user is automatically linked to an Okta user when the transformed IdP user matches an existing Okta user according to subject match rules.


DISABLED
Okta never attempts to link the IdP user to an existing Okta user, but may still attempt to provision a new Okta user according to the provisioning action type.


 
object (PolicyAccountLinkFilter) 
Specifies filters on which users are available for account linking by an IdP


 
maxClockSkew
integer
Maximum allowable clock skew when processing messages from the IdP


 
object (Provisioning) 
Specifies the behavior for just-in-time (JIT) provisioning of an IdP user as a new Okta user and their group memberships


 
action
string (ProvisioningAction) 
Specifies the user provisioning action during authentication when an IdP user isn't linked to an existing Okta user.


    

  • To successfully provision a new Okta user, you must enable just-in-time (JIT) provisioning in your org security settings.
    • 

  • If the target username isn't unique or the resulting Okta user profile is missing a required profile attribute, JIT provisioning may fail.
    • 

  • New Okta users are provisioned with either a FEDERATION or SOCIAL authentication provider depending on the IdP type.
    • 



 Enum: Description
AUTO
The IdP user profile is transformed through defined universal directory profile mappings to an Okta user profile and automatically provisioned as an Okta user.


DISABLED
Okta rejects the authentication request and skips provisioning of a new Okta user if the IdP user isn't linked to an existing Okta user.


 
object (ProvisioningConditions) 
Conditional behaviors for an IdP user during authentication


 
object (ProvisioningGroups) 
Provisioning settings for a user's group memberships


 
profileMaster
boolean
Determines if the IdP should act as a source of truth for user profile attributes


 
object (PolicySubject) 
Specifies the behavior for establishing, validating, and matching a username for an IdP user


 
filter
string  <= 1024 characters 
Optional regular expression pattern used to filter untrusted IdP usernames.


    

  • As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any user, including partners or directory users in your Okta org.
    • 

  • For example, the filter pattern (\S+@example\.com) allows only Users that have an @example.com username suffix. It rejects assertions that have any other suffix such as @corp.example.com or @partner.com.
    • 

  • Only SAML2 and OIDC IdP providers support the filter property.
    • 



 
matchAttribute
string
Okta user profile attribute for matching a transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
The matchAttribute must be a valid Okta user profile attribute of one of the following types:


    

  • String (with no format or 'email' format only)
    • 

  • Integer
    • 

  • Number
    • 



 
matchType
string (PolicySubjectMatchType) 
Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username


 Enum: "CUSTOM_ATTRIBUTE" "EMAIL" "USERNAME" "USERNAME_OR_EMAIL"  
object (PolicyUserNameTemplate) 
Okta Expression Language (EL) expression to generate or transform a unique username for the IdP user.


    

  • IdP user profile attributes can be referenced with the idpuser prefix such as idpuser.subjectNameId.
    • 

  • You must define an IdP user profile attribute before it can be referenced in an Okta EL expression. To define an IdP user attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP user profile to update the IdP instance with an expression that references the IdP user profile attribute that you just created.
    • 



 
object or null (IdentityProviderProperties) 
The properties in the IdP properties object vary depending on the IdP type


 
inquiryTemplateId
required
string
The ID of the inquiry template from your Persona dashboard. The inquiry template always starts with itmpl. Applies to the IDV_PERSONA IdP type.


 
aalValue
string or null
The authentication assurance level (AAL) value for the Login.gov IdP. 
See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.


 
additionalAmr
Array of strings or null
The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to X509 IdP type.


 Enum: Description
sc
Smart card


hwk
Hardware-secured key


pin
Personal identification number


mfa
Multifactor authentication


 
ialValue
string or null
The type of identity verification (IAL) value for the Login.gov IdP. 
See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.


 
SAML 2.0 Protocol (object) or OAuth 2.0 Protocol (object) or OpenID Connect Protocol (object) or Mutual TLS Protocol (object) or ID Verification (object)
IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages


