Get all resource rules for a resource
GET /api/web/v2/resourcerules/resource/:id
Get all resource rules for the specified resource. Caller requires the CONTEXTRULES:VIEW permission.
Request
Path Parameters
id: The UUID of the resource whose resource rules are to be returned.
Responses
- 200
- 400
- 401
- 403
- 404
- 409
Successful
- application/json
Schema
Possible values: [1, 2]
The resource rules API version used to create or last update this resource rule. If the resource rule is at version 2, then it cannot be updated using a version 1 API.
dateTimeContext
object
The DateTimeContext context specifies an allowed or disallowed date or time range. Only one of a date range or a time range can be specified. Risk is applied to the authentication if the current time is outside an allowed range or inside a disallowed range. A date range specifies a start and end date, for example 2019/01/01 to 2019/03/01. A time range specifies a start and end time and the days of the week, for example Monday to Friday, 8am to 5pm.
If true, the startDateTime and endDateTime define the allowed range. If false, the startDateTime and endDateTime define the denied range.
If true, the startTime and endTime define the allowed time range. If false, the startTime and endTime define the denied time range.
If true, the resource rule evaluating the context will return Access Denied.
If specifying a date range, the end date of the range.
If specifying a time range, the end time of the range. The value should be of the form hh:mm:ss.
Possible values: <= 100
The number of risk points that apply if this context applies.
If specifying a date range, the start date of the range.
If specifying a time range, the start time of the range. The value should be of the form hh:mm:ss.
Possible values: [Mon, Tue, Wed, Thu, Fri, Sat, Sun]
If specifying a time range, the days of the week to which the time range will apply.
zoneId
object
The timezone offset in which dates and times are considered. For example, a value like -05:00 to specify EST. Set the timezone value if you want to allow times 8am to 5pm in the customer's time zone and not the time zone of the service. If not specified, the default is Z for UTC.
rules
object
transitionRules
object[]
Possible values: [MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY]
Possible values: [JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER]
offsetAfter
object
offsetBefore
object
standardOffset
object
Possible values: [UTC, WALL, STANDARD]
transitions
object[]
duration
object
units
object[]
offsetAfter
object
offsetBefore
object
The description of the resource rule.
deviceCertificateContext
object
Device Certificate checks to see if the user presented a trusted device certificate that's valid. If not found, risk is applied.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
A flag indicating if single sign-on is disabled for this resource rule.
A flag indicating if this resource rule is enabled or not. Only enabled resource rules are considered during authentication.
groups
object[]
required
The groups associated with this resource rule. The resource rule only applies to users in one of the specified groups. A resource rule must specify at least one group which can be the default All Groups if you want the resource rule to apply to all users.
When the group was created.
The externalId of this group.
The UUID of this group. This value is generated when the group is created.
When the group was last modified.
The name of this group.
Possible values: [LDAP_AD, MGMT_UI]
The type of group indicating if this group was synchronized from a directory (LDAP_AD) or was created in Identity as a Service (MGMT_UI).
highRiskAuthenticationFlow
object
An AuthenticationFlow defines the authentication options available for a given risk level.
applications
object[]
List of applications using this authentication flow.
The UUID of the application.
The name of the application.
resourceRules
object[]
required
List of resource rules associated to this application.
The unique UUID assigned to the resource rule when it is created.
The name of the resource rule.
The unique UUID assigned to the authentication flow when it is created.
A flag indicating if the authentication flow will be using only domain-based IDPs.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the OIDC identity provider Login flow is enabled and requires a second factor.
loginFlows
object[]
required
List of login flows.
Whether the login flow is enabled or not.
Possible values: [USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN]
Identifies the login flow type.
The name of the authentication flow.
oidcIdentityProviders
object[]
The OIDC identity providers supported when the IDP login flow is enabled; only limited information is returned.
The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.
The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.
A flag indicating if the external OIDC identity provider can be used for user authentication.
The authorization endpoint for the external OIDC identity provider.
The URI of the logo to display on the login button for this external OIDC identity provider.
The unique text to display on the login button for this external OIDC identity provider.
Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]
The client authentication method to use with the external OIDC identity provider.
The client identifier provided by the external OIDC identity provider.
The client secret provided by the external OIDC identity provider. Currently this value is not returned.
A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
The space separated list of domains associated with the external OIDC identity provider for use with user authentication.
The values of user fields that need to be set on the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.
The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.
The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
The UUID of the external OIDC identity provider.
The space separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request.
The issuer URI for the external OIDC identity provider.
The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.
Possible values: >= -1 and <= 2592000
The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.
The unique name of the external OIDC identity provider.
The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.
A flag indicating if the user information endpoint of the external OIDC identity provider should be signed and verified.
The revocation endpoint for the external OIDC identity provider.
The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.
The token endpoint for the external OIDC identity provider.
Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]
The type of the external OIDC identity provider. Once created, this value cannot be updated.
A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.
The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
userAttributeMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when it is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true.
The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.
The UUID of the OIDC identity provider attribute mapping.
The UUID of the OIDC identity provider the attribute mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.
userAuthMatchMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true.
The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.
The UUID of the OIDC identity provider user authentication match mapping.
The UUID of the OIDC identity provider the user authentication match mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.
The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
userVerMatchMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true.
The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.
The UUID of the OIDC identity provider user verification match mapping.
The UUID of the OIDC identity provider the user verification match mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.
The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.
The user information endpoint for the external OIDC identity provider.
A flag indicating if the external OIDC identity provider can be used for user verification.
A flag indicating if the authentication flow can be modified or deleted.
Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]
The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the User Login flow is enabled.
A flag indicating if Smart Login is enabled for High risk. This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]
The authenticator type to use in the first step of a two-step authentication scenario when the risk score is High. This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the risk score is High. This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.
The unique UUID assigned to the resource rule when it is created.
ipContext
object
The IP context specifies allowed or denied IP address ranges or lists. Risk is applied to the authentication if the current IP address does not match an allowed IP address range/list or does match a denied IP address range/list.
The UUID of an existing IP List that defines IPs that can access the resource. Risk applies if the given IP address is not found in the IP List. If specified, the allowed IP List takes precedence over the denied IP List.
List of IP Address ranges (in CIDR notation) that are allowed to access the resource. Risk applies if the given IP address is not in one of the allowed IP ranges. If specified, the allowed IP values take precedence over the denied IP values.
The UUID of an existing IP List that defines IPs that cannot access the resource. Risk applies if the given IP address is found in the IP List. The denied IP List is ignored if an allowed IP List is specified.
List of IP Address ranges (in CIDR notation) that cannot access the resource. Risk applies if the given IP address is in one of the denied IP ranges. The denied IP values are ignored if allowed IP ranges are specified.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
Possible values: [CUSTOM, IPLIST]
The type of IpContext. If not specified, this value defaults to CUSTOM.
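The following is an added example, not code from the API or its documentation, that implements the ipContext precedence described above: when an allowed range or IP List is configured, risk applies only to addresses outside it and any denied configuration is ignored; otherwise risk applies to addresses inside a denied range or IP List. The property names (allowedIps, deniedIps, allowedIpListId, deniedIpListId, riskPoints, denyAccess), the IP_LISTS lookup table and its UUID are constructed placeholders, not the API's real names or values.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the tenant's managed IP Lists, keyed by the list UUID
# that an IPLIST-type context references. The UUID below is a placeholder.
IP_LISTS: Dict[str, List[str]] = {
    "00000000-0000-0000-0000-00000000aaaa": ["203.0.113.0/24", "2001:db8::/32"],
}


def _ip_in_ranges(ip: str, cidrs: List[str]) -> bool:
    """True if ip falls inside any of the CIDR ranges (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)   # tolerate host bits in the config
        if addr.version == net.version and addr in net:
            return True
    return False


def _resolve_ranges(ctx: dict) -> Tuple[List[str], List[str]]:
    """Return (allowed, denied) CIDR lists for a CUSTOM (default) or IPLIST context.

    An IPLIST context that names an unknown list UUID raises KeyError: a
    misconfigured rule should fail loudly rather than silently contribute nothing.
    """
    if ctx.get("type", "CUSTOM") == "IPLIST":
        allowed = IP_LISTS[ctx["allowedIpListId"]] if ctx.get("allowedIpListId") else []
        denied = IP_LISTS[ctx["deniedIpListId"]] if ctx.get("deniedIpListId") else []
    else:
        allowed = ctx.get("allowedIps") or []
        denied = ctx.get("deniedIps") or []
    return allowed, denied


def evaluate_ip_context(ctx: dict, client_ip: str) -> dict:
    """Return the risk points this context contributes for client_ip and whether it denies access."""
    allowed, denied = _resolve_ranges(ctx)
    if allowed:
        # Allowed ranges take precedence: the denied configuration is ignored entirely.
        applies = not _ip_in_ranges(client_ip, allowed)
    elif denied:
        applies = _ip_in_ranges(client_ip, denied)
    else:
        applies = False   # nothing configured, so the context contributes no risk
    if not applies:
        return {"risk_points": 0, "deny": False}
    return {"risk_points": ctx.get("riskPoints", 0), "deny": bool(ctx.get("denyAccess"))}


# Constructed sample: CUSTOM context with both lists; the denied /16 is ignored
# because an allowed range is present.
CORP_ONLY = {
    "type": "CUSTOM",
    "allowedIps": ["10.0.0.0/8"],
    "deniedIps": ["10.1.0.0/16"],
    "riskPoints": 60,
    "denyAccess": False,
}

# Constructed sample: CUSTOM context with only a denied range that hard-denies on match.
DENY_RANGE = {
    "type": "CUSTOM",
    "deniedIps": ["198.51.100.0/24"],
    "riskPoints": 30,
    "denyAccess": True,
}

# Constructed sample: IPLIST context whose allowed ranges come from a managed IP List.
PARTNER_LIST = {
    "type": "IPLIST",
    "allowedIpListId": "00000000-0000-0000-0000-00000000aaaa",
    "riskPoints": 50,
    "denyAccess": False,
}

if __name__ == "__main__":
    print(evaluate_ip_context(CORP_ONLY, "10.1.2.3"))        # allowed wins over denied
    print(evaluate_ip_context(DENY_RANGE, "198.51.100.7"))   # inside denied range
    print(evaluate_ip_context(PARTNER_LIST, "203.0.114.9"))  # outside the IP List
```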
kbaContext
object
The KBA context allows the settings for knowledge-based authentication to be overridden for a particular resource rule. For example, a different challenge size can be specified.
Number of questions that the user must answer. If not provided, the default QA challenge size in the KBA settings is used.
If true, the resource rule evaluating the context will return Access Denied.
Number of questions that the user could answer incorrectly and still be considered a valid response. If not provided, the default wrong answers allowed in the KBA settings is used.
locationContext
object
The location context specifies allowed or denied country codes. Risk is applied to the authentication if the location of the current IP address does not match an allowed country or matches a disallowed country.
If true, the list of countries defines allowed countries. If false, the list of countries defines denied countries.
If true, anonymous/TOR IP addresses are allowed. If false, anonymous/TOR IP addresses are denied.
List of country codes (ISO alpha-2) that can access the resource (allowed=true) or cannot access it (allowed=false).
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
locationHistoryContext
object
Location history checks to see if the location of the current IP address matches a location from a previous authentication. If the current location does not match history, risk is applied.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
lowRiskAuthenticationFlow
object
An AuthenticationFlow defines the authentication options available for a given risk level.
applications
object[]
List of applications using this authentication flow.
The UUID of the application.
The name of the application.
resourceRules
object[]
required
List of resource rules associated to this application.
The unique UUID assigned to the resource rule when it is created.
The name of the resource rule.
The unique UUID assigned to the authentication flow when it is created.
A flag indicating if the authentication flow will be using only domain-based IDPs.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the OIDC identity provider Login flow is enabled and requires a second factor.
loginFlows
object[]
required
List of login flows.
Whether the login flow is enabled or not.
Possible values: [USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN]
Identifies the login flow type.
The name of the authentication flow.
oidcIdentityProviders
object[]
The OIDC identity providers supported when the IDP login flow is enabled; only limited information is returned.
The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.
The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.
A flag indicating if the external OIDC identity provider can be used for user authentication.
The authorization endpoint for the external OIDC identity provider.
The URI of the logo to display on the login button for this external OIDC identity provider.
The unique text to display on the login button for this external OIDC identity provider.
Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]
The client authentication method to use with the external OIDC identity provider.
The client identifier provided by the external OIDC identity provider.
The client secret provided by the external OIDC identity provider. Currently this value is not returned.
A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
The space separated list of domains associated with the external OIDC identity provider for use with user authentication.
The values of user fields that need to be set on the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.
The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.
The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
The UUID of the external OIDC identity provider.
The space separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request.
The issuer URI for the external OIDC identity provider.
The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.
Possible values: >= -1 and <= 2592000
The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.
The unique name of the external OIDC identity provider.
The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.
A flag indicating if the user information endpoint of the external OIDC identity provider should be signed and verified.
The revocation endpoint for the external OIDC identity provider.
The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.
The token endpoint for the external OIDC identity provider.
Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]
The type of the external OIDC identity provider. Once created, this value cannot be updated.
A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.
The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
userAttributeMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when it is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true.
The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.
The UUID of the OIDC identity provider attribute mapping.
The UUID of the OIDC identity provider the attribute mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.
userAuthMatchMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true.
The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.
The UUID of the OIDC identity provider user authentication match mapping.
The UUID of the OIDC identity provider the user authentication match mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.
The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
userVerMatchMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true.
The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.
The UUID of the OIDC identity provider user verification match mapping.
The UUID of the OIDC identity provider the user verification match mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.
The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.
The user information endpoint for the external OIDC identity provider.
A flag indicating if the external OIDC identity provider can be used for user verification.
A flag indicating if the authentication flow can be modified or deleted.
Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]
The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the User Login flow is enabled.
A flag indicating if Smart Login is enabled for Low risk. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]
The authenticator type to use in the first step of a two-step authentication scenario when the risk score is Low. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the risk score is Low. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.
Possible values: <= 100
Risk scores below this value are considered Low risk.
machineContext
object
Represents a Machine Authenticator authentication context. When defined, a Machine Authentication authenticator is expected in the authentication request. Risk will apply if the machine authentication authenticator is not present or if the risk for the machine authentication authenticator is greater than the risk limit defined for the Machine context.
If true, the resource rule evaluating the context will return Access Denied.
The risk points apply if the machine authenticator risk is below or equal to this value.
Possible values: <= 100
The number of risk points that apply if this context applies.
mediumRiskAuthenticationFlow
object
An AuthenticationFlow defines the authentication options available for a given risk level.
applications
object[]
List of applications using this authentication flow.
The UUID of the application.
The name of the application.
resourceRules
object[]
required
List of resource rules associated to this application.
The unique UUID assigned to the resource rule when it is created.
The name of the resource rule.
The unique UUID assigned to the authentication flow when it is created.
A flag indicating if the authentication flow will be using only domain-based IDPs.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the OIDC identity provider Login flow is enabled and requires a second factor.
loginFlows
object[]
required
List of login flows.
Whether the login flow is enabled or not.
Possible values: [USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN]
Identifies the login flow type.
The name of the authentication flow.
oidcIdentityProviders
object[]
The OIDC identity providers supported when the IDP login flow is enabled; only limited information is returned.
The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.
The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.
A flag indicating if the external OIDC identity provider can be used for user authentication.
The authorization endpoint for the external OIDC identity provider.
The URI of the logo to display on the login button for this external OIDC identity provider.
The unique text to display on the login button for this external OIDC identity provider.
Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]
The client authentication method to use with the external OIDC identity provider.
The client identifier provided by the external OIDC identity provider.
The client secret provided by the external OIDC identity provider. Currently this value is not returned.
A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
The space separated list of domains associated with the external OIDC identity provider for use with user authentication.
The value of the user fields that need to be set for the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.
The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.
The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
The UUID of the external OIDC identity provider.
The space separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request.
The issuer URI for the external OIDC identity provider.
The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.
Possible values: >= -1 and <= 2592000
The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.
The unique name of the external OIDC identity provider.
The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.
A flag indicating if the user information endpoint of the external OIDC identity provider should be signed and verified.
The revocation endpoint for the external OIDC identity provider.
The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true.
The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.
The token endpoint for the external OIDC identity provider.
Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]
The type of the external OIDC identity provider. Once created, this value cannot be updated.
A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.
The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
userAttributeMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when it is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true.
The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.
The UUID of the OIDC identity provider attribute mapping.
The UUID of the OIDC identity provider the attribute mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.
userAuthMatchMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true.
The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.
The UUID of the OIDC identity provider user authentication match mapping.
The UUID of the OIDC identity provider the user authentication match mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.
The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
userVerMatchMappings
object[]
The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true.
The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.
The UUID of the OIDC identity provider user verification match mapping.
The UUID of the OIDC identity provider the user verification match mapping belongs to.
userAttribute
object
Information about user attribute definitions.
The UUID for this user attribute. Generated when the user attribute is created.
A flag indicating if users must have a value for this user attribute.
The name of this user attribute.
A flag indicating if this user attribute is one of the system defined user attributes.
Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]
Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.
A flag indicating if this attribute is intended to be unique.
The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.
The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.
The user information endpoint for the external OIDC identity provider.
A flag indicating if the external OIDC identity provider can be used for user verification.
A flag indicating if the authentication flow can be modified or deleted.
Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]
The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the User Login flow is enabled.
A flag indicating if Smart Login is enabled for Medium risk. This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY]
The authenticator type to use in the first step of a two-step authentication scenario when the risk score is Medium. This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE]
The authenticator type to use in the second step of a two-step authentication scenario when the risk score is Medium. This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.
Possible values: <= 100
Risk scores below this value are considered Medium risk. Risk scores equal to or greater than this value are considered High risk.
The name of the resource rule.
The UUID of the resource to which this resource rule is assigned.
The name of the resource to which this resource rule is assigned.
riskEngineContexts
object[]
If risk engine rules are defined, the transaction contexts specify the levels at which risk is applied to the authentication request if the corresponding risk engine rules trigger risk.
If true, the resource rule evaluating the context will return Access Denied.
The name of this transaction context.
The risk points apply if the accumulated risk of the configured transaction rules is above this value.
Possible values: <= 100
The number of risk points that apply if this context applies.
transactionRuleRisks
object[]
required
The transaction rules associated with this context.
Possible values: >= 1 and <= 100
The risk score that applies if this transaction rule is triggered.
The id of the transaction rule associated with this risk definition.
A flag indicating if the second factor can be skipped if the user does not exist and the first factor is EXTERNAL.
A flag indicating if this resource rule enforces strict access. Strict access means that if this rule denies access, the user is denied access even if other resource rules allow access.
A flag indicating if this resource rule is associated with a system resource, including the Admin and User portals. A resource rule for a system resource cannot be deleted. Such a rule can only be disabled if there is at least one enabled resource rule for the resource.
transactionContexts
object[]
If transaction details are specified during an authentication request, the transaction contexts specify the levels at which risk is applied to the authentication request if the corresponding transaction rules trigger risk. A maximum of two are allowed.
If true, the resource rule evaluating the context will return Access Denied.
The name of this transaction context.
The risk points apply if the accumulated risk of the configured transaction rules is above this value.
Possible values: <= 100
The number of risk points that apply if this context applies.
transactionRuleRisks
object[]
required
The transaction rules associated with this context.
Possible values: >= 1 and <= 100
The risk score that applies if this transaction rule is triggered.
The id of the transaction rule associated with this risk definition.
travelVelocityContext
object
Travel velocity checks to see if the time between authentications at different locations means the user has traveled faster than a given velocity. If the velocity is exceeded, risk applies.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
[
{
"apiVersion": 1,
"dateTimeContext": {
"allowedDateTime": true,
"allowedTime": true,
"denyAccess": true,
"endDateTime": "2019-02-19T13:15:27Z",
"endTime": "17:00:00",
"riskPoint": 0,
"startDateTime": "2019-02-19T13:15:27Z",
"startTime": "08:00:00",
"weekDays": [
"Mon"
],
"zoneId": {
"id": "string",
"rules": {
"fixedOffset": true,
"transitionRules": [
{
"dayOfMonthIndicator": 0,
"dayOfWeek": "MONDAY",
"localTime": "string",
"midnightEndOfDay": true,
"month": "JANUARY",
"offsetAfter": {
"id": "string",
"totalSeconds": 0
},
"offsetBefore": {
"id": "string",
"totalSeconds": 0
},
"standardOffset": {
"id": "string",
"totalSeconds": 0
},
"timeDefinition": "UTC"
}
],
"transitions": [
{
"dateTimeAfter": "2019-02-19T13:15:27Z",
"dateTimeBefore": "2019-02-19T13:15:27Z",
"duration": {
"nano": 0,
"negative": true,
"positive": true,
"seconds": 0,
"units": [
{
"dateBased": true,
"durationEstimated": true,
"timeBased": true
}
],
"zero": true
},
"gap": true,
"instant": "2019-02-19T13:15:27Z",
"offsetAfter": {
"id": "string",
"totalSeconds": 0
},
"offsetBefore": {
"id": "string",
"totalSeconds": 0
},
"overlap": true
}
]
}
}
},
"description": "string",
"deviceCertificateContext": {
"denyAccess": true,
"riskPoint": 0
},
"disableSSO": true,
"enabled": true,
"groups": [
{
"created": "2019-02-19T13:15:27Z",
"externalId": "string",
"id": "string",
"lastModified": "2019-02-19T13:15:27Z",
"name": "string",
"type": "MGMT_UI"
}
],
"highRiskAuthenticationFlow": {
"applications": [
{
"id": "string",
"name": "string",
"resourceRules": [
{
"id": "string",
"name": "string"
}
]
}
],
"id": "string",
"idpDomainBased": true,
"idpLoginSecondStep": [
"NONE"
],
"loginFlows": [
{
"enabled": true,
"loginFlowType": "USER_LOGIN"
}
],
"name": "string",
"oidcIdentityProviders": [
{
"acrValues": "level1 level2",
"amrValues": "level1 level2",
"authenticationEnabled": true,
"authorizationEndpoint": "https://account.mycompany.com/oauth/authorize",
"buttonImage": "https://account.mycompany.com/images/logo.png",
"buttonText": "Sign in With MyCompany Co.",
"clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
"clientId": "client123",
"clientSecret": "cl1en7S3cr3t!",
"createUser": true,
"domains": "test.com sample.com",
"fields": "email,name,first_name,last_name",
"groupIds": [
"string"
],
"groupMapping": "string",
"id": "6784549d-433c-44ea-a42f-4701458dg245",
"idTokenClaims": "groups upn",
"issuer": "https://accounts.mycompany.com",
"jwksUri": "https://account.mycompany.com/oauth/discovery/keys",
"maxAge": 300,
"name": "MyCompany Co.",
"organizationIds": [
"string"
],
"requireUserinfoSignature": true,
"revocationEndpoint": "https://account.mycompany.com/oauth/revoke",
"roleMapping": "string",
"scopes": "openid email",
"tokenEndpoint": "https://account.mycompany.com/oauth/token",
"type": "FACEBOOK",
"updateUser": true,
"updateUserVerification": true,
"userAttributeId": "string",
"userAttributeMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userAuthMatchMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userClaim": "string",
"userVerMatchMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userinfoClaims": "groups upn",
"userinfoEndpoint": "https://account.mycompany.com/oauth/userinfo",
"verificationEnabled": true
}
],
"readOnly": true,
"userLoginFirstStep": "NONE",
"userLoginSecondStep": [
"NONE"
]
},
"id": "string",
"ipContext": {
"allowedIpList": "string",
"allowedIpRanges": [
"string"
],
"deniedIpList": "string",
"deniedIpRanges": [
"string"
],
"denyAccess": true,
"riskPoint": 0,
"type": "CUSTOM"
},
"kbaContext": {
"challengeSize": 0,
"denyAccess": true,
"wrongAnswersAllowed": 0
},
"locationContext": {
"allowed": true,
"anonymousAllowed": true,
"countryCodes": [
"string"
],
"denyAccess": true,
"riskPoint": 0
},
"locationHistoryContext": {
"denyAccess": true,
"riskPoint": 0
},
"lowRiskAuthenticationFlow": {
"applications": [
{
"id": "string",
"name": "string",
"resourceRules": [
{
"id": "string",
"name": "string"
}
]
}
],
"id": "string",
"idpDomainBased": true,
"idpLoginSecondStep": [
"NONE"
],
"loginFlows": [
{
"enabled": true,
"loginFlowType": "USER_LOGIN"
}
],
"name": "string",
"oidcIdentityProviders": [
{
"acrValues": "level1 level2",
"amrValues": "level1 level2",
"authenticationEnabled": true,
"authorizationEndpoint": "https://account.mycompany.com/oauth/authorize",
"buttonImage": "https://account.mycompany.com/images/logo.png",
"buttonText": "Sign in With MyCompany Co.",
"clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
"clientId": "client123",
"clientSecret": "cl1en7S3cr3t!",
"createUser": true,
"domains": "test.com sample.com",
"fields": "email,name,first_name,last_name",
"groupIds": [
"string"
],
"groupMapping": "string",
"id": "6784549d-433c-44ea-a42f-4701458dg245",
"idTokenClaims": "groups upn",
"issuer": "https://accounts.mycompany.com",
"jwksUri": "https://account.mycompany.com/oauth/discovery/keys",
"maxAge": 300,
"name": "MyCompany Co.",
"organizationIds": [
"string"
],
"requireUserinfoSignature": true,
"revocationEndpoint": "https://account.mycompany.com/oauth/revoke",
"roleMapping": "string",
"scopes": "openid email",
"tokenEndpoint": "https://account.mycompany.com/oauth/token",
"type": "FACEBOOK",
"updateUser": true,
"updateUserVerification": true,
"userAttributeId": "string",
"userAttributeMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userAuthMatchMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userClaim": "string",
"userVerMatchMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userinfoClaims": "groups upn",
"userinfoEndpoint": "https://account.mycompany.com/oauth/userinfo",
"verificationEnabled": true
}
],
"readOnly": true,
"userLoginFirstStep": "NONE",
"userLoginSecondStep": [
"NONE"
]
},
"lowRiskThreshold": 0,
"machineContext": {
"denyAccess": true,
"riskLimit": 0,
"riskPoint": 0
},
"mediumRiskAuthenticationFlow": {
"applications": [
{
"id": "string",
"name": "string",
"resourceRules": [
{
"id": "string",
"name": "string"
}
]
}
],
"id": "string",
"idpDomainBased": true,
"idpLoginSecondStep": [
"NONE"
],
"loginFlows": [
{
"enabled": true,
"loginFlowType": "USER_LOGIN"
}
],
"name": "string",
"oidcIdentityProviders": [
{
"acrValues": "level1 level2",
"amrValues": "level1 level2",
"authenticationEnabled": true,
"authorizationEndpoint": "https://account.mycompany.com/oauth/authorize",
"buttonImage": "https://account.mycompany.com/images/logo.png",
"buttonText": "Sign in With MyCompany Co.",
"clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
"clientId": "client123",
"clientSecret": "cl1en7S3cr3t!",
"createUser": true,
"domains": "test.com sample.com",
"fields": "email,name,first_name,last_name",
"groupIds": [
"string"
],
"groupMapping": "string",
"id": "6784549d-433c-44ea-a42f-4701458dg245",
"idTokenClaims": "groups upn",
"issuer": "https://accounts.mycompany.com",
"jwksUri": "https://account.mycompany.com/oauth/discovery/keys",
"maxAge": 300,
"name": "MyCompany Co.",
"organizationIds": [
"string"
],
"requireUserinfoSignature": true,
"revocationEndpoint": "https://account.mycompany.com/oauth/revoke",
"roleMapping": "string",
"scopes": "openid email",
"tokenEndpoint": "https://account.mycompany.com/oauth/token",
"type": "FACEBOOK",
"updateUser": true,
"updateUserVerification": true,
"userAttributeId": "string",
"userAttributeMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userAuthMatchMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userClaim": "string",
"userVerMatchMappings": [
{
"claim": "email",
"id": "6781549d-433c-44ea-a42f-4705c26f3245",
"oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
"userAttribute": {
"id": "string",
"mandatory": true,
"name": "string",
"systemDefined": true,
"type": "OTP_EMAIL",
"unique": true
},
"userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
}
],
"userinfoClaims": "groups upn",
"userinfoEndpoint": "https://account.mycompany.com/oauth/userinfo",
"verificationEnabled": true
}
],
"readOnly": true,
"userLoginFirstStep": "NONE",
"userLoginSecondStep": [
"NONE"
]
},
"mediumRiskThreshold": 0,
"name": "string",
"resourceId": "string",
"resourceName": "string",
"riskEngineContexts": [
{
"denyAccess": true,
"name": "string",
"riskLimit": 0,
"riskPoint": 0,
"transactionRuleRisks": [
{
"riskScore": 0,
"transactionRuleId": "string"
}
]
}
],
"skipSecondFactorIfUserNotExist": true,
"strictAccess": true,
"systemResourceContext": true,
"transactionContexts": [
{
"denyAccess": true,
"name": "string",
"riskLimit": 0,
"riskPoint": 0,
"transactionRuleRisks": [
{
"riskScore": 0,
"transactionRuleId": "string"
}
]
}
],
"travelVelocityContext": {
"denyAccess": true,
"riskPoint": 0
}
}
]
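The context and threshold semantics described in the schema above (transactionContexts and riskEngineContexts with their riskLimit, riskPoint and denyAccess fields, the lowRiskThreshold and mediumRiskThreshold boundaries, and strictAccess across several rules) carried through as a small evaluator. This is an added example, not code from the IDaaS API or its documentation; the sample rule, the transaction rule ids and scores, and the way non-strict rules are combined are assumptions.

```python
"""Evaluate a resource rule's risk contexts as the field descriptions define
them and classify the result against the rule's thresholds.  Added illustration
only: not the IDaaS evaluation engine; all sample data below is constructed."""
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Decision:
    """Outcome of evaluating one resource rule for one authentication."""
    rule_name: str
    strict: bool
    denied: bool
    risk_points: int
    level: str                      # "LOW", "MEDIUM" or "HIGH"
    notes: list = field(default_factory=list)


def classify(risk: int, rule: dict) -> str:
    """Scores below lowRiskThreshold are Low, scores below mediumRiskThreshold
    are Medium, and scores equal to or greater than it are High."""
    if risk < rule["lowRiskThreshold"]:
        return "LOW"
    if risk < rule["mediumRiskThreshold"]:
        return "MEDIUM"
    return "HIGH"


def evaluate_contexts(contexts: list, triggered: set, notes: list) -> tuple:
    """Apply transactionContexts or riskEngineContexts (same shape).

    The accumulated risk of a context is the sum of riskScore over its
    transactionRuleRisks whose transactionRuleId actually triggered.  When that
    sum is above riskLimit the context applies: it either denies access
    (denyAccess) or contributes riskPoint.  Returns (points_added, denied)."""
    points, denied = 0, False
    for ctx in contexts:
        accumulated = sum(r["riskScore"] for r in ctx["transactionRuleRisks"]
                          if r["transactionRuleId"] in triggered)
        if accumulated <= ctx["riskLimit"]:
            continue
        if ctx["denyAccess"]:
            denied = True
            notes.append(f"{ctx['name']}: {accumulated} > {ctx['riskLimit']}, deny")
        else:
            points += ctx["riskPoint"]
            notes.append(f"{ctx['name']}: {accumulated} > {ctx['riskLimit']}, "
                         f"+{ctx['riskPoint']} risk points")
    return points, denied


def evaluate_rule(rule: dict, triggered: Iterable[str]) -> Decision:
    """Evaluate one resource rule against the ids of the rules that triggered."""
    triggered = set(triggered)
    notes: list = []
    points, denied = 0, False
    for key in ("transactionContexts", "riskEngineContexts"):
        added, deny = evaluate_contexts(rule.get(key, []), triggered, notes)
        points += added
        denied = denied or deny
    return Decision(rule["name"], rule["strictAccess"], denied, points,
                    classify(points, rule), notes)


def access_allowed(decisions: list) -> bool:
    """Combine the rules assigned to one resource.  A strictAccess rule that
    denies wins over any rule that allows.  For non-strict rules this example
    assumes a denial is outweighed by another rule that allows (assumption)."""
    if any(d.strict and d.denied for d in decisions):
        return False
    return any(not d.denied for d in decisions)


# Constructed sample rule in the 200-response shape, limited to the fields
# this evaluator reads; rule ids and scores are placeholders.
SAMPLE_RULE = {
    "name": "payments-portal", "strictAccess": True,
    "lowRiskThreshold": 30, "mediumRiskThreshold": 60,
    "transactionContexts": [
        {"name": "high-value-transfer", "denyAccess": False,
         "riskLimit": 40, "riskPoint": 35,
         "transactionRuleRisks": [
             {"riskScore": 30, "transactionRuleId": "tr-amount-over-10k"},
             {"riskScore": 25, "transactionRuleId": "tr-new-payee"}]},
        {"name": "sanctioned-destination", "denyAccess": True,
         "riskLimit": 0, "riskPoint": 0,
         "transactionRuleRisks": [
             {"riskScore": 100, "transactionRuleId": "tr-blocked-country"}]}],
    "riskEngineContexts": [
        {"name": "anomaly-score", "denyAccess": False,
         "riskLimit": 50, "riskPoint": 30,
         "transactionRuleRisks": [
             {"riskScore": 60, "transactionRuleId": "re-impossible-device"}]}],
}

if __name__ == "__main__":
    for hit in ({"tr-amount-over-10k"}, {"tr-amount-over-10k", "tr-new-payee"},
                {"tr-amount-over-10k", "tr-new-payee", "re-impossible-device"},
                {"tr-blocked-country"}):
        print(sorted(hit), evaluate_rule(SAMPLE_RULE, hit))
```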
Bad Request
- application/json
- Schema
- Example (from schema)
Schema
Error code specific to the cause of the failure.
Additional error message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Access denied
- application/json
- Schema
- Example (from schema)
Schema
Error code specific to the cause of the failure.
Additional error message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Forbidden
- application/json
- Schema
- Example (from schema)
Schema
Error code specific to the cause of the failure.
Additional error message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Not Found
- application/json
- Schema
- Example (from schema)
Schema
Error code specific to the cause of the failure.
Additional error message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Conflict
- application/json
- Schema
- Example (from schema)
Schema
Error code specific to the cause of the failure.
Additional error message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}