diff --git a/openapi3/management-noEnums.yaml b/openapi3/management-noEnums.yaml
index 77dbe165..3fd40ac1 100644
--- a/openapi3/management-noEnums.yaml
+++ b/openapi3/management-noEnums.yaml
@@ -1,7 +1,7 @@
openapi: 3.0.3
info:
- title: Okta API
- description: Allows customers to easily access the Okta API
+ title: Okta Admin Management
+ description: Allows customers to easily access the Okta Management APIs
termsOfService: https://developer.okta.com/terms/
contact:
name: Okta Developer Team
@@ -10,146 +10,924 @@ info:
license:
name: Apache-2.0
url: https://www.apache.org/licenses/LICENSE-2.0.html
- version: 3.0.0
+ version: 5.1.0
x-logo:
url: logo.svg
backgroundColor: transparent
altText: Okta Developer
-externalDocs:
- description: Find more info here
- url: https://developer.okta.com/docs/api/getting_started/design_principles.html
servers:
- - url: https://{subdomain}.{domain}
- variables:
- subdomain:
- default: your-subdomain
- description: The subdomain of your organization
- domain:
- enum:
- - okta.com
- - oktapreview.com
- - okta-emea.com
- default: okta.com
- description: The okta domain of your organization.
- - url: https://{customDomain}
+ - url: https://{yourOktaDomain}
variables:
- customDomain:
- default: auth.your-custom-domain.com
- description: The custom domain configured for your organization
+ yourOktaDomain:
+ default: subdomain.okta.com
+ description: The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains.
tags:
- name: AgentPools
x-displayName: Agent Pools
+ description: The Agent Pools API provides operation to manage the update settings of the agents for your organization.
+ - name: ApiServiceIntegrations
+ x-displayName: API Service Integrations
+ description: |
+ This API provides operations to manage API service integration instances in your organization.
+
+ For a current list of available API service integrations, see the [Okta Integration Network catalog](https://www.okta.com/integrations/?capability=api).
+
+ See [Add an API Service Integration](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-api-service-integration) for corresponding admin instructions using the Admin Console.
+ If you want to build an API service integration, see [API service integrations in the OIN](https://developer.okta.com/docs/guides/oin-api-service-overview/).
- name: ApiToken
x-displayName: API Tokens
+ description: The API Tokens API provides operations to manage SSWS API tokens for your organization.
- name: Application
x-displayName: Applications
+ description: |-
+ The Applications API provides operations to manage apps in your org.
+
+ To create a custom app integration instance, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) operation with the schema provided in the request payload.
+
+ To create an app instance from the Okta Integration Network (OIN), use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication)
+ operation with the corresponding OIN app schema in the request body.
+ - name: ApplicationConnections
+ x-displayName: Application Connections
+ description: |
+ The Application Connections API provides operations for configuring connections to an app.
+
+ Okta supports token-based and OAuth 2.0-based provisioning connections for supported apps.
+ The following available provisioning connections are supported by the indicated apps:
+
+ |
` in the SAML assertion, which sets the provider session time correctly. Use `add` op with the path `/authentication/sessionLifetime` and a value for session lifetime in seconds to add this attribute. Okta calculates `SessionNotOnOrAfter` by adding the `/authentication/sessionLifetime` value to the `issueInstant` attribute and returns it in the SAML `data.assertion.
+ operationId: createSAMLAssertionInlineHook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/SAMLPayLoad'
+ examples:
+ SAMLPayloadExample:
+ $ref: '#/components/examples/SAMLPayLoadExample'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SAMLHookResponse'
+ examples:
+ SAMLHookResponseExample:
+ $ref: '#/components/examples/SAMLHookResponseExample'
+ SAMLHookResponseWithURIFormat:
+ $ref: '#/components/examples/SAMLHookResponseWithURIFormat'
+ '204':
+ description: No content - Use the default action
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - InlineHook
+ create-token-hook:
+ post:
+ summary: Create a Token inline hook
+ description: |-
+ Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response.
+
+ This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims.
+
+ Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.
+
+ In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid.
+
+ This inline hook works only when using an [Okta custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/#create-an-authorization-server), not the built-in Okta org authorization server.
+
+ See also:
+ * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks
+ * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta
+ * For an example implementation of this inline hook, see [Token inline hook](https://developer.okta.com/docs/guides/token-inline-hook)
+
+ ### Timeout behavior
+ After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned.
+
+ ### Enabling a token inline hook
+ To activate the inline hook, you first need to register your external service endpoint with Okta using the [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook).
+ You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps:
+ 1. Go to **Security** > **API** > **Authorization Servers.**
+ 2. Select a custom authorization server from the list.
+ 3. Select **Access Policies** and select a policy to use with the hook. In most cases, pick the Default Policy.
+ 4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule.
+ 5. Click the **Use this Inline Hook** dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use.
+ 6. Click **Update Rule**.
+
+ > **Note:** You can associate only one inline hook with each rule.
+
+ ### Troubleshoot
+ This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails.
+ > **Note:** Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the [Troubleshooting](https://developer.okta.com/docs/concepts/inline-hooks/#troubleshooting) section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures.
+ - When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
+
+ **Who can see this error?** Administrators
+
+ - When the external service returns a response with any other HTTP status code besides `200`, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
+
+ **Who can see this error?** Administrators
+
+ - When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated.
+
+ **Who can see this error?** Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client.
+ > **Note:** See the [error](https://developer.okta.com/docs/reference/token-hook/#error) section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token.
+
+ - When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
+
+ **Who can see this error?** Administrators
+
+ The following actions result in an error:
+ - Using an invalid command. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`.
+ - Using an invalid operation
+ - Attempting to remove a system-specific claim
+ - Attempting to update a claim that doesn't exist
+ - Attempting to update an element within an array that doesn't exist or specifying an invalid index
+ - Attempting to remove a claim that doesn't exist
+ operationId: createTokenInlineHook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenRequest'
+ examples:
+ TokenPayLoadExample:
+ $ref: '#/components/examples/TokenPayLoadExample'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenHookResponse'
+ examples:
+ TokenHookResponse:
+ $ref: '#/components/examples/TokenHookResponse'
+ TokenHookResponseWithURIFormat:
+ $ref: '#/components/examples/TokenHookResponseWithURIFormat'
+ TokenHookResponseAppendArray:
+ $ref: '#/components/examples/TokenHookResponseAppendArray'
+ TokenHookReplaceExisting:
+ $ref: '#/components/examples/TokenHookReplaceExisting'
+ TokenHookReplaceInPath:
+ $ref: '#/components/examples/TokenHookReplaceInPath'
+ TokenHookModifyLifetime:
+ $ref: '#/components/examples/TokenHookModifyLifetime'
+ TokenHookRemoveClaim:
+ $ref: '#/components/examples/TokenHookRemoveClaim'
+ TokenHookRemoveFromArray:
+ $ref: '#/components/examples/TokenHookRemoveFromArray'
+ TokenHookRemoveFromObject:
+ $ref: '#/components/examples/TokenHookRemoveFromObject'
+ TokenHookErrorExample:
+ $ref: '#/components/examples/TokenHookErrorExample'
+ '204':
+ description: No content - Unverified user response
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - InlineHook
+components:
+ examples:
+ APIDevicesListAllResponse:
+ summary: List all devices with embedded users
+ value:
+ - id: guo4a5u7YAHhjXrMK0g4
+ status: CREATED
+ created: '2019-10-02T18:03:07.000Z'
+ lastUpdated: '2019-10-02T18:03:07.000Z'
+ profile:
+ displayName: Example Device name 1
+ platform: WINDOWS
+ serialNumber: XXDDRFCFRGF3M8MD6D
+ sid: S-1-11-111
+ registered: true
+ secureHardwarePresent: false
+ diskEncryptionType: ALL_INTERNAL_VOLUMES
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 1
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g4
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users: []
+ - id: guo4a5u7YAHhjXrMK0g5
+ status: ACTIVE
+ created: '2023-06-21T23:24:02.000Z'
+ lastUpdated: '2023-06-21T23:24:02.000Z'
+ profile:
+ displayName: Example Device name 2
+ platform: ANDROID
+ manufacturer: Google
+ model: Pixel 6
+ osVersion: 13:2023-05-05
+ registered: true
+ secureHardwarePresent: true
+ diskEncryptionType: USER
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 2
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g5
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users:
+ - managementStatus: MANAGED
+ created: '2021-10-01T16:52:41.000Z'
+ screenLockType: BIOMETRIC
+ user:
+ id: 00u17vh0q8ov8IU881d7
+ status: ACTIVE
+ created: '2020-08-12T06:46:50.000Z'
+ activated: '2020-08-12T06:46:50.000Z'
+ statusChanged: '2021-01-27T21:05:32.000Z'
+ lastLogin: '2021-10-14T09:04:48.000Z'
+ lastUpdated: '2021-01-27T21:05:32.000Z'
+ passwordChanged: '2020-08-12T06:46:50.000Z'
+ type:
+ id: oty7ut9Uu76oHVUZc0w4
+ profile:
+ firstName: fname
+ lastName: lname
+ mobilePhone: null
+ secondEmail: null
+ login: email@email.com
+ email: email@email.com
+ credentials:
+ password: {}
+ recovery_question:
+ question: What is the food you least liked as a child?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc7ut9Uu76oHVUZc0w4
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password
+ method: POST
+ forgotPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/oty7ut9Uu76oHVUZc0w4
+ changePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate
+ APIDevicesListAllUserSummaryResponse:
+ summary: List all devices with embedded user summaries
+ value:
+ - id: guo4a5u7YAHhjXrMK0g4
+ status: CREATED
+ created: '2019-10-02T18:03:07.000Z'
+ lastUpdated: '2019-10-02T18:03:07.000Z'
+ profile:
+ displayName: Example Device name 1
+ platform: WINDOWS
+ serialNumber: XXDDRFCFRGF3M8MD6D
+ sid: S-1-11-111
+ registered: true
+ secureHardwarePresent: false
+ diskEncryptionType: ALL_INTERNAL_VOLUMES
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 1
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g4
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users: []
+ - id: guo4a5u7YAHhjXrMK0g5
+ status: ACTIVE
+ created: '2023-06-21T23:24:02.000Z'
+ lastUpdated: '2023-06-21T23:24:02.000Z'
+ profile:
+ displayName: Example Device name 2
+ platform: ANDROID
+ manufacturer: Google
+ model: Pixel 6
+ osVersion: 13:2023-05-05
+ registered: true
+ secureHardwarePresent: true
+ diskEncryptionType: USER
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 2
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g5
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users:
+ - managementStatus: MANAGED
+ created: '2021-10-01T16:52:41.000Z'
+ screenLockType: BIOMETRIC
+ user:
+ id: 00u17vh0q8ov8IU881d7
+ realmId: 00u17vh0q8ov8IU8T0g5
+ profile:
+ firstName: fname
+ lastName: lname
+ login: email@email.com
+ email: email@email.com
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7
+ APIDevicesListAllUsersResponse:
+ summary: Response example
+ value:
+ - created: '2021-08-20T17:13:35.000Z'
+ managementStatus: NOT_MANAGED
+ screenLockType: BIOMETRIC
+ user:
+ id: 00u17vh0q8ov8IU881d7
+ status: ACTIVE
+ created: '2021-08-20T16:08:25.000Z'
+ activated: null
+ statusChanged: '2021-08-20T16:39:41.000Z'
+ lastLogin: '2023-04-18T17:54:12.000Z'
+ lastUpdated: '2021-12-20T18:27:30.000Z'
+ passwordChanged: '2021-12-20T18:27:30.000Z'
+ type:
+ id: oty17vh0n2EHVnbYF1d7
+ profile:
+ firstName: Bunk
+ lastName: Moreland
+ mobilePhone: null
+ secondEmail: null
+ login: bunk.moreland@example.com
+ email: bunk.moreland@example.com
+ credentials:
+ password: null
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password
+ method: POST
+ forgotPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7
+ resetFactors:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors
+ method: POST
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7
+ changePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password
+ method: POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate
+ method: POST
+ APIPushProvidersListAllResponse:
+ value:
+ - id: ppchvbeucdTgqeiGxR0g4
+ providerType: APNS
+ name: Example Push Provider 1
+ lastUpdatedDate: '2022-01-00T00:00:00.000Z'
+ configuration:
+ keyId: ABC123DEFG
+ teamId: DEF123GHIJ
+ fileName: fileName.p8
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId}
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ - id: ppctekcmngGaqeiBxB0g4
+ providerType: FCM
+ name: Example Push Provider 2
+ lastUpdatedDate: '2022-01-00T00:00:00.000Z'
+ configuration:
+ projectId: PROJECT_ID
+ fileName: fileName.json
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId}
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ APIServiceIntegrationInstanceSecretListResponse:
+ summary: Secrets list response example
+ value:
+ - id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: '***DhOW'
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ - id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: '***MQGQ'
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ APIServiceIntegrationListResponse:
+ summary: List response example
+ value:
+ - id: 0oa72lrepvp4WqEET1d9
+ type: my_app_cie
+ name: My App Cloud Identity Engine
+ createdAt: '2023-02-21T20:08:24.000Z'
+ createdBy: 00uu3u0ujW1P6AfZC2d5
+ configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
+ _links:
+ self:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ logo:
+ name: small
+ href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
+ APIServiceIntegrationResponse:
+ summary: Response example
+ value:
+ id: 0oa72lrepvp4WqEET1d9
+ type: my_app_cie
+ name: My App Cloud Identity Engine
+ createdAt: '2023-02-21T20:08:24.000Z'
+ createdBy: 00uu3u0ujW1P6AfZC2d5
+ configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
+ _links:
+ self:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ logo:
+ name: small
+ href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
+ ActivateFactorCallResponse:
+ summary: call
+ value:
+ id: clf1o51EADOTFXHHBXBP
+ factorType: call
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-08-06T16:56:31.000Z'
+ lastUpdated: '2014-08-06T16:56:31.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ phoneExtension: '1234'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorEmailResponse:
+ summary: email
+ value:
+ id: emfnf3gSScB8xXoXK0g3
+ factorType: email
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ profile:
+ email: changed@clouditude.net
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3
+ hints:
+ allow:
+ - GET
+ ActivateFactorPushResponse:
+ summary: push
+ value:
+ id: opf3hkfocI4JTLAju0g4
+ factorType: push
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2015-03-16T18:01:28.000Z'
+ lastUpdated: '2015-08-27T14:25:17.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ deviceType: SmartPhone_IPhone
+ name: Gibson
+ platform: IOS
+ version: '9.0'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorSmsResponse:
+ summary: sms
+ value:
+ id: sms1o51EADOTFXHHBXBP
+ factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-08-06T16:56:31.000Z'
+ lastUpdated: '2014-08-06T16:56:31.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorTotpResponse:
+ summary: token:software:totp
+ value:
+ id: ostf1fmaMGJLMNGNLIVG
+ factorType: token:software:totp
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-07-16T16:13:56.000Z'
+ lastUpdated: '2014-08-06T00:31:07.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorU2fRequest:
+ summary: u2f
+ value:
+ registrationData: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew
+ clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ
+ ActivateFactorU2fResponse:
+ summary: u2f
+ value:
+ id: fuf2rovRxogXJ0nDy0g4
+ factorType: u2f
+ provider: FIDO
+ vendorName: FIDO
+ status: ACTIVE
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T21:43:32.000Z'
+ profile:
+ credentialId: WVO-QyHEi0eWmTNqESqJynDtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ version: U2F_V2
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
+ - POST
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorWebauthnRequest:
+ summary: webAuthn
+ value:
+ attestation: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ==
+ clientData: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=
+ ActivateFactorWebauthnResponse:
+ summary: webAuthn
+ value:
+ id: fwf2rovRxogXJ0nDy0g4
+ factorType: webauthn
+ provider: FIDO
+ vendorName: FIDO
+ status: ACTIVE
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T21:43:32.000Z'
+ profile:
+ credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ authenticatorName: MacBook Touch ID
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
+ - POST
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateIdPResponse:
+ summary: Activate an Identity Provider
+ value:
+ id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: ACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-25T19:14:23.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ ActivateNetworkZone:
+ summary: Activated Network Zone
+ value:
+ type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ActiveAuthorizationServerKey:
+ summary: Active Authorization Server Key
+ value:
+ status: ACTIVE
+ alg: RS256
+ e: AQAB
+ 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ
+ kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ hints:
+ allow:
+ - GET
+ AddMappingBody:
+ summary: Update an existing profile mapping by adding one or more properties
+ value:
+ properties:
+ additionalProperties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ nickName:
+ expression: user.nickName
+ pushStatus: PUSH
+ AddMappingResponse:
+ summary: Update an existing profile mapping by adding one or more properties
+ value:
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ nickName:
+ expression: user.nickName
+ pushStatus: PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ AdminConsoleSettingsExample:
+ summary: Default Okta Admin Console Settings
+ value:
+ sessionMaxLifetimeMinutes: 720
+ sessionIdleTimeoutMinutes: 15
+ AerialConsentDetails:
+ description: Example response of consent details
+ value:
+ accountId: 0200bs0617vvhv2v675mch1cukp
+ grantDate: '2023-04-06T21:32:33.000Z'
+ grantedBy: 00uabcdefg1234567890
+ AerialConsentInvalidAccountIdResponse:
+ description: Aerial account ID is invalid
+ value:
+ errorCode: E0000001
+ errorSummary: 'API validation failed: account'
+ errorLink: E0000001
+ errorId: oaewjePjfdBT7m71KkPz0Ipaw
+ errorCauses:
+ - errorSummary: Invalid aerial account ID.
+ AerialConsentOrgAlreadyLinkedResponse:
+ description: The revoke operation isn't possible when the org is already linked
+ value:
+ errorCode: E0000001
+ errorSummary: 'API validation failed: account'
+ errorLink: E0000001
+ errorId: oae_wheRkaxRT-EFAXwBmBKLg
+ errorCauses:
+ - errorSummary: The org is already linked to an Account.
+ AerialGrantAlreadyPresentErrorResponse:
+ description: Grant is already present
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: account'
+ errorLink: E0000001
+ errorId: oaewjePjfdBT7m71KkPz0Ipaw
+ errorCauses:
+ - errorSummary: The org already has a consent grant added to Aerial.
+ AerialGrantNotFoundResponse:
+ description: No grant found for org
+ value:
+ errorCode: E0000007
+ errorSummary: 'Not found: Resource not found: grant (String)'
+ errorLink: E0000007
+ errorId: sampleFYH_dTSSTdpPYIAdHJw
+ errorCauses: []
+ AllAssignmentsOperationResponse:
+ value:
+ id: rre4mje4ez7B2a7B60g7
+ type: realm:assignment
+ status: COMPLETED
+ created: '2023-10-25T21:02:54.000Z'
+ started: '2023-10-25T21:02:54.000Z'
+ completed: '2023-10-25T21:02:54.000Z'
+ assignmentOperation:
+ configuration:
+ id: ALL
+ name: All Assignments
+ numUserMoved: 50
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7
+ method: GET
+ ApiTokenListMetadataResponse:
+ value:
+ - name: My API Token
+ userId: 00uabcdefg1234567890
+ tokenWindow: P30D
+ network:
+ connection: ANYWHERE
+ id: 00Tabcdefg1234567890
+ clientName: Okta API
+ expiresAt: '2021-12-11T20:38:10.000Z'
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ - name: Another API Token
+ userId: 00uabcdefg1234567890
+ tokenWindow: PT5M
+ id: 00T1234567890abcdefg
+ clientName: Okta API
+ expiresAt: '2021-11-11T20:43:10.000Z'
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ ApiTokenMetadataResponse:
+ value:
+ name: My API Token
+ userId: 00uXXXXXXXXXXXXXXXXX
+ tokenWindow: P30D
+ network:
+ connection: ANYWHERE
+ id: 00Tabcdefg1234567890
+ clientName: Okta API
+ expiresAt: '2021-12-11T20:38:10.000Z'
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX
+ hints:
+ allow:
+ - GET
+ AppCsrJsonResponse:
+ summary: CSR object in JSON format
+ value:
+ id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ created: '2017-03-28T01:11:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ hints:
+ allow:
+ - GET
+ - DELETE
+ publish:
+ href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ AppCsrPkcs10Response:
+ summary: CSR in DER format
+ value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9
+ AppFeatureListResponseEx:
+ summary: List app Feature response
+ value:
+ - name: USER_PROVISIONING
+ status: ENABLED
+ description: User provisioning settings from Okta to a downstream application
+ capabilities:
+ create:
+ lifecycleCreate:
+ status: DISABLED
+ update:
+ profile:
+ status: DISABLED
+ lifecycleDeactivate:
+ status: DISABLED
+ password:
+ status: DISABLED
+ seed: RANDOM
+ change: KEEP_EXISTING
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ AppFeatureResponseEx:
+ summary: App Feature response
+ value:
+ name: USER_PROVISIONING
+ status: ENABLED
+ description: User provisioning settings from Okta to a downstream application
+ capabilities:
+ create:
+ lifecycleCreate:
+ status: DISABLED
+ update:
+ profile:
+ status: DISABLED
+ lifecycleDeactivate:
+ status: DISABLED
+ password:
+ status: DISABLED
+ seed: RANDOM
+ change: KEEP_EXISTING
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ AppGrantsEx:
+ summary: App Grants example
+ value:
+ id: oag91n9ruw3dsaXzP0h6
+ status: ACTIVE
+ created: '2023-02-21T16:54:00.000Z'
+ createdBy:
+ id: 00u6eltha0nrSc47i0h7
+ type: User
+ lastUpdated: '2023-02-21T16:54:00.000Z'
+ issuer: '{yourOktaDomain}'
+ clientId: '{clientId}'
+ scopeId: okta.users.read
+ source: ADMIN
+ _embedded:
+ scope:
+ id: okta.users.read
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: Application name
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: Client name
+ AppGrantsPostEx:
+ summary: App Grants example
+ value:
+ issuer: '{yourOktaDomain}'
+ scopeId: okta.users.read
+ AppResponseBaseEx:
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ AppUserAssignProvRequest:
+ summary: SSO and provisioning Application User request example
+ value:
+ id: 00u15s1KDETTQMQYABRL
+ scope: USER
+ credentials:
+ username: saml.jackson@example.com
+ profile:
+ salesforceGroups:
+ - Employee
+ role: Developer
+ profile: Standard User
+ AppUserAssignSSORequest:
+ summary: SSO Application User request example
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ scope: USER
+ credentials:
+ username: rae.cloud@example.com
+ AppUserCredUpdateResponse:
+ summary: Application User credential update
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ externalId: null
+ created: '2024-01-27T03:52:45.000Z'
+ lastUpdated: '2024-01-27T05:15:30.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2024-01-27T03:52:45.000Z'
+ passwordChanged: '2024-01-27T05:15:30.000Z'
+ syncState: DISABLED
+ credentials":
+ userName: rae.cloud@example.com
+ password: {}
+ profile:
+ street_address: null
+ country: null
+ website: null
+ zoneinfo: America/Los_Angeles
+ birthdate: null
+ gender: null
+ formatted: null
+ profile: null
+ locality: null
+ given_name: Rae
+ middle_name: null
+ locale: en_US
+ picture: null
+ name: Rae Cloud
+ nickname: null
+ phone_number: null
+ region: null
+ postal_code: null
+ family_name: Cloud
+ email: rae.cloud@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO
+ AppUserListEx:
+ summary: List Application User example
+ value:
+ - id: 00u1dnq5S0CfjlkpABCD
+ externalId: 00u5edt3PNbbjzvIABCD
+ created: '2024-01-31T18:25:01.000Z'
+ lastUpdated: '2024-01-31T18:25:03.000Z'
+ scope: USER
+ status: PROVISIONED
+ statusChanged: '2024-01-31T18:25:03.000Z'
+ passwordChanged: null
+ syncState: SYNCHRONIZED
+ lastSync: '2024-01-31T18:25:03.000Z'
+ credentials:
+ userName: saml.test@example.com
+ profile:
+ secondEmail: null
+ lastName: Test
+ mobilePhone: null
+ displayName: Saml O Test
+ email: saml.test@example.com
+ salesforceGroups: []
+ role: Tester
+ firstName: Saml
+ streetAddress: null
+ profile: Standard Platform User
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ _embedded:
+ user:
+ id: 00u1dnq5S0CfjlkpABCD
+ status: ACTIVE
+ created: '2024-01-09T15:36:04.000Z'
+ activated: '2024-01-09T15:36:05.000Z'
+ statusChanged: '2024-01-09T15:36:05.000Z'
+ lastLogin: null
+ lastUpdated: '2024-01-09T15:36:05.000Z'
+ passwordChanged: '2024-01-09T15:36:05.000Z'
+ type:
+ id: otyzhh29g7Python90g3
+ profile:
+ firstName: Saml
+ lastName: Test
+ mobilePhone: null
+ secondEmail: null
+ login: saml.test@example.com
+ email: saml.test@example.com
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3
+ changePassword:
+ href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password
+ method: POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate
+ method: POST
+ AppUserProfUpdateResponse:
+ summary: Application User profile update
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ externalId: null
+ created: '2024-01-27T03:52:45.000Z'
+ lastUpdated: '2024-01-27T05:05:32.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2024-01-27T03:52:45.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ credentials":
+ userName: rae.cloud@example.com
+ profile:
+ street_address: null
+ country: null
+ website: null
+ zoneinfo: America/Los_Angeles
+ birthdate: null
+ gender: null
+ formatted: null
+ profile: null
+ locality: null
+ given_name: Rae
+ middle_name: Mae
+ locale: en_US
+ picture: null
+ name: Rae Mae Cloud
+ nickname: null
+ phone_number: null
+ region: null
+ postal_code: null
+ family_name: Cloud
+ email: rae.cloud@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO
+ AppUserProvExpandResponse:
+ summary: Application User expand example
+ value:
+ id: 00u1dnq5S0CfjlkpABCD
+ externalId: 00u5edt3PNbbjzvIABCD
+ created: '2024-01-31T18:25:01.000Z'
+ lastUpdated: '2024-01-31T18:25:03.000Z'
+ scope: USER
+ status: PROVISIONED
+ statusChanged: '2024-01-31T18:25:03.000Z'
+ passwordChanged: null
+ syncState: SYNCHRONIZED
+ lastSync: '2024-01-31T18:25:03.000Z'
+ credentials:
+ userName: saml.test@example.com
+ profile:
+ secondEmail: null
+ lastName: Test
+ mobilePhone: null
+ displayName: Saml O Test
+ email: saml.test@example.com
+ salesforceGroups: []
+ role: Tester
+ firstName: Saml
+ streetAddress: null
+ profile: Standard Platform User
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ _embedded:
+ user:
+ id: 00u1dnq5S0CfjlkpABCD
+ status: ACTIVE
+ created: '2024-01-09T15:36:04.000Z'
+ activated: '2024-01-09T15:36:05.000Z'
+ statusChanged: '2024-01-09T15:36:05.000Z'
+ lastLogin: null
+ lastUpdated: '2024-01-09T15:36:05.000Z'
+ passwordChanged: '2024-01-09T15:36:05.000Z'
+ type:
+ id: otyzhh29g7Python90g3
+ profile:
+ firstName: Saml
+ lastName: Test
+ mobilePhone: null
+ secondEmail: null
+ login: saml.test@example.com
+ email: saml.test@example.com
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3
+ changePassword:
+ href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password
+ method: POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate
+ method: POST
+ AppUserProvResponse:
+ summary: SSO and provisioning Application User response example
+ value:
+ id: 00u15s1KDETTQMQYABRL
+ externalId: 005o0000000ogQ9AAI
+ created: '2014-08-16T02:35:14.000Z'
+ lastUpdated: '2014-08-16T02:56:49.000Z'
+ scope: USER
+ status: PROVISIONED
+ statusChanged: '2014-08-16T02:56:49.000Z'
+ passwordChanged: null
+ syncState: SYNCHRONIZED
+ lastSync: '2014-08-16T02:56:49.000Z'
+ credentials:
+ userName: saml.jackson@example.com
+ profile:
+ secondEmail: null
+ lastName: Jackson
+ mobilePhone: null
+ email: saml.jackson@example.com
+ salesforceGroups:
+ - Employee
+ role: Developer
+ firstName: Saml
+ profile: Standard User
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ AppUserSSOResponse:
+ summary: SSO Application User response example
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ externalId: null
+ created: '2024-01-27T03:52:45.000Z'
+ lastUpdated: '2024-01-27T03:52:45.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2024-01-27T03:52:45.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ credentials":
+ userName: rae.cloud@example.com
+ profile:
+ street_address: null
+ country: null
+ website: null
+ zoneinfo: America/Los_Angeles
+ birthdate: null
+ gender: null
+ formatted: null
+ profile: null
+ locality: null
+ given_name: Rae
+ middle_name: null
+ locale: en_US
+ picture: null
+ name: Rae Cloud
+ nickname: null
+ phone_number: null
+ region: null
+ postal_code: null
+ family_name: Cloud
+ email: rae.cloud@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO
+ AppUserSchemaAddRequest:
+ value:
+ definitions:
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ externalName: twitterUserName
+ description: User's username for twitter.com
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ required: []
+ AppUserSchemaResponse:
+ value:
+ id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default
+ $schema: http://json-schema.org/draft-04/schema#
+ name: Example App
+ title: Example App User
+ lastUpdated: '2017-07-18T23:18:43.000Z'
+ created: '2017-07-18T22:35:30.000Z'
+ definitions:
+ base:
+ id: '#base'
+ type: object
+ properties:
+ userName:
+ title: Username
+ type: string
+ required: true
+ scope: NONE
+ maxLength: 100
+ required:
+ - userName
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ externalName: twitterUserName
+ description: User's username for twitter.com
+ type: string
+ scope: NONE
+ minLength: 1
+ maxLength: 20
+ required: []
+ type: object
+ properties:
+ profile:
+ allOf:
+ - $ref: '#/definitions/base'
+ - $ref: '#/definitions/custom'
+ AppUserUpdateCredRequest:
+ summary: Application User credentials update
+ value:
+ credentials:
+ userName: rae.cloud@example.com
+ password:
+ value: updatedP@55word
+ AppUserUpdateProfileRequest:
+ summary: Application User profile update
+ value:
+ profile:
+ name: Rae Mae Cloud
+ middle_name: Mae
+ AppleIdPResponse:
+ summary: Apple Identity Provider
+ value:
+ id: 0oa18hsHsG3boVejU0g4
+ type: APPLE
+ issuerMode: ORG_URL
+ name: Apple Identity Provider
+ status: ACTIVE
+ created: '2020-06-05T20:57:51.000Z'
+ lastUpdated: '2020-06-05T20:57:51.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://appleid.apple.com/auth/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://appleid.apple.com/auth/token
+ binding: HTTP-POST
+ scopes:
+ - openid
+ - email
+ - name
+ credentials:
+ client:
+ client_id: your-client-id
+ signing:
+ teamId: test team ID
+ privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ
+ kid: test key ID
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ AssignGroupOwnerRequest:
+ summary: Assign a group owner request example
+ value:
+ id: 00u1cmc03xjzePoWD0h8
+ type: USER
+ AssignGroupOwnerResponse:
+ summary: Assign a group owner response example
+ value:
+ id: 00u1cmc03xjzePoWD0h8
+ type: USER
+ resolved: true
+ originId: null
+ originType: OKTA_DIRECTORY
+ displayName: Oliver Putnam
+ lastUpdated: Wed Mar 29 18:34:31 UTC 2023
+ AuthenticatorMethodInactiveVoice:
+ value:
+ type: voice
+ status: INACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice
+ hints:
+ allow:
+ - GET
+ - PUT
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ AuthenticatorMethodPhone:
+ value:
+ - type: sms
+ status: ACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: voice
+ status: INACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice
+ hints:
+ allow:
+ - GET
+ - PUT
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ AuthenticatorMethodSms:
+ value:
+ type: sms
+ status: ACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate
+ hints:
+ allow":
+ - POST
+ AuthenticatorMethodWebauth:
+ value:
+ type: webauthn
+ status: ACTIVE
+ settings:
+ userVerification: DISCOURAGED
+ attachment: ANY
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn
+ hints:
+ allow:
+ - GET
+ - PUT
+ AuthenticatorRequestDuo:
+ value:
+ key: duo
+ name: Duo Security
+ provider:
+ type: DUO
+ configuration:
+ userNameTemplate:
+ template: oktaId
+ integrationKey: testIntegrationKey
+ secretKey: testSecretKey
+ host: https://api-xxxxxxxx.duosecurity.com
+ AuthenticatorResponseDuo:
+ value:
+ type: app
+ id: aut9gnvcjUHIWb37J0g4
+ key: duo
+ status: ACTIVE
+ name: Duo Security
+ created: '2022-07-15T21:14:02.000Z'
+ lastUpdated: '2022-07-15T21:14:02.000Z'
+ settings: {}
+ provider:
+ type: DUO
+ configuration:
+ host: https://api-xxxxxxxx.duosecurity.com
+ userNameTemplate:
+ template: oktaId
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods
+ hints:
+ allow:
+ - GET
+ AuthenticatorResponseEmail:
+ value:
+ type: email
+ id: aut1nbsPHh7jNjjyP0g4
+ key: okta_email
+ status: ACTIVE
+ name: Email
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-28T21:45:52.000Z'
+ settings:
+ allowedFor: any
+ tokenLifetimeInMinutes: 5
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponseInactiveWebAuthn:
+ value:
+ type: security_key
+ id: aut1nd8PQhGcQtSxB0g4
+ key: webauthn
+ status: INACTIVE
+ name: Security Key or Biometric
+ created: '2020-07-26T21:16:37.000Z'
+ lastUpdated: '2020-07-27T18:59:30.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponsePassword:
+ value:
+ type: password
+ id: aut1nbtrJKKA9m45a0g4
+ key: okta_password
+ status: ACTIVE
+ name: Password
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-26T21:05:23.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods
+ hints:
+ allow:
+ - GET
+ AuthenticatorResponsePhone:
+ value:
+ type: phone
+ id: aut1nbuyD8m1ckAYc0g4
+ key: phone_number
+ status: INACTIVE
+ name: Phone
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-29T00:21:29.000Z'
+ settings:
+ allowedFor: none
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods
+ hints:
+ allow:
+ - GET
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponseSecurityQuestion:
+ summary: Security Question
+ value:
+ type: security_question
+ id: aut1nbvIgEenhwE6c0g4
+ key: security_question
+ status: ACTIVE
+ name: Security Question
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-26T21:05:23.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4
+ hints:
+ allow:
+ - GET
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponseWebAuthn:
+ value:
+ type: security_key
+ id: aut1nd8PQhGcQtSxB0g4
+ key: webauthn
+ status: ACTIVE
+ name: Security Key or Biometric
+ created: '2020-07-26T21:16:37.000Z'