 
One of:
Protocol settings for the SAML 2.0 Authentication Request Protocol


object (SamlAlgorithms) 
Settings for signing and verifying SAML messages


 
object (SamlRequestAlgorithm) 
Algorithm settings used to secure an <AuthnRequest> message


 
object (SamlResponseAlgorithm) 
Algorithm settings for verifying <SAMLResponse> messages and <Assertion> elements from the IdP


 
object (SamlCredentials) 
Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP


 
object (SamlSigningCredentials) 
Key used for signing requests to the IdP


 
object (SamlTrustCredentials) 
Federation Trust Credentials for verifying assertions from the IdP


 
object (SamlEndpoints) 
SAML 2.0 HTTP binding settings for IdP and SP (Okta)


 
object (SamlAcsEndpoint) 
Okta's SPSSODescriptor endpoint where the IdP sends a <SAMLResponse> message


 
object (SamlSsoEndpoint) 
IdP's SingleSignOnService endpoint where Okta sends an <AuthnRequest> message


 
object (SamlRelayState) 
Relay state settings for IdP


 
format
string (SamlRelayStateFormat) 
The format used to generate the relayState in the SAML request. The FROM_URL format is used if this value is null.


 Enum: "FROM_URL" "OPAQUE"  
object (SamlSettings) 
Advanced settings for the SAML 2.0 protocol


 
honorPersistentNameId
boolean
 Default:  true
Determines if the IdP should persist account linking when the incoming assertion NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent


 
nameFormat
string (SamlNameIdFormat) 
 Default:  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SAML 2.0 Name Identifier formats


 Enum: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"  
type
string
SAML 2.0 protocol


 Value: "SAML2"  
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
type
string (IdentityProviderType) 
The IdP object's type property identifies the social or enterprise IdP used for authentication. 
Each IdP uses a specific protocol, therefore the protocol object must correspond with the IdP type. 
If the protocol is OAuth 2.0-based, the protocol object's scopes property must also correspond with the scopes supported by the IdP type. 
For policy actions supported by each IdP type, see IdP type policy actions.






Type
Description
Corresponding protocol
Corresponding protocol scopes





AMAZON
Amazon as the IdP
OpenID Connect
profile, profile:user_id




APPLE
Apple as the IdP
OpenID Connect
names, email, openid




DISCORD
Discord as the IdP
OAuth 2.0
identify, email




FACEBOOK
Facebook as the IdP
OAuth 2.0
public_profile, email




GITHUB
GitHub as the IdP
OAuth 2.0
user




GITLAB
GitLab as the IdP
OpenID Connect
openid, read_user, profile, email




GOOGLE
Google as the IdP
OpenID Connect
openid, email, profile




IDV_PERSONA
Persona as the IDV IdP
ID verification





IDV_CLEAR
CLEAR Verified as the IDV IdP
ID verification
openid, profile, identity_assurance




IDV_INCODE
Incode as the IDV IdP
ID verification
openid, profile, identity_assurance




LINKEDIN
LinkedIn as the IdP
OAuth 2.0
r_emailaddress, r_liteprofile




LOGINGOV
Login.gov as the IdP
OpenID Connect
email, profile, profile:name




LOGINGOV_SANDBOX
Login.gov's identity sandbox as the IdP
OpenID Connect
email, profile, profile:name




MICROSOFT
Microsoft Enterprise SSO as the IdP
OpenID Connect
openid, email, profile, https://graph.microsoft.com/User.Read




OIDC
IdP that supports OpenID Connect
OpenID Connect
openid, email, profile




PAYPAL
Paypal as the IdP
OpenID Connect
openid, email, profile




PAYPAL_SANDBOX
Paypal Sandbox as the IdP
OpenID Connect
openid, email, profile




SALESFORCE
SalesForce as the IdP
OAuth 2.0
id, email, profile




SAML2
Enterprise IdP that supports the SAML 2.0 Web Browser SSO Profile
SAML 2.0





SPOTIFY
Spotify as the IdP
OpenID Connect
user-read-email, user-read-private




X509
Smart Card IdP
Mutual TLS





XERO
Xero as the IdP
OpenID Connect
openid, profile, email




YAHOO
Yahoo as the IdP
OpenID Connect
openid, profile, email




YAHOOJP
Yahoo Japan as the IdP
OpenID Connect
openid, profile, email





 Enum: "AMAZON" "APPLE" "DISCORD" "FACEBOOK" "GITHUB" "GITLAB" "GOOGLE" "IDV_CLEAR" "IDV_INCODE" "IDV_PERSONA" "LINKEDIN" "LOGINGOV" "LOGINGOV_SANDBOX" "MICROSOFT" "OIDC" "PAYPAL" "PAYPAL_SANDBOX" "SALESFORCE" "SAML2" "SPOTIFY" "X509" "XERO" "YAHOO" "YAHOOJP"  
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/idps
Request samples 
application/json
{
  • "type": "OIDC",
  • "name": "Example OpenID Connect IdP",
  • "protocol": {},
  • "policy": {
    • "accountLink": {
      },
    • "provisioning": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 120000,
    • "subject": {
      }
    }
}
Response samples 
application/json
{}
Retrieve an IdP
OAuth 2.0: 
  • okta.idps.read
Retrieves an identity provider (IdP) integration by idpId


