Update an authentication flow
PUT /api/web/v2/authenticationflows/:id
Update the specified authentication flow. Caller requires the CONTEXTRULES:EDIT permission.
Request
Path parameters
id (string, required): The UUID of the authentication flow to be modified.
Body (application/json, required)
idpDomainBased (boolean): A flag indicating if the authentication flow will use only domain-based IDPs.
idpLoginSecondStep (string[]): The authenticator types to use in the second step of a two-step authentication scenario when the IDP Login flow is enabled and requires a second factor. Possible values: NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE.
loginFlows (object[], required): List of enabled login flows; at least one must be enabled. A login flow that is not provided is treated as disabled. Enabled login flows must be supported by the account entitlement.
  enabled (boolean): Whether the login flow is enabled or not.
  loginFlowType (string): Identifies the login flow type. Possible values: USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN.
name (string): The name of the authentication flow.
OIDC identity provider UUIDs (string[]): The UUIDs of the OIDC identity providers supported when the IDP login flow is enabled; at least one is required in that case.
userLoginFirstStep (string): The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled. Possible values: NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY.
userLoginSecondStep (string[]): The list of authenticator types to use in the second step of a two-step authentication scenario when the User Login flow is enabled. Use an empty array when none is required. Possible values: NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE.
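Added example, not part of the product's SDK or documentation: a small Python helper that checks a request body against the constraints stated in the descriptions above (at least one enabled login flow, a provider UUID when IDP_LOGIN is enabled, enum membership, arrays for the second-step fields) and assembles the PUT request without sending it. The field names are the ones used in the 200 response example on this page; the request key that carries the OIDC identity provider UUIDs is not shown on the page, so `oidcIdentityProviderIds` is an assumption, as are the Bearer token header and the host name.

```python
"""Pre-validate and assemble PUT /api/web/v2/authenticationflows/:id.
Added example, not the product's SDK. Field names come from this page's
response example; the request key carrying the OIDC identity provider UUIDs
is not shown on the page, so IDP_IDS_FIELD is an assumption, as is the
Bearer token header."""
import uuid

LOGIN_FLOW_TYPES = {"USER_LOGIN", "SMART_LOGIN", "IDP_LOGIN", "PASSKEY_LOGIN",
                    "USER_CERTIFICATE_LOGIN"}
FIRST_STEP = {"NONE", "EXTERNAL", "PASSWORD", "KBA", "OTP", "TOKEN", "TOKENPUSH",
              "SMARTCREDENTIALPUSH", "IDP", "PASSKEY", "SMART_LOGIN",
              "USER_CERTIFICATE", "FACE", "DENY"}
SECOND_STEP = {"NONE", "KBA", "TEMP_ACCESS_CODE", "OTP", "GRID", "TOKEN", "TOKENPUSH",
               "FIDO", "USER_CERTIFICATE", "SMARTCREDENTIALPUSH", "FACE"}
IDP_IDS_FIELD = "oidcIdentityProviderIds"  # ASSUMED key, not shown on the page


def validate_body(body):
    """Return the list of violations of the rules stated in the endpoint
    description; an empty list means the body passes those checks."""
    errors = []
    if not isinstance(body.get("name"), str) or not body["name"].strip():
        errors.append("name: required non-empty string")
    if not isinstance(body.get("idpDomainBased"), bool):
        errors.append("idpDomainBased: must be a boolean")

    flows = body.get("loginFlows")
    if not isinstance(flows, list) or not flows:
        errors.append("loginFlows: required, at least one entry")
        flows = []
    enabled = set()
    for flow in flows:
        kind = flow.get("loginFlowType")
        if kind not in LOGIN_FLOW_TYPES:
            errors.append(f"loginFlows: unknown loginFlowType {kind!r}")
        if not isinstance(flow.get("enabled"), bool):
            errors.append(f"loginFlows[{kind}]: enabled must be a boolean")
        elif flow["enabled"]:
            enabled.add(kind)
    # Flows that are not listed count as disabled, so at least one listed
    # flow has to be enabled or nobody can sign in.
    if flows and not enabled:
        errors.append("loginFlows: at least one login flow must be enabled")

    idp_ids = body.get(IDP_IDS_FIELD) or []
    if "IDP_LOGIN" in enabled and not idp_ids:
        errors.append(f"{IDP_IDS_FIELD}: at least one UUID required when IDP_LOGIN is enabled")
    for value in idp_ids:
        try:
            uuid.UUID(str(value))
        except ValueError:
            errors.append(f"{IDP_IDS_FIELD}: {value!r} is not a UUID")

    if body.get("userLoginFirstStep") not in FIRST_STEP:
        errors.append(f"userLoginFirstStep: invalid value {body.get('userLoginFirstStep')!r}")
    for field in ("userLoginSecondStep", "idpLoginSecondStep"):
        steps = body.get(field)
        if not isinstance(steps, list):
            errors.append(f"{field}: must be an array (empty when no second step)")
            continue
        bad = [s for s in steps if s not in SECOND_STEP]
        if bad:
            errors.append(f"{field}: invalid value(s) {bad}")
    return errors


def build_put_request(base_url, flow_id, body, token):
    """Return the request as a dict (method, url, headers, json) for any HTTP
    client; raises ValueError for a non-UUID path id or an invalid body."""
    flow_id = str(uuid.UUID(flow_id))  # the :id path parameter must be a UUID
    problems = validate_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "PUT",
        "url": f"{base_url.rstrip('/')}/api/web/v2/authenticationflows/{flow_id}",
        "headers": {"Content-Type": "application/json",
                    "Authorization": f"Bearer {token}"},  # assumed auth scheme
        "json": body,
    }


# Constructed sample: password + OTP for User Login, IDP Login with one
# provider (UUID taken from this page's example) and a FIDO second factor.
SAMPLE_BODY = {
    "name": "Workforce SSO",
    "idpDomainBased": True,
    "loginFlows": [
        {"loginFlowType": "USER_LOGIN", "enabled": True},
        {"loginFlowType": "IDP_LOGIN", "enabled": True},
    ],
    IDP_IDS_FIELD: ["6881549d-433c-44ea-a42f-4705c26f3245"],
    "userLoginFirstStep": "PASSWORD",
    "userLoginSecondStep": ["OTP"],
    "idpLoginSecondStep": ["FIDO"],
}

if __name__ == "__main__":
    req = build_put_request("https://idaas.example.com",
                            "6781549d-433c-44ea-a42f-4705c26f3245", SAMPLE_BODY, "<token>")
    print(req["method"], req["url"])
    print(req["json"])
```

The checks mirror only what the descriptions state; they do not know the account entitlement, so a body that passes here can still be rejected by the server (400) if an enabled flow is not licensed.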
Responses
200 Successful (application/json)
Schema:
applications (object[]): List of applications using this authentication flow.
  id (string): The UUID of the application.
  name (string): The name of the application.
  resourceRules (object[], required): List of resource rules associated with this application.
    id (string): The unique UUID assigned to the resource rule when it is created.
    name (string): The name of the resource rule.
id (string): The unique UUID assigned to the authentication flow when it is created.
idpDomainBased (boolean): A flag indicating if the authentication flow will use only domain-based IDPs.
idpLoginSecondStep (string[]): The authenticator types to use in the second step of a two-step authentication scenario when the IDP Login flow is enabled and requires a second factor. Possible values: NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE.
loginFlows (object[], required): List of login flows.
  enabled (boolean): Whether the login flow is enabled or not.
  loginFlowType (string): Identifies the login flow type. Possible values: USER_LOGIN, SMART_LOGIN, IDP_LOGIN, PASSKEY_LOGIN, USER_CERTIFICATE_LOGIN.
name (string): The name of the authentication flow.
oidcIdentityProviders (object[]): The OIDC identity providers supported when the IDP login flow is enabled; limited information is returned.
  acrValues (string): The space-separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.
  amrValues (string): The space-separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.
  authenticationEnabled (boolean): A flag indicating if the external OIDC identity provider can be used for user authentication.
  authorizationEndpoint (string): The authorization endpoint for the external OIDC identity provider.
  buttonImage (string): The URI of the logo to display on the login button for this external OIDC identity provider.
  buttonText (string): The unique text to display on the login button for this external OIDC identity provider.
  clientAuthenticationMethod (string): The client authentication method to use with the external OIDC identity provider. Possible values: CLIENT_SECRET_BASIC, CLIENT_SECRET_POST.
  clientId (string): The client identifier provided by the external OIDC identity provider.
  clientSecret (string): The client secret provided by the external OIDC identity provider. Currently this value is not returned.
  createUser (boolean): A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it does not exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
  domains (string): The space-separated list of domains associated with the external OIDC identity provider for use with user authentication.
  fields (string): The user fields to request from the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.
  groupIds (string[]): The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.
  groupMapping (string): The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateUserVerification is true.
  id (string): The UUID of the external OIDC identity provider.
  idTokenClaims (string): The space-separated list of ID token claims to request as part of the external OIDC identity provider user authentication or user verification request.
  issuer (string): The issuer URI for the external OIDC identity provider.
  jwksUri (string): The JWKS URI endpoint for the external OIDC identity provider, used to verify a token signature.
  maxAge (integer, >= -1 and <= 2592000): The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request.
  name (string): The unique name of the external OIDC identity provider.
  organizationIds (string[]): The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.
  requireUserinfoSignature (boolean): A flag indicating if the response from the user information endpoint of the external OIDC identity provider must be signed and its signature verified.
  revocationEndpoint (string): The revocation endpoint for the external OIDC identity provider.
  roleMapping (string): The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateUserVerification is true.
  scopes (string): The space-separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.
  tokenEndpoint (string): The token endpoint for the external OIDC identity provider.
  type (string): The type of the external OIDC identity provider. Once created, this value cannot be updated. Possible values: FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER.
  updateUser (boolean): A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.
  updateUserVerification (boolean): A flag indicating if the user should be updated after user verification with the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.
  userAttributeId (string): The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
  userAttributeMappings (object[]): The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateUserVerification is true.
    claim (string): The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.
    id (string): The UUID of the OIDC identity provider attribute mapping.
    oidcIdentityProviderId (string): The UUID of the OIDC identity provider the attribute mapping belongs to.
    userAttribute (object): Information about the user attribute definition.
      id (string): The UUID for this user attribute. Generated when the user attribute is created.
      mandatory (boolean): A flag indicating if users must have a value for this user attribute.
      name (string): The name of this user attribute.
      systemDefined (boolean): A flag indicating if this user attribute is one of the system-defined user attributes.
      type (string): Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery. Possible values: NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE.
      unique (boolean): A flag indicating if this attribute is intended to be unique.
    userAttributeId (string): The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.
  userAuthMatchMappings (object[]): The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true. Each entry has the same fields as a userAttributeMappings entry (claim, id, oidcIdentityProviderId, userAttribute, userAttributeId); claim and userAttributeId must be provided when creating or modifying a user authentication match mapping.
  userClaim (string): The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.
  userVerMatchMappings (object[]): The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true. Each entry has the same fields as a userAttributeMappings entry; claim and userAttributeId must be provided when creating or modifying a user verification match mapping.
  userinfoClaims (string): The space-separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.
  userinfoEndpoint (string): The user information endpoint for the external OIDC identity provider.
  verificationEnabled (boolean): A flag indicating if the external OIDC identity provider can be used for user verification.
readOnly (boolean): A flag indicating whether the authentication flow is read-only, that is, cannot be modified or deleted.
userLoginFirstStep (string): The authenticator type to use in the first step of a two-step authentication scenario when the User Login flow is enabled. Possible values: NONE, EXTERNAL, PASSWORD, KBA, OTP, TOKEN, TOKENPUSH, SMARTCREDENTIALPUSH, IDP, PASSKEY, SMART_LOGIN, USER_CERTIFICATE, FACE, DENY.
userLoginSecondStep (string[]): The list of authenticator types to use in the second step of a two-step authentication scenario when the User Login flow is enabled. Empty when none is required. Possible values: NONE, KBA, TEMP_ACCESS_CODE, OTP, GRID, TOKEN, TOKENPUSH, FIDO, USER_CERTIFICATE, SMARTCREDENTIALPUSH, FACE.
Example (from schema):
{
  "applications": [
    {
      "id": "string",
      "name": "string",
      "resourceRules": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "id": "string",
  "idpDomainBased": true,
  "idpLoginSecondStep": [
    "NONE"
  ],
  "loginFlows": [
    {
      "enabled": true,
      "loginFlowType": "USER_LOGIN"
    }
  ],
  "name": "string",
  "oidcIdentityProviders": [
    {
      "acrValues": "level1 level2",
      "amrValues": "level1 level2",
      "authenticationEnabled": true,
      "authorizationEndpoint": "https://account.mycompany.com/oauth/authorize",
      "buttonImage": "https://account.mycompany.com/images/logo.png",
      "buttonText": "Sign in With MyCompany Co.",
      "clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
      "clientId": "client123",
      "clientSecret": "cl1en7S3cr3t!",
      "createUser": true,
      "domains": "test.com sample.com",
      "fields": "email,name,first_name,last_name",
      "groupIds": [
        "string"
      ],
      "groupMapping": "string",
      "id": "6784549d-433c-44ea-a42f-4701458dg245",
      "idTokenClaims": "groups upn",
      "issuer": "https://accounts.mycompany.com",
      "jwksUri": "https://account.mycompany.com/oauth/discovery/keys",
      "maxAge": 300,
      "name": "MyCompany Co.",
      "organizationIds": [
        "string"
      ],
      "requireUserinfoSignature": true,
      "revocationEndpoint": "https://account.mycompany.com/oauth/revoke",
      "roleMapping": "string",
      "scopes": "openid email",
      "tokenEndpoint": "https://account.mycompany.com/oauth/token",
      "type": "FACEBOOK",
      "updateUser": true,
      "updateUserVerification": true,
      "userAttributeId": "string",
      "userAttributeMappings": [
        {
          "claim": "email",
          "id": "6781549d-433c-44ea-a42f-4705c26f3245",
          "oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
          "userAttribute": {
            "id": "string",
            "mandatory": true,
            "name": "string",
            "systemDefined": true,
            "type": "OTP_EMAIL",
            "unique": true
          },
          "userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
        }
      ],
      "userAuthMatchMappings": [
        {
          "claim": "email",
          "id": "6781549d-433c-44ea-a42f-4705c26f3245",
          "oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
          "userAttribute": {
            "id": "string",
            "mandatory": true,
            "name": "string",
            "systemDefined": true,
            "type": "OTP_EMAIL",
            "unique": true
          },
          "userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
        }
      ],
      "userClaim": "string",
      "userVerMatchMappings": [
        {
          "claim": "email",
          "id": "6781549d-433c-44ea-a42f-4705c26f3245",
          "oidcIdentityProviderId": "6881549d-433c-44ea-a42f-4705c26f3245",
          "userAttribute": {
            "id": "string",
            "mandatory": true,
            "name": "string",
            "systemDefined": true,
            "type": "OTP_EMAIL",
            "unique": true
          },
          "userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"
        }
      ],
      "userinfoClaims": "groups upn",
      "userinfoEndpoint": "https://account.mycompany.com/oauth/userinfo",
      "verificationEnabled": true
    }
  ],
  "readOnly": true,
  "userLoginFirstStep": "NONE",
  "userLoginSecondStep": [
    "NONE"
  ]
}
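Added example, not code from the product or this documentation: a reviewer's audit of a returned flow object against the properties the field descriptions above call out (a clientSecret that the schema says is not returned, requireUserinfoSignature, the maxAge range and its -1 sentinel, the All Groups default for an empty groupIds when createUser is set, and a USER_LOGIN flow with no second step). The sample input is this page's schema example trimmed to the fields the checks read, and the severity labels are the example author's own, not a product rating.

```python
"""Audit one authentication flow object (the 200 response body of this
endpoint) for the security-relevant settings described on this page.
Added example: not part of the product's API or documentation. Severity
labels are the example author's own."""

MAX_AGE_MIN, MAX_AGE_MAX = -1, 2592000  # range the page gives for maxAge
CLIENT_AUTH_METHODS = {"CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"}
ENDPOINTS = ("issuer", "authorizationEndpoint", "tokenEndpoint", "jwksUri")


def audit_idp(idp):
    """Findings for one entry of oidcIdentityProviders."""
    name = idp.get("name") or idp.get("id") or "?"
    out = []
    # The page says the client secret is not returned; if a value does come
    # back, the whole response has to be handled as a secret (no logging).
    if idp.get("clientSecret"):
        out.append(("high", f"{name}: clientSecret present in response; redact before logging"))
    if idp.get("clientAuthenticationMethod") not in CLIENT_AUTH_METHODS:
        out.append(("high", f"{name}: unexpected clientAuthenticationMethod "
                            f"{idp.get('clientAuthenticationMethod')!r}"))
    for ep in ENDPOINTS:
        value = idp.get(ep) or ""
        if not value:
            out.append(("high", f"{name}: {ep} missing"))
        elif not value.startswith("https://"):
            out.append(("high", f"{name}: {ep} is not https"))
    if not idp.get("requireUserinfoSignature"):
        out.append(("medium", f"{name}: userinfo response signature not required"))
    max_age = idp.get("maxAge", -1)
    if not MAX_AGE_MIN <= max_age <= MAX_AGE_MAX:
        out.append(("high", f"{name}: maxAge {max_age} outside {MAX_AGE_MIN}..{MAX_AGE_MAX}"))
    elif max_age == MAX_AGE_MIN:
        out.append(("low", f"{name}: max_age not sent, so no re-authentication age is requested"))
    # Per the groupIds description, an empty list means All Groups.
    if idp.get("createUser") and not idp.get("groupIds") and not idp.get("groupMapping"):
        out.append(("medium", f"{name}: createUser with empty groupIds puts new users in All Groups"))
    # Heuristic: with authentication enabled, some rule has to locate the
    # IDaaS user (match mappings, or userClaim plus userAttributeId).
    if idp.get("authenticationEnabled") and not (
            idp.get("userAuthMatchMappings")
            or (idp.get("userClaim") and idp.get("userAttributeId"))):
        out.append(("high", f"{name}: authenticationEnabled but no user match rule"))
    return out


def audit_flow(flow):
    """Return a list of (severity, message) for a flow response object."""
    findings = []
    if flow.get("readOnly"):
        findings.append(("info", "flow is read-only and cannot be modified or deleted"))
    enabled = {f.get("loginFlowType") for f in flow.get("loginFlows") or [] if f.get("enabled")}
    if not enabled:
        findings.append(("high", "no login flow is enabled"))
    # Both [] and ["NONE"] appear on this page as "no second step".
    second = [s for s in flow.get("userLoginSecondStep") or [] if s != "NONE"]
    if "USER_LOGIN" in enabled and not second:
        findings.append(("medium", "USER_LOGIN has no second step (single-factor)"))
    for idp in flow.get("oidcIdentityProviders") or []:
        findings.extend(audit_idp(idp))
    return findings


# Sample input: this page's schema example, trimmed to the fields read above.
SAMPLE_IDP = {
    "name": "MyCompany Co.",
    "authenticationEnabled": True,
    "authorizationEndpoint": "https://account.mycompany.com/oauth/authorize",
    "clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
    "clientSecret": "cl1en7S3cr3t!",
    "createUser": True,
    "groupIds": ["string"],
    "groupMapping": "string",
    "issuer": "https://accounts.mycompany.com",
    "jwksUri": "https://account.mycompany.com/oauth/discovery/keys",
    "maxAge": 300,
    "requireUserinfoSignature": True,
    "tokenEndpoint": "https://account.mycompany.com/oauth/token",
    "userAuthMatchMappings": [{"claim": "email", "userAttributeId": "6981549d-433c-44ea-a42f-4705c26f3245"}],
}
SAMPLE_FLOW = {
    "readOnly": True,
    "loginFlows": [{"enabled": True, "loginFlowType": "USER_LOGIN"}],
    "userLoginFirstStep": "NONE",
    "userLoginSecondStep": ["NONE"],
    "oidcIdentityProviders": [SAMPLE_IDP],
}

if __name__ == "__main__":
    for severity, message in audit_flow(SAMPLE_FLOW):
        print(f"[{severity}] {message}")
```

Run against the page's own example it reports three things: the flow is read-only, USER_LOGIN is single-factor, and a clientSecret value is present even though the schema says it is not returned. The last one is the operational point: treat the body of this endpoint as sensitive until you have confirmed on your tenant what the server actually returns.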
400 Bad Request (application/json)
Schema:
errorCode (string): Error code specific to the cause of failure.
errorMessage (string): Additional error message describing the error.
parameters (object[]): Optional additional error information.
Example (from schema):
{
  "errorCode": "invalid_user_response",
  "errorMessage": "Application id cannot be null",
  "parameters": [
    {}
  ]
}
401 Access denied (application/json)
Error body (errorCode, errorMessage, parameters) and example as for 400 Bad Request.
403 Forbidden (application/json)
Error body (errorCode, errorMessage, parameters) and example as for 400 Bad Request.
404 Not Found (application/json)
Error body (errorCode, errorMessage, parameters) and example as for 400 Bad Request.
409 Conflict (application/json)
Error body (errorCode, errorMessage, parameters) and example as for 400 Bad Request.