+ lastUpdated: '2020-07-27T18:59:30.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorsResponse:
+ summary: Org Authenticators
+ value:
+ - type: email
+ id: aut1nbsPHh7jNjjyP0g4
+ key: okta_email
+ status: ACTIVE
+ name: Email
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-28T21:45:52.000Z'
+ settings:
+ allowedFor: any
+ tokenLifetimeInMinutes: 5
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: password
+ id: aut1nbtrJKKA9m45a0g4
+ key: okta_password
+ status: ACTIVE
+ name: Password
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-26T21:05:23.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods
+ hints:
+ allow:
+ - GET
+ - type: phone
+ id: aut1nbuyD8m1ckAYc0g4
+ key: phone_number
+ status: INACTIVE
+ name: Phone
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-29T00:21:29.000Z'
+ settings:
+ allowedFor: none
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods
+ hints:
+ allow:
+ - GET
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ - type: security_key
+ id: aut1nd8PQhGcQtSxB0g4
+ key: webauthn
+ status: ACTIVE
+ name: Security Key or Biometric
+ created: '2020-07-26T21:16:37.000Z'
+ lastUpdated: '2020-07-27T18:59:30.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthorizationServerPolicy:
+ summary: Authorization Server Policy
+ value:
+ type: OAUTH_AUTHORIZATION_POLICY
+ id: 00palyaappA22DPkj0h7
+ status: ACTIVE
+ name: Vendor2 Policy
+ description: Vendor2 policy description
+ priority: 1
+ system: false
+ conditions:
+ clients:
+ include:
+ - ALL_CLIENTS
+ created: '2017-05-26T19:43:53.000Z'
+ lastUpdated: '2017-06-07T15:28:17.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ rules:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules
+ hints:
+ allow:
+ - GET
+ AuthorizationServerPolicyRule:
+ summary: Authorization Server Policy Rule
+ value:
+ type: RESOURCE_ACCESS
+ id: 0prbsjfyl01zfSZ9K0h7
+ status: ACTIVE
+ name: Default Policy Rule
+ priority: 1
+ created: '2017-08-25T16:57:02.000Z'
+ lastUpdated: '2017-08-30T14:51:05.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include:
+ - EVERYONE
+ exclude: []
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AutoLoginAppResponseEx:
+ summary: AUTO_LOGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ customswaapp_link: true
+ name: customswaapp
+ label: Custom SWA App
+ features: []
+ signOnMode: AUTO_LOGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ signOn:
+ redirectUrl: http://swasecondaryredirecturl.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ AutoLoginEx:
+ summary: AUTO_LOGIN
+ value:
+ label: Custom SWA App
+ signOnMode: AUTO_LOGIN
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ settings:
+ signOn:
+ redirectUrl: http://swasecondaryredirecturl.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ AutoLoginPutEx:
+ summary: AUTO_LOGIN
+ value:
+ label: Custom SWA App updated
+ status: ACTIVE
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ features: []
+ signOnMode: AUTO_LOGIN
+ credentials:
+ scheme: ADMIN_SETS_CREDENTIALS
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ settings:
+ signOn:
+ redirectUrl: http://swasecondaryredirecturlupdated.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ AutoLoginPutResponseEx:
+ summary: AUTO_LOGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ customswaapp_link: true
+ name: customswaapp
+ label: Custom SWA App updated
+ features: []
+ signOnMode: AUTO_LOGIN
+ credentials:
+ scheme: ADMIN_SETS_CREDENTIALS
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ signOn:
+ redirectUrl: http://swasecondaryredirecturlupdated.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ BaseSignOnModeEx:
+ value:
+ status: ACTIVE
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ features: []
+ BasicAuthEx:
+ summary: BASIC_AUTH
+ value:
+ name: template_basic_auth
+ label: Sample Basic Auth App
+ signOnMode: BASIC_AUTH
+ settings:
+ app:
+ url: https://example.com/login.html
+ authURL: https://example.com/auth.html
+ BasicAuthPutEx:
+ summary: BASIC_AUTH
+ value:
+ label: Sample Basic Auth App updated
+ signOnMode: BASIC_AUTH
+ settings:
+ app:
+ url: https://example.com/loginUpdated.html
+ authURL: https://example.com/auth.html
+ BasicAuthPutResponseEx:
+ summary: BASIC_AUTH
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_basic_auth
+ label: Sample Basic Auth App updated
+ features: []
+ signOnMode: BASIC_AUTH
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ url: https://example.com/loginUpdated.html
+ authURL: https://example.com/auth.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BasicAuthResponseEx:
+ summary: BASIC_AUTH
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_basic_auth
+ label: Sample Basic Auth App
+ features: []
+ signOnMode: BASIC_AUTH
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ url: https://example.com/login.html
+ authURL: https://example.com/auth.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BehaviorRuleRequest:
+ value:
+ name: My Behavior Rule
+ type: VELOCITY
+ BehaviorRuleResponse:
+ value:
+ id: abcd1234
+ name: My Behavior Rule
+ type: VELOCITY
+ settings:
+ velocityKph: 805
+ status: ACTIVE
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _link:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ BookmarkAppResponseEx:
+ summary: BOOKMARK
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: bookmark
+ label: Sample Bookmark App
+ features: []
+ signOnMode: BOOKMARK
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app:
+ requestIntegration: false
+ url: https://example.com/bookmark.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BookmarkEx:
+ summary: BOOKMARK
+ value:
+ name: bookmark
+ label: Sample Bookmark App
+ signOnMode: BOOKMARK
+ settings:
+ app:
+ url: https://example.com/bookmark.html
+ BookmarkPutEx:
+ summary: BOOKMARK
+ value:
+ name: bookmark
+ label: Sample Bookmark App updated
+ signOnMode: BOOKMARK
+ settings:
+ app:
+ requestIntegration: true
+ url: https://example.com/bookmark.html
+ BookmarkPutResponseEx:
+ summary: BOOKMARK
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: bookmark
+ label: Sample Bookmark App updated
+ features: []
+ signOnMode: BOOKMARK
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app:
+ requestIntegration: true
+ url: https://example.com/bookmark.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginEx:
+ summary: BROWSER_PLUGIN
+ value:
+ name: template_swa
+ label: Sample Plugin App
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ BrowserPluginPutEx:
+ summary: BROWSER_PLUGIN
+ value:
+ name: template_swa
+ label: Sample Plugin App updated
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example_updated.com/login.html
+ BrowserPluginPutResponseEx:
+ summary: BROWSER_PLUGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa
+ label: Sample Plugin App updated
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ usernameField: txtbox-username
+ buttonField: btn-login
+ passwordField: txtbox-password
+ url: https://example_updated.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginResponseEx:
+ summary: BROWSER_PLUGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa
+ label: Sample Plugin App
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ usernameField: txtbox-username
+ buttonField: btn-login
+ passwordField: txtbox-password
+ url: https://example.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginSwa3FieldEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ name: template_swa3field
+ label: Sample Plugin App
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonSelector: '#btn-login'
+ passwordSelector: '#txtbox-password'
+ userNameSelector: '#txtbox-username'
+ targetURL: https://example.com/login.html
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ BrowserPluginSwa3FieldPutEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ name: template_swa3field
+ label: Sample Plugin App updated
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonSelector: '#btn-login'
+ passwordSelector: '#txtbox-password'
+ userNameSelector: '#txtbox-username'
+ targetURL: https://exampleupdated.com/login.html
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ BrowserPluginSwa3FieldPutResponseEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa3field
+ label: Sample Plugin App updated
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ userNameSelector: '#txtbox-username'
+ passwordSelector: '#txtbox-password'
+ buttonSelector: '#btn-login'
+ targetURL: https://exampleupdated.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginSwa3FieldResponseEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa3field
+ label: Sample Plugin App
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ userNameSelector: '#txtbox-username'
+ passwordSelector: '#txtbox-password'
+ buttonSelector: '#btn-login'
+ targetURL: https://example.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BundleEntitlementsResponse:
+ summary: List of governance bundle entitlements
+ value:
+ entitlements:
+ - id: espfxqCAJWWGELFTYASJ
+ role: GROUP_MEMBERSHIP_ADMIN
+ name: Group Membership Admin
+ description: Perform all admin activities for groups in the org
+ _links:
+ values: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements/espfxqCAJWWGELFTYASJ/values
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10
+ next:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12
+ bundle:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA
+ CAPTCHAInstanceRequestHCaptcha:
+ value:
+ name: myHCaptcha
+ secretKey: xxxxxxxxxxx
+ siteKey: xxxxxxxxxxx
+ type: HCAPTCHA
+ CAPTCHAInstanceRequestReCaptcha:
+ value:
+ name: myReCaptcha
+ secretKey: xxxxxxxxxxx
+ siteKey: yyyyyyyyyyyyyyy
+ type: RECAPTCHA_V2
+ CAPTCHAInstanceResponseHCaptcha:
+ value:
+ id: abcd1234
+ name: myHCaptcha
+ siteKey: xxxxxxxxxxx
+ type: HCAPTCHA
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ CAPTCHAInstanceResponseReCaptcha:
+ value:
+ id: abcd4567
+ name: myReCaptcha
+ siteKey: yyyyyyyyyyyyyyy
+ type: RECAPTCHA_V2
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ ChangePwdRequest:
+ value:
+ oldPassword:
+ value: tlpWENT2m
+ newPassword:
+ value: uTVM,TPw55
+ revokeSessions: true
+ ChangePwdResponse:
+ value:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ CreateAnEventHook:
+ summary: Create an event hook
+ value:
+ name: Event Hook Test
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers:
+ - key: X-Other-Header
+ value: my-header-value
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ CreateAnEventHookWithFilter:
+ summary: Create an event hook with a filter
+ value:
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ CreateAppleIdPRequest:
+ summary: Create Apple Identity Provider
+ value:
+ type: APPLE
+ name: Apple Identity Provider
+ protocol:
+ type: OIDC
+ scopes:
+ - openid
+ - email
+ - name
+ credentials:
+ client:
+ client_id: your-client-id
+ signing:
+ privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ
+ kid: test key ID
+ teamId: test team ID
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ matchType: USERNAME
+ CreateAssocAuthServerBody:
+ summary: Create a trusted relationship between authorization servers
+ value:
+ - trusted: '{authorizationServerId}'
+ CreateAssocAuthServerResponse:
+ summary: Create a trusted relationship between authorization servers
+ value:
+ - id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: CUSTOM_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - DELETE
+ CreateAuthServerBody:
+ summary: Create a custom authorization server
+ value:
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - api://default
+ CreateAuthServerResponse:
+ summary: Create a custom authorization server
+ value:
+ id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ _links:
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
+ hints:
+ allow:
+ - GET
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
+ hints:
+ allow:
+ - GET
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateAuthorizationServerPolicyRequest:
+ summary: Create Authorization Server Policy
+ value:
+ type: OAUTH_AUTHORIZATION_POLICY
+ status: ACTIVE
+ name: Default Policy
+ description: Default policy description
+ priority: 1
+ system: false
+ conditions:
+ clients":
+ include":
+ - ALL_CLIENTS
+ CreateAuthorizationServerPolicyRuleRequest:
+ summary: Create Authorization Server Policy Rule
+ value:
+ type: RESOURCE_ACCESS
+ name: Default Policy Rule
+ priority: 1
+ conditions:
+ people:
+ groups:
+ include:
+ - EVERYONE
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ CreateBrandRequest:
+ value:
+ name: My Awesome Brand
+ CreateBrandResponse:
+ value:
+ id: bnd114iNkrcN6aR680g5
+ removePoweredByOkta: false
+ customPrivacyPolicyUrl: null,
+ agreeToCustomPrivacyPolicy: false,
+ name: My Awesome Brand
+ locale: en
+ defaultApp:
+ appInstanceId: null
+ appLinkName: null
+ classicApplicationUri: null
+ isDefault: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes
+ hints:
+ allow:
+ - GET
+ CreateChildOrgRequestEx:
+ summary: Create org request
+ value:
+ subdomain: my-child-org-1
+ name: My Child Org 1
+ website: http://www.examplecorp.com
+ edition: SKU
+ admin:
+ profile:
+ firstName: First
+ lastName: Last
+ email: FirstLast@example.com
+ login: FirstLast@example.com
+ mobilePhone: null
+ credentials:
+ password:
+ value: XXXX
+ CreateChildOrgResponseEx:
+ summary: Create org response
+ value:
+ id: 00o1n8sbwArJ7OQRw406
+ subdomain: my-child-org-1
+ name: My Child Org 1
+ website: http://www.examplecorp.com
+ status: ACTIVE
+ edition: SKU
+ expiresAt: null
+ created: '2024-08-27T15:42:52.000Z'
+ lastUpdated: '2024-08-27T15:42:56.000Z'
+ licensing:
+ apps: []
+ settings:
+ app:
+ errorRedirectUrl: null
+ interstitialUrl: null
+ interstitialMinWaitTime: 1200
+ userAccount:
+ attributes:
+ secondaryEmail: true
+ secondaryImage: true
+ portal:
+ errorRedirectUrl: null
+ signOutUrl: null
+ logs:
+ level: INFO
+ token: XXXXXXXXXXXXX
+ tokenType: SSWS
+ _links:
+ administrator:
+ href: https://my-child-org-1.oktapreview.com/api/v1/users/00u1n8sheI1WBQlDV406
+ uploadLogo:
+ href: https://my-child-org-1.oktapreview.com/api/v1/org/logo
+ organization:
+ href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1
+ contacts:
+ href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/contacts
+ policy:
+ href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/policy
+ CreateCustomRoleResponseGroup:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ CreateCustomTokenClaimBody:
+ summary: Create a custom token Claim
+ value:
+ - alwaysIncludeInToken: true
+ claimType: IDENTITY
+ conditions:
+ scopes:
+ - profile
+ group_filter_type: CONTAINS
+ name: Support
+ status: ACTIVE
+ system: false
+ value: Support
+ valueType: GROUPS
+ CreateCustomTokenClaimResponse:
+ summary: Create a custom token Claim response
+ value:
+ - id: '{claimId}'
+ name: Support
+ status: ACTIVE
+ claimType: IDENTITY
+ valueType: GROUPS
+ value: Support
+ conditions:
+ scopes:
+ - profile
+ system: false
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ group_filter_type: CONTAINS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ CreateEDNZRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Create an Enhanced Dynamic Network Zone
+ value:
+ type: DYNAMIC_V2
+ name: testZone106
+ status: ACTIVE
+ usage: BLOCKLIST
+ locations:
+ include: []
+ exclude: []
+ asns:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclude: []
+ CreateEDNZResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Enhanced Dynamic Network Zone
+ value:
+ type: DYNAMIC_V2
+ id: nzok0oz2xYHOZtIch0g4
+ name: testZone106
+ status: ACTIVE
+ usage: BLOCKLIST
+ create: '2024-05-13T16:33:44.000Z'
+ lastUpdated: '2024-05-13T16:33:44.000Z'
+ system: false
+ locations:
+ include: []
+ exclude: []
+ asns:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclude: []
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateEmailDomainRequest:
+ value:
+ displayName: Admin
+ userName: admin
+ domain: example.com
+ brandId: bnd100iSrkcN6aR680g1
+ validationSubdomain: mail
+ CreateFacebookIdPRequest:
+ summary: Create Facebook Identity Provider
+ value:
+ type: FACEBOOK
+ name: Facebook
+ protocol:
+ type: OAUTH2
+ scopes:
+ - public_profile
+ - email
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ CreateGenericOidcIdPRequest:
+ summary: Create Generic OpenID Connect Identity Provider
+ value:
+ type: OIDC
+ name: Example OpenID Connect IdP
+ protocol:
+ algorithms:
+ request:
+ signature:
+ algorithm: HS256
+ scope: REQUEST
+ endpoints:
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ authorization:
+ binding: HTTP-REDIRECT
+ url: https://idp.example.com/authorize
+ token:
+ binding: HTTP-POST
+ url: https://idp.example.com/token
+ userInfo:
+ binding: HTTP-REDIRECT
+ url: https://idp.example.com/userinfo
+ jwks:
+ binding: HTTP-REDIRECT
+ url: https://idp.example.com/keys
+ scopes:
+ - openid
+ - profile
+ - email
+ type: OIDC
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ pkce_required: 'true'
+ issuer:
+ url: https://idp.example.com
+ policy:
+ accountLink:
+ action: AUTO
+ filter: null
+ provisioning:
+ action: AUTO
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ groups:
+ action: NONE
+ mapAMRClaims: false
+ maxClockSkew: 120000
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ matchType: USERNAME
+ CreateGoogleIdPRequest:
+ summary: Create Google Identity Provider
+ value:
+ type: GOOGLE
+ name: Google
+ protocol:
+ type: OAUTH2
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ CreateHookKeyResponse:
+ summary: Create a key response example
+ value:
+ id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: My new key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:09:58.000Z'
+ isUsed: 'false'
+ _embedded:
+ kty: RSA
+ alg: RSA
+ kid: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ use: 'null'
+ e: AQAB
+ 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w`
+ CreateIAMStandardRoleResponseGroup:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: ACCESS_REQUESTS_ADMIN
+ label: Access Requests Administrator
+ type: ACCESS_REQUESTS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7
+ CreateIPPolicyBlockListNetworkZone:
+ summary: Create an IP Blocklist Network Zone
+ value:
+ type: IP
+ name: newBlockListNetworkZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies: null
+ CreateIPPolicyBlockListNetworkZoneResponse:
+ summary: IP Blocklist Network Zone
+ value:
+ type: IP
+ id: nzo1qasnPb1kqEq0e0g4
+ name: newBlockListNetworkzone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2021-08-09T20:22:09.000Z'
+ lastUpdated: '2021-08-09T20:22:09.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateIPPolicyNetworkZone:
+ summary: Create an IP Policy Network Zone
+ value:
+ type: IP
+ name: newNetworkZone
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies:
+ - type: CIDR
+ value: 2.2.3.4/24
+ - type: CIDR
+ value: 3.3.4.5/24
+ CreateIPPolicyNetworkZoneResponse:
+ summary: IP Policy Network Zone
+ value:
+ type: IP
+ id: nzowb8T5Jh5xuAJ0o0g7
+ name: newNetworkZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-08-09T21:32:01.000Z'
+ lastUpdated: '2021-08-09T21:32:01.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24'
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies:
+ - type: CIDR
+ value: 2.2.3.4/24
+ - type: CIDR
+ value: 3.3.4.5/24
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateLinkedObjectRequest:
+ summary: Create manager-subordinate link request
+ value:
+ primary:
+ name: manager
+ title: manager
+ description: Manager link property
+ type: USER
+ associated:
+ name: subordinate
+ title: subordinate
+ description: Subordinate link property
+ type: USER
+ CreateLinkedObjectResponse:
+ summary: Create manager-subordinate link property response
+ value:
+ primary:
+ name: manager
+ title: manager
+ description: Manager link property
+ type: USER
+ associated:
+ name: subordinate
+ title: subordinate
+ description: Subordinate link property
+ type: USER
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager
+ CreateMicrosoftIdPRequest:
+ summary: Create Microsoft Identity Provider
+ value:
+ type: MICROSOFT
+ name: Microsoft
+ protocol:
+ type: OIDC
+ scopes:
+ - openid
+ - email
+ - profile
+ - https://graph.microsoft.com/User.Read
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ CreateOAuth2ScopeRequest:
+ summary: Example scope
+ value:
+ name: car:drive
+ description: Drive car
+ consent: REQUIRED
+ displayName: Saml Jackson
+ CreateOrReplaceSMSTemplateRequest:
+ value:
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ CreateOrReplaceSMSTemplateResponse:
+ value:
+ id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ CreateSamlIdPRequest:
+ summary: Create SAML 2.0 Identity Provider
+ value:
+ type: SAML2
+ name: Example SAML IdP
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com
+ binding: HTTP-POST
+ destination: https://idp.example.com
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: http://www.okta.com/123
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: saml.subjectNameId
+ format:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ filter: (\S+@example\.com)
+ matchType: USERNAME
+ CreateSessionBody:
+ summary: Create a new Session with a valid session token
+ value:
+ sessionToken: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow
+ CreateSessionResponse:
+ summary: Create a new Session with a valid session token
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85
+ CreateSmartCardIdPRequest:
+ summary: Create SmartCard Identity Provider
+ value:
+ type: X509
+ status: ACTIVE
+ name: Smart Card IDP Name
+ properties:
+ additionalAmr:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ protocol:
+ type: MTLS
+ credentials:
+ trust:
+ revocation: CRL
+ revocationCacheLifetime: 2880
+ issuer: your-issuer
+ kid: your-kid
+ policy:
+ provisioning:
+ action: DISABLED
+ mapAMRClaims: false
+ maxClockSkew: 120000
+ subject:
+ matchType: EMAIL
+ matchAttribute: ''
+ userNameTemplate:
+ template: idpuser.subjectAltNameEmail
+ CreateStandardRoleAssignmentResponseGroup:
+ value:
+ id: grasraHPx7i79ajaJ0g3
+ label: Organization Administrator
+ type: ORG_ADMIN
+ status: ACTIVE
+ created: '2019-02-27T14:56:55.000Z'
+ lastUpdated: '2019-02-27T14:56:55.000Z'
+ assignmentType: GROUP
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3
+ CreateUISchemaBody:
+ summary: UI Schema body request
+ value:
+ uiSchema:
+ type: Group
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First Name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last Name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Primary email
+ options:
+ format: text
+ buttonLabel: Submit
+ label: Sign in
+ CreateUISchemaResponse:
+ summary: Returns full UI Schema body
+ value:
+ id: uis4a7liocgcRgcxZ0g7
+ uiSchema:
+ type: Group
+ label: Sign in
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Primary email
+ options:
+ format: text
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
+ _links:
+ self:
+ href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ CreateUpdateEmailCustomizationRequest:
+ value:
+ language: fr
+ subject: Bienvenue dans ${org.name}!
+ body: Bonjour ${user.profile.firstName}. Activer le compte
+ isDefault: false
+ CreateUpdateEmailCustomizationResponse:
+ value:
+ language: fr
+ subject: Bienvenue dans ${org.name}!
+ body: Bonjour ${user.profile.firstName}. Activer le compte
+ isDefault: false
+ id: oel11u6DqUiMbQkpl0g4
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ CreateUpdateIamRolePermissionRequestExampleWithExclude:
+ value:
+ conditions:
+ exclude:
+ okta:ResourceAttribute/User/Profile:
+ - zipCode
+ CreateUpdateIamRolePermissionRequestExampleWithInclude:
+ value:
+ conditions:
+ include:
+ okta:ResourceAttribute/User/Profile:
+ - city
+ - state
+ CreateUserRequest:
+ summary: Create a user type request
+ value:
+ description: A new custom user type
+ displayName: New User Type
+ name: newUserType
+ CreateUserResponse:
+ summary: Create a user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: New User Type
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ CsrJsonResponse:
+ summary: CSR object in JSON format
+ value:
+ id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ created: '2017-03-28T01:11:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ hints:
+ allow:
+ - GET
+ - DELETE
+ publish:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ CsrPkcs10Response:
+ summary: CSR in DER format
+ value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9
+ CustomRoleAssignmentRequest:
+ value:
+ type: CUSTOM
+ role: cr04cxy6yzSCtNciD0g7
+ resource-set: iam4cxy6z7hhaZCSk0g7
+ CustomRoleResponseClient:
+ value:
+ id: irb4ey26fpFI3vQ8y0g7
+ label: view_minimal
+ type: CUSTOM
+ status: ACTIVE
+ created: '2023-05-01T15:16:47.000Z'
+ lastUpdated: '2023-05-01T15:16:47.000Z'
+ assignmentType: CLIENT
+ resource-set: iam4cxy6z7hhaZCSk0g7
+ role: cr04cxy6yzSCtNciD0g7
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7
+ CustomRoleResponseUser:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ CustomRolesListResponseClient:
+ value:
+ - id: irb4ey26fpFI3vQ8y0g7
+ label: view_minimal
+ type: CUSTOM
+ status: ACTIVE
+ created: '2023-05-01T15:16:47.000Z'
+ lastUpdated: '2023-05-01T15:16:47.000Z'
+ assignmentType: CLIENT
+ resource-set: iam4cxy6z7hhaZCSk0g7
+ role: cr04cxy6yzSCtNciD0g7
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7
+ CustomRolesListResponseGroup:
+ value:
+ - id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ DeactivateIdPResponse:
+ summary: Deactivate an Identity Provider
+ value:
+ id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: INACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-25T19:16:53.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ DeactivateNetworkZone:
+ summary: Deactivated Network Zone
+ value:
+ type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: INACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ activate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ DeactivatedSecurityEventsProviderResponse:
+ summary: Inactive Security Events Provider
+ value:
+ id: sse1qg25RpusjUP6m0g5
+ name: Security Events Provider with well-known URL
+ type: okta
+ status: INACTIVE
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ activate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ DefaultEnhancedDynamicNetworkZone:
+ summary: Default Enhanced Dynamic Network Zone
+ value:
+ type: DYNAMIC_V2
+ id: nzohcnxFrSgsiwyHp0g4
+ name: DefaultEnhancedDynamicZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2024-05-06T19:12:29.000Z'
+ lastUpdated: '2024-05-09T21:02:31.000Z'
+ system: true
+ locations:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclue: []
+ asns:
+ include: []
+ exclude: []
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ DefaultIpBlocklistNetworkZone:
+ summary: Default IP Blocklist Network Zone
+ value:
+ type: IP
+ id: nzou3u0stMCmgOzXK1d6
+ name: BlockedIpZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ DefaultIpNetworkZone:
+ summary: Default IP Network Zone
+ value:
+ type: IP
+ id: nzou3u0ssJfZjYsWL1d6
+ name: LegacyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ DefaultRealmAssignment:
+ value:
+ id: rul2jy7jLUlnO5ng00g4
+ status: ACTIVE
+ name: Catch-all
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: true
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy6hx0g4,
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf2g5
+ priority: 499
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4
+ method: GET
+ DefaultRealmResponse:
+ value:
+ id: guox9jQ16k9V8IQWL0g3
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: true
+ profile:
+ name: Default Realm
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3
+ method: GET
+ DeviceAssuranceAndroidRequest:
+ summary: Android request
+ value:
+ name: Device assurance Android
+ osVersion:
+ minimum: 12
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceAndroidResponse:
+ summary: Android response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Android
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceAndroidWithDynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Android with dynamic version requirement request
+ value:
+ name: Device assurance Android
+ osVersion:
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 0
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceAndroidWithDynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Android with dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Android
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 0
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: ChromeOS with third-party signal providers request
+ value:
+ name: Device assurance ChromeOS
+ platform: CHROMEOS
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ allowScreenLock: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ keyTrustLevel: CHROME_OS_VERIFIED_MODE
+ DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: ChromeOS with third-party signal providers response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance ChromeOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ platform: CHROMEOS
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ allowScreenLock: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ keyTrustLevel: CHROME_OS_VERIFIED_MODE
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceIosRequest:
+ summary: iOS request
+ value:
+ name: Device assurance iOS
+ osVersion:
+ minimum: 12.4.5
+ jailbreak: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ DeviceAssuranceIosResponse:
+ summary: iOS response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance iOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ jailbroken: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceIosWithDynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: iOS with dynamic version requirement request
+ value:
+ name: Device assurance iOS
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ latestSecurityPatch: true
+ jailbreak: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ DeviceAssuranceIosWithDynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: iOS with dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance iOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ latestSecurityPatch: true
+ jailbroken: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceMacOSRequest:
+ summary: macOS request
+ value:
+ name: Device assurance macOS
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceMacOSResponse:
+ summary: macOS response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceMacOSWithDynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with dynamic version requirement request
+ value:
+ name: Device assurance macOS
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 0
+ latestSecurityPatch: true
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceMacOSWithDynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 0
+ latestSecurityPatch: true
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with third-party signal providers request
+ value:
+ name: Device assurance macOS
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain": testDomain
+ builtInDnsClientEnabled": true
+ chromeRemoteDesktopAppBlocked": true
+ safeBrowsingProtectionLevel": true
+ siteIsolationEnabled": true
+ passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode": true
+ DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with third-party signal providers response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ keyTrustLevel: CHROME_BROWSER_HW_KEY
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsRequest:
+ summary: Windows request
+ value:
+ name: Device assurance Windows
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsResponse:
+ summary: Windows response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 and Windows 10 dynamic version requirements request
+ value:
+ name: Device assurance Windows
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 1
+ latestSecurityPatch: true
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 and Windows 10 dynamic version requirements response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 1
+ latestSecurityPatch: true
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with third-party signal providers request
+ value:
+ name: Device assurance Windows
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ secureBootEnabled: true
+ windowsMachineDomain: testMachineDomain
+ windowsUserDomain: testUserDomain
+ thirdPartyBlockingEnabled: true
+ crowdStrikeCustomerId: testCustomerId
+ crowdStrikeAgentId": testAgentId
+ keyTrustLevel: CHROME_BROWSER_HW_KEY
+ DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with third-party signal providers response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ secureBootEnabled: true
+ windowsMachineDomain: testMachineDomain
+ windowsUserDomain: testUserDomain
+ thirdPartyBlockingEnabled: true
+ crowdStrikeCustomerId: testCustomerId
+ crowdStrikeAgentId": testAgentId
+ keyTrustLevel: CHROME_BROWSER_HW_KEY
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version request
+ value:
+ name: Device assurance Windows
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 1
+ - majorVersionConstraint: WINDOWS_10
+ minimum: 10.0.19045.0
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 1
+ - majorVersionConstraint: WINDOWS_10
+ minimum: 10.0.19045.0
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 minimum version and a Windows 10 dynamic version requirement request
+ value:
+ name: Device assurance Windows
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ minimum: 10.0.22000.0
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: NOT_ALLOWED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 minimum version and Windows 10 dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ minimum: 10.0.22000.0
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: NOT_ALLOWED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceChecksMacOSRequest:
+ summary: macOS request
+ value:
+ name: Device Check macOS
+ description: Query macOS devices to check if firewall is enabled
+ variableName: macOSFirewall
+ platform: MACOS
+ query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;
+ DeviceChecksMacOSResponse:
+ summary: macOS response
+ value:
+ id: dch3m8o4rWhwReDeM1c5
+ name: Device Check macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ description: Query macOS devices to check if firewall is enabled
+ variableName: macOSFirewall
+ query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;
+ platform: MACOS
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceChecksWindowsRequest:
+ summary: Windows request
+ value:
+ name: Device Check Windows
+ description: Query Windows devices to check if firewall is enabled
+ variableName: windowsFirewall
+ platform: WINDOWS
+ query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles;
+ DeviceChecksWindowsResponse:
+ summary: Windows response
+ value:
+ id: dch3m8o4rWhwReDeM1c5
+ name: Device Check Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ description: Query Windows devices to check if firewall is enabled
+ variableName: windowsFirewall
+ query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles;
+ platform: WINDOWS
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceResponse:
+ value:
+ id: guo8jx5vVoxfvJeLb0w4
+ status: ACTIVE
+ created: '2020-11-03T21:47:01.000Z'
+ lastUpdated: '2020-11-03T23:46:27.000Z'
+ profile:
+ displayName: DESKTOP-EHAD3IE
+ platform: WINDOWS
+ manufacturer: International Corp
+ model: VMware7,1
+ osVersion: 10.0.18362
+ serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce
+ udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE
+ sid: S-1-5-21-3992267483-1860856704-2413701314-500
+ registered: true
+ secureHardwarePresent: false
+ diskEncryptionType: NONE
+ resourceId: guo8jx5vVoxfvJeLb0w4
+ resourceDisplayName:
+ value: DESKTOP-EHAD3IE
+ sensitive: false
+ resourceType: UDDevice
+ resourceAlternateId: null
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ EmailCustomizationResponse:
+ value:
+ language: en
+ isDefault: true
+ subject: Welcome to ${org.name}!
