
Get a resource rule

GET /api/web/v2/resourcerules/:id

Get the specified resource rule. Caller requires the CONTEXTRULES:VIEW permission.

Request

Path Parameters

    id string (required)

    The UUID of the resource rule to be returned.

Responses

Successful

Schema

    apiVersion int32

    Possible values: [1, 2]

    The resource rules API version used to create or last update this resource rule. If the resource rule is at version 2, then it cannot be updated using a version 1 API.

    dateTimeContext

    object

    The DateTimeContext context specifies an allowed or disallowed date or time range. Only a date range or a time range can be specified, not both. Risk is applied to the authentication if the current time is outside an allowed range or inside a disallowed range. A date range specifies a start and end date, for example 2019/01/01 to 2019/03/01. A time range specifies a start and end time and days of the week, for example Monday to Friday, 8am to 5pm.

    allowedDateTime boolean

    If true, the startDateTime and endDateTime define the allowed range. If false, the startDateTime and endDateTime define the denied range.

    allowedTime boolean

    If true, the startTime and endTime define the allowed time range. If false, the startTime and endTime define the denied time range.

    denyAccess boolean (required)

    If true, the resource rule evaluating the context will return Access Denied.

    endDateTime date-time

    If specifying a date range, the end date of the range.

    endTime string

    If specifying a time range, the end time of the range. The value should be of the form hh:mm:ss

    riskPoint int32 (required)

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    startDateTime date-time

    If specifying a date range, the start date of the range.

    startTime string

    If specifying a time range, the start time of the range. The value should be of the form hh:mm:ss

    weekDays string[]

    Possible values: [Mon, Tue, Wed, Thu, Fri, Sat, Sun]

    If specifying a time range, the days of the week to which the time range will apply.

    zoneId

    object

    The timezone offset in which dates and times are considered. For example, a value like -05:00 to specify EST. Set the timezone value if you want to allow times 8am to 5pm in the customer's time zone and not the time zone of the service. If not specified, the default is Z for UTC.

    id string

    rules

    object

    fixedOffset boolean

    transitionRules

    object[]

  • Array [

  • dayOfMonthIndicator int32
    dayOfWeek string

    Possible values: [MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY]

    localTime string
    midnightEndOfDay boolean
    month string

    Possible values: [JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER]

    offsetAfter

    object

    id string
    rules
    totalSeconds int32

    offsetBefore

    object

    id string
    rules
    totalSeconds int32

    standardOffset

    object

    id string
    rules
    totalSeconds int32
    timeDefinition string

    Possible values: [UTC, WALL, STANDARD]

  • ]

  • transitions

    object[]

  • Array [

  • dateTimeAfter date-time
    dateTimeBefore date-time

    duration

    object

    nano int32
    negative boolean
    positive boolean
    seconds int64

    units

    object[]

  • Array [

  • dateBased boolean
    duration
    durationEstimated boolean
    timeBased boolean
  • ]

  • zero boolean
    gap boolean
    instant date-time

    offsetAfter

    object

    id string
    rules
    totalSeconds int32

    offsetBefore

    object

    id string
    rules
    totalSeconds int32
    overlap boolean
  • ]

  • description string

    The description of the resource rule.

    deviceCertificateContext

    object

    Device Certificate checks to see if the user presented a trusted device certificate that's valid. If not found, risk is applied.

    denyAccess boolean (required)

    If true, the resource rule evaluating the context will return Access Denied.

    riskPoint int32 (required)

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    disableSSO booleanrequired

    A flag indicating if single-sign on is disabled for this resource rule.

    enabled boolean

    A flag indicating if this resource rule is enabled or not. Only enabled resource rules are considered during authentication.

    groups

    object[]

    required

    The groups associated with this resource rule. The resource rule only applies to users in one of the specified groups. A resource rule must specify at least one group which can be the default All Groups if you want the resource rule to apply to all users.

  • Array [

  • created date-time

    When the group was created.

    externalId string

    The externalId of this group.

    id string

    The UUID of this group. This value is generated when the group is created.

    lastModified date-time

    When the group was last modified.

    name string (required)

    The name of this group.

    type string

    Possible values: [LDAP_AD, MGMT_UI]

    The type of group indicating if this group was synchronized from a directory (LDAP_AD) or was created in Identity as a Service (MGMT_UI).

  • ]

  • highRiskAuthenticationFlow

    object

    An AuthenticationFlow defines the authentication options available for a given risk level.

    applications

    object[]

    List of applications using this authentication flow.

  • Array [

  • id string

    The UUID of the application.

    name string

    The name of the application.

    resourceRules

    object[]

    required

    List of resource rules associated to this application.

  • Array [

  • id string (required)

    The unique UUID assigned to the resource rule when it is created.

    name string (required)

    The name of the resource rule.

  • ]

  • ]

  • id string (required)

    The unique UUID assigned to the authentication flow when it is created.

    idpDomainBased boolean

    A flag indicating if the authentication flow will be using only domain-based IDPs.

    idpLoginSecondStep string[]

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the OIDC identity provider Login flow is enabled and requires a second factor.

    loginFlows

    object[]

    required

    List of login flows.

  • Array [

  • enabled boolean (required)

    Whether the login flow is enabled or not.

    loginFlowType string (required)

    Possible values: [USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN]

    Identifies the login flow type.

  • ]

  • name string (required)

    The name of the authentication flow.

    oidcIdentityProviders

    object[]

    The OIDC identity providers supported when the IDP login flow is enabled. Only limited information is returned.

  • Array [

  • acrValues string

    The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.

    amrValues string

    The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.

    authenticationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user authentication.

    authorizationEndpoint string

    The authorization endpoint for the external OIDC identity provider.

    buttonImage string

    The URI of the logo to display on the login button for this external OIDC identity provider.

    buttonText string

    The unique text to display on the login button for this external OIDC identity provider.

    clientAuthenticationMethod string

    Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]

    The client authentication method to use with the external OIDC identity provider.

    clientId string

    The client identifier provided by the external OIDC identity provider.

    clientSecret string

    The client secret provided by the external OIDC identity provider. Currently this value is not returned.

    createUser boolean

    A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    domains string

    The space separated list of domains associated with the external OIDC identity provider for use with user authentication.

    fields string

    The user fields that need to be set for the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.

    groupIds string[]

    The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.

    groupMapping string

    The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.

    id string

    The UUID of the external OIDC identity provider.

    idTokenClaims string

    The space separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request.

    issuer string

    The issuer URI for the external OIDC identity provider.

    jwksUri string

    The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.

    maxAge int32

    Possible values: >= -1 and <= 2592000

    The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.

    name string

    The unique name of the external OIDC identity provider.

    organizationIds string[]

    The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.

    requireUserinfoSignature boolean

    A flag indicating if the user information endpoint of the external OIDC identity provider should be signed and verified.

    revocationEndpoint string

    The revocation endpoint for the external OIDC identity provider.

    roleMapping string

    The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.

    scopes string

    The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.

    tokenEndpoint string

    The token endpoint for the external OIDC identity provider.

    type string

    Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]

    The type of the external OIDC identity provider. Once created, this value cannot be updated.

    updateUser boolean

    A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    updateUserVerification boolean

    A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.

    userAttributeId string

    The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userAttributeMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when it is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true.

  • Array [

  • claim string (required)

    The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.

    id string

    The UUID of the OIDC identity provider attribute mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the attribute mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory boolean (required)

    A flag indicating if users must have a value for this user attribute.

    name string (required)

    The name of this user attribute.

    systemDefined boolean (required)

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique boolean (required)

    A flag indicating if this attribute is intended to be unique.

    userAttributeId string (required)

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.

  • ]

  • userAuthMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true.

  • Array [

  • claim string (required)

    The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.

    id string

    The UUID of the OIDC identity provider user authentication match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user authentication match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory boolean (required)

    A flag indicating if users must have a value for this user attribute.

    name string (required)

    The name of this user attribute.

    systemDefined boolean (required)

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique boolean (required)

    A flag indicating if this attribute is intended to be unique.

    userAttributeId string (required)

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.

  • ]

  • userClaim string

    The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userVerMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true.

  • Array [

  • claim string (required)

    The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.

    id string

    The UUID of the OIDC identity provider user verification match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user verification match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory boolean (required)

    A flag indicating if users must have a value for this user attribute.

    name string (required)

    The name of this user attribute.

    systemDefined boolean (required)

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique boolean (required)

    A flag indicating if this attribute is intended to be unique.

    userAttributeId string (required)

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.

  • ]

  • userinfoClaims string

    The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.

    userinfoEndpoint string

    The user information endpoint for the external OIDC identity provider.

    verificationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user verification.

  • ]

  • readOnly boolean (required)

    A flag indicating if the authentication flow can be modified or deleted.

    userLoginFirstStep string

    Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]

    The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled.

    userLoginSecondStep string[]

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the User Login flow is enabled.

    highRiskEnableSmartLogin boolean (deprecated)

    A flag indicating if Smart Login is enabled for High risk. This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.

    highRiskFirstStep string (deprecated)

    Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]

    The authenticator type to use in the first step of a two-step authentication scenario when the risk score is High. This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.

    highRiskSecondStep string[] (deprecated)

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the risk score is High. This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.

    id string

    The unique UUID assigned to the resource rule when it is created.

    ipContext

    object

    The IP context specifies allowed or denied IP address ranges or lists. Risk is applied to the authentication if the current IP address does not match an allowed IP address range/list or does match a denied IP address range/list.

    allowedIpList string

    The UUID of an existing IP List that defines IPs that can access the resource. Risk applies if the given IP address is not found in the IP List. If specified, the allowed IP List takes precedence over the denied IP List.

    allowedIpRanges string[]

    List of IP address ranges (in CIDR notation) that are allowed to access the resource. Risk applies if the given IP address is not in one of the allowed IP ranges. If specified, the allowed IP values take precedence over the denied IP values.

    deniedIpList string

    The UUID of an existing IP List that defines IPs that cannot access the resource. Risk applies if the given IP address is found in the IP List. The denied IP List is ignored if an allowed IP List is specified.

    deniedIpRanges string[]

    List of IP Address ranges (in CIDR notation) that cannot access the resource. Risk applies if the given IP address is in one of the denied IP ranges. The denied IP values are ignored if allowed IP ranges are specified.

    denyAccess boolean (required)

    If true, the resource rule evaluating the context will return Access Denied.

    riskPoint int32 (required)

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    type string

    Possible values: [CUSTOM, IPLIST]

    The type of IpContext. If not specified, this value defaults to CUSTOM.
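The ipContext just described and the dateTimeContext earlier in this schema share one outcome model: if the context "applies", denyAccess returns Access Denied, otherwise riskPoint is added to the authentication's risk. The Python below is an added illustration of that evaluation, not code from the API or its vendor; it assumes a hypothetical IP_LISTS lookup for IPLIST-type contexts and a fixed-offset zoneId, and the sample contexts and UUIDs are constructed.

```python
import ipaddress
from datetime import datetime, time, timedelta, timezone

# Hypothetical store of IP List members keyed by IP List UUID; an IPLIST-type
# ipContext references these via allowedIpList/deniedIpList (constructed data).
IP_LISTS = {"00000000-0000-4000-8000-000000000001": ["203.0.113.0/24"]}

# Same order as the schema's weekDays values; datetime.weekday() gives Mon=0.
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _outcome(ctx: dict, applies: bool) -> tuple:
    """Map 'this context applies' onto (access_denied, risk_points): denyAccess=true
    returns Access Denied outright, otherwise riskPoint (schema cap 100) is added."""
    if not applies:
        return (False, 0)
    if ctx.get("denyAccess", False):
        return (True, 0)
    return (False, min(int(ctx.get("riskPoint", 0)), 100))


def _in_ranges(client_ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate_ip_context(ctx: dict, client_ip: str) -> tuple:
    """Evaluate an ipContext for the client IP. type defaults to CUSTOM (inline
    CIDR ranges); IPLIST refers to stored IP Lists by UUID. An allowed list/range,
    when specified, takes precedence and the denied one is ignored. Risk applies
    when the IP is outside the allowed set or, with no allowed set, inside the denied set."""
    if ctx.get("type", "CUSTOM") == "IPLIST":
        allowed = IP_LISTS.get(ctx["allowedIpList"], []) if ctx.get("allowedIpList") else None
        denied = IP_LISTS.get(ctx["deniedIpList"], []) if ctx.get("deniedIpList") else []
    else:
        allowed = ctx.get("allowedIpRanges") or None
        denied = ctx.get("deniedIpRanges") or []
    if allowed is not None:
        applies = not _in_ranges(client_ip, allowed)   # outside the allowed set
    else:
        applies = _in_ranges(client_ip, denied)        # inside the denied set
    return _outcome(ctx, applies)


def _zone(zone_id) -> timezone:
    """Parse a fixed zoneId offset such as '-05:00'; 'Z' or missing means UTC."""
    if not zone_id or zone_id == "Z":
        return timezone.utc
    sign = -1 if zone_id.startswith("-") else 1
    hours, minutes = zone_id.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def evaluate_date_time_context(ctx: dict, now: datetime) -> tuple:
    """Evaluate a dateTimeContext at the timezone-aware instant 'now'. Either a
    date range (startDateTime/endDateTime, allowedDateTime) or a time range
    (startTime/endTime/weekDays, allowedTime) is configured. The context applies
    when 'now' is outside an allowed range or inside a denied range; wall-clock
    times are read in the zoneId offset (default UTC)."""
    tz = _zone((ctx.get("zoneId") or {}).get("id"))
    local = now.astimezone(tz)
    if ctx.get("startDateTime") and ctx.get("endDateTime"):
        start = datetime.fromisoformat(ctx["startDateTime"])
        end = datetime.fromisoformat(ctx["endDateTime"])
        if start.tzinfo is None:  # naive bounds are taken in the zoneId offset
            start, end = start.replace(tzinfo=tz), end.replace(tzinfo=tz)
        in_range = start <= now <= end
        allowed = bool(ctx.get("allowedDateTime", True))
    elif ctx.get("startTime") and ctx.get("endTime"):
        start_t = time.fromisoformat(ctx["startTime"])  # hh:mm:ss per the schema
        end_t = time.fromisoformat(ctx["endTime"])
        days = ctx.get("weekDays") or WEEKDAYS
        in_range = WEEKDAYS[local.weekday()] in days and start_t <= local.time() <= end_t
        allowed = bool(ctx.get("allowedTime", True))
    else:
        return (False, 0)  # no range configured, so the context cannot apply
    return _outcome(ctx, in_range != allowed)


def at_utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build an aware UTC instant for exercising the samples below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample contexts in the shape this endpoint returns them.
OFFICE_NET = {"allowedIpRanges": ["10.0.0.0/8"], "deniedIpRanges": ["10.1.0.0/16"],
              "denyAccess": False, "riskPoint": 40}
BLOCKLIST = {"type": "IPLIST", "deniedIpList": "00000000-0000-4000-8000-000000000001",
             "denyAccess": True, "riskPoint": 100}
BUSINESS_HOURS = {"allowedTime": True, "startTime": "08:00:00", "endTime": "17:00:00",
                  "weekDays": ["Mon", "Tue", "Wed", "Thu", "Fri"],
                  "zoneId": {"id": "-05:00"}, "denyAccess": False, "riskPoint": 30}
FREEZE_WINDOW = {"allowedDateTime": False, "startDateTime": "2019-01-01T00:00:00+00:00",
                 "endDateTime": "2019-03-01T00:00:00+00:00", "denyAccess": True, "riskPoint": 0}
```

With OFFICE_NET, 10.1.2.3 contributes no risk even though it sits in the denied range, because the allowed range takes precedence; with BUSINESS_HOURS, 23:30 UTC on a Wednesday is 18:30 in the -05:00 zone and so picks up 30 risk points.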

    kbaContext

    object

    The KBA context allows the settings for knowledge-based authentication to be overridden for a particular resource rule. For example, a different challenge size can be specified.

    challengeSize int32

    Number of questions that the user must answer. If not provided, the default QA challenge size in the KBA settings is used.

    denyAccess boolean (required)

    If true, the resource rule evaluating the context will return Access Denied.

    wrongAnswersAllowed int32

    Number of questions that the user could answer incorrectly and still be considered a valid response. If not provided, the default wrong answers allowed in the KBA settings is used.

    locationContext

    object

    The location context specifies allowed or denied country codes. Risk is applied to the authentication if the location of the current IP address does not match an allowed country or matches a disallowed country.

    allowed boolean (required)

    If true, the list of countries defines allowed countries. If false, the list of countries defines denied countries.

    anonymousAllowed boolean (required)

    If true, anonymous/TOR IP addresses are allowed. If false, anonymous/TOR IP addresses are denied.

    countryCodes string[] (required)

    List of country codes (ISO alpha-2) that can access (allowed=true) or cannot access (allowed=false) the resource.

    denyAccess boolean (required)

    If true, the resource rule evaluating the context will return Access Denied.

    riskPoint int32 (required)

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    locationHistoryContext

    object

    Location history checks to see if the location of the current IP address matches a location from a previous authentication. If the current location does not match history, risk is applied.

    denyAccess boolean (required)

    If true, the resource rule evaluating the context will return Access Denied.

    riskPoint int32 (required)

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    lowRiskAuthenticationFlow

    object

    An AuthenticationFlow defines the authentication options available for a given risk level.

    applications

    object[]

    List of applications using this authentication flow.

  • Array [

  • id string

    The UUID of the application.

    name string

    The name of the application.

    resourceRules

    object[]

    required

    List of resource rules associated to this application.

  • Array [

  • id string (required)

    The unique UUID assigned to the resource rule when it is created.

    name string (required)

    The name of the resource rule.

  • ]

  • ]

  • id string (required)

    The unique UUID assigned to the authentication flow when it is created.

    idpDomainBased boolean

    A flag indicating if the authentication flow will be using only domain-based IDPs.

    idpLoginSecondStep string[]

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the OIDC identity provider Login flow is enabled and requires a second factor.

    loginFlows

    object[]

    required

    List of login flows.

  • Array [

  • enabled boolean (required)

    Whether the login flow is enabled or not.

    loginFlowType string (required)

    Possible values: [USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN]

    Identifies the login flow type.

  • ]

  • name string (required)

    The name of the authentication flow.

    oidcIdentityProviders

    object[]

    The OIDC identity providers supported when the IDP login flow is enabled. Only limited information is returned.

  • Array [

  • acrValues string

    The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.

    amrValues string

    The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.

    authenticationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user authentication.

    authorizationEndpoint string

    The authorization endpoint for the external OIDC identity provider.

    buttonImage string

    The URI of the logo to display on the login button for this external OIDC identity provider.

    buttonText string

    The unique text to display on the login button for this external OIDC identity provider.

    clientAuthenticationMethod string

    Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]

    The client authentication method to use with the external OIDC identity provider.

    clientId string

    The client identifier provided by the external OIDC identity provider.

    clientSecret string

    The client secret provided by the external OIDC identity provider. Currently this value is not returned.

    createUser boolean

    A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    domains string

    The space separated list of domains associated with the external OIDC identity provider for use with user authentication.

    fields string

    The user fields that need to be set for the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.

    groupIds string[]

    The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.

    groupMapping string

    The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.

    id string

    The UUID of the external OIDC identity provider.

    idTokenClaims string

    The space separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request.

    issuer string

    The issuer URI for the external OIDC identity provider.

    jwksUri string

    The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.

    maxAge int32

    Possible values: >= -1 and <= 2592000

    The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.

    name string

    The unique name of the external OIDC identity provider.

    organizationIds string[]

    The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.

    requireUserinfoSignature boolean

    A flag indicating if the user information endpoint of the external OIDC identity provider should be signed and verified.

    revocationEndpoint string

    The revocation endpoint for the external OIDC identity provider.

    roleMapping string

    The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.

    scopes string

    The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.

    tokenEndpoint string

    The token endpoint for the external OIDC identity provider.

    type string

    Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]

    The type of the external OIDC identity provider. Once created, this value cannot be updated.

    updateUser boolean

    A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    updateUserVerification boolean

    A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.

    userAttributeId string

    The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userAttributeMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when it is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.

    id string

    The UUID of the OIDC identity provider attribute mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the attribute mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.

  • ]

  • userAuthMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.

    id string

    The UUID of the OIDC identity provider user authentication match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user authentication match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.

  • ]

  • userClaim string

    The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userVerMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.

    id string

    The UUID of the OIDC identity provider user verification match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user verification match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.

  • ]

  • userinfoClaims string

    The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.

    userinfoEndpoint string

    The user information endpoint for the external OIDC identity provider.

    verificationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user verification.

  • ]

  • readOnly booleanrequired

    A flag indicating if the authentication flow can be modified or deleted.

    userLoginFirstStep string

    Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]

    The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled.

    userLoginSecondStep string[]

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the User Login flow is enabled.

    lowRiskEnableSmartLogin booleandeprecated

    A flag indicating if Smart Login is enabled for Low risk. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.

    lowRiskFirstStep stringdeprecated

    Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]

    The authenticator type to use in the first step of a two-step authentication scenario when the risk score is Low. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.

    lowRiskSecondStep string[]deprecated

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the risk score is Low. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.

    lowRiskThreshold int32

    Possible values: <= 100

    Risk scores below this value are considered Low risk.

    machineContext

    object

    Represents a Machine Authenticator authentication context. When defined, a Machine Authentication authenticator is expected in the authentication request. Risk will apply if the machine authentication authenticator is not present, or if the risk for the machine authentication authenticator is greater than the risk limit defined for the Machine context.

    denyAccess booleanrequired

    If true, the resource rule evaluating the context will return Access Denied.

    riskLimit int32required

    The risk points apply if the machine authenticator risk is below or equal to this value.

    riskPoint int32required

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    mediumRiskAuthenticationFlow

    object

    An AuthenticationFlow defines the authentication options available for a given risk level.

    applications

    object[]

    List of applications using this authentication flow.

  • Array [

  • id string

    The UUID of the application.

    name string

    The name of the application.

    resourceRules

    object[]

    required

    List of resource rules associated to this application.

  • Array [

  • id stringrequired

    The unique UUID assigned to the resource rule when it is created.

    name stringrequired

    The name of the resource rule.

  • ]

  • ]

  • id stringrequired

    The unique UUID assigned to the authentication flow when it is created.

    idpDomainBased boolean

    A flag indicating if the authentication flow will be using only domain-based IDPs.

    idpLoginSecondStep string[]

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the OIDC identity provider Login flow is enabled and requires a second factor.

    loginFlows

    object[]

    required

    List of login flows.

  • Array [

  • enabled booleanrequired

    Whether the login flow is enabled or not.

    loginFlowType stringrequired

    Possible values: [USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN]

    Identifies the login flow type.

  • ]

  • name stringrequired

    The name of the authentication flow.

    oidcIdentityProviders

    object[]

    The OIDC identity providers supported when the IDP login flow is enabled; limited info is returned.

  • Array [

  • acrValues string

    The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.

    amrValues string

    The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.

    authenticationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user authentication.

    authorizationEndpoint string

    The authorization endpoint for the external OIDC identity provider.

    buttonImage string

    The URI of the logo to display on the login button for this external OIDC identity provider.

    buttonText string

    The unique text to display on the login button for this external OIDC identity provider.

    clientAuthenticationMethod string

    Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]

    The client authentication method to use with the external OIDC identity provider.

    clientId string

    The client identifier provided by the external OIDC identity provider.

    clientSecret string

    The client secret provided by the external OIDC identity provider. Currently this value is not returned.

    createUser boolean

    A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    domains string

    The space separated list of domains associated with the external OIDC identity provider for use with user authentication.

    fields string

    The value of user fields that need to be set on the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.

    groupIds string[]

    The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.

    groupMapping string

    The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.

    id string

    The UUID of the external OIDC identity provider.

    idTokenClaims string

    The space separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request.

    issuer string

    The issuer URI for the external OIDC identity provider.

    jwksUri string

    The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.

    maxAge int32

    Possible values: >= -1 and <= 2592000

    The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.

    name string

    The unique name of the external OIDC identity provider.

    organizationIds string[]

    The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.

    requireUserinfoSignature boolean

    A flag indicating if the response from the user information endpoint of the external OIDC identity provider should be signed and verified.

    revocationEndpoint string

    The revocation endpoint for the external OIDC identity provider.

    roleMapping string

    The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.

    scopes string

    The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.

    tokenEndpoint string

    The token endpoint for the external OIDC identity provider.

    type string

    Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]

    The type of the external OIDC identity provider. Once created, this value cannot be updated.

    updateUser boolean

    A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    updateUserVerification boolean

    A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.

    userAttributeId string

    The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userAttributeMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when it is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.

    id string

    The UUID of the OIDC identity provider attribute mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the attribute mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.

  • ]

  • userAuthMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.

    id string

    The UUID of the OIDC identity provider user authentication match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user authentication match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.

  • ]

  • userClaim string

    The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userVerMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.

    id string

    The UUID of the OIDC identity provider user verification match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user verification match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.

  • ]

  • userinfoClaims string

    The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.

    userinfoEndpoint string

    The user information endpoint for the external OIDC identity provider.

    verificationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user verification.

  • ]

  • readOnly booleanrequired

    A flag indicating if the authentication flow can be modified or deleted.

    userLoginFirstStep string

    Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]

    The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled.

    userLoginSecondStep string[]

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the User Login flow is enabled.

    mediumRiskEnableSmartLogin booleandeprecated

    A flag indicating if Smart Login is enabled for Medium risk. This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.

    mediumRiskFirstStep stringdeprecated

    Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]

    The authenticator type to use in the first step of a two-step authentication scenario when the risk score is Medium. This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.

    mediumRiskSecondStep string[]deprecated

    Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]

    The authenticator type to use in the second step of a two-step authentication scenario when the risk score is Medium. This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.

    mediumRiskThreshold int32

    Possible values: <= 100

    Risk scores below this value are considered Medium risk. Risk scores equal to or greater than this value are considered High risk.

    name stringrequired

    The name of the resource rule.

    resourceId string

    The UUID of the resource to which this resource rule is assigned.

    resourceName string

    The name of the resource to which this resource rule is assigned.

    riskEngineContexts

    object[]

    If risk engine rules are defined, the transaction contexts specify the levels at which risk is applied to the authentication request if the corresponding risk engine rules trigger risk.

  • Array [

  • denyAccess booleanrequired

    If true, the resource rule evaluating the context will return Access Denied.

    name stringrequired

    The name of this transaction context.

    riskLimit int32required

    The risk points apply if the accumulated risk of the configured transaction rules is above this value.

    riskPoint int32required

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    transactionRuleRisks

    object[]

    required

    The transaction rules associated with this context.

  • Array [

  • riskScore int32required

    Possible values: >= 1 and <= 100

    The risk score that applies if this transaction rule is triggered.

    transactionRuleId stringrequired

    The id of the transaction rule associated with this risk definition.

  • ]

  • ]

  • skipSecondFactorIfUserNotExist booleanrequired

    A flag indicating if the second factor can be skipped if the user does not exist and the first factor is EXTERNAL.

    strictAccess booleanrequired

    A flag indicating if this resource rule enforces strict access. Strict access means that if this rule denies access, the user is denied access even if other resource rules allow access.

    systemResourceContext boolean

    A flag indicating if this resource rule is associated with a system resource, including the Admin and User portals. A resource rule for a system resource cannot be deleted; it can only be disabled if there is at least one enabled resource rule for the resource.

    transactionContexts

    object[]

    If transaction details are specified during an authentication request, the transaction contexts specify the levels at which risk is applied to the authentication request if the corresponding transaction rules trigger risk. A maximum of two are allowed.

  • Array [

  • denyAccess booleanrequired

    If true, the resource rule evaluating the context will return Access Denied.

    name stringrequired

    The name of this transaction context.

    riskLimit int32required

    The risk points apply if the accumulated risk of the configured transaction rules is above this value.

    riskPoint int32required

    Possible values: <= 100

    The number of risk points that apply if this context applies.

    transactionRuleRisks

    object[]

    required

    The transaction rules associated with this context.

  • Array [

  • riskScore int32required

    Possible values: >= 1 and <= 100

    The risk score that applies if this transaction rule is triggered.

    transactionRuleId stringrequired

    The id of the transaction rule associated with this risk definition.

  • ]

  • ]
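The transactionContexts, lowRiskThreshold, mediumRiskThreshold and strictAccess descriptions above describe how a resource rule turns triggered transaction rules into risk points, a risk level and an access decision. The following is an added worked example, not code from the IDaaS product or this API: a small evaluator built from the documented field names. It assumes the scoring arithmetic (sum the riskScore of the triggered rules, compare the sum to riskLimit, then add riskPoint or deny), that risk points are capped at 100, and that non-strict rules combine as "allow if any rule allows"; the sample rules and rule ids are constructed for illustration.

```python
"""Toy resource-rule evaluator (added illustration, not IDaaS product code).

Field names follow the schema on this page; the arithmetic and the way several
rules are combined are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class TransactionRuleRisk:
    transactionRuleId: str
    riskScore: int  # documented range: >= 1 and <= 100

    def __post_init__(self):
        if not 1 <= self.riskScore <= 100:
            raise ValueError(f"riskScore out of range: {self.riskScore}")


@dataclass
class TransactionContext:
    name: str
    riskLimit: int        # context applies when accumulated rule risk is above this
    riskPoint: int        # points added when the context applies (<= 100)
    denyAccess: bool      # if true, the rule returns Access Denied instead of adding points
    transactionRuleRisks: List[TransactionRuleRisk] = field(default_factory=list)


@dataclass
class ResourceRule:
    name: str
    lowRiskThreshold: int
    mediumRiskThreshold: int
    strictAccess: bool
    transactionContexts: List[TransactionContext] = field(default_factory=list)

    def __post_init__(self):
        # Documented constraint: a maximum of two transaction contexts are allowed.
        if len(self.transactionContexts) > 2:
            raise ValueError("at most two transactionContexts are allowed")


@dataclass
class RuleVerdict:
    risk_points: int
    level: str
    denied: bool
    applied_contexts: List[str]


def risk_level(score: int, low_threshold: int, medium_threshold: int) -> str:
    """Documented banding: below lowRiskThreshold is Low, below mediumRiskThreshold
    is Medium, equal to or greater than mediumRiskThreshold is High."""
    if score < low_threshold:
        return "LOW"
    if score < medium_threshold:
        return "MEDIUM"
    return "HIGH"


def evaluate_rule(rule: ResourceRule, triggered_rule_ids: Set[str]) -> RuleVerdict:
    """Apply each transaction context: sum the riskScore of the triggered rules it
    references; if the sum is above riskLimit the context applies and either denies
    access or contributes riskPoint (assumed to be summed and capped at 100)."""
    points = 0
    denied = False
    applied: List[str] = []
    for ctx in rule.transactionContexts:
        accumulated = sum(r.riskScore for r in ctx.transactionRuleRisks
                          if r.transactionRuleId in triggered_rule_ids)
        if accumulated > ctx.riskLimit:
            applied.append(ctx.name)
            if ctx.denyAccess:
                denied = True
            else:
                points = min(100, points + ctx.riskPoint)
    level = risk_level(points, rule.lowRiskThreshold, rule.mediumRiskThreshold)
    return RuleVerdict(points, level, denied, applied)


def combine_access(rules: Iterable[ResourceRule], verdicts: Iterable[RuleVerdict]) -> bool:
    """Documented strictAccess semantics: a strict rule that denies wins even if other
    rules allow. Assumed otherwise: access is granted if at least one rule does not deny."""
    pairs = list(zip(rules, verdicts))
    if any(r.strictAccess and v.denied for r, v in pairs):
        return False
    return any(not v.denied for _, v in pairs)


def sample_rules() -> List[ResourceRule]:
    """Constructed sample data (ids and names are illustrative, not real)."""
    transfers = ResourceRule(
        name="Transfers", lowRiskThreshold=30, mediumRiskThreshold=70, strictAccess=True,
        transactionContexts=[
            TransactionContext("Large transfer", riskLimit=50, riskPoint=40, denyAccess=False,
                               transactionRuleRisks=[TransactionRuleRisk("rule-large-transfer", 60),
                                                     TransactionRuleRisk("rule-new-payee", 30)]),
            TransactionContext("Blocked region", riskLimit=0, riskPoint=0, denyAccess=True,
                               transactionRuleRisks=[TransactionRuleRisk("rule-blocked-region", 100)]),
        ])
    fallback = ResourceRule(name="Fallback", lowRiskThreshold=30, mediumRiskThreshold=70,
                            strictAccess=False)
    return [transfers, fallback]


if __name__ == "__main__":
    rules = sample_rules()
    for triggered in ({"rule-large-transfer"}, {"rule-blocked-region"}, set()):
        verdicts = [evaluate_rule(r, triggered) for r in rules]
        print(sorted(triggered), verdicts[0], "access:", combine_access(rules, verdicts))
```

Run stand-alone it prints one verdict per scenario: one triggered rule with riskScore 60 exceeds the riskLimit of 50 and yields 40 points (Medium under thresholds 30/70), a triggered rule in the deny context produces Access Denied from the strict rule regardless of the fallback rule, and no triggered rules leave the score at 0 (Low).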

  • travelVelocityContext

    object

    Travel velocity checks to see if the time between authentications at different locations means the user has traveled faster than a given velocity. If the velocity is exceeded, risk applies.

    denyAccess booleanrequired

    If true, the resource rule evaluating the context will return Access Denied.

    riskPoint int32required

    Possible values: <= 100

    The number of risk points that apply if this context applies.