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  0oa62bfdjnK55Z5x80h7
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/idps/{idpId}
Request samples 
Response samples 
application/json
{}
Replace an IdP
OAuth 2.0: 
  • okta.idps.manage
Replaces an identity provider (IdP) integration by idpId


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  0oa62bfdjnK55Z5x80h7
Request Body schema: application/json
required
Updated configuration for the IdP


issuerMode
string (IdentityProviderIssuerMode) 
 Default:  "DYNAMIC"
Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP


 Enum: Description
ORG_URL
In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (https://${yourOktaDomain}) as the domain in the redirect_uri.


CUSTOM_URL
In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri. You can set issuerMode to CUSTOM_URL only if you have a custom URL domain configured.


DYNAMIC
In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the redirect_uri if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain.


 
name
string  <= 100 characters 
Unique name for the IdP


 
object (IdentityProviderPolicy) 
Policy settings for the IdP.
The following provisioning and account linking actions are supported by each IdP provider:






IdP type
User provisioning actions
Group provisioning actions
Account link actions
Account link filters





SAML2
AUTO or DISABLED
NONE, ASSIGN, APPEND, or SYNC
AUTO, DISABLED
groups, users




X509, IDV_PERSONA, IDV_INCODE, and IDV_CLEAR
DISABLED
No support for JIT provisioning






All other IdP types
AUTO, DISABLED
NONE or ASSIGN
AUTO, DISABLED
groups, users





 
object (PolicyAccountLink) 
Specifies the behavior for linking an IdP user to an existing Okta user


 
action
string (PolicyAccountLinkAction) 
Specifies the account linking action for an IdP user


 Enum: Description
AUTO
The IdP user is automatically linked to an Okta user when the transformed IdP user matches an existing Okta user according to subject match rules.


DISABLED
Okta never attempts to link the IdP user to an existing Okta user, but may still attempt to provision a new Okta user according to the provisioning action type.


 
object (PolicyAccountLinkFilter) 
Specifies filters on which users are available for account linking by an IdP


 
maxClockSkew
integer
Maximum allowable clock skew when processing messages from the IdP


 
object (Provisioning) 
Specifies the behavior for just-in-time (JIT) provisioning of an IdP user as a new Okta user and their group memberships


 
action
string (ProvisioningAction) 
Specifies the user provisioning action during authentication when an IdP user isn't linked to an existing Okta user.


    

  • To successfully provision a new Okta user, you must enable just-in-time (JIT) provisioning in your org security settings.
    • 

  • If the target username isn't unique or the resulting Okta user profile is missing a required profile attribute, JIT provisioning may fail.
    • 

  • New Okta users are provisioned with either a FEDERATION or SOCIAL authentication provider depending on the IdP type.
    • 



 Enum: Description
AUTO
The IdP user profile is transformed through defined universal directory profile mappings to an Okta user profile and automatically provisioned as an Okta user.


DISABLED
Okta rejects the authentication request and skips provisioning of a new Okta user if the IdP user isn't linked to an existing Okta user.


 
object (ProvisioningConditions) 
Conditional behaviors for an IdP user during authentication


 
object (ProvisioningGroups) 
Provisioning settings for a user's group memberships


 
profileMaster
boolean
Determines if the IdP should act as a source of truth for user profile attributes


 
object (PolicySubject) 
Specifies the behavior for establishing, validating, and matching a username for an IdP user


 
filter
string  <= 1024 characters 
Optional regular expression pattern used to filter untrusted IdP usernames.


    

  • As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any user, including partners or directory users in your Okta org.
    • 

  • For example, the filter pattern (\S+@example\.com) allows only Users that have an @example.com username suffix. It rejects assertions that have any other suffix such as @corp.example.com or @partner.com.
    • 

  • Only SAML2 and OIDC IdP providers support the filter property.
    • 



 
matchAttribute
string
Okta user profile attribute for matching a transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
The matchAttribute must be a valid Okta user profile attribute of one of the following types:


    

  • String (with no format or 'email' format only)
    • 

  • Integer
    • 

  • Number
    • 



 
matchType
string (PolicySubjectMatchType) 
Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username


 Enum: "CUSTOM_ATTRIBUTE" "EMAIL" "USERNAME" "USERNAME_OR_EMAIL"  
object (PolicyUserNameTemplate) 
Okta Expression Language (EL) expression to generate or transform a unique username for the IdP user.