+ body: Hello, ${user.profile.firstName}. Click here to activate your account.
+ id: oel11u6DqUiMbQkpl0g4
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ EmailDomainResponse:
+ value:
+ id: OeD114iNkrcN6aR680g4
+ validationStatus: NOT_STARTED
+ displayName: Admin
+ userName: admin
+ domain: example.com
+ validationSubdomain: mail
+ dnsValidationRecords:
+ - recordType: TXT
+ fqdn: _oktaverification.example.com
+ verificationValue: 759080212bda43e3bc825a7d73b4bb64
+ - recordType: CNAME
+ fqdn: mail.example.com
+ verificationValue: u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t02._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t022._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ EmailSettingsRequest:
+ value:
+ recipients: ALL_USERS
+ EmailSettingsResponse:
+ value:
+ recipients: ALL_USERS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ EmailTemplateDefaultContentResponse:
+ value:
+ subject: Welcome to ${org.name}!
+ body:
Hello, ${user.profile.firstName}. Click here to activate your account.
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ hints:
+ allow:
+ - GET
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview
+ hints:
+ allow:
+ - GET
+ EmbeddedGroupAssignmentSampleResponse:
+ summary: Application Group with an embedded Group
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ _embedded:
+ group:
+ id: 00g15acRUy0SYb9GT0g4
+ created: '2024-06-02T13:02:12.000Z'
+ lastUpdated: '2024-06-02T13:02:12.000Z'
+ lastMembershipUpdated: '2024-06-02T13:03:13.000Z'
+ objectClass:
+ - okta:user_group
+ type: OKTA_GROUP
+ profile:
+ name: Football Group
+ description: Group with professional footballers
+ _links:
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-medium.30ce6d4085dff29412984e4c191bc874.png
+ type: image/png
+ - name: large
+ href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-large.c3cb8cda8ae0add1b4fe928f5844dbe3.png
+ type: image/png
+ users:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/users
+ apps:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/apps
+ EmbeddedMetadataGroupAssignmentSampleResponse:
+ summary: Application Group with embedded metadata
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ _embedded:
+ metadata:
+ credentials: {}
+ profile:
+ division:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ preferredLanguage:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ manager:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ securityQuestion:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ securityAnswer:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ timezone:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ organization:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ initialStatus:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ managerId:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ userType:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ locale:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ department:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ EnrollFactorCallRequest:
+ summary: call
+ value:
+ factorType: call
+ provider: OKTA
+ profile:
+ phoneNumber: +1-555-415-1337
+ honeExtension: '1234'
+ EnrollFactorCallResponse:
+ summary: call
+ value:
+ id: clf1nz9JHJGHWRKMTLHP
+ factorType: call
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-08-05T20:59:49.000Z'
+ lastUpdated: '2014-08-06T03:59:49.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ phoneExtension: '1234'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ resend:
+ - name: call
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/resend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorCustomTotpRequest:
+ summary: custom totp
+ value:
+ factorType: token:hotp
+ provider: CUSTOM
+ factorProfileId: fpr20l2mDyaUGWGCa0g4
+ profile:
+ sharedSecret: 484f97be3213b117e3a20438e291540a
+ EnrollFactorCustomTotpResponse:
+ summary: custom totp
+ value:
+ id: chf20l33Ks8U2Zjba0g4
+ factorType: token:hotp
+ provider: CUSTOM
+ vendorName: Entrust Datacard
+ status: ACTIVE
+ created: '2019-07-22T23:22:36.000Z'
+ lastUpdated: '2019-07-22T23:22:36.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4/verify
+ hints:
+ allow:
+ - POST
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3
+ hints:
+ allow:
+ - GET
+ EnrollFactorEmailRequest:
+ summary: email
+ value:
+ factorType: email
+ provider: OKTA
+ profile:
+ email: test@gmail.com
+ EnrollFactorEmailResponse:
+ summary: email
+ value:
+ id: emfnf3gSScB8xXoXK0g3
+ factorType: email
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ resend:
+ - name: email
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/resend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3
+ hints:
+ allow:
+ - GET
+ EnrollFactorGoogleRequest:
+ summary: google token:software:totp
+ value:
+ factorType: token:software:totp
+ provider: GOOGLE
+ EnrollFactorGoogleResponse:
+ value:
+ id: ostf1fmaMGJLMNGNLIVG
+ factorType: token:software:totp
+ provider: GOOGLE
+ vendorName: GOOGLE
+ status: PENDING_ACTIVATION
+ created: '2014-07-16T16:13:56.000Z'
+ lastUpdated: '2014-07-16T16:13:56.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ timeStep: 30
+ sharedSecret: JBTWGV22G4ZGKV3N
+ encoding: base32
+ keyLength: 16
+ _links:
+ qrcode:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4
+ type: image/png
+ EnrollFactorOVPushRequest:
+ summary: token:software:totp push
+ value:
+ factorType: push
+ provider: OKTA
+ EnrollFactorOVPushResponse:
+ summary: token:software:totp
+ value:
+ id: opfbtzzrjgwauUsxO0g4
+ factorType: push
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2015-11-13T07:34:22.000Z'
+ lastUpdated: '2015-11-13T07:34:22.000Z'
+ _links:
+ poll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/poll
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ expiresAt: '2015-11-13T07:44:22.000Z'
+ factorResult: WAITING
+ _links:
+ send:
+ - name: email
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/email
+ hints:
+ allow:
+ - POST
+ - name: sms
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/sms
+ hints:
+ allow:
+ - POST
+ qrcode:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/qr/00Ji8qVBNJD4LmjYy1WZO2VbNqvvPdaCVua-1qjypa
+ type: image/png
+ EnrollFactorOVTotpRequest:
+ summary: token:software:totp
+ value:
+ factorType: token:software:totp
+ provider: OKTA
+ EnrollFactorOVTotpResponse:
+ summary: token:software:totp
+ value:
+ id: ostf1fmaMGJLMNGNLIVG
+ factorType: token:software:totp
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-07-16T16:13:56.000Z'
+ lastUpdated: '2014-07-16T16:13:56.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ timeStep: 30
+ sharedSecret: JBTWGV22G4ZGKV3N
+ encoding: base32
+ keyLength: 6
+ _links:
+ qrcode:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4
+ type: image/png
+ EnrollFactorQuestionRequest:
+ summary: question
+ value:
+ question:
+ summary: question factor
+ value:
+ factorType: question
+ provider: OKTA
+ profile:
+ question: disliked_food
+ answer: mayonnaise
+ EnrollFactorQuestionResponse:
+ summary: question
+ value:
+ id: ufs1o01OTMGHLAJPVHDZ
+ factorType: question
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-08-05T22:58:49.000Z'
+ lastUpdated: '2014-08-05T22:58:49.000Z'
+ profile:
+ question: disliked_food
+ questionText: What is the food you least liked as a child?
+ _links:
+ questions:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs1o01OTMGHLAJPVHDZ
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorRsaSecurIdRequest:
+ summary: RSA SecurID
+ value:
+ factorType: token
+ provider: RSA
+ profile:
+ credentialId: dade.murphy@example.com
+ verify:
+ passCode: '5275875498'
+ EnrollFactorRsaSecurIdResponse:
+ summary: RSA SecurID
+ value:
+ id: rsabtznMn6cp94ez20g4
+ factorType: token
+ provider: RSA
+ vendorName: RSA
+ status: ACTIVE
+ created: '2015-11-13T07:05:53.000Z'
+ lastUpdated: '2015-11-13T07:05:53.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorSmsRequest:
+ summary: sms
+ value:
+ factorType: sms
+ provider: OKTA
+ profile:
+ phoneNumber: +1-555-415-1337
+ EnrollFactorSmsResponse:
+ summary: sms
+ value:
+ id: mbl1nz9JHJGHWRKMTLHP
+ factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-08-05T20:59:49.000Z'
+ lastUpdated: '2014-08-06T03:59:49.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ resend:
+ - name: sms
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/resend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorSymantecVipRequest:
+ summary: Symantec VIP
+ value:
+ factorType: token
+ provider: SYMANTEC
+ profile:
+ credentialId: VSMT14393584
+ verify:
+ passCode: '875498'
+ nextPassCode: '678195'
+ EnrollFactorSymantecVipResponse:
+ summary: Symantec VIP
+ value:
+ id: ufvbtzgkYaA7zTKdQ0g4
+ factorType: token
+ provider: SYMANTEC
+ vendorName: SYMANTEC
+ status: ACTIVE
+ created: '2015-11-13T06:52:08.000Z'
+ lastUpdated: '2015-11-13T06:52:08.000Z'
+ profile:
+ credentialId: VSMT14393584
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorU2fRequest:
+ summary: u2f
+ value:
+ factorType: u2f
+ provider: FIDO
+ EnrollFactorU2fResponse:
+ summary: u2f
+ value:
+ id: fuf2rovRxogXJ0nDy0g4
+ factorType: u2f
+ provider: FIDO
+ vendorName: FIDO
+ status: PENDING_ACTIVATION
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T20:43:19.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ version: U2F_V2
+ nonce: 9DmGJDLvaU6KWxJbfrZ0
+ timeoutSeconds: 20
+ EnrollFactorWebauthnRequest:
+ summary: webAuthn
+ value:
+ factorType: webauthn
+ provider: FIDO
+ EnrollFactorWebauthnResponse:
+ summary: webAuthn
+ value:
+ id: fwf2rovRxogXJ0nDy0g4
+ factorType: webauthn
+ provider: FIDO
+ vendorName: FIDO
+ status: PENDING_ACTIVATION
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T20:43:19.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ attestation: direct
+ authenticatorSelection:
+ userVerification: preferred
+ requireResidentKey: false
+ challenge: cdsZ1V10E0BGE4GcG3IK
+ excludeCredentials: []
+ pubKeyCredParams:
+ - type: public-key
+ alg: -7
+ - type: public-key
+ alg: -257
+ rp:
+ name: Rain-Cloud59
+ user:
+ displayName: First Last
+ name: first.last@gmail.com
+ id: 00u15s1KDETTQMQYABRL
+ EnrollFactorYubikeyRequest:
+ summary: yubikey
+ value:
+ factorType: token:hardware
+ provider: YUBICO
+ verify:
+ passCode: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji
+ EnrollFactorYubikeyResponse:
+ value:
+ id: ykfbty3BJeBgUi3750g4
+ factorType: token:hardware
+ provider: YUBICO
+ vendorName: YUBICO
+ status: ACTIVE
+ created: '2015-11-13T05:27:49.000Z'
+ lastUpdated: '2015-11-13T05:27:49.000Z'
+ profile:
+ credentialId: '000004102994'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: hhttps://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EntitlementValuesResponse:
+ summary: List of bundle entitlement values
+ value:
+ entitlementValues:
+ - id: entfxqCAJWWGELFTYAAA
+ value: orn:okta:00o5rb5mt2H3d1TJd0h7:groups:00guaxWZ0AOa5NFAj0g3
+ name: Restricted users group
+ _links:
+ group: http://your-subdomain.okta.com/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10
+ bundle:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA
+ entitlements:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements
+ ErrorAccessDenied:
+ summary: Access Denied
+ value:
+ errorCode: E0000006
+ errorSummary: You do not have permission to perform the requested action
+ errorLink: E0000006
+ errorId: sampleNUSD_8fdkFd8fs8SDBK
+ errorCauses: []
+ ErrorAgentTimeOut:
+ value:
+ errorCode: E0000237
+ errorSummary: Timed out waiting for agent.
+ errorLink: E0000237
+ errorId: sampleMlLvGUj_YD5v16vkYWY
+ errorCauses: []
+ ErrorApiValidationFailed:
+ summary: API Validation Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: {0}'
+ errorLink: E0000001
+ errorId: sampleiCF-8D5rLW6myqiPItW
+ errorCauses: []
+ ErrorAppFeatureAPIValidationFailed:
+ summary: API Validation Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: feature'
+ errorLink: E0000001
+ errorId: oaeZLxeiHUUQomPkM8xOqvu1A
+ errorCauses:
+ - errorSummary: Provisioning is not enabled for the app instance.
+ ErrorAppUserForbiddenAction:
+ summary: Forbidden action
+ description: If the `PUSH_NEW_USERS` or `PUSH_PROFILE_UPDATES` feature is enabled and the request specifies a value for a profile-mapped (Universal Directory) attribute that doesn't match the mapped value, then a 403 error is returned.
+ value:
+ errorCode: E0000075
+ errorSummary: Cannot modify the firstName attribute because it has a field mapping and profile push is enabled.
+ errorLink: E0000075
+ errorId: sampleWXiR_K-WwaTKhlgBQ
+ errorCauses: []
+ ErrorAppUserUpdateBadRequest:
+ summary: Bad request
+ description: If you attempt to assign a username or password to an app with an incompatible authentication scheme, then a 400 error is returned.
+ value:
+ errorCode: E0000041
+ errorSummary: Credentials should not be set on this resource based on the scheme.
+ errorLink: E0000041
+ errorId: oaeUM77NBynQQu4C_qT5ngjGQ
+ errorCauses:
+ errorSummary: User level credentials should not be provided for this scheme.
+ ErrorCAPTCHALimitOfOne:
+ value:
+ errorCode: E0000165
+ errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org.
+ errorLink: E0000165
+ errorId: oaejrB1fWL1S7mc-2KcG-SOtw
+ errorCauses: []
+ ErrorCAPTCHAOrgWideSetting:
+ value:
+ errorCode: E0000149
+ errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed.
+ errorLink: E0000149
+ errorId: samplezsusshPdiTWiITwqBt8
+ errorCauses: []
+ ErrorCAPTCHAOrgWideSettingNull:
+ summary: captchaId is null, but enabledPages is defined
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: captchaId'
+ errorLink: E0000001
+ errorId: oae-hk3rssXQmOWDRsaFfxe8A
+ errorCauses:
+ errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.'
+ ErrorClientJsonWebKeyDuplicateKid:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: All keys in the 'jwks' must have a unique `kid`.
+ ErrorClientJsonWebKeyKidLengthTooShort:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: RSA key length in the 'jwks' is less than '2,048' bits for the given key.
+ ErrorClientJsonWebKeyNonUniqueKid:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Each key should have a unique kid when adding multiple keys. Use the Apps API to update the JWKS to add a kid for the existing key, or delete the existing key and re-add the key with a kid using the JWKS APIs.
+ ErrorClientJsonWebKeyTooManyKids:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one.
+ ErrorClientSecretNonAscii:
+ summary: Client secret allows only ASCII error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''''client_secret'''' must only contain printable ASCII: [x20-x7E]+'
+ ErrorClientSecretTooLong:
+ summary: Client secret too long error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''client_secret'' can''t be more than ''100'' characters long.'
+ ErrorClientSecretTooShort:
+ summary: Client secret too short error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''client_secret'' must be at least ''14'' characters long.'
+ ErrorClientSecretTooShortWithClientSecretJWT:
+ summary: Client secret is too short for JWT error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''client_secret'' must be at least ''32'' characters long when ''token_endpoint_auth_method'' is ''client_secret_jwt''.'
+ ErrorClientSecretWithPrivateKeyJWT:
+ summary: Client secret can't be used for private key JWT error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: '''client_secret'' can''t be used when ''token_endpoint_auth_method'' is ''private_key_jwt''.'
+ ErrorCreateBrandExists:
+ value:
+ errorCode: E0000202
+ errorSummary: Brand name already exists.
+ errorLink: E0000202
+ errorId: oaeKABuesTdRvCXeCTpSpXAcQ
+ errorCauses: []
+ ErrorCreateUserWithExpiredPasswordWithNullPassword:
+ value:
+ errorCode: E0000124
+ errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified.
+ errorLink: E0000124
+ errorId: oaeXxuZgXBySvqi1FvtkwoYCA
+ errorCauses:
+ - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified.
+ ErrorCreateUserWithExpiredPasswordWithoutActivation:
+ value:
+ errorCode: E0000125
+ errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true.
+ errorLink: E0000125
+ errorId: oaeDd77L9R-TJaD7j_rXsQ31w
+ errorCauses:
+ - errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true.
+ ErrorCreateUserWithTooManyManyGroupsResponse:
+ value:
+ errorCode: E0000093
+ errorSummary: Target count limit exceeded
+ errorLink: E0000093
+ errorId: oaePVSLIYnIQsC0B-ptBIllVA
+ errorCauses:
+ - errorSummary: The number of group targets is too large
+ ErrorDeactivateTheOnlyClientSecret:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: OAuth2ClientSecretMediated'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't deactivate the only active client secret.
+ ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Can't deactivate the only active JSON Web Key when the value for `token_endpoint_auth_method` is `private_key_jwt`.
+ ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: The `jwks` must contain at least one key with an algorithm matching the `request_object_signature_algorithm`.
+ ErrorDeleteActiveJsonWebKey:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't delete an active JSON Web key. Deactivate the key before deleting it.
+ ErrorDeleteActiveSecret:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: OAuth2ClientSecretMediated'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't delete an active client secret. Deactivate the secret before deleting it.
+ ErrorDeleteBrandAssociatedWithDomain:
+ value:
+ errorCode: E0000201
+ errorSummary: A brand associated with a domain cannot be deleted
+ errorLink: E0000201
+ errorId: oaeAdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorDeleteDefaultBrand:
+ value:
+ errorCode: E0000200
+ errorSummary: A default brand cannot be deleted
+ errorLink: E0000200
+ errorId: oaeAdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorDeviceAssuranceInUse:
+ summary: Can't delete device assurance policy in use by authentication policies
+ value:
+ errorSummary: Device assurance is in use and cannot be deleted.
+ errorId: oaenwA1ra80S9W-pvbh4m6haA
+ errorCauses: []
+ ErrorDeviceCheckInUse:
+ summary: Can't delete device check in use by device assurance policies
+ value:
+ errorSummary: Device check is in use and can't be deleted.
+ errorId: oaenwA1ra80S9W-pvbh4m6haA
+ errorCauses: []
+ ErrorEmailCustomizationCannotClearDefault:
+ value:
+ errorCode: E0000185
+ errorSummary: The isDefault parameter of the default email template customization can't be set to false.
+ errorLink: E0000185
+ errorId: oaejrB1fWL1S7mc-2KcG-SOtw
+ errorCauses: []
+ ErrorEmailCustomizationCannotDeleteDefault:
+ value:
+ errorCode: E0000184
+ errorSummary: A default email template customization can't be deleted.
+ errorLink: E0000184
+ errorId: oaeAdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorEmailCustomizationDefaultAlreadyExists:
+ value:
+ errorCode: E0000182
+ errorSummary: A default email template customization already exists.
+ errorLink: E0000182
+ errorId: oaeXYwTiMvASsC3O4HCzjFaCA
+ errorCauses: []
+ ErrorEmailCustomizationLanguageAlreadyExists:
+ value:
+ errorCode: E0000183
+ errorSummary: An email template customization for that language already exists.
+ errorLink: E0000183
+ errorId: oaeUcGELffqRay0u1OPdnPypw
+ errorCauses: []
+ ErrorEmailDomainAlreadyExists:
+ value:
+ errorCode: E0000197
+ errorSummary: Email domain already exists.
+ errorLink: E0000197
+ errorId: oaeEdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorEmailDomainInUse:
+ value:
+ errorCode: E0000216
+ errorSummary: Email domain can't be deleted due to mail provider restrictions.
+ errorLink: E0000216
+ errorId: oaeEdRqprFuTyKokyYPbURJkB
+ errorCauses: []
+ ErrorEmailDomainInvalidStatus:
+ value:
+ errorCode: E0000217
+ errorSummary: Invalid status. Can't validate email domain with current status.
+ errorLink: E0000217
+ errorId: oaeEdRqprFuTyKokyYPbURJkD
+ errorCauses: []
+ ErrorEmailDomainNotVerified:
+ value:
+ errorCode: E0000218
+ errorSummary: Email domain couldn't be verified by mail provider.
+ errorLink: E0000218
+ errorId: oaeEdRqprFuTyKokyYPbURJkC
+ errorCauses: []
+ ErrorInternalServer:
+ summary: Internal Server Error
+ value:
+ errorCode: E0000009
+ errorSummary: Internal Server Error
+ errorLink: E0000000
+ errorId: sampleAlJ82XS2SDB_vaNIWgcA
+ errorCauses: []
+ ErrorInvalidEmailTemplateRecipients:
+ value:
+ errorCode: E0000189
+ errorSummary: This template does not support the recipients value.
+ errorLink: E0000189
+ errorId: oae8L1-UkcNTeGi5xVQ28_lww
+ errorCauses: []
+ ErrorInvalidLinkedObjectDef:
+ summary: Invalid linked objection definition
+ value:
+ errorCode: E0000127
+ errorSummary: Invalid linked objection definition. Linked object identifier is already in use.
+ errorLink: E0000127
+ errorId: oaeh5FICFF2RnqakoNofPadhw
+ errorCauses:
+ - errorSummary: Linked object identifier for primary is already in use.
+ reason: UNIQUE_CONSTRAINT
+ locationType: body
+ domain: linkedObjects
+ - errorSummary: Linked object identifier for associated is already in use.
+ reason: UNIQUE_CONSTRAINT
+ locationType: body
+ domain: linkedObjects
+ ErrorInvalidTokenProvided:
+ summary: Invalid Token Provided
+ value:
+ errorCode: E0000011
+ errorSummary: Invalid token provided
+ errorLink: E0000011
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses: []
+ ErrorKeyCredentialCloneDuplicateKey:
+ summary: Duplicate key credential error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: cloneKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Key already exists in the list of key credentials for the target app.
+ ErrorKeyCredentialInvalidValidity:
+ summary: Key credential invalid year error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: generateKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Validity years out of range. It should be 2 - 10 years.
+ ErrorMaxNumberOfSecrets:
+ summary: Maximum client secrets reached error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: OAuth2ClientSecretMediated'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You've reached the maximum number of client secrets per client.
+ ErrorMissingRequiredParameter:
+ summary: Missing Required Parameter
+ value:
+ errorCode: E0000028
+ errorSummary: The request is missing a required parameter.
+ errorLink: E0000028
+ errorId: sampleiCF-l7mr9XqM1NQ
+ errorCauses: []
+ ErrorNoConnectedAgents:
+ value:
+ errorCode: E0000236
+ errorSummary: There are no connected agents.
+ errorLink: E0000236
+ errorId: sampleMlLvGUj_YD5v16vkYWY
+ errorCauses: []
+ ErrorPinOrCredRequestsGenerationFailure:
+ summary: PIN or Cred Requests Generation Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: pinRequest|credRequests'
+ errorLink: E0000001
+ errorId: oaehk3rssXQmOWDRsaFfxe8A
+ errorCauses:
+ errorSummary: There was a problem generating the pinRequest|credRequests.
+ ErrorPinOrCredResponsesProcessingFailure:
+ summary: PIN or Cred Response Processing Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: pinResponse|credResponses'
+ errorLink: E0000001
+ errorId: oaehk3rssXQmOWDRsaFfxe8B
+ errorCauses:
+ errorSummary: There was a problem generating the pinResponse|credResponses.
+ ErrorPublishCSRCertDoesNotMatchCSR:
+ summary: Mismatch certificate and CSR error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: certificate'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: The certificate doesn't match the CSR.
+ ErrorPublishCSRCertValidityLessThan90Days:
+ summary: Certificate valid for 90 days error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: certificate'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: The certificate must be valid for more than 90 days.
+ ErrorPushProviderUsedByCustomAppAuthenticator:
+ value:
+ errorCode: E0000187
+ errorSummary: Cannot delete push provider because it is being used by a custom app authenticator.
+ errorLink: E0000187
+ errorId: oaenwA1ra80S9W-pvbh4m6haA
+ errorCauses: []
+ ErrorResourceNotFound:
+ summary: Resource Not Found
+ value:
+ errorCode: E0000007
+ errorSummary: 'Not found: {0}'
+ errorLink: E0000007
+ errorId: sampleMlLvGUj_YD5v16vkYWY
+ errorCauses: []
+ ErrorTooManyRequests:
+ summary: Too Many Requests
+ value:
+ errorCode: E0000047
+ errorSummary: API call exceeded rate limit due to too many requests.
