
Get all authentication flows

GET /api/web/v2/authenticationflows

Get all authentication flows. Caller requires the CONTEXTRULES:VIEW permission.

Responses

Successful

Schema

Array of authentication flow objects. Each item has the following fields:

  • applications (object[]): List of applications using this authentication flow. Each item has:
      • id (string): The UUID of the application.
      • name (string): The name of the application.
      • resourceRules (object[], required): List of resource rules associated with this application. Each item has:
          • id (string, required): The unique UUID assigned to the resource rule when it is created.
          • name (string, required): The name of the resource rule.
  • id (string, required): The unique UUID assigned to the authentication flow when it is created.
  • idpDomainBased (boolean): A flag indicating if the authentication flow will use only domain-based IDPs.
  • idpLoginSecondStep (string[]): Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]. The authenticator type to use in the second step of a two-step authentication scenario when the OIDC identity provider Login flow is enabled and requires a second factor.
  • loginFlows (object[], required): List of login flows. Each item has:
      • enabled (boolean, required): Whether the login flow is enabled or not.
      • loginFlowType (string, required): Possible values: [USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN]. Identifies the login flow type.
  • name (string, required): The name of the authentication flow.
  • oidcIdentityProviders (object[]): The OIDC identity providers supported when the IDP login flow is enabled; only limited information is returned. Each item has:
      • acrValues (string): The space-separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.
      • amrValues (string): The space-separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.
      • authenticationEnabled (boolean): A flag indicating if the external OIDC identity provider can be used for user authentication.
      • authorizationEndpoint (string): The authorization endpoint for the external OIDC identity provider.
      • buttonImage (string): The URI of the logo to display on the login button for this external OIDC identity provider.
      • buttonText (string): The unique text to display on the login button for this external OIDC identity provider.
      • clientAuthenticationMethod (string): Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]. The client authentication method to use with the external OIDC identity provider.
      • clientId (string): The client identifier provided by the external OIDC identity provider.
      • clientSecret (string): The client secret provided by the external OIDC identity provider. Currently this value is not returned.
      • createUser (boolean): A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
      • domains (string): The space-separated list of domains associated with the external OIDC identity provider for use with user authentication.
      • fields (string): The value of user fields that need to be set on the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.
      • groupIds (string[]): The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.
      • groupMapping (string): The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
      • id (string): The UUID of the external OIDC identity provider.
      • idTokenClaims (string): The space-separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request.
      • issuer (string): The issuer URI for the external OIDC identity provider.
      • jwksUri (string): The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.
      • maxAge (int32): Possible values: >= -1 and <= 2592000. The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.
      • name (string): The unique name of the external OIDC identity provider.
      • organizationIds (string[]): The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.
      • requireUserinfoSignature (boolean): A flag indicating if the response from the user information endpoint of the external OIDC identity provider should be signed and verified.
      • revocationEndpoint (string): The revocation endpoint for the external OIDC identity provider.
      • roleMapping (string): The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
      • scopes (string): The space-separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.
      • tokenEndpoint (string): The token endpoint for the external OIDC identity provider.
      • type (string): Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]. The type of the external OIDC identity provider. Once created, this value cannot be updated.
      • updateUser (boolean): A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
      • updateUserVerification (boolean): A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.
      • userAttributeId (string): The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
      • userAttributeMappings (object[]): The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when the user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true. Each item has:
          • claim (string, required): The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.
          • id (string): The UUID of the OIDC identity provider attribute mapping.
          • oidcIdentityProviderId (string): The UUID of the OIDC identity provider the attribute mapping belongs to.
          • userAttribute (object): Information about user attribute definitions.
              • id (string): The UUID for this user attribute. Generated when the user attribute is created.
              • mandatory (boolean, required): A flag indicating if users must have a value for this user attribute.
              • name (string, required): The name of this user attribute.
              • systemDefined (boolean, required): A flag indicating if this user attribute is one of the system-defined user attributes.
              • type (string): Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]. Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
              • unique (boolean, required): A flag indicating if this attribute is intended to be unique.
          • userAttributeId (string, required): The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.
      • userAuthMatchMappings (object[]): The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true. Each item has:
          • claim (string, required): The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.
          • id (string): The UUID of the OIDC identity provider user authentication match mapping.
          • oidcIdentityProviderId (string): The UUID of the OIDC identity provider the user authentication match mapping belongs to.
          • userAttribute (object): Information about user attribute definitions.
              • id (string): The UUID for this user attribute. Generated when the user attribute is created.
              • mandatory (boolean, required): A flag indicating if users must have a value for this user attribute.
              • name (string, required): The name of this user attribute.
              • systemDefined (boolean, required): A flag indicating if this user attribute is one of the system-defined user attributes.
              • type (string): Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]. Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
              • unique (boolean, required): A flag indicating if this attribute is intended to be unique.
          • userAttributeId (string, required): The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.
      • userClaim (string): The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
      • userVerMatchMappings (object[]): The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true. Each item has:
          • claim (string, required): The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.
          • id (string): The UUID of the OIDC identity provider user verification match mapping.
          • oidcIdentityProviderId (string): The UUID of the OIDC identity provider the user verification match mapping belongs to.
          • userAttribute (object): Information about user attribute definitions.
              • id (string): The UUID for this user attribute. Generated when the user attribute is created.
              • mandatory (boolean, required): A flag indicating if users must have a value for this user attribute.
              • name (string, required): The name of this user attribute.
              • systemDefined (boolean, required): A flag indicating if this user attribute is one of the system-defined user attributes.
              • type (string): Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]. Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
              • unique (boolean, required): A flag indicating if this attribute is intended to be unique.
          • userAttributeId (string, required): The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.
      • userinfoClaims (string): The space-separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.
      • userinfoEndpoint (string): The user information endpoint for the external OIDC identity provider.
      • verificationEnabled (boolean): A flag indicating if the external OIDC identity provider can be used for user verification.
  • readOnly (boolean, required): A flag indicating if the authentication flow can be modified or deleted.
  • userLoginFirstStep (string): Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]. The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled.
  • userLoginSecondStep (string[]): Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]. The authenticator type to use in the second step of a two-step authentication scenario when the User Login flow is enabled.
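The response above is mostly useful to a defender as an inventory: it exposes, per flow, which login flows are enabled, which authenticator types are required in each step, and how each external OIDC identity provider is configured (user creation, group assignment, userinfo signature requirement, endpoint URLs). The script below is an added example, not part of the API documentation or the product, that pulls the flow list and reports settings a reviewer would want to look at. It assumes the endpoint accepts a bearer token in the Authorization header (the page only states that the caller needs the CONTEXTRULES:VIEW permission, not the token format), and the SAMPLE_FLOWS document is constructed to resemble the documented schema rather than taken from a real tenant. The checks are heuristics (for example, an empty idpLoginSecondStep only matters when the flow is expected to require a second factor), so treat the output as a review list rather than a verdict.

```python
"""Audit authentication flows returned by GET /api/web/v2/authenticationflows.

Added example; not from the API documentation. Assumes bearer-token auth
(an assumption) and uses a constructed sample response for offline runs.
"""
import json
import urllib.request

ENDPOINT = "/api/web/v2/authenticationflows"
# Endpoint fields that must be HTTPS for the OIDC exchange to be trustworthy.
URL_FIELDS = ("issuer", "authorizationEndpoint", "tokenEndpoint", "jwksUri", "userinfoEndpoint")


def fetch_authentication_flows(base_url: str, token: str) -> list:
    """Call the endpoint; the caller needs the CONTEXTRULES:VIEW permission.
    Bearer-token authorization is an assumption, not documented on the page."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _no_second_factor(steps) -> bool:
    """True when a second-step list is absent, empty, or contains only NONE."""
    return not steps or set(steps) <= {"NONE"}


def _enabled_login_types(flow: dict) -> set:
    """loginFlowType values whose loginFlows entry has enabled == true."""
    return {lf["loginFlowType"] for lf in flow.get("loginFlows", []) if lf.get("enabled")}


def audit_flows(flows: list) -> list:
    """Return (flow name, finding code, detail) tuples for settings worth review."""
    findings = []
    for flow in flows:
        fname = flow.get("name", "<unnamed>")
        types = _enabled_login_types(flow)
        # USER_LOGIN with a password first step and nothing in the second step is single-factor.
        if ("USER_LOGIN" in types and flow.get("userLoginFirstStep") == "PASSWORD"
                and _no_second_factor(flow.get("userLoginSecondStep"))):
            findings.append((fname, "password-only", "USER_LOGIN uses a password with no second step"))
        if "IDP_LOGIN" not in types:
            continue
        if _no_second_factor(flow.get("idpLoginSecondStep")):
            findings.append((fname, "idp-no-second-step", "IDP_LOGIN has no second-step authenticator"))
        for idp in flow.get("oidcIdentityProviders", []):
            if not idp.get("authenticationEnabled"):
                continue  # verification-only providers do not log users in
            iname = idp.get("name", "<unnamed idp>")
            # Per the schema, an empty groupIds with createUser assigns new users to All Groups.
            if idp.get("createUser") and not idp.get("groupIds"):
                findings.append((fname, "idp-all-groups", f"{iname}: createUser with empty groupIds assigns All Groups"))
            if not idp.get("requireUserinfoSignature"):
                findings.append((fname, "idp-userinfo-unsigned", f"{iname}: userinfo response not required to be signed"))
            for key in URL_FIELDS:
                url = idp.get(key)
                if url and not url.lower().startswith("https://"):
                    findings.append((fname, "idp-insecure-endpoint", f"{iname}: {key} is not https ({url})"))
    return findings


# Constructed sample shaped like the documented response; not real tenant data.
SAMPLE_FLOWS = [
    {
        "id": "11111111-1111-1111-1111-111111111111", "name": "Workforce MFA", "readOnly": False,
        "applications": [], "idpDomainBased": False,
        "loginFlows": [{"enabled": True, "loginFlowType": "USER_LOGIN"},
                       {"enabled": True, "loginFlowType": "IDP_LOGIN"}],
        "userLoginFirstStep": "PASSWORD", "userLoginSecondStep": ["OTP", "FIDO"],
        "idpLoginSecondStep": ["FIDO"],
        "oidcIdentityProviders": [{
            "name": "corp-entra", "type": "MICROSOFT", "authenticationEnabled": True,
            "createUser": True, "groupIds": ["22222222-2222-2222-2222-222222222222"],
            "requireUserinfoSignature": True,
            "issuer": "https://login.example.test/v2.0", "jwksUri": "https://login.example.test/keys",
        }],
    },
    {
        "id": "33333333-3333-3333-3333-333333333333", "name": "Legacy partner login", "readOnly": False,
        "applications": [], "idpDomainBased": False,
        "loginFlows": [{"enabled": True, "loginFlowType": "USER_LOGIN"},
                       {"enabled": True, "loginFlowType": "IDP_LOGIN"}],
        "userLoginFirstStep": "PASSWORD", "userLoginSecondStep": ["NONE"],
        "idpLoginSecondStep": [],
        "oidcIdentityProviders": [{
            "name": "partner-generic", "type": "GENERIC", "authenticationEnabled": True,
            "createUser": True, "groupIds": [],
            "requireUserinfoSignature": False,
            "issuer": "https://idp.partner.test", "jwksUri": "http://idp.partner.test/jwks",
        }],
    },
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_authentication_flows(base_url, token)
    # to audit a live tenant.
    for flow_name, code, detail in audit_flows(SAMPLE_FLOWS):
        print(f"[{code}] {flow_name}: {detail}")
```

Against the sample, the "Workforce MFA" flow produces no findings, while "Legacy partner login" is reported five times: password-only user login, no IDP second step, an IDP that creates users into All Groups, an unsigned userinfo response, and a plain-HTTP jwksUri. Flows with readOnly set to true are still reported; the flag only says whether the flow can be changed through the API, not whether its settings are sound.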
