
Update an OIDC identity provider

PUT 

/api/web/v1/identityproviders/oidc/:id

Update an OIDC identity provider. Caller requires the IDENTITYPROVIDERS:EDIT permission.

Request

Path Parameters

    id stringrequired

    The UUID of the OIDC Identity Provider to update.

Body

required

    acrValues string

    The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.

    amrValues string

    The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request. This is required when creating an IDV IDP.

    authenticationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user authentication. If enabled, userAttributeId and userClaim are required.

    authorizationEndpoint string

    The authorization endpoint for the external OIDC identity provider. This value is required when creating an IDP.

    buttonImage string

    The URI of the logo to display on the login button for this external OIDC identity provider.

    buttonText string

    The unique text to display on the login button for this external OIDC identity provider. This value is required when creating an IDP.

    clientAuthenticationMethod string

    Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]

    The client authentication method to use with the external OIDC identity provider. The default value is CLIENT_SECRET_BASIC (the client ID and secret are sent in the HTTP Basic Authorization header of the token request); CLIENT_SECRET_POST sends them as parameters in the token request body instead.

    clientId string

    The client identifier provided by the external OIDC identity provider. This value is required when creating an IDP.

    clientSecret string

    The client secret provided by the external OIDC identity provider. This value is required when creating an IDP.

    createUser boolean

    A flag indicating if the user should be created after authenticating to the external OIDC identity provider if the user does not already exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value can only be set if authenticationEnabled is true.

    domains string

    The space separated list of domains associated with the external OIDC identity provider for use with user authentication.

    fields string

    The values of the user fields that need to be set on the external OIDC identity provider when acquiring user information. This value is required when creating a TWITTER IDP.

    groupIds string[]

    The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value can only be set if createUser is true.

    groupMapping string

    The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value can only be set if createUser, updateUser, or updateUserVerification is true.

    idTokenClaims string

    The space separated list of ID token claims to request as part of the external OIDC identity provider user authentication or user verification request.

    issuer string

    The issuer URI for the external OIDC identity provider. This value is required when creating an IDP.

    jwksUri string

    The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature. This value is required when creating an IDP except for TWITTER.

    maxAge int32

    Possible values: >= -1 and <= 2592000

    Default value: -1

    The max age, in seconds, to request as part of the external OIDC identity provider user authentication or user verification request (the upper bound of 2592000 is 30 days). If -1, the value will not be included in the request.

    name string

    The unique name of the external OIDC identity provider. This value is required when creating an IDP.

    organizationIds string[]

    The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value can only be set if createUser is true.

    requireUserinfoSignature boolean

    A flag indicating if the response from the user information endpoint of the external OIDC identity provider must be signed and its signature verified, rather than being accepted as plain JSON.

    revocationEndpoint string

    The revocation endpoint for the external OIDC identity provider.

    roleMapping string

    The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value can only be set if createUser, updateUser, or updateUserVerification is true.

    scopes string

    The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request. This value is required when creating an IDP except for TWITTER.

    tokenEndpoint string

    The token endpoint for the external OIDC identity provider. This value is required when creating an IDP.

    type string

    Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]

    The type of the external OIDC identity provider. Once created, this value cannot be updated. This value is required when creating an IDP.

    updateUser boolean

    A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if the user already exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value can only be set if authenticationEnabled is true.

    updateUserVerification boolean

    A flag indicating if the user should be updated after user verification with the external OIDC identity provider if the user already exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value can only be set if verificationEnabled is true.

    userAttributeId string

    The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value can only be set if authenticationEnabled is true.

    userAttributeMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value can only be set if createUser, updateUser, or updateUserVerification is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.

    id string

    The UUID of the OIDC identity provider attribute mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the attribute mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.

  • ]

  • userAuthMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value can only be set if authenticationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.

    id string

    The UUID of the OIDC identity provider user authentication match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user authentication match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.

  • ]

  • userClaim string

    The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value can only be set if authenticationEnabled is true.

    userVerMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value can only be set if verificationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.

    id string

    The UUID of the OIDC identity provider user verification match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user verification match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.

  • ]

  • userinfoClaims string

    The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.

    userinfoEndpoint string

    The user information endpoint for the external OIDC identity provider.

    verificationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user verification. If enabled, userVerMatchMappings is required.
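Several of the body fields above are only valid in combination: authenticationEnabled gates userAttributeId, userClaim, createUser and updateUser; createUser gates groupIds and organizationIds; verificationEnabled gates userVerMatchMappings; type cannot change after creation; maxAge is bounded; and the list-valued claim fields are space separated strings, not arrays. A PUT that breaks one of these rules is only rejected after the round trip. The Python script below is an added example, not code from the product or its SDK: it encodes the documented rules as a client-side pre-check and then builds the PUT request without sending it. The base URL, the bearer-token Authorization header, and every UUID and URL in the constructed sample body are assumptions.

```python
"""Pre-validate and build a PUT to /api/web/v1/identityproviders/oidc/:id (added example)."""
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Assumed deployment values; placeholders, not real endpoints or credentials.
BASE_URL = "https://idaas.example.com"
MAX_AGE_LIMIT = 2592000  # documented upper bound for maxAge (30 days in seconds)
CLIENT_AUTH_METHODS = {"CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"}
IDP_TYPES = {"FACEBOOK", "GENERIC", "GOOGLE", "IDV", "MICROSOFT", "SP", "TWITTER"}
SPACE_SEPARATED = ("acrValues", "amrValues", "domains", "idTokenClaims", "scopes", "userinfoClaims")
MAPPING_LISTS = ("userAttributeMappings", "userAuthMatchMappings", "userVerMatchMappings")
# Field -> flags of which at least one must be true for the field to be set (from the table above).
REQUIRES_ANY_OF = {
    "createUser": ("authenticationEnabled",),
    "updateUser": ("authenticationEnabled",),
    "userAttributeId": ("authenticationEnabled",),
    "userClaim": ("authenticationEnabled",),
    "userAuthMatchMappings": ("authenticationEnabled",),
    "groupIds": ("createUser",),
    "organizationIds": ("createUser",),
    "updateUserVerification": ("verificationEnabled",),
    "userVerMatchMappings": ("verificationEnabled",),
    "groupMapping": ("createUser", "updateUser", "updateUserVerification"),
    "roleMapping": ("createUser", "updateUser", "updateUserVerification"),
    "userAttributeMappings": ("createUser", "updateUser", "updateUserVerification"),
}


def validate_update_body(body: Dict[str, Any], current_type: Optional[str] = None) -> List[str]:
    """Return the documented rules this body violates; an empty list means it passes."""
    errors: List[str] = []

    def flag(name: str) -> bool:
        return body.get(name) is True

    def is_set(name: str) -> bool:  # an empty groupIds list is a real setting ("All Groups")
        return body.get(name) not in (None, False)

    if "type" in body:
        if body["type"] not in IDP_TYPES:
            errors.append("type: not one of %s" % sorted(IDP_TYPES))
        elif current_type is not None and body["type"] != current_type:
            errors.append("type: cannot be changed once the IDP is created")
    if "clientAuthenticationMethod" in body and body["clientAuthenticationMethod"] not in CLIENT_AUTH_METHODS:
        errors.append("clientAuthenticationMethod: must be CLIENT_SECRET_BASIC or CLIENT_SECRET_POST")
    if body.get("maxAge") is not None and not (-1 <= body["maxAge"] <= MAX_AGE_LIMIT):
        errors.append("maxAge: must be between -1 and %d" % MAX_AGE_LIMIT)
    for name in SPACE_SEPARATED:
        if name in body and not isinstance(body[name], str):
            errors.append("%s: must be a space separated string, not a list" % name)
    for name, flags in REQUIRES_ANY_OF.items():
        if is_set(name) and not any(flag(f) for f in flags):
            errors.append("%s: can only be set if %s is true" % (name, " or ".join(flags)))
    if flag("authenticationEnabled"):
        for name in ("userAttributeId", "userClaim"):
            if not body.get(name):
                errors.append("%s: required when authenticationEnabled is true" % name)
    if flag("verificationEnabled") and not body.get("userVerMatchMappings"):
        errors.append("userVerMatchMappings: required when verificationEnabled is true")
    for name in MAPPING_LISTS:  # each mapping entry needs the claim and the target attribute UUID
        for i, entry in enumerate(body.get(name) or []):
            for key in ("claim", "userAttributeId"):
                if not entry.get(key):
                    errors.append("%s[%d].%s: required" % (name, i, key))
    return errors


def build_update_request(idp_id: str, body: Dict[str, Any], token: str,
                         base_url: str = BASE_URL, current_type: Optional[str] = None) -> urllib.request.Request:
    """Validate, then build (without sending) the PUT request; raise ValueError on a bad body."""
    problems = validate_update_body(body, current_type)
    if problems:
        raise ValueError("refusing to send invalid update: " + "; ".join(problems))
    return urllib.request.Request(
        url="%s/api/web/v1/identityproviders/oidc/%s" % (base_url.rstrip("/"), idp_id),
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token},  # assumed scheme
    )


# Constructed sample: a GENERIC IDP used for authentication with just-in-time provisioning.
# Every UUID and URL below is a placeholder, not an identifier from any real tenant.
SAMPLE_IDP_ID = "00000000-0000-4000-8000-000000000001"
EMAIL_ATTRIBUTE_ID = "00000000-0000-4000-8000-0000000000aa"
SAMPLE_BODY = {
    "name": "corp-oidc", "buttonText": "Sign in with Corp", "type": "GENERIC",
    "issuer": "https://login.example.com",
    "authorizationEndpoint": "https://login.example.com/oauth2/authorize",
    "tokenEndpoint": "https://login.example.com/oauth2/token",
    "jwksUri": "https://login.example.com/oauth2/jwks",
    "requireUserinfoSignature": True,  # require a signed userinfo response, not plain JSON
    "clientId": "idaas-client", "clientSecret": "REDACTED",
    "clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
    "scopes": "openid profile email", "maxAge": 3600,
    "authenticationEnabled": True, "userClaim": "email", "userAttributeId": EMAIL_ATTRIBUTE_ID,
    "createUser": True, "updateUser": True,
    "userAttributeMappings": [{"claim": "email", "userAttributeId": EMAIL_ATTRIBUTE_ID}],
    "groupIds": ["00000000-0000-4000-8000-0000000000b0"],
}

if __name__ == "__main__":
    print(validate_update_body(SAMPLE_BODY, current_type="GENERIC"))  # [] when the body is consistent
    req = build_update_request(SAMPLE_IDP_ID, SAMPLE_BODY, token="REDACTED", current_type="GENERIC")
    print(req.get_method(), req.full_url)  # urllib.request.urlopen(req) would send it
```

Because groupIds, organizationIds and the three mapping lists must each be sent as the full set when they are sent at all, build them from the IDP's current configuration and add to that, rather than sending only the new entries; an update that sends a partial list replaces the stored set with it. Pass current_type from the stored IDP so a type change is caught before the request leaves the client.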

Responses

Successful

Schema

    acrValues string

    The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request.

    amrValues string

    The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request.

    authenticationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user authentication.

    authorizationEndpoint string

    The authorization endpoint for the external OIDC identity provider.

    buttonImage string

    The URI of the logo to display on the login button for this external OIDC identity provider.

    buttonText string

    The unique text to display on the login button for this external OIDC identity provider.

    clientAuthenticationMethod string

    Possible values: [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST]

    The client authentication method to use with the external OIDC identity provider.

    clientId string

    The client identifier provided by the external OIDC identity provider.

    clientSecret string

    The client secret provided by the external OIDC identity provider. Currently this value is not returned.

    createUser boolean

    A flag indicating if the user should be created after authenticating to the external OIDC identity provider if the user does not already exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    domains string

    The space separated list of domains associated with the external OIDC identity provider for use with user authentication.

    fields string

    The values of the user fields that need to be set on the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP.

    groupIds string[]

    The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true.

    groupMapping string

    The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associate IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateUserVerification is true.

    id string

    The UUID of the external OIDC identity provider.

    idTokenClaims string

    The space separated list of ID token claims to request as part of the external OIDC identity provider user authentication or user verification request.

    issuer string

    The issuer URI for the external OIDC identity provider.

    jwksUri string

    The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature.

    maxAge int32

    Possible values: >= -1 and <= 2592000

    The max age, in seconds, to request as part of the external OIDC identity provider user authentication or user verification request (the upper bound of 2592000 is 30 days). If -1, the value will not be included in the request.

    name string

    The unique name of the external OIDC identity provider.

    organizationIds string[]

    The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true.

    requireUserinfoSignature boolean

    A flag indicating if the response from the user information endpoint of the external OIDC identity provider must be signed and its signature verified, rather than being accepted as plain JSON.

    revocationEndpoint string

    The revocation endpoint for the external OIDC identity provider.

    roleMapping string

    The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associate an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateUserVerification is true.

    scopes string

    The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request.

    tokenEndpoint string

    The token endpoint for the external OIDC identity provider.

    type string

    Possible values: [FACEBOOK, GENERIC, GOOGLE, IDV, MICROSOFT, SP, TWITTER]

    The type of the external OIDC identity provider. Once created, this value cannot be updated.

    updateUser boolean

    A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if the user already exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true.

    updateUserVerification boolean

    A flag indicating if the user should be updated after user verification with the external OIDC identity provider if the user already exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true.

    userAttributeId string

    The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userAttributeMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when a user is created or modified based on an external OIDC identity provider user authentication, or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateUserVerification is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping.

    id string

    The UUID of the OIDC identity provider attribute mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the attribute mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping.

  • ]

  • userAuthMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping.

    id string

    The UUID of the OIDC identity provider user authentication match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user authentication match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping.

  • ]

  • userClaim string

    The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true.

    userVerMatchMappings

    object[]

    The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if verificationEnabled is true.

  • Array [

  • claim stringrequired

    The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping.

    id string

    The UUID of the OIDC identity provider user verification match mapping.

    oidcIdentityProviderId string

    The UUID of the OIDC identity provider the user verification match mapping belongs to.

    userAttribute

    object

    Information about user attribute definitions.

    id string

    The UUID for this user attribute. Generated when the user attribute is created.

    mandatory booleanrequired

    A flag indicating if users must have a value for this user attribute.

    name stringrequired

    The name of this user attribute.

    systemDefined booleanrequired

    A flag indicating if this user attribute is one of the system defined user attributes.

    type string

    Possible values: [NONE, OTP_EMAIL, OTP_SMS, OTP_VOICE]

    Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery.

    unique booleanrequired

    A flag indicating if this attribute is intended to be unique.

    userAttributeId stringrequired

    The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping.

  • ]

  • userinfoClaims string

    The space separated list of user information claims to request as part of the external OIDC identity provider user authentication or user verification request.

    userinfoEndpoint string

    The user information endpoint for the external OIDC identity provider.

    verificationEnabled boolean

    A flag indicating if the external OIDC identity provider can be used for user verification.