+ errorLink: E0000047
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses: []
+ ExampleOAuth2Scope:
+ summary: Example scope
+ value:
+ id: scp5yu8kLOnDzo7lh0g4
+ name: car:drive
+ description: Drive car
+ system: false
+ default: false
+ displayName: Saml Jackson
+ consent: REQUIRED
+ optional: false
+ metadataPublish: NO_CLIENTS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ExampleOAuth2Scopes:
+ summary: All scopes
+ value:
+ - id: scp5yu8kLOnDzo7lh0g4
+ name: car:drive
+ description: Drive car
+ system: false
+ default: false
+ displayName: Saml Jackson
+ consent: REQUIRED
+ optional: false
+ metadataPublish: NO_CLIENTS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ExpirePwdResponse:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: PASSWORD_EXPIRED
+ created: '2013-06-24T16:39:18.000Z'
+ activated: '2013-06-24T16:39:19.000Z'
+ statusChanged: '2013-06-24T16:39:19.000Z'
+ lastLogin: '2013-06-24T17:39:19.000Z'
+ lastUpdated: '2013-06-27T16:35:28.000Z'
+ passwordChanged: '2013-06-24T16:39:19.000Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_password
+ resetFactors:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_factors
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/expire_password
+ forgotPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/forgot_password
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_recovery_question
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/deactivate
+ changePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_password
+ ExpirePwdWithTempPwdResponse:
+ value:
+ tempPassword: F46gy7X4
+ ExpiredAuthorizationServerKey:
+ summary: Expired Authorization Server Key
+ value:
+ status: EXPIRED
+ alg: RS256
+ e: AQAB
+ 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ
+ kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ hints:
+ allow:
+ - GET
+ FacebookIdPResponse:
+ summary: Facebook Identity Provider
+ value:
+ id: 0oa62b57p7c8PaGpU0h7
+ type: FACEBOOK
+ name: Facebook
+ status: ACTIVE
+ created: '2016-03-24T23:18:27.000Z'
+ lastUpdated: '2016-03-24T23:18:27.000Z'
+ protocol:
+ type: OAUTH2
+ endpoints:
+ authorization:
+ url: https://www.facebook.com/dialog/oauth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://graph.facebook.com/v2.5/oauth/access_token
+ binding: HTTP-POST
+ scopes:
+ - public_profile
+ - email
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ FactorEmail:
+ value:
+ id: emfnf3gSScB8xXoXK0g3
+ factorType: email
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ profile:
+ email: changed@clouditude.net
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3
+ hints:
+ allow:
+ - GET
+ FactorPasscodeRequest:
+ value:
+ passCode: '123456'
+ FactorResponseSms:
+ value:
+ id: sms2gt8gzgEBPUWBIFHN
+ factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-06-27T20:27:26.000Z'
+ lastUpdated: '2014-06-27T20:27:26.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ForgotPwdRecoveryQuestionRequest:
+ value:
+ password:
+ value: uTVM,TPw55
+ recovery_question:
+ answer: Annie Oakley
+ ForgotPwdRecoveryQuestionResponse:
+ value:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ ForgotPwdResponse:
+ value:
+ resetPasswordUrl: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO
+ GenericOidcIdpResponse:
+ summary: Generic OpenID Connect Identity Provider
+ value:
+ id: 0oaulob4BFVa4zQvt0g3
+ type: OIDC
+ name: Example OpenID Connect IdP
+ status: ACTIVE
+ created: '2019-02-07T20:07:47.000Z'
+ lastUpdated: '2019-02-07T20:07:47.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://idp.example.com/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://idp.example.com/token
+ binding: HTTP-POST
+ userInfo:
+ url: https://idp.example.com/userinfo
+ binding: HTTP-REDIRECT
+ jwks:
+ url: https://idp.example.com/keys
+ binding: HTTP-REDIRECT
+ algorithms:
+ request:
+ signature:
+ algorithm: HS256
+ scope: REQUEST
+ scopes:
+ - openid
+ issuer:
+ url: https://idp.example.com
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ pkce_required: 'true'
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: false
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ GetApplicationsByGroupResponseEx:
+ summary: Retrieve apps assigned to a group
+ value:
+ - id: 0oa7vicdkRNrz59R80w6
+ name: workday
+ label: hrportal2
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:50.000Z'
+ created: '2021-05-17T23:10:49.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate
+ - id: 0oa7vicvor8YSr9Hc0w6
+ name: workday
+ label: hrportal1
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:22.000Z'
+ created: '2021-05-17T23:10:22.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate
+ - id: 0oabkvBLDEKCNXBGYUAS
+ name: template_swa
+ label: Sample Plugin App
+ status: ACTIVE
+ lastUpdated: '2013-09-11T17:58:54.000Z'
+ created: '2013-09-11T17:46:08.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ _links:
+ logo:
+ - href: https:/example.okta.com/img/logos/logo_1.png
+ name: medium
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate
+ GetApplicationsByKeyResponseEx:
+ summary: Retrieve apps using a key
+ value:
+ - id: 0oa1gjh63g214q0Hq0g4
+ name: testorgone_customsaml20app_1
+ label: Custom Saml 2.0 App
+ status: ACTIVE
+ lastUpdated: '2016-08-09T20:12:19.000Z'
+ created: '2016-08-09T20:12:19.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_customsaml20app_1_link: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${fn:substringBefore(source.login, "@")}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: https://{yourOktaDomain}
+ idpIssuer: https://www.okta.com/${org.externalKey}
+ audience: https://example.com/tenant/123
+ recipient: https://recipient.okta.com
+ destination: https://destination.okta.com
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ slo:
+ enabled: true
+ spIssuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ attributeStatements: []
+ _links:
+ logo:
+ - name: medium
+ href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ appLinks:
+ - name: testorgone_customsaml20app_1_link
+ href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4
+ type: text/html
+ help:
+ href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions
+ type: text/html
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata
+ type: application/xml
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-03-21T23:31:35.000Z'
+ lastUpdated: '2014-03-21T23:31:35.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-03-21T23:31:35.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ id: 0oabkvBLDEKCNXBGYUAS
+ name: template_swa
+ label: Sample Plugin App
+ status: ACTIVE
+ lastUpdated: '2013-09-11T17:58:54.000Z'
+ created: '2013-09-11T17:46:08.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ _links:
+ logo:
+ - href: https://example.okta.com/img/logos/logo_1.png
+ name: medium
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-06-10T15:16:01.000Z'
+ lastUpdated: '2014-06-10T15:17:38.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-06-10T15:16:01.000Z'
+ passwordChanged: '2014-06-10T15:17:38.000Z'
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ password: {}
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ GetApplicationsByNameResponseEx:
+ summary: Retrieve apps by name
+ value:
+ - id: 0oa7vicdkRNrz59R80w6
+ name: workday
+ label: hrportal2
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:50.000Z'
+ created: '2021-05-17T23:10:49.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate
+ - id: 0oa7vicvor8YSr9Hc0w6
+ name: workday
+ label: hrportal1
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:22.000Z'
+ created: '2021-05-17T23:10:22.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate
+ GetApplicationsByUserResponseEx:
+ summary: Retrieve apps assigned to a user
+ value:
+ - id: 0oa1gjh63g214q0Hq0g4
+ name: testorgone_customsaml20app_1
+ label: Custom Saml 2.0 App
+ status: ACTIVE
+ lastUpdated: '2016-08-09T20:12:19.000Z'
+ created: '2016-08-09T20:12:19.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_customsaml20app_1_link: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${fn:substringBefore(source.login, "@")}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: https://{yourOktaDomain}
+ idpIssuer: https://www.okta.com/${org.externalKey}
+ audience: https://example.com/tenant/123
+ recipient: https://recipient.okta.com
+ destination: https://destination.okta.com
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ slo:
+ enabled: true
+ spIssuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ attributeStatements: []
+ _links:
+ logo:
+ - name: medium
+ href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ appLinks:
+ - name: testorgone_customsaml20app_1_link
+ href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4
+ type: text/html
+ help:
+ href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions
+ type: text/html
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata
+ type: application/xml
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-03-21T23:31:35.000Z'
+ lastUpdated: '2014-03-21T23:31:35.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-03-21T23:31:35.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ id: 0oabkvBLDEKCNXBGYUAS
+ name: template_swa
+ label: Sample Plugin App
+ status: ACTIVE
+ lastUpdated: '2013-09-11T17:58:54.000Z'
+ created: '2013-09-11T17:46:08.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ _links:
+ logo:
+ - href: https://example.okta.com/img/logos/logo_1.png
+ name: medium
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-06-10T15:16:01.000Z'
+ lastUpdated: '2014-06-10T15:17:38.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-06-10T15:16:01.000Z'
+ passwordChanged: '2014-06-10T15:17:38.000Z'
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ password: {}
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ GetApplicationsResponseEx:
+ summary: Retrieve an app
+ value:
+ id: 0oa1gjh63g214q0Hq0g4
+ name: testorgone_customsaml20app_1
+ label: Custom Saml 2.0 App
+ status: ACTIVE
+ lastUpdated: '2016-08-09T20:12:19.000Z'
+ created: '2016-08-09T20:12:19.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_customsaml20app_1_link: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${fn:substringBefore(source.login, "@")}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: https://{yourOktaDomain}
+ idpIssuer: https://www.okta.com/${org.externalKey}
+ audience: https://example.com/tenant/123
+ recipient: https://recipient.okta.com
+ destination: https://destination.okta.com
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ slo:
+ enabled: true
+ spIssuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ attributeStatements: []
+ inlineHooks:
+ - id: cal3ughy17pylLxQB357
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/cal3ughy17pylLxQB357
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ _links:
+ logo:
+ - name: medium
+ href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ appLinks:
+ - name: testorgone_customsaml20app_1_link
+ href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4
+ type: text/html
+ help:
+ href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions
+ type: text/html
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata
+ type: application/xml
+ GetAssociatedLinkedObjectsResponse:
+ summary: Retrieve all associated Linked Object values response
+ value:
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u5zex6ztMbOZhF50h7
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1tsf0nQKavLDUh0g5
+ GetBrandResponse:
+ value:
+ id: bnd114iNkrcN6aR680g4
+ agreeToCustomPrivacyPolicy: false
+ removePoweredByOkta: false
+ customPrivacyPolicyUrl: null
+ name: Okta Default
+ isDefault: true
+ locale: en
+ emailDomainId: OeD114iNkrcN6aR680g4
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ hints:
+ allow:
+ - GET
+ emailDomain:
+ href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ GetEmailTemplateResponse:
+ value:
+ name: UserActivation
+ _embedded:
+ customizationCount: 0
+ settings:
+ recipients: ALL_USERS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ settings:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ defaultContent:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ hints:
+ allow:
+ - GET
+ customizations:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations
+ hints:
+ allow:
+ - GET
+ - POST
+ - DELETE
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ GetPrimaryLinkedObjectResponse:
+ summary: Retrieve primary Linked Object value response
+ value:
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ GetRealmAssignmentResponse:
+ value:
+ id: rul2jy7jLUlnO3ng00g4
+ status: ACTIVE
+ name: Realm Assignment 1
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy5hx0g4
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ priority: 0
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4
+ method: GET
+ GetRoleAssignmentGovernanceGrantResources:
+ value:
+ resources:
+ - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g114290ar1oCC5A0g5
+ label: test-group-1
+ - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5B0g5
+ label: test-group-2
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources?after=orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5A0g5
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources
+ GetRoleAssignmentGovernanceGrantResponse:
+ value:
+ type: ENTITLEMENT-BUNDLE
+ grantId: grai2556vZgWesWf10g4
+ bundleId: enbhz2pAwtts9UBes0g4
+ expirationDate: '2024-12-09 14:17:22.0'
+ _links:
+ resources:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4
+ GetSessionResponse:
+ value:
+ id: aps1qqonvr2SZv6o70h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: CREATED
+ importType: INCREMENTAL
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T16:15:44.000Z'
+ GetThemeResponse:
+ value:
+ id: thdul904tTZ6kWVhP0g3
+ logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png
+ favicon: https://{yourOktaDomain}/favicon.ico
+ backgroundImage: null
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ GetUseRoleGovernanceResponse:
+ value:
+ grants:
+ - type: CUSTOM
+ grantId: grai24zWTjnDazeOI0g4
+ _links:
+ resources:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai24zWTjnDazeOI0g4/resources
+ - type: ENTITLEMENT-BUNDLE
+ grantId: grai2556vZgWesWf10g4
+ bundleId: enbhz2pAwtts9UBes0g4
+ expirationDate: '2024-12-09 14:17:22.0'
+ _links:
+ resources:
+ href: https://{yourOktaDomain}//api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5"
+ GetUserLinkedObjectResponse:
+ summary: Retrieve user linked object value
+ value:
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ GetUserResponse:
+ summary: Retrieve a user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: New User Type
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ GetYubikeyOptTokenResponse:
+ summary: Get Yubikey OPT Token response
+ value:
+ id: ykkxdtCA1fKVxyu6R0g3
+ created: '2020-06-09T23:42:05.000Z'
+ activated: '2020-06-09T23:47:29.000Z'
+ lastVerified: '2020-06-09T23:47:29.000Z'
+ lastUpdated: '2020-06-09T23:47:29.000Z'
+ status: ACTIVE
+ profile:
+ serial: '000009508427'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3
+ hints:
+ allow:
+ - DELETE
+ GoogleIdPResponse:
+ summary: Google Identity Provider
+ value:
+ id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: ACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-24T23:21:49.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ GovernanceBundle:
+ summary: Governance Bundle
+ value:
+ id: 0bbfxqCAJWWGELFTYAAA
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ status: ACTIVE
+ orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA
+ _links:
+ self: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA
+ entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements
+ GovernanceBundleCreateRequestCustomRole:
+ summary: Create governance bundle with custom role
+ value:
+ name: Custom admin bundle
+ description: Custom bundle for administrative access
+ entitlements:
+ role: cr0WxyzJxGIr0ouum0g4
+ resourceSets:
+ - iamoJDFKaJxGIr0oamd9g
+ GovernanceBundleCreateRequestScopedStandardRole:
+ summary: Create governance bundle with scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ targets:
+ - 00guaxWZ0AOa5NFAj0g3
+ GovernanceBundleCreateRequestStandardRole:
+ summary: Create governance bundle with non-scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ GovernanceBundleUpdateRequestCustomRole:
+ summary: Update governance bundle with custom role
+ value:
+ name: Custom admin bundle
+ description: Custom bundle for administrative access
+ entitlements:
+ role: cr0WxyzJxGIr0ouum0g4
+ resourceSets:
+ - iamoJDFKaJxGIr0oamd9g
+ GovernanceBundleUpdateRequestScopedStandardRole:
+ summary: Update governance bundle with scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ targets:
+ - 00guaxWZ0AOa5NFAj0g3
+ GovernanceBundleUpdateRequestStandardRole:
+ summary: Update governance bundle with non-scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ GovernanceBundlesResponse:
+ summary: List of governance bundles
+ value:
+ bundles:
+ - id: 0bbfxqCAJWWGELFTYAAA
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ status: ACTIVE
+ orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA
+ _links:
+ entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10
+ next:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12
+ GroupAssignmentExListResponse:
+ summary: Application Groups list with embedded metadata
+ value:
+ - id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ _embedded:
+ metadata:
+ credentials: {}
+ profile:
+ division:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ preferredLanguage:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ manager:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ securityQuestion:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ securityAnswer:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ timezone:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ organization:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ initialStatus:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ managerId:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ userType:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ locale:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ department:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ GroupAssignmentExResponse:
+ summary: Application Group response
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ GroupAssignmentPatchRequestExample:
+ summary: Update app group request
+ value:
+ - op: replace
+ path: /profile/manager
+ value: Carlo Ancelotti
+ GroupAssignmentPatchResponseExample:
+ summary: Update Application Group response
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-03T13:42:20.000Z'
+ profile:
+ preferredLanguage: English
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Jay Jay Okocha
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: null
+ userType: null
+ department: Accounting
+ manager: Carlo Ancelotti
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ GroupAssignmentPutRequestExample:
+ summary: Assign Application Group request
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ profile:
+ preferredLanguage: English
+ manager: Arsene Wenger
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Jay Jay Okocha
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: null
+ userType: null
+ department: Accounting
+ GroupAssignmentPutResponseExample:
+ summary: Assign Application Group response
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-03T13:52:07.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Arsene Wenger
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Jay Jay Okocha
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: null
+ userType: null
+ department: Accounting
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ GroupSchemaAddRequest:
+ value:
+ definitions:
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ groupContact:
+ title: Group administrative contact
+ description: Group administrative contact
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required: []
+ GroupSchemaResponse:
+ value:
+ $schema: http://json-schema.org/draft-04/schema#
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default
+ method: GET
+ rel: self
+ created: '2021-01-30T00:18:24.000Z'
+ definitions:
+ base:
+ id: '#base'
+ properties: {}
+ required:
+ - name
+ type: object
+ custom:
+ id: '#custom'
+ properties:
+ groupContact:
+ description: Group administrative contact
+ master:
+ type: PROFILE_MASTER
+ mutability: READ_WRITE
+ permissions:
+ - action: READ_WRITE
+ principal: SELF
+ scope: NONE
+ title: Group administrative contact
+ type: string
+ required: []
+ type: object
+ description: Okta group profile template
+ id: https://{yourOktaDomain}/meta/schemas/group/default
+ lastUpdated: '2021-02-25T23:05:31.000Z'
+ name: group
+ properties:
+ profile:
+ allOf:
+ - $ref: '#/definitions/custom'
+ - $ref: '#/definitions/base'
+ title: Okta group
+ type: object
+ IAMStandardRoleResponseClient:
+ value:
+ id: irb4jlodtdN4yJ88b0g7
+ role: ACCESS_REQUESTS_ADMIN
+ label: Access Requests Administrator
+ type: ACCESS_REQUESTS_ADMIN
+ status: ACTIVE
+ created: '2023-07-06T21:52:48.000Z'
+ lastUpdated: '2023-07-06T21:52:48.000Z'
+ assignmentType: CLIENT
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/client/0oa5vymVNCe2cPEeZ0g4
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7
+ IAMStandardRoleResponseUser:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: ACCESS_REQUESTS_ADMIN
+ label: Access Requests administrator
+ type: ACCESS_REQUESTS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb1q92TFAHzySt3x0g4
+ IAMStandardRolesListResponse:
+ value:
+ - id: IFIFAX2BIRGUSTQ
+ label: Application administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ - id: irb5e92YgBazyyQ3x1q5
+ role: ACCESS_CERTIFICATIONS_ADMIN
+ label: Access Certifications administrator
+ type: ACCESS_CERTIFICATIONS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions
+ IAMStandardRolesListResponseClient:
+ value:
+ - id: irb5e92YgBazyyQ3x1q5
+ role: ACCESS_CERTIFICATIONS_ADMIN
+ label: Access Certifications Administrator
+ type: ACCESS_CERTIFICATIONS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: CLIENT
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/clients/0oa4ee9vgbIuqTUvd0g7
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissionsZ
+ IAMStandardRolesListResponseGroup:
+ value:
+ - id: irb5e92YgBazyyQ3x1q5
+ role: ACCESS_CERTIFICATIONS_ADMIN
+ label: Access Certifications Administrator
+ type: ACCESS_CERTIFICATIONS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: Group
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions
+ IdPAppUserResponse:
+ summary: IdP User
+ value:
+ id: 00u5t60iloOHN9pBi0h7
+ externalId: externalId
+ created: '2017-12-19T17:30:16.000Z'
+ lastUpdated: '2017-12-19T17:30:16.000Z'
+ profile:
+ profileUrl: null
+ firstName: null
+ lastName: null
+ honorificSuffix: null
+ displayName: null
+ honorificPrefix: null
+ middleName: null
+ email: null
+ _links:
+ idp:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7/users/00u5t60iloOHN9pBi0h7
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ IdPKeyCredentialRequest:
+ summary: Identity Provider Key Credential
+ value:
+ e: '65537'
+ 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ IdPKeyCredentialResponse:
+ summary: Identity Provider Key Credential
+ value:
+ kid: your-key-id
+ created: '2016-01-03T18:15:47.000Z'
+ lastUpdated: '2016-01-03T18:15:47.000Z'
+ e: '65537'
+ 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ kty: RSA
+ use: sig
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ IdPSigningKeyCredentialResponse:
+ summary: Identity Provider Signing Key Credential
+ value:
+ created: '2015-12-10T18:56:23.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ kid: akm5hvbbevE341ovl0h7
+ kty: RSA
+ use: sig
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ InlineHookMgmtCreateHTTPRequest:
+ summary: Create an inline hook with HTTP authentication
+ value:
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers:
+ - key: x-any-key
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ InlineHookMgmtCreateHTTPResponse:
+ summary: Inline hook with HTTP authentication response
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ InlineHookMgmtCreateOAuthClientSecretRequest:
+ summary: Create an inline hook with OAuth 2.0 Client Secret
+ value:
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ authType: client_secret_post
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ clientSecret: b-iATvTu7sIocvhWx95S9kF.....vfZhM6q6khSaojLBejF21cUn5bPm9abi
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ tokenUrl: https://example.okta.com/oauth2/default/v1/token
+ InlineHookMgmtCreateOAuthClientSecretResponse:
+ summary: Inline hook with OAuth 2.0 Client Secret response
+ value:
+ id: calj4fythrqj5Bxol5e5
+ status: ACTIVE
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.user.pre-registration
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/registrationHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: client_secret_post
+ scope: null
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtCreateOAuthPrivateKeyRequest:
+ summary: Create an inline hook with OAuth 2.0 Private Key
+ value:
+ name: Token hook with OAuth 2.0 Private Key authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ authType: private_key_jwt
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ hookKeyId: HKYj4ft1a3fjmwZg05e6
+ uri: https://example.com/tokenHook
+ headers:
+ - key: x-any-key
+ value: my-header-value
+ method: POST
+ tokenUrl: https://example.okta.com/oauth2/default/v1/token
+ InlineHookMgmtCreateOAuthPrivateKeyResponse:
+ summary: Inline hook with OAuth 2.0 Private Key response
+ value:
+ id: calj4fythrqj5Bxol4ai6
+ status: ACTIVE
+ name: Token Hook with OAuth 2.0 Private Key JWT
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5d7
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: private_key_jwt
+ scope: null
+ hookKeyId: HKYj4ft1a3fjmwZg05d6
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtHTTPexample:
+ summary: An inline hook with HTTP authentication
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ InlineHookMgmtHTTPexampleDeactivate:
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: INACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ InlineHookMgmtOAuthCSPexample:
+ summary: An inline hook example with OAuth 2.0 Client Secret Post
+ value:
+ id: calj4fythrqj5Bxol5e5
+ status: ACTIVE
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.user.pre-registration
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/registrationHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: client_secret_post
+ scope: null
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtOauthPKJexample:
+ summary: An inline hook example with OAuth 2.0 Private Key JWT
+ value:
+ id: calj4fythrqj5Bxol4ai6
+ status: ACTIVE
+ name: Token Hook with OAuth 2.0 Private Key JWT
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5d7
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: private_key_jwt
+ scope: null
+ hookKeyId: HKYj4ft1a3fjmwZg05d6
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtPutHTTPRequest:
+ summary: Update an inline hook name
+ value:
+ name: New name token hook with HTTP authentication
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers:
+ - key: x-any-key
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ InlineHookMgmtPutResponse:
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: New name token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ description: Inline hook response with a new name
+ InlineHookTelephony:
+ value:
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://your-external-webservice/sendOtp
+ headers: []
+ method: POST
+ authScheme:
+ type: HEADER
+ key: x-telephony-key
+ created: '2024-03-28T17:30:25.000Z'
+ id: caldpyulr3nbET2du1d7
+ lastUpdated: '2024-05-07T16:35:18.000Z'
+ name: testTelephonyHook
+ status: ACTIVE
+ type: com.okta.telephony.provider
+ version: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7
+ execute:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/execute
+ hints:
+ allow":
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/lifecycle/deactivate
+ hints:
+ allow":
+ - POST
+ InlineHooktMgmtListAllexample:
+ summary: List all inline hooks response
+ value:
+ - id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ - id: calj4fythrqj5Bxol5e5
+ status: ACTIVE
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.user.pre-registration
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/registrationHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: client_secret_post
+ scope: null
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ - id: calj4fythrqj5Bxol4ai6
+ status: ACTIVE
+ name: Token Hook with OAuth 2.0 Private Key JWT
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5d7
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: private_key_jwt
+ scope: null
+ hookKeyId: HKYj4ft1a3fjmwZg05d6
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InvalidRotateUse:
+ summary: Invalid Use
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: rotateKeys'
+ errorLink: E0000001
+ errorId: oaeprak9qKHRlaWiclJ4oPJRQ
+ errorCauses:
+ - errorSummary: Invalid value specified for key 'use' parameter
+ KeyCredentialExample:
+ summary: Key Credential example
+ value:
+ created: '2015-12-10T18:56:23.000Z'
+ lastUpdated: '2024-08-13T18:26:57.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ x5c:
+ - MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw==
+ e: AQAB
+ 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ kty: RSA
+ use: sig
+ x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps
+ LinkIdPAppUserResponse:
+ summary: Linked IdP User
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ externalId: '121749775026145'
+ created: '2017-03-30T02:19:51.000Z'
+ lastUpdated: '2017-03-30T02:19:51.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7/users/00ub0oNGTSWTBKOLGLNR
+ hints:
+ allow:
+ - GET
+ - DELETE
+ idp:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ ListAllKeyCredentialsExample:
+ summary: List all Key Credentials example
+ value:
+ - created: '2015-12-10T18:56:23.000Z'
+ lastUpdated: '2024-08-13T18:26:57.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ x5c:
+ - 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
+ e: AQAB
+ 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ kty: RSA
+ use: sig
+ x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps
+ - created: '2015-12-10T18:55:35.000Z'
+ lastUpdated: '2024-08-13T18:26:57.000Z'
+ expiresAt: '2045-01-23T02:15:23.000Z'
+ x5c:
+ - 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
+ e: AQAB
+ 'n': htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw
+ kid: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo
+ kty: RSA
+ use: sig
+ x5t#S256": 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ
+ ListAllKeysResponse:
+ summary: List All Keys response example
+ value:
+ - id: HKY1i2htmXF5UNQhL0g4
+ keyId: bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb
+ name: My new key
+ created: '2022-08-22T16:34:33.000Z'
+ lastUpdated: '2022-08-22T16:34:33.000Z'
+ isUsed: 'true'
+ - id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: Test key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:09:58.000Z'
+ isUsed: 'false'
+ ListAppGrantsEx:
+ summary: List all app Grants example
+ value:
+ - id: oag91n9ruw3dsaXzP0h6
+ status: ACTIVE
+ created: '2023-02-21T16:54:00.000Z'
+ createdBy:
+ id: 00u6eltha0nrSc47i0h7
+ type: User
+ lastUpdated: '2023-02-21T16:54:00.000Z'
+ issuer: '{yourOktaDomain}'
+ clientId: '{clientId}'
+ scopeId: okta.users.read
+ source: ADMIN
+ _embedded:
+ scope:
+ id: okta.users.read
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: Application name
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: Client name
+ - id: oaghm3sh9ukdkvDmO0h6
+ status: ACTIVE
+ created: '2023-02-03T21:57:49.000Z'
+ createdBy:
+ id: 00u6eltha0nrSc47i0h7
+ type: User
+ lastUpdated: '2023-02-03T21:57:49.000Z'
+ issuer: '{yourOktaDomain}'
+ clientId: '{clientId}'
+ scopeId: okta.apps.manage
+ source: ADMIN
+ _embedded:
+ scope:
+ id: okta.apps.manage
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: Application name
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oaghm3sh9ukdkvDmO0h6
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: Client name
+ ListAppLinks:
+ value:
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Google Apps Mail
+ linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/50
+ logoUrl: https://{yourOktaDomain}/img/logos/google-mail.png
+ appName: google
+ appInstanceId: 0oa3omz2i9XRNSRIHBZO
+ appAssignmentId: 0ua3omz7weMMMQJERBKY
+ credentialsSetup: false
+ hidden: false
+ sortOrder: 0
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Google Apps Calendar
+ linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/54
+ logoUrl: https://{yourOktaDomain}/img/logos/google-calendar.png
+ appName: google
+ appInstanceId: 0oa3omz2i9XRNSRIHBZO
+ appAssignmentId: 0ua3omz7weMMMQJERBKY
+ credentialsSetup: false
+ hidden: false
+ sortOrder: 1
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Box
+ linkUrl: https://{yourOktaDomain}/home/boxnet/0oa3ompioiQCSTOYXVBK/72
+ logoUrl: https://{yourOktaDomain}/img/logos/box.png
+ appName: boxnet
+ appInstanceId: 0oa3ompioiQCSTOYXVBK
+ appAssignmentId: 0ua3omx46lYEZLPPRWBO
+ credentialsSetup: false
+ hidden: false
+ sortOrder: 3
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Salesforce.com
+ linkUrl: https://{yourOktaDomain}/home/salesforce/0oa12ecnxtBQMKOXJSMF/46
+ logoUrl: https://{yourOktaDomain}/img/logos/salesforce_logo.png
+ appName: salesforce
+ appInstanceId: 0oa12ecnxtBQMKOXJSMF
+ appAssignmentId: 0ua173qgj5VAVOBQMCVB
+ credentialsSetup: true
+ hidden: false
+ sortOrder: 2
+ ListAssocAuthServerResponse:
+ summary: List associated Authorization Servers
+ value:
+ - id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: CUSTOM_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: DYNAMIC
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - DELETE
+ ListAuthServersResponse:
+ summary: List all custom authorization servers in your org
+ value:
+ - id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ _links:
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
+ hints:
+ allow:
+ - GET
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
+ hints:
+ allow:
+ - GET
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ListAuthorizationServerKeys:
+ summary: All Credential Keys
+ value:
+ - status: ACTIVE
+ alg: RS256
+ e: AQAB
+ 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ
+ kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ hints:
+ allow:
+ - GET
+ - status: NEXT
+ alg: RS256
+ e: AQAB
+ 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ
+ kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ hints:
+ allow:
+ - GET
+ - status: EXPIRED
+ alg: RS256
+ e: AQAB
+ 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ
+ kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ hints:
+ allow:
+ - GET
+ ListAuthorizationServerPolicies:
+ summary: List Authorization Server Policies
+ value:
+ - type: OAUTH_AUTHORIZATION_POLICY
+ id: 00palyaappA22DPkj0h7
+ status: ACTIVE
+ name: Vendor2 Policy
+ description: Vendor2 policy description
+ priority: 1
+ system: false
+ conditions:
+ clients:
+ include:
+ - ALL_CLIENTS
+ created: '2017-05-26T19:43:53.000Z'
+ lastUpdated: '2017-06-07T15:28:17.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ rules:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules
+ hints:
+ allow:
+ - GET
+ ListAuthorizationServerPolicyRules:
+ summary: List Authorization Server Policy Rules
+ value:
+ - type: RESOURCE_ACCESS
+ id: 0prbsjfyl01zfSZ9K0h7
+ status: ACTIVE
+ name: Default Policy Rule
+ priority: 1
+ created: '2017-08-25T16:57:02.000Z'
+ lastUpdated: '2017-08-30T14:51:05.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include:
+ - EVERYONE
+ exclude: []
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ListBrandsResponse:
+ value:
+ - id: bnd114iNkrcN6aR680g4
+ name: Okta Default
+ isDefault: true
+ agreeToCustomPrivacyPolicy: false
+ removePoweredByOkta: false
+ customPrivacyPolicyUrl: null
+ locale: en
+ emailDomainId: OeD114iNkrcN6aR680g4
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ hints:
+ allow:
+ - GET
+ emailDomain:
+ href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ ListClientsResponse:
+ summary: List all Client resources for which an authorization server has tokens
+ value:
+ - client_id: '{clientId}'
+ client_name: My Web App
+ client_uri: null,
+ logo_uri: null,
+ _links:
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: My Web App
+ tokens:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens
+ hints:
+ allow:
+ - GET
+ - DELETE
+ ListCustomTokenClaimsResponse:
+ summary: List all custom token Claims for an authorization server
+ value:
+ - id: '{claimId}'
+ name: sub
+ status: ACTIVE
+ claimType: RESOURCE
+ valueType: EXPRESSION
+ value: '(appuser != null) ? appuser.userName : app.clientId'
+ conditions:
+ scopes:
+ - profile
+ system: true
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ListEmailCustomizationResponse:
+ value:
+ - language: en
+ isDefault: true
+ subject: Welcome to ${org.name}!
+ body:
Hello, ${user.profile.firstName}. Click here to activate your account.
+ id: oel11u6DqUiMbQkpl0g4
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ ListEmailTemplateResponse:
+ value:
+ - name: UserActivation
+ _embedded:
+ customizationCount: 0
+ settings:
+ recipients: ALL_USERS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ settings:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ defaultContent:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ hints:
+ allow:
+ - GET
+ customizations:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations
+ hints:
+ allow:
+ - GET
+ - POST
+ - DELETE
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ ListFactorsResults:
+ summary: All of the enrolled Factors for the specified User
+ value:
+ - id: ufs2bysphxKODSZKWVCT
+ factorType: question
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-04-15T18:10:06.000Z'
+ lastUpdated: '2014-04-15T18:10:06.000Z'
+ profile:
+ question: favorite_art_piece
+ questionText: What is your favorite piece of art?