    

  • IdP user profile attributes can be referenced with the idpuser prefix such as idpuser.subjectNameId.
    • 

  • You must define an IdP user profile attribute before it can be referenced in an Okta EL expression. To define an IdP user attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP user profile to update the IdP instance with an expression that references the IdP user profile attribute that you just created.
    • 



 
object or null (IdentityProviderProperties) 
The properties in the IdP properties object vary depending on the IdP type


 
inquiryTemplateId
required
string
The ID of the inquiry template from your Persona dashboard. The inquiry template always starts with itmpl. Applies to the IDV_PERSONA IdP type.


 
aalValue
string or null
The authentication assurance level (AAL) value for the Login.gov IdP. 
See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.


 
additionalAmr
Array of strings or null
The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to X509 IdP type.


 Enum: Description
sc
Smart card


hwk
Hardware-secured key


pin
Personal identification number


mfa
Multifactor authentication


 
ialValue
string or null
The type of identity verification (IAL) value for the Login.gov IdP. 
See Add a Login.gov IdP. Applies to LOGINGOV and LOGINGOV_SANDBOX IdP types.


 
SAML 2.0 Protocol (object) or OAuth 2.0 Protocol (object) or OpenID Connect Protocol (object) or Mutual TLS Protocol (object) or ID Verification (object)
IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages


 
One of:
Protocol settings for the SAML 2.0 Authentication Request Protocol


object (SamlAlgorithms) 
Settings for signing and verifying SAML messages


 
object (SamlRequestAlgorithm) 
Algorithm settings used to secure an <AuthnRequest> message


 
object (SamlResponseAlgorithm) 
Algorithm settings for verifying <SAMLResponse> messages and <Assertion> elements from the IdP


 
object (SamlCredentials) 
Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP


 
object (SamlSigningCredentials) 
Key used for signing requests to the IdP


 
object (SamlTrustCredentials) 
Federation Trust Credentials for verifying assertions from the IdP


 
object (SamlEndpoints) 
SAML 2.0 HTTP binding settings for IdP and SP (Okta)


 
object (SamlAcsEndpoint) 
Okta's SPSSODescriptor endpoint where the IdP sends a <SAMLResponse> message


 
object (SamlSsoEndpoint) 
IdP's SingleSignOnService endpoint where Okta sends an <AuthnRequest> message


 
object (SamlRelayState) 
Relay state settings for IdP


 
format
string (SamlRelayStateFormat) 
The format used to generate the relayState in the SAML request. The FROM_URL format is used if this value is null.


 Enum: "FROM_URL" "OPAQUE"  
object (SamlSettings) 
Advanced settings for the SAML 2.0 protocol


 
honorPersistentNameId
boolean
 Default:  true
Determines if the IdP should persist account linking when the incoming assertion NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent


 
nameFormat
string (SamlNameIdFormat) 
 Default:  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SAML 2.0 Name Identifier formats


 Enum: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"  
type
string
SAML 2.0 protocol


 Value: "SAML2"  
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
type
string (IdentityProviderType) 
The IdP object's type property identifies the social or enterprise IdP used for authentication. 
Each IdP uses a specific protocol, therefore the protocol object must correspond with the IdP type. 
If the protocol is OAuth 2.0-based, the protocol object's scopes property must also correspond with the scopes supported by the IdP type. 
For policy actions supported by each IdP type, see IdP type policy actions.