+ _links:
+ questions:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs2bysphxKODSZKWVCT
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ - id: ostf2gsyictRQDSGTDZE
+ factorType: token:software:totp
+ provider: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-06-27T20:27:33.000Z'
+ lastUpdated: '2014-06-27T20:27:33.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ next:
+ name: activate
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ timeStep: 30
+ sharedSecret: HE64TMLL2IUZW2ZLB
+ encoding: base32
+ keyLength: 16
+ - id: sms2gt8gzgEBPUWBIFHN
+ factorType: sms
+ provider: OKTA
+ status: ACTIVE
+ created: '2014-06-27T20:27:26.000Z'
+ lastUpdated: '2014-06-27T20:27:26.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ListFeatureDependenciesResponse:
+ summary: List all dependencies for a feature
+ value:
+ - id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: OPEN
+ value: EA
+ status: ENABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ ListFeatureDependentsResponse:
+ summary: List all feature dependents for the specified feature
+ value:
+ - id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: OPEN
+ value: EA
+ status: ENABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ ListFeaturesResponse:
+ summary: List all self-service features for your org
+ value:
+ - id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: CLOSED
+ value: BETA
+ status: DISABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ ListIdPUsersResponse:
+ summary: List of linked IdP Users
+ value:
+ - id: 00u5cl9lo7nMjHjPr0h7
+ externalId: '109912936038778'
+ created: '2015-11-03T19:10:11.000Z'
+ lastUpdated: '2015-11-03T19:11:49.000Z'
+ profile:
+ firstName: Carol
+ middleName: Lee
+ lastName: Johnson
+ email: carol_johnson@tfbnw.net
+ displayName: Carol Johnson
+ profile: https://www.facebook.com/app_scoped_user_id/109912936038778/
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7/users/00u5cl9lo7nMjHjPr0h7
+ hints:
+ allow:
+ - GET
+ - DELETE
+ idp:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u5cl9lo7nMjHjPr0h7
+ ListLinkedObjects:
+ summary: List all Linked Object definitions
+ value:
+ - primary:
+ name: manager
+ title: manager
+ description: Manager link property
+ type: USER
+ associated:
+ name: subordinate
+ title: subordinate
+ description: Subordinate link property
+ type: USER
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager
+ ListLogs:
+ summary: List all system logs
+ value:
+ - actor:
+ id: 00uttidj01jqL21aM1d6
+ type: User
+ alternateId: john.doe@example.com
+ displayName: John Doe
+ detailEntry: null
+ client:
+ userAgent:
+ rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
+ os: Mac OS X
+ browser: CHROME
+ zone: null
+ device: Computer
+ id: null
+ ipAddress: 10.0.0.1
+ geographicalContext:
+ city: New York
+ state: New York
+ country: United States
+ postalCode: 10013
+ geolocation:
+ lat: 40.3157
+ lon: -74.01
+ device:
+ id: guofdhyjex1feOgbN1d9
+ name: Mac15,6
+ os_platform: OSX
+ os_version: 14.6.0
+ managed: false
+ registered: true
+ device_integrator: null
+ disk_encryption_type: ALL_INTERNAL_VOLUMES
+ screen_lock_type: BIOMETRIC
+ jailbreak: null
+ secure_hardware_present: true
+ authenticationContext:
+ authenticationProvider: null
+ credentialProvider: null
+ credentialType: null
+ issuer: null
+ interface: null
+ authenticationStep: 0
+ rootSessionId: idxBager62CSveUkTxvgRtonA
+ externalSessionId: idxBager62CSveUkTxvgRtonA
+ displayMessage: User login to Okta
+ eventType: user.session.start
+ outcome:
+ result: SUCCESS
+ reason: null
+ published: '2024-08-13T15:58:20.353Z'
+ securityContext:
+ asNumber: 394089
+ asOrg: ASN 0000
+ isp: google
+ domain: null
+ isProxy: false
+ severity: INFO
+ debugContext:
+ debugData:
+ requestId: ab609228fe84ce59cdcbfa690bcce016
+ requestUri: /idp/idx/authenticators/poll
+ url: /idp/idx/authenticators/poll
+ legacyEventType: core.user_auth.login_success
+ transaction:
+ type: WEB
+ id: ab609228fe84ce59cdcbfa690bgce016
+ detail: null
+ uuid: dc9fd3c0-598c-11ef-8478-2b7584bf8d5a
+ version: 0
+ request:
+ ipChain:
+ - ip: 10.0.0.1
+ geographicalContext:
+ city: New York
+ state: New York
+ country: United States
+ postalCode: 10013
+ geolocation:
+ lat: 40.3157
+ lon: -74.01
+ version: V4
+ source: null
+ target:
+ - id: pfdfdhyjf0HMbkP2e1d7
+ type: AuthenticatorEnrollment
+ alternateId: unknown
+ displayName: Okta Verify
+ detailEntry: null
+ - id: 0oatxlef9sQvvqInq5d6
+ type: AppInstance
+ alternateId: Okta Admin Console
+ displayName: Okta Admin Console
+ detailEntry: null
+ ListMappingsResponse:
+ summary: List all Profile Mappings response
+ value:
+ - id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ ListOfSecurityEventsProviderInstances:
+ summary: List of Security Events Providers
+ value:
+ - id: sse1qg25RpusjUP6m0g5
+ name: Security Events Provider with well-known URL
+ type: okta
+ status: ACTIVE
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - id: sse1qu4fUtsoD12iF0g5
+ name: Security Events Provider with an issuer and a JWKS URL
+ type: okta
+ status: ACTIVE
+ settings:
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ListPrivilegedAccounts:
+ summary: List Privileged Accounts with mixed account types
+ value:
+ - accountType: APP_ACCOUNT
+ description: This is for accessing AWS Prod-5
+ id: a747a818-a4c4-4446-8a87-704216495a08
+ name: AWS Prod-5 account
+ ownerGroupIds:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ - 00u11s48P9zGW8yqm0g5
+ status: NO_ISSUES
+ statusDetail: ROTATED
+ created: '2023-04-04T15:56:05.000Z'
+ lastUpdated: '2023-05-05T18:15:44.000Z'
+ details:
+ credentials:
+ username: testuser@example.com
+ oktaApplicationId: aln1aqcs055ZRoizW0g8
+ appInstanceName: AWS Prod-5
+ appGlobalName: AWS Account Federation
+ - accountType: OKTA_USER_ACCOUNT
+ description: Shared admin account for managing AD integrations
+ id: d1b65a78-21ed-429b-8ea3-eec96f2748d6
+ name: AD Integrations Admin
+ ownerGroupIds:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ - 00u11s48P9zGW8yqm0g5
+ status: INFO
+ statusDetail: ROTATING
+ created: '2023-04-04T15:56:05.000Z'
+ lastUpdated: '2023-05-05T18:15:44.000Z'
+ details:
+ credentials:
+ username: shr-ad-admin-01@example.com
+ email: shr-ad-admin-01@example.com
+ oktaUserId: 00u11s48P9zGW8yqm0g5
+ ListRealmAssignmentsResponse:
+ value:
+ - id: rul2jy7jLUlnO3ng00g4
+ status: ACTIVE
+ name: Realm Assignment 1
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy5hx0g4
+ expression:
+ value: user.profile.role ==\"Manager\"
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ priority: 0
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4
+ method: GET
+ - id: rul2jy7jLUlnO5ng00g4
+ status: ACTIVE
+ name: Catch-all
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: true
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy6hx0g4,
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf2g5
+ priority: 499
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4
+ method: GET
+ ListRealmAwareUsersResponse:
+ summary: List all users
+ value:
+ - id: 00u118oQYT4TBGuay0g4
+ status: ACTIVE
+ created: '2022-04-04T15:56:05.000Z'
+ activated: null
+ statusChanged: null
+ lastLogin: '2022-05-04T19:50:52.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ passwordChanged: '2022-04-04T16:00:22.000Z'
+ type:
+ id: oty1162QAr8hJjTaq0g4
+ profile:
+ firstName: Alice
+ lastName: Smith
+ mobilePhone: null
+ secondEmail: null
+ login: alice.smith@example.com
+ email: alice.smith@example.com
+ realmId: guo1afiNtSnZYILxO0g4
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
+ ListRealmsResponse:
+ value:
+ - id: guox9jQ16k9V8IFEL0g3
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ profile:
+ name: Car Co
+ realmType: PARTNER
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3
+ method: GET
+ ListRefreshTokensClientsResponse:
+ summary: List all refresh tokens for a Client
+ value:
+ - id: '{refreshTokenId}'
+ status: ACTIVE
+ created: '2023-09-21T19:59:56.000Z'
+ lastUpdated: '2023-09-21T20:00:38.000Z'
+ expiresAt: '2023-09-28T20:00:38.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ client_id: '{clientId}'
+ userId: '{userId}'
+ scopes:
+ - offline_access
+ - openid
+ _embedded:
+ scopes:
+ - id: '{scopeId}'
+ name: openid
+ displayName: openid
+ description: Signals that a request is an OpenID request
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ title: openid
+ - id: '{scopeID}'
+ name: offline_access
+ displayName: Keep you signed in to the app
+ description: This keeps you signed in to the app, even when you aren't using it.
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ itle: Keep you signed in to the app
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: My Web App
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ title: Authorization Server name
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: My Web App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
+ title: Joe User
+ ListRiskProviderResponse:
+ summary: List Risk Provider response example
+ value:
+ - id: 00rp12r4skkjkjgsn
+ action: log_only
+ name: Risk-Partner-X
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ created: '2021-01-05 22:18:30'
+ lastUpdated: '2021-01-05 22:18:30'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
+ hints:
+ allow:
+ - GET
+ - PUT
+ ListSessionsResponseForGetSessions:
+ value:
+ - id: aps1qqonvr2SZv6o70h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: CREATED
+ importType: INCREMENTAL
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T16:15:44.000Z'
+ - id: aps1quck606ngubVq0h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: TRIGGERED
+ importType: INCREMENTAL
+ created: '2022-04-04T16:56:05.000Z'
+ lastUpdated: '2022-05-05T17:15:44.000Z'
+ - id: aps1qzy2acb5jDlUc0h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: IN_PROGRESS
+ importType: INCREMENTAL
+ created: '2022-04-04T17:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ - id: aps1qqne8c1JHkMdF0h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: EXPIRED
+ importType: INCREMENTAL
+ created: '2022-04-04T18:56:05.000Z'
+ lastUpdated: '2022-05-05T19:15:44.000Z'
+ - id: aps1qqonvr2SZv6o70h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: CLOSED
+ importType: INCREMENTAL
+ created: '2022-04-04T19:56:05.000Z'
+ lastUpdated: '2022-05-05T20:15:44.000Z'
+ ListThemesResponse:
+ value:
+ - id: thdul904tTZ6kWVhP0g3
+ logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png
+ favicon: https://{yourOktaDomain}/favicon.ico
+ backgroundImage: null
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ ListUISchemaResponse:
+ summary: Lists all UI Schemas response
+ value:
+ - id: uis4a7liocgcRgcxZ0g7
+ uiSchema:
+ type: Group
+ label: Sign in
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Email
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/countryCode'
+ label: Country code
+ options:
+ format: select
+ - type: Control
+ scope: '#/properties/bool2'
+ label: bool2
+ options:
+ format: checkbox
+ - type: Control
+ scope: '#/properties/date'
+ label: date
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/enum'
+ label: enum
+ options:
+ format: radio
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
+ _links:
+ self:
+ href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ - id: uis4abjqkkKXVPGAU0g7
+ uiSchema:
+ type: Group
+ label: Sign in 2
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Email
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/countryCode'
+ label: Country code
+ options:
+ format: select
+ - type: Control
+ scope: '#/properties/bool2'
+ label: bool2
+ options:
+ format: checkbox
+ - type: Control
+ scope: '#/properties/date'
+ label: date
+ - type: Control
+ scope: '#/properties/enum'
+ label: enum
+ options:
+ format: radio
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
+ _links:
+ self:
+ href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ListUserBlocksAnyDevicesResponse:
+ value:
+ - type: DEVICE_BASED
+ appliesTo: ANY_DEVICES
+ ListUserBlocksUnknownDevicesResponse:
+ value:
+ - type: DEVICE_BASED
+ appliesTo: UNKNOWN_DEVICES
+ ListUserClients:
+ value:
+ - client_id: 0oabskvc6442nkvQO0h7
+ client_name: My App
+ client_uri: null
+ logo_uri: null
+ _links:
+ grants:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants
+ tokens:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens
+ ListUserGroups:
+ value:
+ - id: 0gabcd1234
+ profile:
+ name: Cloud App Users
+ description: Users can access cloud apps
+ - id: 0gefgh5678
+ profile:
+ name: Internal App Users
+ description: Users can access internal apps
+ ListUsersResponse:
+ summary: List all users
+ value:
+ - id: 00u118oQYT4TBTemp0g4
+ status: ACTIVE
+ created: '2022-04-04T15:56:05.000Z'
+ activated: null
+ statusChanged: null
+ lastLogin: '2022-05-04T19:50:52.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ passwordChanged: '2022-04-04T16:00:22.000Z'
+ type:
+ id: oty1162QAr8hJjTaq0g4
+ profile:
+ firstName: Alice
+ lastName: Smith
+ mobilePhone: null
+ secondEmail: null
+ login: alice.smith@example.com
+ email: alice.smith@example.com
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
+ ListYubikeyOptTokensResponse:
+ summary: List Yubikey OPT Token response
+ value:
+ - id: ykkwcx13nrDq8g4oy0g3
+ created: '2020-01-14T21:53:09.000Z'
+ lastVerified: '2020-01-14T21:53:06.000Z'
+ lastUpdated: '2020-01-14T21:53:09.000Z'
+ status: UNASSIGNED
+ profile:
+ serial: '000003632071'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkwcx13nrDq8g4oy0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - id: ykkxdtCA1fKVxyu6R0g3
+ created: '2020-06-09T23:42:05.000Z'
+ activated: '2020-06-09T23:47:29.000Z'
+ lastVerified: '2020-06-09T23:47:29.000Z'
+ lastUpdated: '2020-06-09T23:47:29.000Z'
+ status: ACTIVE
+ profile:
+ serial: '000009508427'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3
+ hints:
+ allow:
+ - DELETE
+ ListsAllUserTypes:
+ summary: Lists all user types
+ value:
+ - id: otyfnly5cQjJT9PnR0g4
+ displayName: New User Type
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ - id: otyz9fj2jMiRBC1ZT1d6
+ displayName: User
+ name: user
+ description: Okta user profile template with default permission settings
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: true
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ ListsOwnerOneResponse:
+ summary: Lists a response with one owner
+ value:
+ - id: 00g1gae1k0znUcLuU0h8
+ type: GROUP
+ resolved: true
+ originId: 'null'
+ originType: OKTA_DIRECTORY
+ displayName: Product & Engineering
+ lastUpdated: '2023-03-29 18:18:37.0'
+ ListsOwnersMultipleResponse:
+ summary: Lists a response with multiple owners
+ value:
+ - id: 00u1cmbqjkkmFXeqb0h8
+ type: USER
+ resolved: true
+ originId: 'null'
+ originType: OKTA_DIRECTORY
+ displayName: Mabel Mora
+ lastUpdated: '2023-03-29T18:30:58.000Z'
+ - id: 00u1cmc52x5B86cnZ0h8
+ type: USER
+ resolved: true
+ originId: 'null'
+ originType: OKTA_DIRECTORY
+ displayName: Cinda Canning
+ lastUpdated: '2023-03-29T18:30:55.000Z'
+ LogStreamActivateResponse:
+ summary: Activate Log Stream response
+ value:
+ id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ lastUpdated: '2023-03-24T21:22:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamDeactivateResponse:
+ summary: Deactivate Log Stream response
+ value:
+ id: 0oa7agphh5FT7H521d7
+ type: splunk_cloud_logstreaming
+ name: Splunk Cloud Example
+ lastUpdated: '2023-03-24T21:23:00.000Z'
+ created: '2023-03-24T21:15:13.000Z'
+ status: INACTIVE
+ settings:
+ edition: aws
+ host: okexample.splunkcloud.com
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7
+ method: GET
+ activate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate
+ method: POST
+ LogStreamGetAllResponse:
+ summary: Lists all Log Streams
+ value:
+ - id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ lastUpdated: '2023-03-24T21:02:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamPostRequest:
+ summary: Create an AWS EventBridge Log Stream
+ value:
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ settings:
+ eventSourceName: your-event-source-name
+ accountId: '123456789012'
+ region: us-east-2
+ LogStreamPostResponse:
+ summary: AWS EventBridge Log Stream response
+ value:
+ id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ lastUpdated: '2023-03-24T21:02:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamPutRequest:
+ summary: Replace AWS EventBridge name
+ value:
+ type: aws_eventbridge
+ name: Updated AWS EventBridge
+ settings:
+ eventSourceName: your-event-source-name
+ accountId: '123456789012'
+ region: us-east-2
+ LogStreamPutResponse:
+ summary: Replace AWS EventBridge name response
+ value:
+ id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Updated AWS EventBridge
+ lastUpdated: '2023-03-24T21:12:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamSchemaAws:
+ value:
+ $schema: https://json-schema.org/draft/2020-12/schema
+ $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge
+ title: AWS EventBridge
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to AWS EventBridge
+ type: object
+ properties:
+ accountId:
+ title: AWS Account ID
+ description: Your Amazon AWS Account ID.
+ type: string
+ writeOnce: true
+ pattern: ^\d{12}$
+ eventSourceName:
+ title: AWS Event Source Name
+ description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge.
+ type: string
+ writeOnce: true
+ pattern: ^[\.\-_A-Za-z0-9]{1,75}$
+ region:
+ title: AWS Region
+ description: The destination AWS region for your system log events.
+ type: string
+ writeOnce: true
+ oneOf:
+ - title: US East (Ohio)
+ const: us-east-2
+ - title: US East (N. Virginia)
+ const: us-east-1
+ - title: US West (N. California)
+ const: us-west-1
+ - title: US West (Oregon)
+ const: us-west-2
+ - title: Canada (Central)
+ const: ca-central-1
+ - title: Europe (Frankfurt)
+ const: eu-central-1
+ - title: Europe (Ireland)
+ const: eu-west-1
+ - title: Europe (London)
+ const: eu-west-2
+ - title: Europe (Paris)
+ const: eu-west-3
+ - title: Europe (Milan)
+ const: eu-south-1
+ - title: Europe (Stockholm)
+ const: eu-north-1
+ required:
+ - eventSourceName
+ - accountId
+ - region
+ errorMessage:
+ properties:
+ accountId: Account number must be 12 digits.
+ eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters.
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ LogStreamSchemaList:
+ value:
+ - $schema: https://json-schema.org/draft/2020-12/schema
+ $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge
+ title: AWS EventBridge
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to AWS EventBridge
+ type: object
+ properties:
+ accountId:
+ title: AWS Account ID
+ description: Your Amazon AWS Account ID.
+ type: string
+ writeOnce: true
+ pattern: ^\d{12}$
+ eventSourceName:
+ title: AWS Event Source Name
+ description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge.
+ type: string
+ writeOnce: true
+ pattern: ^[\.\-_A-Za-z0-9]{1,75}$
+ region:
+ title: AWS Region
+ description: The destination AWS region for your system log events.
+ type: string
+ writeOnce: true
+ oneOf:
+ - title: US East (Ohio)
+ const: us-east-2
+ - title: US East (N. Virginia)
+ const: us-east-1
+ - title: US West (N. California)
+ const: us-west-1
+ - title: US West (Oregon)
+ const: us-west-2
+ - title: Canada (Central)
+ const: ca-central-1
+ - title: Europe (Frankfurt)
+ const: eu-central-1
+ - title: Europe (Ireland)
+ const: eu-west-1
+ - title: Europe (London)
+ const: eu-west-2
+ - title: Europe (Paris)
+ const: eu-west-3
+ - title: Europe (Milan)
+ const: eu-south-1
+ - title: Europe (Stockholm)
+ const: eu-north-1
+ required:
+ - eventSourceName
+ - accountId
+ - region
+ errorMessage:
+ properties:
+ accountId: Account number must be 12 digits.
+ eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters.
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ - $schema: https://json-schema.org/draft/2020-12/schema
+ id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming
+ title: Splunk Cloud
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to Splunk Cloud
+ type: object
+ properties:
+ host:
+ title: Host
+ description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com'
+ type: string
+ writeOnce: false
+ pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$
+ token:
+ title: HEC Token
+ description: The token from your Splunk Cloud HTTP Event Collector (HEC).
+ type: string
+ writeOnce: false
+ pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
+ required:
+ - host
+ - token
+ errorMessage:
+ properties:
+ host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com'
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ LogStreamSchemaSplunk:
+ value:
+ $schema: https://json-schema.org/draft/2020-12/schema
+ id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming
+ title: Splunk Cloud
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to Splunk Cloud
+ type: object
+ properties:
+ host:
+ title: Host
+ description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com'
+ type: string
+ writeOnce: false
+ pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$
+ token:
+ title: HEC Token
+ description: The token from your Splunk Cloud HTTP Event Collector (HEC).
+ type: string
+ writeOnce: false
+ pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
+ required:
+ - host
+ - token
+ errorMessage:
+ properties:
+ host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com'
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ LogTargetChangeDetails:
+ summary: Example of the `changeDetails` property on the target
+ value:
+ from:
+ vpnLocationOptions: DISABLED
+ vpnSettingsZones:
+ include: null
+ exclude: null
+ to:
+ message: You must a use VPN to connect to this application
+ vpnLocationOptions: ZONE
+ vpnSettingsZones:
+ include:
+ - ALL_ZONES
+ exclude: null
+ MicrosoftIdPResponse:
+ summary: Microsoft Identity Provider
+ value:
+ id: 0oajmvdFawBih4gey0g3
+ type: MICROSOFT
+ name: Microsoft
+ status: ACTIVE
+ created: '2016-03-29T16:47:36.000Z'
+ lastUpdated: '2016-03-29T16:47:36.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/token
+ binding: HTTP-POST
+ scopes:
+ - openid
+ - email
+ - profile
+ - https://graph.microsoft.com/User.Read
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ MultipleIdPCsrsResponse:
+ summary: Identity Provider CSRs
+ value:
+ - id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ created: '2017-03-28T01:11:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ hints:
+ allow:
+ - GET
+ - DELETE
+ publish:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ - id: '-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg'
+ created: '2017-03-28T01:21:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg
+ hints:
+ allow:
+ - GET
+ - DELETE
+ publish:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ MultipleIdPKeyCredentialsResponse:
+ summary: Identity Provider Key Credentials
+ value:
+ - kid: your-key-id
+ created: '2016-01-03T18:15:47.000Z'
+ lastUpdated: '2016-01-03T18:15:47.000Z'
+ e: '65537'
+ 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ kty: RSA
+ use: sig
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ - kty: EC
+ created: '2020-04-24T20:51:20.000Z'
+ lastUpdated: '2020-04-24T20:51:20.000Z'
+ expiresAt: '2040-03-01T20:22:29.000Z'
+ alg: EC
+ x5c:
+ - 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
+ x: Vv5Rh5de5ig7Qg-A-4HDGGDloMlkxp6PDE3nwzgAQPD3XXrLE7G364LhePRpYupQs62WgCoYb4CDXN0erf3WJXg
+ 'y': ATeVjosChw6gt73EOR6CBc1xK4_l8NzXHlH0YdNeXji8ugk4tIuwxs5dUxcheips8PNNJhTLbhoV2_hbgtnFbpqT
+ crv: P-521
+ kid: your-kid
+ use: sig
+ x5t#S256: TUx-AIwypm2pZURHNqafk7ZDxqQP_ypzIyUwDDnPOlw
+ MultipleIdPSigningKeyCredentialsResponse:
+ summary: Identity Provider Signing Key Credentials
+ value:
+ - created: '2015-12-10T18:56:23.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ x5c:
+ - MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw==
+ kid: akm5hvbbevE341ovl0h7
+ kty: RSA
+ use: sig
+ x5t#S256: 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps
+ - created: '2015-12-10T18:55:35.000Z'
+ expiresAt: '2045-01-23T02:15:23.000Z'
+ x5c:
+ - 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
+ kid: akm5hvbn1vojA9Fsa0h7
+ kty: RSA
+ use: sig
+ x5t#S256: 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ
+ MultipleIdPsResponse:
+ summary: Multiple Identity Providers
+ value:
+ - id: 0oa62b57p7c8PaGpU0h7
+ type: FACEBOOK
+ name: Facebook
+ status: ACTIVE
+ created: '2016-03-24T23:18:27.000Z'
+ lastUpdated: '2016-03-24T23:18:27.000Z'
+ protocol:
+ type: OAUTH2
+ endpoints:
+ authorization:
+ url: https://www.facebook.com/dialog/oauth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://graph.facebook.com/v2.5/oauth/access_token
+ binding: HTTP-POST
+ scopes:
+ - public_profile
+ - email
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oa62bc8wppPw0UGr0h7
+ type: SAML2
+ name: Example SAML IdP
+ status: ACTIVE
+ created: '2016-03-24T23:14:54.000Z'
+ lastUpdated: '2016-03-24T23:14:54.000Z'
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com
+ binding: HTTP-POST
+ destination: https://idp.example.com
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ settings:
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: http://www.okta.com/123
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: saml.subjectNameId
+ filter: (\S+@example\.com)
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ metadata:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml
+ type: application/xml
+ hints:
+ allow:
+ - GET
+ acs:
+ href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7
+ type: application/xml
+ hints:
+ allow:
+ - POST
+ users:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: ACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-24T23:21:49.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oa62bfdjnK55Z5x80h7
+ type: LINKEDIN
+ name: LinkedIn
+ status: ACTIVE
+ created: '2016-03-24T23:23:59.000Z'
+ lastUpdated: '2016-03-24T23:23:59.000Z'
+ protocol:
+ type: OAUTH2
+ endpoints:
+ authorization:
+ url: https://www.linkedin.com/uas/oauth2/authorization
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.linkedin.com/uas/oauth2/accessToken
+ binding: HTTP-POST
+ scopes:
+ - r_basicprofile
+ - r_emailaddress
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oajmvdFawBih4gey0g3
+ type: MICROSOFT
+ name: Microsoft
+ status: ACTIVE
+ created: '2016-03-29T16:47:36.000Z'
+ lastUpdated: '2016-03-29T16:47:36.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/token
+ binding: HTTP-POST
+ scopes:
+ - openid
+ - email
+ - profile
+ - https://graph.microsoft.com/User.Read
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oaulob4BFVa4zQvt0g3
+ type: OIDC
+ name: Example OpenID Connect IdP
+ status: ACTIVE
+ created: '2019-02-07T20:07:47.000Z'
+ lastUpdated: '2019-02-07T20:07:47.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://idp.example.com/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://idp.example.com/token
+ binding: HTTP-POST
+ userInfo:
+ url: https://idp.example.com/userinfo
+ binding: HTTP-REDIRECT
+ jwks:
+ url: https://idp.example.com/keys
+ binding: HTTP-REDIRECT
+ scopes:
+ - openid
+ issuer:
+ url: https://idp.example.com
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: false
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oa6jxasyhwM2ZHJh0g4
+ type: X509
+ name: Smart Card IDP Name
+ status: ACTIVE
+ created: '2020-01-07T00:19:27.000Z'
+ lastUpdated: '2020-01-07T00:19:27.000Z'
+ properties:
+ additionalAmr:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ protocol:
+ type: MTLS
+ endpoints:
+ sso:
+ url: https://{yourOktaDomain}.okta.com/login/cert
+ credentials:
+ trust:
+ issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US
+ audience: null
+ kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc
+ revocation: CRL
+ revocationCacheLifetime: 2880
+ policy:
+ provisioning:
+ action: DISABLED
+ profileMaster: false
+ groups: null
+ subject:
+ userNameTemplate:
+ template: idpuser.subjectAltNameEmail
+ filter: null
+ matchType: EMAIL
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ users:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users
+ hints:
+ allow:
+ - GET
+ keys:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc
+ hints:
+ allow:
+ - GET
+ NextAuthorizationServerKey:
+ summary: Next Authorization Server Key
+ value:
+ status: NEXT
+ alg: RS256
+ e: AQAB
+ 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ
+ kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ hints:
+ allow:
+ - GET
+ NzErrorApiValidationFailed:
+ summary: API Validation Failed
+ value:
+ errorCode: E0000003
+ errorSummary: The request body was not well-formed.
+ errorLink: E0000003
+ errorId: samplewNxQUR9iohr4QYlD0eg
+ errorCauses: []
+ NzErrorResourceNotFound:
+ summary: Resource Not Found
+ value:
+ errorCode: E0000007
+ errorSummary: 'Not found: Resource not found: itd (NetworkZone)'
+ errorLink: E0000007
+ errorId: samplejCSVaKFDkCMElmKQ
+ errorCauses: []
+ OAuth2RefreshTokenResponseEx:
+ summary: OAuth 2.0 refresh token example
+ value:
+ id: oar579Mcp7OUsNTlo0g3
+ status: ACTIVE
+ created: '2023-03-09T03:18:06.000Z'
+ lastUpdated: '2023-03-09T03:18:06.000Z'
+ expiresAt: '2023-03-16T03:18:06.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7
+ clientId: 0oabskvc6442nkvQO0h7
+ userId: 00u5t60iloOHN9pBi0h7
+ scopes:
+ - offline_access
+ - car:drive
+ _embedded:
+ scopes:
+ - id: scppb56cIl4GvGxy70g3
+ name: offline_access
+ description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3
+ title: offline_access
+ - id: scp142iq2J8IGRUCS0g4
+ name: car:drive
+ displayName: Drive car
+ description: Allows the user to drive a car
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4
+ title: Drive car
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7
+ title: Native
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7
+ title: Example Client App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3
+ title: Saml Jackson
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7
+ title: Example Authorization Server
+ OAuth2RefreshTokenResponseListEx:
+ summary: App refresh token list example
+ value:
+ - id: oar579Mcp7OUsNTlo0g3
+ status: ACTIVE
+ created: '2023-03-09T03:18:06.000Z'
+ lastUpdated: '2023-03-09T03:18:06.000Z'
+ expiresAt: '2023-03-16T03:18:06.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7
+ clientId: 0oabskvc6442nkvQO0h7
+ userId: 00u5t60iloOHN9pBi0h7
+ scopes:
+ - offline_access
+ - car:drive
+ _embedded:
+ scopes:
+ - id: scppb56cIl4GvGxy70g3
+ name: offline_access
+ description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3
+ title: offline_access
+ - id: scp142iq2J8IGRUCS0g4
+ name: car:drive
+ displayName: Drive car
+ description: Allows the user to drive a car
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4
+ title: Drive car
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7
+ title: Native
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7
+ title: Example Client App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3
+ title: Saml Jackson
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7
+ title: Example Authorization Server
+ OpenidConnectEx:
+ summary: OPENID_CONNECT
+ value:
+ name: oidc_client
+ label: Sample Client profile
+ signOnMode: OPENID_CONNECT
+ credentials:
+ oauthClient:
+ token_endpoint_auth_method: client_secret_post
+ profile:
+ label: oauth2 client app 1
+ settings:
+ oauthClient:
+ client_uri: http://localhost:8080
+ logo_uri: http://developer.okta.com/assets/images/logo-new.png
+ redirect_uris:
+ - https://example.com/oauth2/callback
+ - myapp://callback
+ response_types:
+ - token
+ - id_token
+ - code
+ grant_types:
+ - authorization_code
+ application_type: native
+ participate_slo: false
+ OpenidConnectPutEx:
+ summary: OPENID_CONNECT
+ value:
+ name: oidc_client
+ label: Sample Client profile updated
+ signOnMode: OPENID_CONNECT
+ OpenidConnectPutResponseEx:
+ summary: OPENID_CONNECT
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: true
+ web: true
+ appLinks:
+ oidc_client_link: true
+ name: oidc_client
+ label: Sample Client profile updated
+ features: []
+ signOnMode: OPENID_CONNECT
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc
+ oauthClient:
+ autoKeyRotation: true
+ client_id: 0oahonkqCRR6TSNlg4
+ client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5
+ token_endpoint_auth_method: client_secret_post
+ pkce_required: true
+ settings:
+ app: {}
+ oauthClient:
+ client_uri: http://localhost:8080
+ logo_uri: http://developer.okta.com/assets/images/logo-new.png
+ redirect_uris:
+ - https://example.com/oauth2/callback
+ - myapp://callback
+ response_types:
+ - token
+ - id_token
+ - code
+ grant_types:
+ - authorization_code
+ application_type: native
+ issuer_mode: DYNAMIC
+ idp_initiated_login:
+ mode: DISABLED
+ default_scope: []
+ wildcard_redirect: DISABLED
+ dpop_bound_access_tokens: false
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ OpenidConnectResponseEx:
+ summary: OPENID_CONNECT
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: true
+ web: true
+ appLinks:
+ oidc_client_link: true
+ name: oidc_client
+ label: Sample Client profile
+ features: []
+ signOnMode: OPENID_CONNECT
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc
+ oauthClient:
+ autoKeyRotation: true
+ client_id: 0oahonkqCRR6TSNlg4
+ client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5
+ token_endpoint_auth_method: client_secret_post
+ pkce_required: true
+ settings:
+ app: {}
+ oauthClient:
+ client_uri: http://localhost:8080
+ logo_uri: http://developer.okta.com/assets/images/logo-new.png
+ redirect_uris:
+ - https://example.com/oauth2/callback
+ - myapp://callback
+ response_types:
+ - token
+ - id_token
+ - code
+ grant_types:
+ - authorization_code
+ application_type: native
+ issuer_mode: DYNAMIC
+ idp_initiated_login:
+ mode: DISABLED
+ default_scope: []
+ wildcard_redirect: DISABLED
+ dpop_bound_access_tokens: false
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ profile:
+ label: oauth2 client app 1
+ OperationResponse:
+ value:
+ id: rre4mje4ez6B2a7B60g7
+ type: realm:assignment
+ status: COMPLETED
+ created: '2023-10-25T21:02:54.000Z'
+ started: '2023-10-25T21:02:54.000Z'
+ completed: '2023-10-25T21:02:54.000Z'
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ realmName: Realm Name
+ assignmentOperation:
+ configuration:
+ id: 0pr1b7rxZj2ibQzfP0g5
+ name: Realm Assignment 1
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy5hx0g4
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ numUserMoved: 50
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7
+ method: GET
+ OptInStatusResponse:
+ summary: Opt in response
+ value:
+ optInStatus: OPTING_IN
+ _links:
+ optInStatus:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn
+ OptOutStatusResponse:
+ summary: Opt out response
+ value:
+ optInStatus: OPTING_OUT
+ _links:
+ optInStatus:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn
+ OrgCAPTCHASettingsConfigured:
+ summary: Org-wide Captcha Settings are configured
+ value:
+ captchaId: abcd4567
+ enabledPages:
+ - SSR
+ - SIGN_IN
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ OrgCAPTCHASettingsDisable:
+ summary: Disable Org-wide Captcha Settings
+ value:
+ captchaId: 'null'
+ enabledPages: 'null'
+ OrgCAPTCHASettingsDisabled:
+ summary: Disabled Org-wide Captcha Settings
+ value:
+ captchaId: 'null'
+ enabledPages: '[]'
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/
+ hints:
+ allow:
+ - GET
+ - PUT
+ OrgCAPTCHASettingsEmpty:
+ summary: Org-wide Captcha Settings aren't configured
+ value:
+ captchaId: null
+ enabledPages: []
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ OrgCAPTCHASettingsUpdate:
+ summary: Update Org-wide Captcha Settings
+ value:
+ captchaId: abcd4567
+ enabledPages:
+ - SSR
+ - SIGN_IN
+ OrgCAPTCHASettingsUpdated:
+ summary: Updated Org-wide Captcha Settings
+ value:
+ captchaId: abcd4567
+ enabledPages:
+ - SSR
+ - SIGN_IN
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ OrgSettingResponse:
+ summary: Org setting response
+ value:
+ address1: 100 1st St
+ address2: 6th floor
+ city: San Fransico
+ companyName: okta
+ country: United States
+ endUserSupportHelpURL: support.okta.com
+ phoneNumber: '+18887227871'
+ postalCode: '94105'
+ state: California
+ supportPhoneNumber: '+18887227871'
+ website: www.okta.com
+ id: 00o3qqiw0vSCIwu8I0g7
+ created: '2024-01-24T14:15:22Z'
+ lastUpdated: '2024-07-21T14:15:22Z'
+ expiresAt: '2024-12-24T14:15:22Z'
+ status: ACTIVE
+ subdomain: okta
+ _links:
+ preferences:
+ href: https://{yourOktaDomain}/v1/org/preferences
+ uploadLogo:
+ href: https://{yourOktaDomain}/api/v1/org/logo
+ hints:
+ allow:
+ - POST
+ oktaCommunication:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication
+ logo: null
+ oktaSupport:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport
+ contacts:
+ href: https://vantest.oktapreview.com/api/v1/org/contacts
+ PasswordImportPayloadExample:
+ summary: An example password import inline hook request body
+ value:
+ eventId: 3o9jBzq1SmOGmmsDsqyyeQ
+ eventTime: '2020-01-17T21:23:56.000Z'
+ eventType: com.okta.user.credential.password.import
+ eventTypeVersion: '1.0'
+ contentType: application/json
+ cloudEventVersion: '0.1'
+ source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7
+ data:
+ context:
+ request:
+ id: XiIl6wn7005Rr@fjYqeC7CCDBxw
+ method: POST
+ url:
+ value: /idp/idx/challenge/answer
+ ipAddress: 66.124.153.138
+ credential:
+ username: isaac.brock@example.com
+ password: Okta
+ action:
+ credential: UNVERIFIED
+ PasswordImportUnVerifiedResponse:
+ summary: An example password hook response for an unverified user password
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ credential: UNVERIFIED
+ PasswordImportVerifiedResponse:
+ summary: An example password hook response for a verified user password
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ credential: VERIFIED
+ PerClientRateLimitSettingsEnforceDefault:
+ value:
+ defaultMode: ENFORCE
+ PerClientRateLimitSettingsEnforceDefaultWithOverrides:
+ value:
+ defaultMode: ENFORCE
+ useCaseModeOverrides:
+ OAUTH2_AUTHORIZE: PREVIEW
+ OIE_APP_INTENT: DISABLE
+ PerClientRateLimitSettingsPreviewDefaultWithOverrides:
+ value:
+ defaultMode: PREVIEW
+ useCaseModeOverrides:
+ LOGIN_PAGE: ENFORCE
+ PermissionResponse:
+ value:
+ label: okta.users.manage
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage
+ PermissionResponseWithConditions:
+ value:
+ label: okta.users.read
+ conditions:
+ include:
+ okta:ResourceAttribute/User/Profile:
+ - city
+ - state
+ - zipCode
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read
+ PermissionsResponse:
+ value:
+ permissions:
+ - label: okta.users.create
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create
+ - label: okta.users.read
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ conditions:
+ include:
+ okta:ResourceAttribute/User/Profile:
+ - city
+ - state
+ - zipCode
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read
+ - label: okta.groups.read
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read
+ - label: okta.users.userprofile.manage
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage
+ PreviewEmailCustomizationResponse:
+ value:
+ subject: Welcome to Okta!
+ body:
Hello, John. Click here to activate your account.
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview
+ hints:
+ allow:
+ - GET
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ PreviewEmailTemplateDefaultContentResponse:
+ value:
+ subject: Welcome to Okta!
+ body:
Hello, John. Click here to activate your account.
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview
+ hints:
+ allow:
+ - GET
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ defaultContent:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content
+ hints:
+ allow:
+ - POST
+ PrincipalRateLimitEntityRequestEmptyPercentages:
+ value:
+ principalId: token1234
+ principalType: SSWS_TOKEN
+ PrincipalRateLimitEntityRequestSSWSToken:
+ value:
+ principalId: token1234
+ principalType: SSWS_TOKEN
+ defaultPercentage: 50
+ defaultConcurrencyPercentage: 75
+ PrincipalRateLimitEntityResponseSSWSToken:
+ value:
+ id: abcd1234
+ orgId: org1234
+ principalId: token1234
+ principalType: SSWS_TOKEN
+ defaultPercentage: 50
+ defaultConcurrencyPercentage: 75
+ createdDate: '2022-05-19T20:05:32.720Z'
+ createdBy: user1234
+ lastUpdate: '2022-05-20T21:13:07.410Z'
+ lastUpdatedBy: user4321
+ PrivilegedResourceClaimAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
+ _links:
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceClaimOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceCreateAppAccountRequest:
+ value:
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ containerId: 0oa103099SBEb3Z2b0g4
+ credentials:
+ userName: testuser@example.com
+ PrivilegedResourceCreateAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
+ _links:
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: INACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceCreateOktaAccountRequestConvert:
+ value:
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4
+ PrivilegedResourceCreateOktaAccountRequestNew:
+ value:
+ resourceType: OKTA_USER_ACCOUNT
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ PrivilegedResourceCreateOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: INACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceRotatePasswordAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
+ _links:
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: ''
+ syncState: SYNCING
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceRotatePasswordOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-11T11:11:01.000Z'
+ syncState: SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourcesAppAccountUpdateRequest:
+ value:
+ username: username
+ PrivilegedResourcesGetAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
+ _links:
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-10T11:30:01.000Z'
+ syncState: SYNC_FAILED
+ errorCode: UNKNOWN_ERROR
+ errorReason: Password update failed
+ PrivilegedResourcesGetOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: testuser@example.com
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-10T11:30:01.000Z'
+ syncState: SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourcesOktaUserAccountUpdateRequest:
+ value:
+ username: username
+ profile:
+ email: testuser@example.com
+ ProfileEnrollmentRequest:
+ summary: An example registration hook profile enrollment (SSR) inline hook request body
+ value:
+ eventId: 04Dmt8BcT_aEgM
+ eventTime: '2022-04-25T17:35:27.000Z'
+ eventType: com.okta.user.pre-registration
+ eventTypeVersion: 1
+ contentType: application/json
+ cloudEventVersion: 0.1
+ source: regt4qeBKU29vSoPz0g3
+ requestType: self.service.registration
+ data:
+ context:
+ request:
+ method: POST
+ ipAddress: 127.0.0.1
+ id: 123testId456
+ url:
+ value: /idp/idx/enroll/new
+ userProfile:
+ firstName: Rosario
+ lastName: Jones
+ login: rosario.jones@example.com
+ email: rosario.jones@example.com
+ action: ALLOW
+ ProfileEnrollmentResponse:
+ summary: An example registration hook profile enrollment (SSR) inline hook response
+ value:
+ commands:
+ - type: com.action.update
+ value:
+ registration: ALLOW
+ ProfileEnrollmentResponseDeny:
+ summary: An example Profile Enrollment (SSR) inline hook Deny response
+ value:
+ commands:
+ - type: com.action.update
+ value:
+ registration: DENY
+ error:
+ errorSummary: Incorrect email address. Please contact your admin.
+ errorCauses:
+ - errorSummary: Only example.com emails can register.
+ reason: INVALID_EMAIL_DOMAIN
+ locationType: body
+ location: data.userProfile.email
+ domain: end-user
+ ProgressiveProfileRequest:
+ summary: An example Progressive Profile inline hook request
+ value:
+ eventId: vzYp_zMwQu2htIWRbNJdfw
+ eventTime: '2022-04-25T04:04:41.000Z'
+ eventType: com.okta.user.pre-registration
+ eventTypeVersion: 1
+ contentType: application/json
+ cloudEventVersion: 0.1
+ source: regt4qeBKU29vS
+ requestType: progressive.profile
+ data:
+ context:
+ request:
+ method: POST
+ ipAddress: 127.0.0.1
+ id: 123dummyId456
+ url:
+ value: /idp/idx/enroll/update
+ user:
+ passwordChanged: '2022-01-01T00:00:00.000Z'
+ _links:
+ groups:
+ href: /api/v1/users/00u48gwcu01WxvNol0g7/groups
+ factors:
+ href: /api/v1/users/00u48gwcu01WxvNol0g7/factors
+ profile:
+ firstName: Rosario
+ lastName: Jones"
+ timeZone: America/Los_Angeles
+ login: rosario.jones@example.com
+ locale: en_US
+ id: 00u48gwcu01WxvNo
+ action: ALLOW
+ userProfileUpdate:
+ employeeNumber: 1234
+ ProgressiveProfileResponse:
+ summary: An example Progressive Profile inline hook response
+ value:
+ commands:
+ - type: com.okta.user.progressive.profile.update'
+ value: request.body.data.userProfileUpdate['employeeNumber']
+ ProgressiveProfileResponseDeny:
+ summary: An example Progressive Profile inline hook Deny response
+ value:
+ commands:
+ - type: com.action.update
+ value:
+ registration: DENY
+ error:
+ errorSummary: Incorrect employee number. Enter an employee number with 4 digits.
+ errorCauses:
+ - errorSummary: Only employee numbers with 4 digits can register.
+ reason: INVALID_EMPLOYEE_NUMBER
+ locationType: body
+ location: data.userProfile.employeeNumber
+ domain: end-user
+ ProvisioningConnectionOauthO365RequestEx:
+ summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app
+ value:
+ profile:
+ authScheme: OAUTH2
+ settings:
+ adminUsername: office_admin-username
+ adminPassword: office_admin-password
+ ProvisioningConnectionOauthRequestEx:
+ summary: Provisioning Connection with OAuth 2.0
+ value:
+ profile:
+ authScheme: OAUTH2
+ ProvisioningConnectionOauthResponseEx:
+ summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app
+ value:
+ status: ENABLED
+ profile:
+ authScheme: OAUTH2
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
+ hints:
+ allow:
+ - GET
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ authorize:
+ href: https://login.microsoftonline.com/myofficetenant.onmicrosoft.com/oauth2/authorize?response_type=code&state=>&client_id=&redirect_uri=&scope=
+ hints:
+ allow:
+ - GET
+ guidance:
+ - Specifies the URI to invoke in a browser for granting scope consent required to complete the OAuth 2.0 connection.
+ ProvisioningConnectionTokenOrg2OrgRequestEx:
+ summary: Provisioning Connection with token for Okta Org2Org app
+ value:
+ profile:
+ authScheme: TOKEN
+ clientId: 0oa2h6su6bVFyJzIf1d7
+ ProvisioningConnectionTokenRequestEx:
+ summary: Provisioning Connection with token for Zscaler 2.0 (`zscalerbyz`) app
+ value:
+ baseUrl: https://scim.zscalerbeta.net/1234567/890/scim
+ profile:
+ authScheme: TOKEN
+ token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x
+ ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx:
+ summary: Provisioning Connection with token for Okta Org2Org (`okta_org2org`) app
+ value:
+ authScheme: TOKEN
+ status: ENABLED
+ baseUrl: https://targetorg.okta.com
+ profile:
+ authScheme: TOKEN
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
+ hints:
+ allow:
+ - GET
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ProvisioningConnectionTokenResponseWithProfileZscalerEx:
+ summary: Provisioning Connection with token for Zscaler 2.0 (`zscalerbyz`) app
+ value:
+ authScheme: TOKEN
+ status: ENABLED
+ baseUrl: https://scim.zscalerbeta.net/1234567/890/scim
+ profile:
+ authScheme: TOKEN
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
+ hints:
+ allow:
+ - GET
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ PushProviderAPNsRequest:
+ value:
+ name: APNs Example
+ providerType: APNS
+ configuration:
+ keyId: KEY_ID
+ teamId: TEAM_ID
+ tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
+ fileName: fileName.p8
+ PushProviderAPNsResponse:
+ value:
+ id: ppctekcmngGaqeiBxB0g4
+ name: APNs Example
+ providerType: APNS
+ lastUpdatedDate: '2022-01-01T00:00:00.000Z'
+ configuration:
+ keyId: KEY_ID
+ teamId: TEAM_ID
+ fileName: fileName.p8
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ PushProviderFCMRequest:
+ value:
+ name: FCM Example
+ providerType: FCM
+ configuration:
+ serviceAccountJson:
+ type: service_account
+ project_id: PROJECT_ID
+ private_key_id: KEY_ID
+ private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
+ client_email: SERVICE_ACCOUNT_EMAIL
+ client_id: CLIENT_ID
+ auth_uri: https://accounts.google.com/o/oauth2/auth
+ token_uri: https://accounts.google.com/o/oauth2/token
+ auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs
+ client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL
+ fileName: fileName.json
+ PushProviderFCMResponse:
+ value:
+ id: ppctekcmngGaqeiBxB0g4
+ name: FCM Example
+ providerType: FCM
+ lastUpdatedDate: '2022-01-01T00:00:00.000Z'
+ configuration:
+ projectId: PROJECT_ID
+ fileName: fileName.p8
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ RateLimitAdminNotificationsDisabled:
+ value:
+ notificationsEnabled: false
+ RateLimitAdminNotificationsEnabled:
+ value:
+ notificationsEnabled: true
+ RateLimitWarningThresholdValidExample:
+ value:
+ warningThreshold: 66
+ RealmResponse:
+ value:
+ id: guox9jQ16k9V8IFEL0g3
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ profile:
+ name: Car Co
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3
+ method: GET
+ RefreshCurrentSessionResponse:
+ summary: Refresh current session
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - GET
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/me
+ refresh:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh
+ user:
+ hints:
+ allow:
+ - GET
+ href: https://{yourOktaDomain}/api/v1/users/me
+ name: User Name
+ RefreshSessionResponse:
+ summary: Refresh an existing Session using the session ID
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-25T14:17:22Z'
+ expiresAt: '2019-08-25T14:17:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85
+ RemoveMappingBody:
+ summary: Update an existing profile mapping by removing one or more properties
+ value:
+ properties:
+ nickName:
+ expression: null
+ pushStatus: null
+ RemoveMappingResponse:
+ summary: Update an existing profile mapping by removing one or more properties
+ value:
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ ReplaceAnEventHookWithFilter:
+ summary: Replace an event hook
+ value:
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ ReplaceAuthServerBody:
+ summary: Replace a custom authorization server
+ value:
+ name: New Authorization Server
+ description: Authorization Server description
+ audiences:
+ - api://default
+ credentials:
+ signing:
+ rotationMode: AUTO
+ use: sig
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ ReplaceAuthServerResponse:
+ summary: Replace a custom authorization server
+ value:
+ id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ _links:
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
+ hints:
+ allow:
+ - GET
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
+ hints:
+ allow:
+ - GET
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ReplaceCustomTokenClaimBody:
+ summary: Replace a custom token Claim
+ value:
+ - alwaysIncludeInToken: true
+ claimType: IDENTITY
+ conditions:
+ scopes:
+ - profile
+ group_filter_type: CONTAINS
+ name: Knowledge_Base
+ status: ACTIVE
+ system: false
+ value: Knowledge Base
+ valueType: GROUPS
+ ReplaceCustomTokenClaimResponse:
+ summary: Replace a custom token Claim response
+ value:
+ - id: '{claimId}'
+ name: Knowledge_Base
+ status: ACTIVE
+ claimType: IDENTITY
+ valueType: GROUPS
+ value: Knowledge Base
+ conditions:
+ scopes:
+ - profile
+ system: false
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ group_filter_type: CONTAINS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ReplaceIdPRequestResponse:
+ summary: Replace an Identity Provider
+ value:
+ id: 0oa62bc8wppPw0UGr0h7
+ type: SAML2
+ name: Example SAML IdP
+ status: INACTIVE
+ created: null
+ lastUpdated: '2016-03-29T21:23:45.000Z'
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com/saml2/sso
+ binding: HTTP-REDIRECT
+ destination: https://idp.example.com/saml2/sso
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ settings:
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.subjectNameId
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 120000
+ _links:
+ metadata:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml
+ type: application/xml
+ hints:
+ allow:
+ - GET
+ acs:
+ href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7
+ type: application/xml
+ hints:
+ allow:
+ - POST
+ users:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users
+ hints:
+ allow:
+ - GET
+ activate:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ ReplaceKeyResponse:
+ summary: Replace a key response example
+ value:
+ id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: My updated new key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:16:59.000Z'
+ isUsed: 'false'
+ ReplaceNetworkZone:
+ summary: Replace a Network Zone
+ value:
+ type: IP
+ id: nzovw2rFz2YoqmvwZ0g9
+ name: UpdatedNetZone
+ status: ACTIVE
+ system: false
+ usage: POLICY
+ gateways:
+ - type: CIDR
+ value: 10.2.3.4/24
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: RANGE
+ value: 13.4.5.6-13.4.5.8
+ - type: CIDR
+ value: 14.2.3.4/24
+ proxies:
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: CIDR
+ value: 13.3.4.5/24
+ - type: RANGE
+ value: 14.4.5.6-14.4.5.8
+ - type: RANGE
+ value: 15.5.6.7/24-15.5.6.9
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ReplaceNetworkZoneResponse:
+ summary: Replace Network Zone
+ value:
+ type: IP
+ id: nzovw2rFz2YoqmvwZ0g9
+ name: UpdatedNetZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2022-05-08T18:25:05.000Z'
+ lastUpdated: '2022-05-10T13:15:22.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 10.2.3.4/24
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: RANGE
+ value: 13.4.5.6-13.4.5.8
+ - type: CIDR
+ value: 14.2.3.4/24
+ proxies:
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: CIDR
+ value: 13.3.4.5/24
+ - type: RANGE
+ value: 14.4.5.6-14.4.5.8
+ - type: RANGE
+ value: 15.5.6.7/24-15.5.6.9
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ReplaceResourceSetRequest:
+ value:
+ label: SF-IT-People
+ description: People in the IT department of San Francisco
+ ReplaceRoleRequest:
+ value:
+ label: UserCreator
+ description: Create users
+ ReplaceUserTypePutRequest:
+ summary: Replace user type request
+ value:
+ displayName: Replacement Display Name
+ description: Replacement description
+ name: newUserType
+ ReplaceUserTypePutResponse:
+ summary: Replace user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: Replacement Display Name
+ name: newUserType
+ description: Replacement description
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ ResetPwdWithoutSendingEmailResponse:
+ value:
+ summary: Reset password without sending email
+ resetPasswordUrl: https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO
+ ResourceSelectorCreateRequestExample:
+ value:
+ name: All applications except Workday applications
+ description: All applications except Workday applications
+ schema: /api/v1/apps
+ filter: name ne "workday"
+ ResourceSelectorCreateResponseExample:
+ value:
+ id: rsl1hx31gVEa6x10v0g5
+ name: All applications except Workday applications
+ description: All applications except Workday applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5
+ resources:
+ href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "workday""
+ ResourceSelectorPatchRequestExample:
+ value:
+ name: All applications except Facebook applications
+ description: All applications except Facebook applications
+ filter: name ne "facebook"
+ ResourceSelectorPatchResponseExample:
+ value:
+ id: rsl1hx31gVEa6x10v0g5
+ name: All applications except Facebook applications
+ description: All applications except Facebook applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5
+ resources:
+ href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "facebook""
+ ResourceSelectorResponseExample:
+ value:
+ id: rsl1hx31gVEa6x10v0g5
+ name: All applications except a specific application
+ description: All applications except a specific application
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5
+ resources:
+ href: https://{yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH"
+ ResourceSelectorsResponseExample:
+ value:
+ resourceSelectors:
+ - id: rsl1hx31gVEa6x10v0g5
+ name: All applications except Workday applications
+ description: All applications except Workday applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ resources:
+ href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqCAJWWGELFTYASJ"
+ - id: rsl1hx31gVEa6x10v0g6
+ name: All applications except Facebook applications
+ description: All applications except Facebook applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g6:apps
+ _links:
+ resources:
+ href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors?after=rsl1hx31gVEa6x10v0g6
+ ResourceSetBindingAddMembersRequestExample:
+ value:
+ additions:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3
+ ResourceSetBindingCreateRequestExample:
+ value:
+ role: cr0Yq6IJxGIr0ouum0g3
+ members:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ ResourceSetBindingMemberResponse:
+ value:
+ id: irb1qe6PGuMc7Oh8N0g4
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3
+ ResourceSetBindingMembersResponse:
+ value:
+ members:
+ - id: irb1qe6PGuMc7Oh8N0g4
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3
+ - id: irb1q92TFAHzySt3x0g4
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ _links:
+ binding:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3
+ ResourceSetBindingResponseExample:
+ value:
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ ResourceSetBindingResponseWithIdExample:
+ value:
+ id: cr0Yq6IJxGIr0ouum0g3
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ ResourceSetBindingsResponse:
+ value:
+ roles:
+ - id: cr0WxyzJxGIr0ouum0g4
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4
+ members:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4
+ ResourceSetRequest:
+ value:
+ label: SF-IT-People
+ description: People in the IT department of San Francisco
+ resources:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
+ - https://{yourOktaDomain}/api/v1/users
+ ResourceSetResourcePatchRequestExample:
+ value:
+ additions:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
+ ResourceSetResourcePostRequestExample:
+ summary: Resource Set with conditions request
+ value:
+ resourceOrnOrUrl: https://{yourOktaDomain}/api/v1/apps
+ conditions:
+ Exclude:
+ okta:ORN:
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack
+ ResourceSetResourcePutRequestExample:
+ value:
+ conditions:
+ Exclude:
+ okta:ORN:
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack
+ ResourceSetResourceResponse:
+ summary: Resource Set response
+ value:
+ id: ire106sQKoHoXXsAe0g4
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps
+ conditions:
+ Exclude:
+ okta:ORN:
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1
+ ResourceSetResourcesResponse:
+ value:
+ resources:
+ - id: ire106sQKoHoXXsAe0g4
+ orn: orn:{partition}:directory:{yourOrgId}:groups:00guaxWZ0AOa5NFAj0g3
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1
+ - id: ire106riDrTYl4qA70g4
+ orn: orn:{partition}:directory:{yourOrgId}:groups:00gu67DU2qNCjNZYO0g3:contained_resources
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g2
+ - id: irezvo4AwE2ngpMw40g3
+ orn: orn:{partition}:directory:{yourOrgId}:users
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users
+ users:
+ href: https://{yourOktaDomain}/api/v1/users
+ - id: ire2j4iDnxHhUFaZN0g4
+ orn: orn:{partition}:directory:{yourOrgId}:groups
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups
+ groups:
+ href: https://{yourOktaDomain}/api/v1/groups
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g3
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ ResourceSetResponse:
+ value:
+ id: iamoJDFKaJxGIr0oamd9g
+ label: SF-IT-People
+ description: People in the IT department of San Francisco
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ resources:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ ResourceSetsResponse:
+ value:
+ resource-sets:
+ - id: iamoJDFKaJxGIr0oamd9g
+ label: SF-IT-1
+ description: First San Francisco IT Resource Set
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ resources:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ - id: iamoJDFKaJxGIr0oamd0q
+ label: SF-IT-2
+ description: Second San Francisco IT Resource Set
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q
+ resources:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q
+ RetrieveADeactivatedEventHook:
+ summary: Deactivated event hook
+ value:
+ id: who8vt36qfNpCGz9H1e6
+ status: INACTIVE
+ verificationStatus: VERIFIED
+ name: Event Hook Test
+ description: null
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter: null
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers:
+ - key: X-Other-Header
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
+ _links:
+ self:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAllEventHooks:
+ summary: Retrieves all event hooks
+ value:
+ - id: who8tsqyrhCdmetzx135
+ status: ACTIVE
+ verificationStatus: VERIFIED
+ name: Event Hook Test
+ description: null
+ created: '2023-07-07T17:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T17:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - user.lifecycle.deactivate
+ - user.lifecycle.activate
+ filter: null
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userDeactivate
+ headers: []
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
+ _links:
+ self:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/verify
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - id: who8vt36qfNpCGz9H1e6
+ status: ACTIVE
+ verificationStatus: VERIFIED
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ version: null
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers: []
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
+ _links:
+ self:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAllZones:
+ summary: Retrieves all Network Zones
+ value:
+ - type: DYNAMIC_V2
+ id: nzok0oz2xYHOZtIch0g4
+ name: testZone106
+ status: ACTIVE
+ usage: BLOCKLIST
+ create: '2024-05-13T16:33:44.000Z'
+ lastUpdated: '2024-05-13T16:33:44.000Z'
+ system: false
+ locations:
+ include: []
+ exclude: []
+ asns:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclude: []
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: DYNAMIC
+ id: nzoy0ox5xADOZtKrh0g6
+ name: test
+ status: ACTIVE
+ usage: POLICY
+ created: '2022-05-19T15:33:32.000Z'
+ lastUpdated: '2022-05-19T15:33:32.000Z'
+ system: false
+ locations:
+ - country: AF
+ region: AF-BGL
+ proxyType: ANY
+ asns:
+ - '23457'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: IP
+ id: nzou3u0stMCmgOzXK1d6
+ name: BlockedIpZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: DYNAMIC_V2
+ id: nzohcnxFrSgsiwyHp0g4
+ name: DefaultEnhancedDynamicZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2024-05-06T19:12:29.000Z'
+ lastUpdated: '2024-05-09T21:02:31.000Z'
+ system: true
+ locations:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclue: []
+ asns:
+ include: []
+ exclude: []
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: IP
+ id: nzou3u0ssJfZjYsWL1d6
+ name: LegacyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAllZonesWithFilter:
+ summary: Retrieves Network Zones with filter
+ value:
+ - type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAnEventHook:
+ summary: Retrieve an event hook
+ value:
+ id: who8vt36qfNpCGz9H1e6
+ status: ACTIVE
+ verificationStatus: VERIFIED
+ name: Event Hook Test
+ description: null
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter: null
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers:
+ - key: X-Other-Header
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
+ _links:
+ self:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAnEventHookWithFilter:
+ summary: Retrieve an event hook
+ value:
+ id: who8vt36qfNpCGz9H1e6
+ status: ACTIVE
+ verificationStatus: VERIFIED
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ version: null
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
+ _links:
+ self:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAuthServerResponse:
+ summary: Retrieve a custom authorization server
+ value:
+ id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ _links:
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
+ hints:
+ allow:
+ - GET
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
+ hints:
+ allow:
+ - GET
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveCurrentSessionResponse:
+ summary: Retrieve current session
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - GET
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/me
+ refresh:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh
+ user:
+ hints:
+ allow:
+ - GET
+ href: https://{yourOktaDomain}/api/v1/users/me
+ name: User Name
+ RetrieveCustomTokenClaimResponse:
+ summary: Retrieve a custom token Claim response
+ value:
+ - id: '{claimId}'
+ name: Support
+ status: ACTIVE
+ claimType: IDENTITY
+ valueType: GROUPS
+ value: Support
+ conditions:
+ scopes:
+ - profile
+ system: false
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ group_filter_type: CONTAINS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ RetrieveFeaturesResponse:
+ summary: Retrieve a feature by ID
+ value:
+ id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: CLOSED
+ value: BETA
+ status: DISABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ RetrieveKeyResponse:
+ summary: Retrieve a key by id response example
+ value:
+ id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: My new key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:09:58.000Z'
+ isUsed: 'false'
+ RetrieveMappingsResponse:
+ summary: Retrieve a single Profile Mapping
+ value:
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ firstName:
+ expression: user.firstName
+ pushStatus: PUSH
+ lastName:
+ expression: user.lastName
+ pushStatus: PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ RetrieveNetworkZoneDynamic:
+ summary: Dynamic Network Zone
+ value:
+ type: DYNAMIC
+ id: nzoy0ox5xADOZtKrh0g6
+ name: test
+ status: ACTIVE
+ usage: POLICY
+ created: '2022-05-19T15:33:32.000Z'
+ lastUpdated: '2022-05-19T15:33:32.000Z'
+ system: false
+ locations:
+ - country: AF
+ region: AF-BGL
+ proxyType: ANY
+ asns:
+ - '23457'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveNetworkZoneIP:
+ summary: IP Network Zone
+ value:
+ type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrievePublicKeyResponse:
+ summary: Retrieve Public Key response example
+ value:
+ _embedded:
+ kty: RSA
+ alg: RSA
+ kid: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ use: null
+ e: AQAB
+ 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w`
+ RetrieveRefreshTokenClientResponse:
+ summary: Retrieve a refresh token for a Client
+ value:
+ - id: '{refreshTokenId}'
+ status: ACTIVE
+ created: '2023-09-21T19:59:56.000Z'
+ lastUpdated: '2023-09-21T20:00:38.000Z'
+ expiresAt: '2023-09-28T20:00:38.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ client_id: '{clientId}'
+ userId: '{userId}'
+ scopes:
+ - offline_access
+ - openid
+ _embedded:
+ scopes:
+ - id: '{scopeID}'
+ name: offline_access
+ displayName: Keep you signed in to the app
+ description: This keeps you signed in to the app, even when you aren't using it.