Type
Description
Corresponding protocol
Corresponding protocol scopes





AMAZON
Amazon as the IdP
OpenID Connect
profile, profile:user_id




APPLE
Apple as the IdP
OpenID Connect
names, email, openid




DISCORD
Discord as the IdP
OAuth 2.0
identify, email




FACEBOOK
Facebook as the IdP
OAuth 2.0
public_profile, email




GITHUB
GitHub as the IdP
OAuth 2.0
user




GITLAB
GitLab as the IdP
OpenID Connect
openid, read_user, profile, email




GOOGLE
Google as the IdP
OpenID Connect
openid, email, profile




IDV_PERSONA
Persona as the IDV IdP
ID verification





IDV_CLEAR
CLEAR Verified as the IDV IdP
ID verification
openid, profile, identity_assurance




IDV_INCODE
Incode as the IDV IdP
ID verification
openid, profile, identity_assurance




LINKEDIN
LinkedIn as the IdP
OAuth 2.0
r_emailaddress, r_liteprofile




LOGINGOV
Login.gov as the IdP
OpenID Connect
email, profile, profile:name




LOGINGOV_SANDBOX
Login.gov's identity sandbox as the IdP
OpenID Connect
email, profile, profile:name




MICROSOFT
Microsoft Enterprise SSO as the IdP
OpenID Connect
openid, email, profile, https://graph.microsoft.com/User.Read




OIDC
IdP that supports OpenID Connect
OpenID Connect
openid, email, profile




PAYPAL
Paypal as the IdP
OpenID Connect
openid, email, profile




PAYPAL_SANDBOX
Paypal Sandbox as the IdP
OpenID Connect
openid, email, profile




SALESFORCE
SalesForce as the IdP
OAuth 2.0
id, email, profile




SAML2
Enterprise IdP that supports the SAML 2.0 Web Browser SSO Profile
SAML 2.0





SPOTIFY
Spotify as the IdP
OpenID Connect
user-read-email, user-read-private




X509
Smart Card IdP
Mutual TLS





XERO
Xero as the IdP
OpenID Connect
openid, profile, email




YAHOO
Yahoo as the IdP
OpenID Connect
openid, profile, email




YAHOOJP
Yahoo Japan as the IdP
OpenID Connect
openid, profile, email





 Enum: "AMAZON" "APPLE" "DISCORD" "FACEBOOK" "GITHUB" "GITLAB" "GOOGLE" "IDV_CLEAR" "IDV_INCODE" "IDV_PERSONA" "LINKEDIN" "LOGINGOV" "LOGINGOV_SANDBOX" "MICROSOFT" "OIDC" "PAYPAL" "PAYPAL_SANDBOX" "SALESFORCE" "SAML2" "SPOTIFY" "X509" "XERO" "YAHOO" "YAHOOJP"  
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/idps/{idpId}
Request samples 
application/json
{}
Response samples 
application/json
{}
Delete an IdP
OAuth 2.0: 
  • okta.idps.manage
Deletes an identity provider (IdP) integration by idpId


    

  • All existing IdP users are unlinked with the highest order profile source taking precedence for each IdP user.
    • 

  • Unlinked users keep their existing authentication provider such as FEDERATION or SOCIAL.
    • 



Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  0oa62bfdjnK55Z5x80h7
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/idps/{idpId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Activate an IdP
OAuth 2.0: 
  • okta.idps.manage
Activates an inactive identity provider (IdP)


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  0oa62bfdjnK55Z5x80h7
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/idps/{idpId}/lifecycle/activate
Request samples 
Response samples 
application/json
{
  • "id": "0oa62bfdiumsUndnZ0h7",
  • "type": "GOOGLE",
  • "name": "Google",
  • "status": "ACTIVE",
  • "created": "2016-03-24T23:21:49.000Z",
  • "lastUpdated": "2016-03-25T19:14:23.000Z",
  • "protocol": {},
  • "policy": {
    • "provisioning": {
      },
    • "accountLink": {
      },
    • "subject": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0
    },
  • "_links": {
    • "authorize": {
      },
    • "clientRedirectUri": {}
    }
}
Deactivate an IdP
OAuth 2.0: 
  • okta.idps.manage
Deactivates an active identity provider (IdP)


Request 
path Parameters
idpId
required
string
id of IdP


 
 Example:  0oa62bfdjnK55Z5x80h7
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/idps/{idpId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{
  • "id": "0oa62bfdiumsUndnZ0h7",
  • "type": "GOOGLE",
  • "name": "Google",
  • "status": "INACTIVE",
  • "created": "2016-03-24T23:21:49.000Z",
  • "lastUpdated": "2016-03-25T19:16:53.000Z",
  • "protocol": {},
  • "policy": {
    • "provisioning": {
      },
    • "accountLink": {
      },
    • "subject": {
      },
    • "mapAMRClaims": false,
    • "maxClockSkew": 0
    },
  • "_links": {
    • "authorize": {
      },
    • "clientRedirectUri": {}
    }
}