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ title: Keep you signed in to the app
+ - id: '{scopeId}'
+ name: openid
+ displayName: openid
+ description: Signals that a request is an OpenID request
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ title: openid
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: My Web App
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ title: Authorization Server name
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: My Web App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
+ title: Joe User
+ RetrieveSessionResponse:
+ summary: Retrieve Session information for a single session ID
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85
+ RetrieveUISchemaResponse:
+ summary: Retrieves a UI Schema response
+ value:
+ id: uis4a7liocgcRgcxZ0g7
+ uiSchema:
+ type: Group
+ label: Sign in
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Email
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/countryCode'
+ label: Country code
+ options:
+ format: select
+ - type: Control
+ scope: '#/properties/bool2'
+ label: bool2
+ options:
+ format: checkbox
+ - type: Control
+ scope: '#/properties/date'
+ label: date
+ - type: Control
+ scope: '#/properties/enum'
+ label: enum
+ options:
+ format: radio
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
+ _links:
+ self:
+ href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ RiskEventsRequestExample:
+ summary: Risk Events payload example
+ value:
+ - timestamp: '2021-01-20T00:00:00.001Z'
+ subjects:
+ - ip: 6.7.6.7
+ riskLevel: MEDIUM
+ - ip: 1.1.1.1
+ riskLevel: HIGH
+ message: Detected Attack tooling and suspicious activity
+ - timestamp: '2021-01-20T01:00:00.001Z'
+ subjects:
+ - ip: 6.7.6.7
+ riskLevel: LOW
+ - ip: 2.2.2.2
+ riskLevel: HIGH
+ RiskProviderPutRequest:
+ summary: Replace Risk Provider request example
+ value:
+ name: Risk-Partner-Y
+ action: enforce_and_log
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ RiskProviderPutResponse:
+ summary: Replace Risk Provider response example
+ value:
+ id: 00rp12r4skkjkjgsn
+ action: enforce_and_log
+ name: Risk-Partner-Y
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ created: '2021-01-05 22:18:30'
+ lastUpdated: '2021-01-05 23:18:30'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
+ hints:
+ allow:
+ - GET
+ - PUT
+ RiskProviderRequest:
+ summary: Risk Provider payload example
+ value:
+ name: Risk-Partner-X
+ action: log_only
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ RiskProviderResponse:
+ summary: Risk Provider response example
+ value:
+ id: 00rp12r4skkjkjgsn
+ action: log_only
+ name: Risk-Partner-X
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ created: '2021-01-05 22:18:30'
+ lastUpdated: '2021-01-05 22:18:30'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
+ hints:
+ allow:
+ - GET
+ - PUT
+ RoleAssignedUsersResponseExample:
+ value:
+ value:
+ - id: 00u118oQYT4TBGuay0g4
+ orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
+ roles:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles
+ _links:
+ next:
+ href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1
+ RoleRequest:
+ value:
+ label: UserCreator
+ description: Create users
+ permissions:
+ - okta.users.create
+ - okta.users.read
+ - okta.groups.read
+ - okta.users.userprofile.manage
+ RoleResponse:
+ value:
+ id: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreator
+ description: Create users
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ RolesResponse:
+ value:
+ roles:
+ - id: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreator
+ description: Create users
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ - id: cr0Fw7HKcWIroo88m3r1
+ label: GroupMembershipManager
+ description: Manage group membership
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1
+ SAMLHookResponseExample:
+ summary: An example SAML assertion inline hook response
+ value:
+ commands:
+ - type: com.okta.assertion.patch
+ value:
+ - op: replace
+ path: /claims/array/attributeValues/1/value
+ value: replacementValue
+ - op: replace
+ path: /authentication/authnContext
+ value:
+ authnContextClassRef: replacementValue
+ - op: add
+ path: /claims/extPatientId
+ value:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: '4321'
+ - op: add
+ path: /authentication/sessionLifetime
+ value: 300
+ - type: com.okta.assertion.patch
+ value:
+ - op: replace
+ path: /authentication/sessionIndex
+ value: exampleSession
+ SAMLHookResponseWithURIFormat:
+ summary: An example with `replace` and `add` operations with the URI formatted claim encoded
+ value:
+ commands:
+ - type: com.okta.assertion.patch
+ value:
+ - op: replace
+ path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributeValues/0/value
+ value: replacementValue
+ - op: replace
+ path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributes
+ value:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - op: add
+ path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1bar
+ value:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: bearer
+ SAMLPayLoadExample:
+ summary: An example SAML assertion inline hook request body
+ value:
+ source: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml
+ eventId: XMFoHCM1S4Wi_SGWzL8T9A
+ eventTime: '2019-03-28T19:15:23.000Z'
+ data:
+ context:
+ request:
+ id: reqqXypjzYJRSu2j1G1imUovA
+ method: GET
+ url:
+ value: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml
+ ipAddress: 127.0.0.1
+ protocol:
+ type: SAML2.0
+ issuer:
+ id: 0oath92zlO60urQOP0g3
+ name: SAML 2.0 App
+ uri: http://www.okta.com/exkth8lMzFm0HZOTU0g3
+ session:
+ id: 102LN9Bnuc4S_ewfc9BYwageA
+ userId: 00uq8tMo3zV0OfJON0g3
+ login: user@example.com
+ createdAt: '2019-03-28T16:45:55.000Z'
+ expiresAt: '2019-03-28T21:15:23.000Z'
+ status: ACTIVE
+ lastPasswordVerification: '2019-03-28T16:45:55.000Z'
+ amr:
+ - PASSWORD
+ idp:
+ id: 00oq6kcVwvrDY2YsS0g3
+ type: OKTA
+ mfaActive: false
+ user:
+ id: 00uq8tMo3zV0OfJON0g3
+ passwordChanged: '2018-09-11T23:19:12.000Z'
+ profile:
+ login: user@example.com
+ firstName: Admin
+ lastName: Last
+ locale: en
+ timeZone: America/Los_Angeles
+ _links:
+ groups:
+ href: https://${yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups
+ factors:
+ href: https://${yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors
+ assertion:
+ subject:
+ nameId: user@example.com
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ confirmation:
+ method: urn:oasis:names:tc:SAML:2.0:cm:bearer
+ data:
+ recipient: http://www.example.com:7070/saml/sso
+ authentication:
+ sessionIndex: id1553800523546.312669168
+ authnContext:
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ conditions:
+ audienceRestriction:
+ - urn:example:sp
+ claims:
+ extPatientId:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:integer
+ value: '4321'
+ array:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: Array 1
+ - attributes:
+ xsi:type: xs:string
+ value: Array2
+ - attributes:
+ xsi:type: xs:string
+ value: Array3
+ middle:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: admin
+ firstAndLast:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: 7d6a50c8-4d7e-4058-9c5b-2cc98cecd294
+ lifetime:
+ expiration: 300
+ eventTypeVersion: '1.0'
+ cloudEventVersion: '0.1'
+ eventType: com.okta.saml.tokens.transform
+ contentType: application/json
+ SMSTemplateEditablePropertyValues:
+ value:
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ SMSTemplateListResponse:
+ value:
+ - id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ SMSTemplateResponseValues:
+ value:
+ id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ Saml2.0Ex:
+ summary: SAML_2_0
+ value:
+ label: Example Custom SAML 2.0 App
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ signOnMode: SAML_2_0
+ settings:
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: true
+ acsEndpoints:
+ - url: http://testorgone.okta
+ index: 0
+ - url: http://testorgone.okta/1
+ index: 1
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ Saml2.0PutEx:
+ summary: SAML_2_0
+ value:
+ label: Example Custom SAML 2.0 App updated
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ signOnMode: SAML_2_0
+ settings:
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n..."
+ requestCompressed: false
+ allowMultipleAcsEndpoints: true
+ acsEndpoints:
+ - url: http://testorgone.okta
+ index: 0
+ - url: http://testorgone.okta/1
+ index: 1
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ Saml2.0PutResponseEx:
+ summary: SAML_2_0
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_examplecustomsaml20app_1_link: true
+ name: testorgone_examplecustomsaml20app_1
+ label: Example Custom SAML 2.0 App updated
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q
+ settings:
+ app: {}
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ spIssuer: https://testorgone.okta.com
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ samlSignedRequestEnabled: false
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ inlineHooks: []
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ Saml2.0ResponseEx:
+ summary: SAML_2_0
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_examplecustomsaml20app_1_link: true
+ name: testorgone_examplecustomsaml20app_1
+ label: Example Custom SAML 2.0 App
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q
+ settings:
+ app: {}
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ spIssuer: https://testorgone.okta.com
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ samlSignedRequestEnabled: false
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ inlineHooks: []
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ SamlIdPResponse:
+ summary: SAML 2.0 Identity Provider
+ value:
+ id: 0oa62bc8wppPw0UGr0h7
+ type: SAML2
+ name: Example SAML IdP
+ status: ACTIVE
+ created: '2016-03-24T23:14:54.000Z'
+ lastUpdated: '2016-03-24T23:14:54.000Z'
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com
+ binding: HTTP-POST
+ destination: https://idp.example.com
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ settings:
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: http://www.okta.com/123
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: saml.subjectNameId
+ filter: (\S+@example\.com)
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ metadata:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml
+ type: application/xml
+ hints:
+ allow:
+ - GET
+ acs:
+ href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7
+ type: application/xml
+ hints:
+ allow:
+ - POST
+ users:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ SecurePasswordStoreEx:
+ summary: SECURE_PASSWORD_STORE
+ value:
+ name: template_sps
+ label: Example SWA App
+ signOnMode: SECURE_PASSWORD_STORE
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue
+ SecurePasswordStorePutEx:
+ summary: SECURE_PASSWORD_STORE
+ value:
+ name: template_sps
+ label: Example SWA App updated
+ signOnMode: SECURE_PASSWORD_STORE
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue_updated
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue_updated
+ SecurePasswordStorePutResponseEx:
+ summary: SECURE_PASSWORD_STORE
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_sps
+ label: Example SWA App updated
+ features: []
+ signOnMode: SECURE_PASSWORD_STORE
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue_updated
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue_updated
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ SecurePasswordStoreResponseEx:
+ summary: SECURE_PASSWORD_STORE
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_sps
+ label: Example SWA App
+ features: []
+ signOnMode: SECURE_PASSWORD_STORE
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ SecurityEventsProviderRequestIssuerAndJwksUrl:
+ summary: Provider with issuer and JWKS
+ value:
+ name: Security Events Provider with an issuer and a JWKS URL
+ type: okta
+ settings:
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ SecurityEventsProviderRequestWellKnownUrl:
+ summary: Provider with well-known URL
+ value:
+ name: Security Events Provider with well-known URL
+ type: okta
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ SecurityEventsProviderResponseIssuerAndJwksUrl:
+ summary: Provider with issuer and JWKS
+ value:
+ id: sse1qu4fUtsoD12iF0g5
+ name: Security Events Provider with an issuer and a JWKS URL
+ type: okta
+ status: ACTIVE
+ settings:
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ SecurityEventsProviderResponseWellKnownUrl:
+ summary: Provider with well-known URL
+ value:
+ id: sse1qg25RpusjUP6m0g5
+ name: Security Events Provider with well-known URL
+ type: okta
+ status: ACTIVE
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ SimulatePolicyBody:
+ summary: Simulate policy request body
+ description: Simulate policy request body
+ value:
+ policyType:
+ - OKTA_SIGN_ON
+ - MFA_ENROLL
+ appInstance: 0oa4eroj3nYCIJIW70g7
+ policyContext:
+ groups:
+ ids:
+ - 00g4eralvekR5RLuS0g7
+ - 00g4eralvekR5RLuS0g8
+ risk:
+ level: LOW
+ zones:
+ ids:
+ - nzo4eralxcRnbIHYJ0g7
+ device:
+ platform: IOS
+ registered: true
+ managed: true
+ SimulatePolicyElExpressionBody:
+ summary: Simulate policy request body with EL context
+ description: Simulate policy request body with EL context
+ value:
+ appInstance: 0oa4fdudGhhB5FNKR0g4
+ policyContext:
+ user:
+ id: 00u10wvS3zms2JVaO0g4
+ status: ACTIVE
+ created: '2024-04-29T18:05:24.000Z'
+ lastUpdated: '2024-04-29T18:05:24.000Z'
+ passwordChanged: '2024-04-29T18:05:24.000Z'
+ lastLogin: '2024-04-29T18:05:24.000Z'
+ profile:
+ city: string
+ costCenter: string
+ countryCode: st
+ department: string
+ displayName: string
+ division: string
+ email: user@example.com
+ employeeNumber: string
+ firstName: string
+ honorificPrefix: string
+ honorificSuffix: string
+ lastName: string
+ locale: string
+ login: string
+ manager: string
+ managerId: string
+ middleName: string
+ mobilePhone: string
+ nickName: string
+ organization: string
+ postalAddress: string
+ preferredLanguage: string
+ primaryPhone: string
+ profileUrl: string
+ secondEmail: user@example.com
+ state: string
+ streetAddress: string
+ timezone: string
+ title: string
+ userType: string
+ zipCode: string
+ SimulatePolicyElExpressionResponse:
+ summary: Simulate policy response body with EL Context
+ description: Simulate policy response body with EL Context
+ value:
+ evaluation:
+ - status: null
+ policyType: OKTA_SIGN_ON
+ result:
+ policies:
+ - id: 00p4eromwukk6qUku0g7
+ name: test policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4erof85nGcyC7Y0g7
+ name: test rule
+ status: MATCH
+ conditions:
+ - type: people.groups.include
+ status: MATCH
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: MFA_ENROLL
+ result:
+ policies:
+ - id: 00p4eram2kw1aLcrx0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4eram2lMQT5FZF0g7
+ name: null
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: ACCESS_POLICY
+ result:
+ policies:
+ - id: rst4eram06ZKZewEe0g7
+ name: Any two factors
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram07VsWgybo0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: PROFILE_ENROLLMENT
+ result:
+ policies:
+ - id: rst4eram08ZSjPTOl0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram094PrQ2BX0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ SimulatePolicyResponse:
+ summary: Simulate policy response body
+ description: Simulate policy response body
+ value:
+ evaluation:
+ - status: null
+ policyType: OKTA_SIGN_ON
+ result:
+ policies:
+ - id: 00p4eromwukk6qUku0g7
+ name: test policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4erof85nGcyC7Y0g7
+ name: test rule
+ status: MATCH
+ conditions:
+ - type: people.groups.include
+ status: MATCH
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: MFA_ENROLL
+ result:
+ policies:
+ - id: 00p4eram2kw1aLcrx0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4eram2lMQT5FZF0g7
+ name: null
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: ACCESS_POLICY
+ result:
+ policies:
+ - id: rst4eram06ZKZewEe0g7
+ name: Any two factors
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram07VsWgybo0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: PROFILE_ENROLLMENT
+ result:
+ policies:
+ - id: rst4eram08ZSjPTOl0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram094PrQ2BX0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ SmartCardIdPResponse:
+ summary: SmartCard Identity Provider
+ value:
+ id: 0oa6jxasyhwM2ZHJh0g4
+ type: X509
+ name: Smart Card IDP Name
+ status: ACTIVE
+ created: '2020-01-07T00:19:27.000Z'
+ lastUpdated: '2020-01-07T00:19:27.000Z'
+ properties:
+ additionalAmr:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ protocol:
+ type: MTLS
+ endpoints:
+ sso:
+ url: https://{yourOktaDomain}.okta.com/login/cert
+ credentials:
+ trust:
+ issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US
+ audience: null
+ kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc
+ revocation: CRL
+ revocationCacheLifetime: 2880
+ policy:
+ provisioning:
+ action: DISABLED
+ profileMaster: false
+ groups: null
+ subject:
+ userNameTemplate:
+ template: idpuser.subjectAltNameEmail
+ filter: null
+ matchType: EMAIL
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 120000
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ users:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users
+ hints:
+ allow:
+ - GET
+ keys:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc
+ hints:
+ allow:
+ - GET
+ SocialAuthTokensResponse:
+ summary: Social Authentication Tokens
+ value:
+ - id:
+ token: JBTWGV22G4ZGKV3N
+ tokenType: urn:ietf:params:oauth:token-type:access_token
+ tokenAuthScheme: Bearer
+ expiresAt: '2014-08-06T16:56:31.000Z'
+ scopes:
+ - openid
+ - foo
+ - id:
+ token: JBTWGV22G4ZJBRXJ
+ tokenType: urn:ietf:params:oauth:token-type:id_token
+ tokenAuthScheme: null
+ StandardAndCustomRolesListResponse:
+ value:
+ - id: IFIFAX2BIRGUSTQ
+ label: Application administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: ra125eqBFpETrMwu80g4
+ label: Organization administrator
+ type: ORG_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: gra25fapn1prGTBKV0g4
+ label: API Access Management administrator
+ type: API_ACCESS_MANAGEMENT_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4
+ - id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ - id: irb5e92YgBazyyQ3x1q5
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: iamoakjsdQaJxGIr03int1o
+ _links:
+ assignee:
+ href: https://{ yourOktaDomain }/api/v1/groups/00g1ousb3XCr9Dkr20g4
+ resource-set:
+ href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoakjsdQaJxGIr03int1o
+ member:
+ href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{ yourOktaDomain }/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{ yourOktaDomain }/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ StandardRoleAssignmentRequest:
+ value:
+ type: HELP_DESK_ADMIN
+ StandardRoleResponseClient:
+ value:
+ id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk Administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2023-05-01T14:24:54.000Z'
+ lastUpdated: '2023-05-01T14:24:54.000Z'
+ assignmentType: CLIENT
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles
+ StandardRoleResponseUser:
+ value:
+ id: ra1b8anIk7rx7em7L0g4
+ label: Super Organization administrator
+ type: SUPER_ADMIN
+ status: ACTIVE
+ created: '2015-09-06T15:28:47.000Z'
+ lastUpdated: '2015-09-06T15:28:47.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ StandardRolesListResponse:
+ value:
+ - id: IFIFAX2BIRGUSTQ
+ label: Application administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: ra125eqBFpETrMwu80g4
+ label: Organization administrator
+ type: ORG_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: gra25fapn1prGTBKV0g4
+ label: API Access Management administrator
+ type: API_ACCESS_MANAGEMENT_ADMIN
+ status: ACTIVE
+ created": '2019-02-06T16:20:57.000Z'
+ lastUpdated": '2019-02-06T16:20:57.000Z'
+ assignmentType": GROUP
+ _links":
+ assignee":
+ href": https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4
+ StandardRolesListResponseClient:
+ value:
+ - id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk Administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2023-05-01T14:24:54.000Z'
+ lastUpdated: '2023-05-01T14:24:54.000Z'
+ assignmentType: CLIENT
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles
+ StandardRolesListResponseGroup:
+ value:
+ - id: IFIFAX2BIRGUSTQ
+ label: Application Administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: GROUP
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ SubmissionOidcRequest:
+ summary: Submission OIDC request example
+ value:
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ oidc:
+ redirectUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/login
+ initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init
+ postLogoutUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/logged-out
+ doc: https://example.com/strawberry/help/oidcSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ SubmissionOidcResponse:
+ summary: Submission OIDC response example
+ value:
+ id: acme_strawberrycentral_1
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ oidc:
+ redirectUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/login
+ initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init
+ postLogoutUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/logged-out
+ doc: https://example.com/strawberry/help/oidcSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ status: New
+ lastUpdated: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR
+ lastPublished: '2023-09-01T13:23:45.000Z'
+ SubmissionSamlRequest:
+ summary: Submission SAML request example
+ value:
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ saml:
+ acs:
+ - url: https://${org.subdomain}.example.com/saml/login
+ entityId: https://${org.subdomain}.example.com
+ claims:
+ - name: manager
+ values:
+ - ${user.manager}
+ groups:
+ - name: groups
+ doc: https://example.com/strawberry/help/samlSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ SubmissionSamlResponse:
+ summary: Submission SAML response example
+ value:
+ id: acme_strawberrycentral_1
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ saml:
+ acs:
+ - url: https://${org.subdomain}.example.com/saml/login
+ entityId: https://${org.subdomain}.example.com
+ claims:
+ - name: manager
+ values:
+ - ${user.manager}
+ groups:
+ - name: groups
+ doc: https://example.com/strawberry/help/samlSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ status: To be reviewed by Okta
+ lastUpdated: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR
+ lastPublished: null
+ SubmissionsResponse:
+ summary: Submission list example
+ value:
+ - id: acme_strawberrycentral_1
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ saml:
+ acs:
+ - url: https://${org.subdomain}.example.com/saml/login
+ entityId: https://${org.subdomain}.example.com
+ claims:
+ - name: manager
+ values:
+ - ${user.manager}
+ groups:
+ - name: groups
+ doc: https://example.com/strawberry/help/samlSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ status: Complete
+ lastUpdated: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR
+ lastPublished: '2023-09-01T13:23:45.000Z'
+ SupportedFactorResults:
+ value:
+ - factorType: question
+ provider: OKTA
+ vendorName: OKTA
+ _links:
+ questions:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions
+ hints:
+ allow:
+ - GET
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
+ hints:
+ allow:
+ - POST
+ - factorType: token:software:totp
+ provider: OKTA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
+ hints:
+ allow:
+ - POST
+ - factorType: token:software:totp
+ provider: GOOGLE
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
+ hints:
+ allow:
+ - POST
+ - factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
+ hints:
+ allow:
+ - POST
+ _embedded:
+ phones:
+ - id: mblldntFJevYKbyQQ0g3
+ profile:
+ phoneNumber: '+14081234567'
+ status: ACTIVE
+ - factorType: call
+ provider: OKTA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
+ hints:
+ allow:
+ - POST
+ - factorType: token
+ provider: RSA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
+ hints:
+ allow:
+ - POST
+ - factorType: token
+ provider: SYMANTEC
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
+ hints:
+ allow:
+ - POST
+ TelephonyFailureResponse:
+ summary: An example telephony hook response for an external web service returning failure
+ value:
+ error:
+ - errorSummary: Failed to deliver SMS OTP to test.user@okta.com
+ - errorCauses:
+ errorSummary: Provider could not deliver OTP
+ reason: The content of the message is not supported
+ location: South Africa
+ TelephonyPayloadExample:
+ summary: An example telephony inline hook request body
+ value:
+ eventId: uS5871kJThSsU8qlA1LTcg
+ eventTime: '2020-01-17T21:23:56.000Z'
+ eventType: com.okta.telephony.provider
+ eventTypeVersion: '1.0'
+ contentType: application/json
+ cloudEventVersion: '0.1'
+ source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7
+ data:
+ context:
+ request:
+ id: reqRgSk8IBBRhuo0YdlEDTmUw
+ method: POST
+ url:
+ value: /api/internal/v1/inlineHooks/com.okta.telephony.provider/generatePreview
+ ipAddress: 127.0.0.1
+ userProfile:
+ firstName: test
+ lastName: user
+ login: test.user@okta.com
+ userId: 00uyxxSknGtK8022w0g3
+ messageProfile:
+ msgTemplate: (HOOK)Your code is 11111
+ phoneNumber: 9876543210
+ otpExpires: '2022-01-28T21:48:34.321Z'
+ deliveryChannel: SMS
+ otpCode: 11111
+ locale: EN-US
+ TelephonySuccessResponse:
+ summary: An example telephony hook response for an external web service returning success
+ value:
+ commands:
+ - type: com.okta.telephony.action
+ - value:
+ status: FAILURE
+ provider: VONAGE
+ transactionId: SM49a8ece2822d44e4adaccd7ed268f954
+ transactionMetadata: Duration=300ms
+ TestInfoOidcRequest:
+ summary: OIDC SSO Submission Testing Information request
+ value:
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ oidcTestConfiguration:
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init
+ TestInfoOidcResponse:
+ summary: OIDC SSO Submission Testing Information response
+ value:
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ oidcTestConfiguration:
+ idp: true
+ sp: true
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init
+ TestInfoSamlRequest:
+ summary: SAML SSO Submission Testing Information request
+ value:
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ samlTestConfiguration:
+ idp: true
+ sp: true
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/saml/sp-init
+ spInitiateDescription: Go to the app URL from a browser and enter your username
+ TestInfoSamlResponse:
+ summary: SAML SSO Submission Testing Information response
+ value:
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ samlTestConfiguration:
+ idp: true
+ sp: true
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/saml/sp-init
+ spInitiateDescription: Go to the app URL from a browser and enter your username
+ ThreatInsightResponseExample:
+ summary: ThreatInsight response
+ value:
+ action: none
+ excludeZones: []
+ created: '2020-08-05T22:18:30.629Z'
+ lastUpdated: '2020-08-05T22:18:30.629Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/threats/configuration
+ hints:
+ allow:
+ - GET
+ - POST
+ ThreatInsightUpdateRequestExample:
+ summary: ThreatInsight update request
+ value:
+ action: audit
+ excludeZones:
+ - nzo1q7jEOsoCnoKcj0g4
+ - nzouagptWUz5DlLfM0g3
+ ThreatInsightUpdateResponseExample:
+ summary: ThreatInsight update response
+ value:
+ action: audit
+ excludeZones:
+ - nzo1q7jEOsoCnoKcj0g4
+ - nzouagptWUz5DlLfM0g3
+ created: '2020-08-05T22:18:30.629Z'
+ lastUpdated: '2020-10-13T21:23:10.178Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/threats/configuration
+ hints:
+ allow:
+ - GET
+ - POST
+ TokenHookErrorExample:
+ summary: Error response
+ value:
+ error:
+ errorSummary: Human-readable summary of the error
+ TokenHookModifyLifetime:
+ summary: Modify token lifetime
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: replace
+ path: /token/lifetime/expiration
+ value: 36000
+ - type: com.okta.access.patch
+ value:
+ - op: replace
+ path: /token/lifetime/expiration
+ value: 36000
+ TokenHookRemoveClaim:
+ summary: Remove claim
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: remove
+ path: /claims/birthdate
+ value: null
+ - type: com.okta.access.patch
+ value:
+ - op: remove
+ path: /claims/external_guid
+ TokenHookRemoveFromArray:
+ summary: Remove from array
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: remove
+ path: /claims/preferred_airports/1
+ TokenHookRemoveFromObject:
+ summary: Remove from JSON object
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: remove
+ path: /claims/employee_profile/email
+ TokenHookReplaceExisting:
+ summary: Replace an existing claim
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: replace
+ path: /claims/extPatientId
+ value: '1234'
+ - op: replace
+ path: /claims/external_guid
+ value: F0384685-F87D-474B-848D-2058AC5655A7
+ TokenHookReplaceInPath:
+ summary: Replace within JSON object
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: replace
+ path: /claims/employee_profile/email
+ value: anna@company.com
+ TokenHookResponse:
+ description: Token inline hook response
+ summary: An example token inline hook response that adds a claim
+ value:
+ commands:
+ - type: com.okta.assertion.patch
+ value:
+ - op: add
+ path: /claims/extPatientId
+ value: '1234'
+ - type: com.okta.assertion.patch
+ value:
+ - op: add
+ path: /claims/external_guid
+ value: F0384685-F87D-474B-848D-2058AC5655A7
+ TokenHookResponseAppendArray:
+ summary: Append to array
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: add
+ path: /claims/preferred_airports/3
+ value: lax
+ TokenHookResponseWithURIFormat:
+ summary: Add new members to existing JSON objects
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: add
+ path: /claims/employee_profile/department_id
+ value: '4947'
+ TokenPayLoadExample:
+ summary: An example token inline hook request body
+ description: An example token inline hook request body
+ value:
+ source: https://{yourOktaDomain}/oauth2/default/v1/authorize
+ eventId: 3OWo4oo-QQ-rBWfRyTmQYw
+ eventTime: '2019-01-15T23:20:47.000Z'
+ eventTypeVersion: '1.0'
+ cloudEventVersion: '0.1'
+ contentType: application/json
+ eventType: com.okta.oauth2.tokens.transform
+ data: null
+ context:
+ request:
+ id: reqv66CbCaCStGEFc8AdfS0ng
+ method: GET
+ url:
+ value: https://{yourOktaDomain}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=foobareere&nonce=asf&client_id=customClientIdNative
+ ipAddress: 127.0.0.1
+ protocol:
+ type: OAUTH2.0
+ request:
+ scope: openid profile email
+ state: foobareere
+ redirect_uri: https://httpbin.org/get
+ response_mode: fragment
+ response_type: token id_token
+ client_id: customClientIdNative
+ issuer:
+ uri: https://{yourOktaDomain}/oauth2/default
+ client:
+ id: customClientIdNative
+ name: Native client
+ type: PUBLIC
+ session:
+ id: 102Qoe7t5PcRnSxr8j3I8I6pA
+ userId: 00uq8tMo3zV0OfJON0g3
+ login: administrator1@clouditude.net
+ createdAt: '2019-01-15T23:17:09.000Z'
+ expiresAt: '2019-01-16T01:20:46.000Z'
+ status: ACTIVE
+ lastPasswordVerification: '2019-01-15T23:17:09.000Z'
+ amr:
+ - PASSWORD
+ idp:
+ id: 00oq6kcVwvrDY2YsS0g3
+ type: OKTA
+ mfaActive: false
+ user:
+ id: 00uq8tMo3zV0OfJON0g3
+ passwordChanged: '2018-09-11T23:19:12.000Z'
+ profile:
+ login: administrator1@clouditude.net
+ firstName: Add-Min
+ lastName: O'Cloudy Tud
+ locale: en
+ timeZone: America/Los_Angeles
+ _links:
+ groups:
+ href: https://{yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups
+ factors:
+ href: https://{yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors
+ policy:
+ id: 00pq8lGaLlI8APuqY0g3
+ rule:
+ id: 0prq8mLKuKAmavOvq0g3
+ identity:
+ claims:
+ sub: 00uq8tMo3zV0OfJON0g3
+ name: Add-Min O'Cloudy Tud
+ email: administrator1@clouditude.net
+ ver: 1
+ iss: https://{yourOktaDomain}/oauth2/default
+ aud: customClientIdNative
+ jti: ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0
+ amr:
+ - pwd
+ idp: 00oq6kcVwvrDY2YsS0g3
+ nonce: asf
+ preferred_username: administrator1@clouditude.net
+ auth_time: 1547594229
+ token:
+ lifetime:
+ expiration: 3600
+ access:
+ claims:
+ ver: 1
+ jti: AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA
+ iss: https://{yourOktaDomain}/oauth2/default
+ aud: api://default
+ cid: customClientIdNative
+ uid: 00uq8tMo3zV0OfJON0g3
+ sub: administrator1@clouditude.net
+ firstName: Add-Min
+ preferred_username: administrator1@clouditude.net
+ token:
+ lifetime:
+ expiration: 3600
+ scopes:
+ openid:
+ id: scpq7bW1cp6dcvrz80g3
+ action: GRANT
+ profile:
+ id: scpq7cWJ81CIP5Qkr0g3
+ action: GRANT
+ email:
+ id: scpq7dxsoz6LQlRj00g3
+ action: GRANT
+ refresh_token:
+ jti: oarob4a0tckCkGcyo1d6
+ TriggerSessionResponse:
+ value:
+ - id: aps1qqonvr2SZv6o70h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: TRIGGERED
+ importType: INCREMENTAL
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ TrustedOriginBody:
+ summary: Trusted origin request body
+ value:
+ name: New Trusted Origin
+ origin: http://example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ TrustedOriginBodyWithIframeEmbedding:
+ summary: Trusted origin request body with iFrame embedding (Okta End-User Dashboard and Okta sign-in page)
+ description: |
+ Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the type
+ of Okta resource is both the Okta End-User Dashboard and the Okta sign-in page.
+ value:
+ name: New Trusted Origin
+ origin: http://example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ TrustedOriginBodyWithIframeEmbeddingSignIn:
+ summary: Trusted origin request body with iFrame embedding (Okta sign-in page)
+ description: |
+ Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the Okta
+ resource is the Okta sign-in page.
+ value:
+ name: New Trusted Origin
+ origin: http://example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps: []
+ TrustedOriginInactiveResponse:
+ summary: Trusted origin response
+ value:
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: INACTIVE
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ TrustedOriginPut:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutBody:
+ summary: Trusted origin request body
+ value:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutBodyWithIframeEmbedding:
+ summary: Trusted origin request body with iFrame embedding
+ value:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutResponse:
+ summary: Trusted origin response body
+ value:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutResponseWithIframeEmbedding:
+ summary: Trusted origin response body with iFrame embedding
+ value:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutWithIframeEmbedding:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginResponse:
+ summary: Trusted origin response
+ value:
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: ACTIVE
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginResponseWithIframeEmbedding:
+ summary: Trusted origin response with iFrame embedding (End-User Dashboard and Okta sign-in page)
+ value:
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: ACTIVE
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginResponseWithIframeEmbeddingSignIn:
+ summary: Trusted origin response with iFrame embedding (Okta sign-in page)
+ value:
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: ACTIVE
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps: []
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginsResponse:
+ summary: Trusted origins response
+ value:
+ - id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: ACTIVE
scopes:
- okta.agentPools.manage: Read or modify Agent Pools
- okta.agentPools.read: Read Agent Pools
- okta.apiToken.read: Read API Tokens.
- okta.apiToken.manage: Read or modify API Tokens.
- okta.apps.read: Read Apps.
- okta.apps.manage: Read or modify Apps.
- okta.authenticators.read: Read Authenticators.
- okta.authenticators.manage: Read or modify Authenticators.
- okta.authorizationServers.read: Read Authorization Servers.
- okta.authorizationServers.manage: Read or modify Authorization Servers.
- okta.behaviors.read: Read Behavior Detection Rules.
- okta.behaviors.manage: Read or modify Behavior Detection Rules.
- okta.brands.read: Read Brands.
- okta.brands.manage: Read or modify Brands.
- okta.captchas.manage: Read or modify CAPTCHA instances in your org.
- okta.captchas.read: Read CAPTCHA instances in your org.
- okta.domains.read: Read Domains.
- okta.domains.manage: Read or modify Domains.
- okta.eventHooks.read: Read Event Hooks.
- okta.eventHooks.manage: Read or modify Event Hooks.
- okta.groups.read: Read Groups.
- okta.groups.manage: Read or modify Groups.
- okta.roles.read: Read Roles.
- okta.roles.manage: Read or modify Roles.
- okta.idps.read: Read Identity Providers.
- okta.idps.manage: Read or modify Identity Providers.
- okta.users.read: Read Users.
- okta.users.manage: Read or modify Users.
- okta.inlineHooks.read: Read Inline Hooks.
- okta.inlineHooks.manage: Read or modify Inline Hooks.
- okta.logs.read: Read Logs.
- okta.profileMappings.read: Read Profile Mappings.
- okta.profileMappings.manage: Read or modify Profile Mappings.
- okta.schemas.read: Read Schemas.
- okta.schemas.manage: Read or modify Schemas.
- okta.linkedObjects.read: Read Linked Objects.
- okta.linkedObjects.manage: Read or modify Linked Objects.
- okta.userTypes.read: Read Usertypes.
- okta.userTypes.manage: Read or modify Usertypes.
- okta.orgs.read: Read Org Settings.
- okta.orgs.manage: Read or modify Org Settings.
- okta.policies.read: Read Policies.
- okta.policies.manage: Read or modify Policies.
- okta.principalRateLimits.read: Read Principal Rate Limits.
- okta.principalRateLimits.manage: Read or modify Principal Rate Limits.
- okta.pushProviders.read: Read Push Providers such as APNs and FCM.
- okta.pushProviders.manage: Read or modify Push Providers such as APNs and FCM.
- okta.sessions.read: Read Sessions.
- okta.sessions.manage: Read or modify Sessions.
- okta.templates.read: Read Templates.
- okta.templates.manage: Read or modify Templates.
- okta.trustedOrigins.read: Read Trusted Origins.
- okta.trustedOrigins.manage: Read or modify Trusted Origins.
- okta.deviceAssurance.read: Read device assurance policies.
- okta.deviceAssurance.manage: Read or modify device assurance policies.
- examples:
- ApiTokenListMetadataResponse:
+ - type: CORS
+ - type: REDIRECT
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ UpdateAppFeatureRequestEx:
+ summary: Update USER_PROVISIONING request
+ value:
+ create:
+ lifecycleCreate:
+ status: ENABLED
+ update:
+ lifecycleDeactivate:
+ status: ENABLED
+ profile:
+ status: ENABLED
+ password:
+ status: ENABLED
+ seed: RANDOM
+ change: CHANGE
+ UpdateAppFeatureResponseEx:
+ summary: Update USER_PROVISIONING response
+ value:
+ name: USER_PROVISIONING
+ status: ENABLED
+ description: User provisioning settings from Okta to a downstream application
+ capabilities:
+ create:
+ lifecycleCreate:
+ status: ENABLED
+ update:
+ lifecycleDeactivate:
+ status: ENABLED
+ profile:
+ status: ENABLED
+ password:
+ status: ENABLED
+ seed: RANDOM
+ change: CHANGE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ UpdateAuthorizationServerPolicyRequest:
+ summary: Update Authorization Server Policy
+ value:
+ id: 00p5m9xrrBffPd9ah0g4
+ type: OAUTH_AUTHORIZATION_POLICY
+ status: ACTIVE
+ name: Default Policy
+ description: Default policy description
+ priority: 1
+ system: false
+ conditions:
+ clients":
+ include":
+ - ALL_CLIENTS
+ UpdateAuthorizationServerPolicyRuleRequest:
+ summary: Update Authorization Server Policy Rule
+ value:
+ type: RESOURCE_ACCESS
+ name: Default Policy Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ groups:
+ include:
+ - EVERYONE
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ UpdateBrandRequest:
+ value:
+ customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy
+ agreeToCustomPrivacyPolicy: true
+ removePoweredByOkta: true
+ name: New Name For Brand
+ emailDomainId: OeD114iNkrcN6aR680g4
+ locale: en
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ UpdateBrandResponse:
+ value:
+ id: bnd114iNkrcN6aR680g4
+ removePoweredByOkta: true
+ agreeToCustomPrivacyPolicy: true
+ name: New Name For Brand
+ isDefault: true
+ customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy
+ emailDomainId: OeD114iNkrcN6aR680g4
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ locale: en
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ hints:
+ allow:
+ - GET
+ emailDomain:
+ href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ UpdateEmailDomainRequest:
+ value:
+ displayName: IT Admin
+ userName: noreply
+ UpdateFeatureLifecycleResponse:
+ summary: Update the feature lifecycle status
+ value:
+ description: Example feature description
+ id: ftrZooGoT8b41iWRiQs7
+ name: Example feature name
+ stage:
+ state: OPEN
+ value: BETA
+ status: DISABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ UpdateInboundProvisioningFeatureRequestEx:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ summary: Update INBOUND_PROVISIONING request
+ value:
+ capabilities:
+ importSettings:
+ username:
+ userNameFormat: EMAIL
+ schedule:
+ status: ENABLED
+ fullImport:
+ expression: 0 0 * * 0
+ timezone: America/New_York
+ incrementalImport:
+ expression: 0 */3 * * *
+ timezone: America/New_York
+ importRules:
+ userCreateAndMatch:
+ exactMatchCriteria: EMAIL
+ allowPartialMatch: false
+ autoConfirmPartialMatch: false
+ autoConfirmExactMatch: false
+ autoConfirmNewUsers: false
+ autoActivateNewUsers: false
+ UpdateInboundProvisioningFeatureResponseEx:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ summary: Update INBOUND_PROVISIONING response
+ value:
+ name: INBOUND_PROVISIONING
+ status: ENABLED
+ description: In-bound provisioning settings from an application to Okta
+ capabilities:
+ importSettings:
+ username:
+ userNameFormat: EMAIL
+ schedule:
+ status: ENABLED
+ fullImport:
+ expression: 0 0 * * 0
+ timezone: America/New_York
+ incrementalImport:
+ expression: 0 */3 * * *
+ timezone: America/New_York
+ importRules:
+ userCreateAndMatch:
+ exactMatchCriteria: EMAIL
+ allowPartialMatch: false
+ autoConfirmPartialMatch: false
+ autoConfirmExactMatch: false
+ autoConfirmNewUsers: false
+ autoActivateNewUsers: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/INBOUND_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ UpdateMappingBody:
+ summary: Update an existing profile mapping by updating one or more properties
+ value:
+ properties:
+ nickName:
+ expression: user.honorificPrefix + user.displayName
+ pushStatus: DONT_PUSH
+ UpdateMappingResponse:
+ summary: Update an existing profile mapping by updating one or more properties
+ value:
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ nickName:
+ expression: user.honorificPrefix + user.displayName
+ pushStatus: DONT_PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ UpdateOAuth2ScopeRequest:
+ summary: Example scope
+ value:
+ description: Order car
+ name: car:order
+ metadataPublish: ALL_CLIENTS
+ UpdateOrgSettingEx:
+ summary: Org setting request
+ value:
+ address1: 100 1st St
+ address2: 6th floor
+ city: San Fransico
+ companyName: okta
+ country: United States
+ endUserSupportHelpURL: support.okta.com
+ phoneNumber: '+18887227871'
+ postalCode: '94105'
+ state: California
+ supportPhoneNumber: '+18887227871'
+ website: www.okta.com
+ UpdateRecQuestionRequest:
+ value:
+ password:
+ value: tlpWENT2m
+ recovery_question:
+ question: How many roads must a man walk down?
+ answer: forty two
+ UpdateRecQuestionResponse:
+ value:
+ password: {}
+ recovery_question:
+ question: How many roads must a man walk down?
+ provider:
+ type: OKTA
+ name: OKTA
+ UpdateSMSTemplateRequest:
+ value:
+ translations:
+ de: '${org.name}: ihre bestätigungscode ist ${code}.'
+ UpdateSMSTemplateResponse:
+ value:
+ id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ de: '${org.name}: ihre bestätigungscode ist ${code}.'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ UpdateThemeRequest:
+ value:
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ UpdateThemeResponse:
+ value:
+ id: thdul904tTZ6kWVhP0g3
+ logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png
+ favicon: https://{yourOktaDomain}/favicon.ico
+ backgroundImage: null
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ UpdateUserTypePostRequest:
+ summary: Update user type request
+ value:
+ displayName: Updated Display Name
+ UpdateUserTypePostResponse:
+ summary: Update user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: Updated Display Name
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ UpdatedEmailDomainResponse:
+ value:
+ id: OeD114iNkrcN6aR680g4
+ validationStatus: NOT_STARTED
+ displayName: IT Admin
+ userName: noreply
+ domain: example.com
+ validationSubdomain: mail
+ dnsValidationRecords:
+ - recordType: TXT
+ fqdn: _oktaverification.example.com
+ verificationValue: 759080212bda43e3bc825a7d73b4bb64
+ - recordType: CNAME
+ fqdn: mail.example.com
+ verificationValue: u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t02._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t022._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ UpdatedOAuth2ScopeResponse:
+ summary: Updated scope
+ value:
+ id: scp5yu8kLOnDzo7lh0g4
+ name: car:order
+ description: Order car
+ system: false
+ default: false
+ displayName: Saml Jackson
+ consent: REQUIRED
+ optional: false
+ metadataPublish: ALL_CLIENTS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ UploadYubikeyTokenSeedRequest:
+ summary: Yubikey OTP Seed
+ value:
+ serialNumber: '7886622'
+ publicId: ccccccijgibu
+ privateId: b74be6169486
+ aesKey: 1fcc6d8ce39bf1604e0b17f3e0a11067
+ UploadYubikeyTokenSeedResponse:
+ value:
+ id: ykkut4G6ti62DD8Dy0g3
+ created: '2020-01-10T23:04:10.000Z'
+ lastVerified: '2020-01-10T23:04:10.000Z'
+ lastUpdated: '2020-01-10T23:04:10.000Z'
+ status: UNASSIGNED
+ profile:
+ serial: '000007886622'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkut4G6ti62DD8Dy0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorChallengeCallResponse:
+ summary: call challenge
+ value:
+ factorResult: CHALLENGE
+ profile:
+ phoneNumber: '+12532236986'
+ phoneExtension: '1234'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorChallengeEmailResponse:
+ summary: email challenge
+ value:
+ factorResult: CHALLENGE
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorChallengePushResponse:
+ summary: push challenge
+ value:
+ expiresAt: '2015-04-01T15:57:32.000Z'
+ factorResult: WAITING
+ _links:
+ poll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g
+ hints:
+ allow:
+ - GET
+ cancel:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g
+ hints:
+ allow:
+ - DELETE
+ UserFactorChallengeSmsResponse:
+ summary: sms challenge
+ value:
+ factorResult: CHALLENGE
+ profile:
+ phoneNumber: '+12532236986'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorChallengeU2fResponse:
+ summary: u2f challenge
+ value:
+ factorResult: CHALLENGE
+ profile:
+ credentialId: GAiiLsVab2m3-zL1Fi3bVtNrM9G6_MntUITHKjxkV24ktGKjLSCRnz72wCEdHCe18IvC69Aia0sE4UpsO0HpFQ
+ version: U2F_V2
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ _embedded:
+ challenge:
+ nonce: vQFwTt6zKzMV7HFPzjS2
+ timeoutSeconds: 20
+ UserFactorChallengeWebauthnResponse:
+ summary: webAuthn challenge
+ value:
+ factorResult: CHALLENGE
+ profile:
+ credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ authenticatorName: MacBook Touch ID
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ _embedded:
+ challenge:
+ challenge: vQFwTt6zKzMV7HFPzjS2
+ extensions: {}
+ UserFactorVerifyCallSuccessResponse:
+ summary: call verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifyEmailSuccessResponse:
+ summary: email verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifyPushRejectedResponse:
+ summary: push verification rejected
+ value:
+ factorResult: REJECTED
+ profile:
+ credentialId: jane.doe@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorVerifyPushTransactionApproved:
+ summary: SUCCESS
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifyPushTransactionRejected:
+ summary: REJECTED
+ value:
+ factorResult: REJECTED
+ profile:
+ credentialId: jane.doe@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorVerifyPushTransactionTimeout:
+ summary: TIMEOUT
+ value:
+ factorResult: TIMEOUT
+ profile:
+ credentialId: jane.doe@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorVerifyPushTransactionWaiting:
+ summary: WAITING
+ value:
+ expiresAt: '2015-04-01T15:57:32.000Z'
+ factorResult: WAITING
+ profile:
+ credentialId: jane.doe@example.com
+ _links:
+ poll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA
+ hints:
+ allow:
+ - GET
+ cancel:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA
+ hints:
+ allow:
+ - DELETE
+ UserFactorVerifySecurityQuestionRequest:
+ summary: security question verify
+ value:
+ answer: mayonnaise
+ UserFactorVerifySuccessSmsResponse:
+ summary: sms verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessSqResponse:
+ summary: security question verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessTokenResponse:
+ summary: token verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessTotpResponse:
+ summary: totp verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessYubikeyResponse:
+ summary: yubikey verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifyU2fRequest:
+ summary: u2f verify
+ value:
+ clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9
+ signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc
+ UserFactorVerifyU2fResponse:
+ summary: u2f verify response
+ value:
+ factorResult: SUCCESS
+ profile:
+ credentialId: h1bFwJFU9wnelYkexJuQfoUHZ5lX3CgQMTZk4H3I8kM9Nn6XALiQ-BIab4P5EE0GQrA7VD-kAwgnG950aXkhBw
+ version: U2F_V2
+ UserFactorVerifyWebauthnRequest:
+ summary: WebAuthn verify challenge (posts a signed assertion using the challenge `nonce`)
+ value:
+ clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9
+ authenticatorData: SBv04caJ+NLZ0bTeotGq9esMhHJ8YC5z4bMXXPbT95UFXbDsOg==
+ signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc
+ UserFactorVerifyWebauthnResponse:
+ summary: WebAuthn verify
+ value:
+ factorResult: SUCCESS
+ profile:
+ credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ authenticatorName: MacBook Touch ID
+ UserImportChangeAppUserProfileExample:
+ summary: An example user import inline hook response that updates an app user's profile
+ value:
+ commands:
+ - type: com.okta.appUser.profile.update
+ value:
+ firstName: Stan
+ UserImportChangeUserProfileExample:
+ summary: Update an Okta user's profile response
+ value:
+ commands:
+ - type: com.okta.user.profile.update
+ value:
+ firstName: Stan
+ UserImportCreateANewUserExample:
+ summary: Create a new Okta user profile response
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ result: CREATE_USER
+ UserImportErrorExample:
+ summary: Return an error object
+ value:
+ error:
+ errorSummary: Error at third-party service. Please contact your admin.
+ UserImportMatchExample:
+ summary: Match an existing Okta user response
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ result: LINK_USER
+ - type: com.okta.user.update
+ value:
+ id: 00garwpuyxHaWOkdV0g3
+ UserImportPayloadExample:
+ summary: An example user import request body
+ value:
+ source: cal7eyxOsnb20oWbZ0g4
+ eventId: JUGOUiYZTaKPmH6db0nDag
+ eventTime: '2019-02-27T20:59:04.000Z'
+ eventTypeVersion: '1.0'
+ cloudEventVersion: '0.1'
+ eventType: com.okta.import.transform
+ contentType: application/json
+ data:
+ context:
+ conflicts:
+ - login
+ application:
+ name: test_app
+ id: 0oa7ey7aLRuBvcYUD0g4
+ label: Test App
+ status: ACTIVE
+ job:
+ id: ij17ez2AWtMZRfCZ60g4
+ type: import:users
+ matches: []
+ policy:
+ - EMAIL
+ - FIRST_AND_LAST_NAME
+ action:
+ result: CREATE_USER
+ appUser:
+ profile:
+ firstName: Sally2
+ lastName: Admin2
+ mobilePhone: null
+ accountType: PRO
+ secondEmail: null
+ failProvisioning: null
+ failDeprovisioning: null
+ externalId: user221
+ groups:
+ - everyone@examplee.net
+ - tech@example.net
+ userName: administrator2
+ email: sally.admin@example.net
+ user:
+ profile:
+ lastName: Admin2
+ zipCode: null
+ city: null
+ secondEmail: null
+ postAddress: null
+ login: sally.admin@example.net
+ firstName: Sally2
+ primaryPhone: null
+ mobilePhone: null
+ streetAddress: null
+ countryCode: null
+ typeId: null
+ state: null
+ email: sally.admin@example.net
+ UserRiskNoneResponse:
+ summary: Example User Risk with NONE risk level response
+ value:
+ riskLevel: NONE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}/risk
+ hints:
+ allow:
+ - GET
+ - PUT
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
+ hints:
+ allow:
+ - GET
+ UserRiskRequest:
+ summary: Example upsert the risk for a user request
+ value:
+ riskLevel: HIGH
+ UserRiskResponse:
+ summary: Example User Risk response
+ value:
+ riskLevel: HIGH
+ reason: Admin override risk
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}/risk
+ hints:
+ allow:
+ - GET
+ - PUT
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
+ hints:
+ allow:
+ - GET
+ UserSchemaAddRequest:
+ value:
+ definitions:
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ description: Twitter Username
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required: []
+ UserSchemaResponse:
+ value:
+ id: https://{yourOktaDomain}/meta/schemas/user/default
+ $schema: http://json-schema.org/draft-04/schema#
+ name: user
+ title: Default Okta User
+ lastUpdated: '2015-09-05T10:40:45.000Z'
+ created: '2015-02-02T10:27:36.000Z'
+ definitions:
+ base:
+ id: '#base'
+ type: object
+ properties:
+ login:
+ title: Username
+ type: string
+ required: true
+ minLength: 5
+ maxLength: 100
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ firstName:
+ title: First name
+ type: string
+ required: true
+ minLength: 1
+ maxLength: 50
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ lastName:
+ title: Last name
+ type: string
+ required: true
+ minLength: 1
+ maxLength: 50
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ email:
+ title: Primary email
+ type: string
+ required: true
+ format: email
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required:
+ - login
+ - firstName
+ - lastName
+ - email
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ description: User's username for twitter.com
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required: []
+ type: object
+ properties:
+ profile:
+ allOf:
+ - $ref: '#/definitions/base'
+ - $ref: '#/definitions/custom'
+ VerifiedEmailDomainResponse:
+ value:
+ id: OeD114iNkrcN6aR680g4
+ validationStatus: VERIFIED
+ displayName: IT Admin
+ userName: noreply
+ domain: example.com
+ validationSubdomain: mail
+ dnsValidationRecords:
+ - recordType: TXT
+ fqdn: _oktaverification.example.com
+ verificationValue: 759080212bda43e3bc825a7d73b4bb64
+ - recordType: CNAME
+ fqdn: mail.example.com
+ verificationValue: u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t02._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t022._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ WSFederationEx:
+ summary: WS_FEDERATION
+ value:
+ name: template_wsfed
+ label: Sample WS-Fed App
+ signOnMode: WS_FEDERATION
+ settings:
+ app:
+ audienceRestriction: urn:example:app
+ groupValueFormat: windowsDomainQualifiedName
+ wReplyURL: https://example.com/
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ siteURL: https://example.com
+ usernameAttribute: username
+ WSFederationPutEx:
+ summary: WS_FEDERATION
+ value:
+ name: template_wsfed
+ label: Sample WS-Fed App updated
+ signOnMode: WS_FEDERATION
+ settings:
+ app:
+ audienceRestriction: urn:exampleupdated:app
+ groupValueFormat: windowsDomainQualifiedName
+ wReplyURL: https://example.com/
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ siteURL: https://example.com
+ usernameAttribute: username
+ WSFederationPutResponseEx:
+ summary: WS_FEDERATION
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_wsfed
+ label: Sample WS-Fed App updated
+ features: []
+ signOnMode: WS_FEDERATION
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU
+ settings:
+ app:
+ groupFilter: null
+ siteURL: https://example.com
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ wReplyOverride: false
+ digestAlgorithm: SHA1
+ usernameAttribute: username
+ signatureAlgorithm: RSA_SHA1
+ audienceRestriction: urn:exampleupdated:app
+ wReplyURL: https://example.com/
+ groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
+ attributeStatements: null
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4
+ groupValueFormat: windowsDomainQualifiedName
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ WSFederationResponseEx:
+ summary: WS_FEDERATION
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_wsfed
+ label: Sample WS-Fed App
+ features: []
+ signOnMode: WS_FEDERATION
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU
+ settings:
+ app:
+ groupFilter: null
+ siteURL: https://example.com
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ wReplyOverride: false
+ digestAlgorithm: SHA1
+ usernameAttribute: username
+ signatureAlgorithm: RSA_SHA1
+ audienceRestriction: urn:example:app
+ wReplyURL: https://example.com/
+ groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
+ attributeStatements: null
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4
+ groupValueFormat: windowsDomainQualifiedName
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ WellKnownAppAuthenticatorConfigurationCustomApp:
+ value:
+ - authenticatorId: aut22f6xzargnJZYE3l7
+ orgId: 00o1vhf34q20MfCFC3l7
+ type: app
+ key: custom_app
+ name: EnergyAus Authenticator
+ createdDate: '2022-10-11T08:56:45.000Z'
+ lastUpdated: '2023-09-07T11:31:35.000Z'
+ settings:
+ userVerification: PREFERRED
+ supportedMethods:
+ - type: push
+ status: ACTIVE
+ settings:
+ algorithms:
+ - RS256
+ - ES256
+ keyProtection: ANY
+ appAuthenticatorEnrollEndpoint: https://{yourOktaDomain}/idp/myaccount/app-authenticators
+ WellKnownOrgMetadataResponseClassic:
+ value:
+ id: 00o5rb5mt2H3d1TJd0h7
+ _links:
+ organization:
+ href: https://{{yourOktaDomain}}
+ pipeline: v1
+ settings:
+ analyticsCollectionEnabled: false
+ bugReportingEnabled: true
+ omEnabled: true
+ WellKnownOrgMetadataResponseCustomUrlOie:
+ value:
+ id: 00o47wwoytgsDqEtz0g7
+ _links:
+ organization:
+ href: https://{yourSubdomain}.okta.com
+ alternate:
+ href: https://{yourCustomDomain}
+ pipeline: idx
+ settings:
+ analyticsCollectionEnabled: false
+ bugReportingEnabled: true
+ omEnabled: false
+ activateOAuth2ClientSecretResponse:
+ summary: Activate Secret response example
+ value:
+ id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ activeAPIServiceIntegrationInstanceSecretResponse:
+ summary: Activate Secret response example
+ value:
+ id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: '***MQGQ'
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ bulkDeletePayload:
+ value:
+ entityType: USERS
+ profiles:
+ - externalId: EXT123456784C2IF
+ - externalId: EXT123456784C3IF
+ - externalId: EXT123456784C4IF
+ bulkUpsertPayload:
+ value:
+ entityType: USERS
+ profiles:
+ - externalId: EXT123456784C2IF
+ profile:
+ userName: isaac.brock@example.com
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ secondEmail: isaac2.brock@example.com
+ mobilePhone: 123-456-7890
+ homeAddress: Kirkland, WA
+ cloud-rule:
+ summary: Global session policy - Challenge cloud users
+ description: This global session policy uses a rule to challenge cloud users
+ value:
+ type: SIGN_ON
+ name: Challenge Cloud Users
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include: []
+ exclude: []
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ cloud-rule-response:
+ summary: Global session policy - Challenge cloud users
+ description: The response body from the creation of a global session policy that uses a rule to challenge cloud users
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ type: SIGN_ON
+ name: Challenge Cloud Users
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include: []
+ exclude: []
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ create-auth-policy-rule-condition:
+ summary: Authentication policy - Create rule with conditions
+ description: Creates an authentication policy rule with a conditions object.
+ value:
+ system: false
+ type: ACCESS_POLICY
+ name: Rule with conditions
+ conditions:
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ network:
+ connection: ZONE
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ riskScore:
+ level: ANY
+ people:
+ users:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ include: []
+ groups:
+ include:
+ - 00g9i12jictsYdZdi1d7
+ exclude: []
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ reauthenticateIn: PT2H
+ constraints:
+ - knowledge:
+ reauthenticateIn: PT2H
+ types:
+ - password
+ type: ASSURANCE
+ create-auth-policy-rule-condition-response:
+ summary: Authentication policy - Policy rule with conditions
+ description: The response body from the creation of an authentication policy rule with conditions.
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ name: Rule with conditions
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ groups:
+ include:
+ - 00g9i12jictsYdZdi1d7
+ network:
+ connection: ZONE
+ exclude:
+ - nzo9o4rctwQCJNE6y1d7
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ exclude: []
+ riskScore:
+ level: ANY
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ required: true
+ types:
+ - password
+ reauthenticateIn: PT2H
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ create-group-rule-request-example:
+ summary: Create group rule request example
+ value:
+ type: group_rule
+ name: Engineering group rule
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u22w79JPMEeeuLr0g4
+ groups:
+ exclude: []
+ expression:
+ value: user.role=="Engineer"
+ type: urn:okta:expression:1.0
+ actions:
+ assignUserToGroups:
+ groupIds:
+ - 00gjitX9HqABSoqTB0g3
+ create-user-in-group-request:
+ description: See [Create user in group](/openapi/okta-management/management/tag/User/#create-user--in-group) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ groupIds:
+ - 00g1emaKYZTWRYYRRTSK
+ - 00garwpuyxHaWOkdV0g4
+ create-user-in-group-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-authentication-provider-request:
+ description: Set `activate` parameter to `true`. See [Create user with authentication provider](/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: FEDERATION
+ name: FEDERATION
+ create-user-with-authentication-provider-response:
+ value:
+ id: 00uijntSwJjSHtDY70g3
+ status: ACTIVE
+ created: '2016-01-19T22:02:08.000Z'
+ activated: '2016-01-19T22:02:08.000Z'
+ statusChanged: '2016-01-19T22:02:08.000Z'
+ lastLogin: null
+ lastUpdated: '2016-01-19T22:02:08.000Z'
+ passwordChanged: null
+ profile:
+ login: isaac.brock@example.com
+ firstName: Isaac
+ lastName: Brock
+ mobilePhone: 555-415-1337
+ email: isaac.brock@example.com
+ secondEmail: null
+ credentials:
+ provider:
+ type: FEDERATION
+ name: FEDERATION
+ _links:
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/reset_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/credentials/change_recovery_question
+ method: POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/deactivate
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-imported-hashed-password-request:
+ description: Set `activate` parameter to `true`. See [Create user with imported hashed password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ hash:
+ algorithm: BCRYPT
+ workFactor: 10
+ salt: rwh3vH166HCH/NT9XV5FYu
+ value: qaMqvAPULkbiQzkTCWo5XDcvzpk8Tna
+ create-user-with-imported-hashed-password-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ provider:
+ type: IMPORT
+ name: IMPORT
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-non-default-user-type-request:
+ description: See [Create user with non-default user type](/openapi/okta-management/management/tag/User/#create-user-with-non-default-user-type) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ type:
+ id: otyfnjfba4ye7pgjB0g4
+ create-user-with-non-default-user-type-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ type:
+ id: otyfnjfba4ye7pgjB0g4
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscfnjfba4ye7pgjB0g4
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otyfnjfba4ye7pgjB0g4
+ create-user-with-password-and-recovery-question-request:
+ description: See [Create user with password and recovery question](/openapi/okta-management/management/tag/User/#create-user-with-password-and-recovery-question) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ value: tlpWENT2m
+ recovery_question:
+ question: Who is a major player in the cowboy scene?
+ answer: Annie Oakley
+ create-user-with-password-and-recovery-question-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-password-import-inline-hook-request:
+ description: Set `activate` parameter to `true`. See [Create user with password inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-inline-hook) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ hook:
+ type: default
+ create-user-with-password-import-inline-hook-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ provider:
+ type: IMPORT
+ name: IMPORT
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-password-request:
+ description: Set `activate` parameter to `true`. See [Create user with password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ value: tlpWENT2m
+ create-user-with-password-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-recovery-question-request:
+ description: See [Create user with recovery question](/openapi/okta-management/management/tag/User/#create-user-with-recovery-question) for description.
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ recovery_question:
+ question: Who is a major player in the cowboy scene?
+ answer: Annie Oakley
+ create-user-with-recovery-question-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-without-credentials-request:
+ value:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ create-user-without-credentials-response:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ createOAuth2ClientSecretCustomRequestBody:
+ summary: Add a user provided client secret
+ value:
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ status: ACTIVE
+ createOAuth2ClientSecretSystemGeneratedRequestBody:
+ summary: Add a system-generated client secret
+ value: {}
+ deactivateOAuth2ClientJsonWebKeyResponse:
+ summary: Deactivate JSON Web Key example
+ value:
+ id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: INACTIVE
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ deactivateOAuth2ClientSecretResponse:
+ summary: Deactivate Secret response example
+ value:
+ id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ deny-rule:
+ summary: Global session policy - Deny users
+ description: This global session policy uses a rule to deny users
+ value:
+ type: SIGN_ON
+ name: Deny users
+ conditions:
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ access: DENY
+ requireFactor: false
+ deny-rule-response:
+ summary: Global session policy - Deny users
+ description: The response body from the creation of a global session policy that uses a rule to deny users
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ type: SIGN_ON
+ name: Deny
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: ANY
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: DENY
+ requireFactor: false
+ primaryFactor: PASSWORD_IDP
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 120
+ maxSessionLifetimeMinutes: 0
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ editFeatureExample:
+ summary: Enable Okta Personal admin settings
+ value:
+ enableExportApps: true
+ enableEnduserEntryPoints: true
+ getBlockListExample:
+ summary: List of blocked email domains
+ value:
+ domains:
+ - yahoo.com
+ - google.com
+ group-example:
+ summary: Group example
+ description: Example of a Group
+ value:
+ id: 00g1emaKYZTWRYYRRTSK
+ created: '2015-02-06T10:11:28.000Z'
+ lastUpdated: '2015-10-05T19:16:43.000Z'
+ lastMembershipUpdated: '2015-11-28T19:15:32.000Z'
+ objectClass:
+ - okta:user_group
+ type: OKTA_GROUP
+ profile:
+ name: West Coast Users
+ description: All Users West of The Rockies
+ _links:
+ logo:
+ - name: medium
+ href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png
+ type: image/png
+ - name: large
+ href: https://{yourOktaDomain}/img/logos/groups/okta-large.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users
+ apps:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps
+ group-rule-example:
+ summary: Group rule example
+ description: Example of a group rule
+ value:
+ type: group_rule
+ id: 0pr3f7zMZZHPgUoWO0g4
+ status: INACTIVE
+ name: Engineering group rule
+ created: '2016-12-01T14:40:04.000Z'
+ lastUpdated: '2016-12-01T14:40:04.000Z'
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u22w79JPMEeeuLr0g4
+ groups:
+ exclude: []
+ expression:
+ value: user.role=="Engineer"
+ type: urn:okta:expression:1.0
+ actions:
+ assignUserToGroups:
+ groupIds:
+ - 00gjitX9HqABSoqTB0g3
+ idp-discovery-dynamic-routing-rule:
+ summary: IdP discovery policy - Dynamic routing rule
+ description: This routing rule uses a dynamic Identity Provider.
+ value:
+ name: Dynamic routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers: []
+ idpSelectionType: DYNAMIC
+ matchCriteria:
+ - providerExpression: login.identifier.substringAfter('@')
+ propertyName: name
+ system: false
+ type: IDP_DISCOVERY
+ idp-discovery-dynamic-routing-rule-response:
+ summary: IdP discovery policy - Dynamic routing rule
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: Dynamic routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers: []
+ idpSelectionType: DYNAMIC
+ matchCriteria:
+ - providerExpression: login.identifier.substringAfter('@')
+ propertyName: name
+ system: false
+ type: IDP_DISCOVERY
+ idp-discovery-policy-response:
+ summary: IDP_DISCOVERY
+ value:
+ type: IDP_DISCOVERY
+ id: policyId
+ status: ACTIVE
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
+ hints:
+ allow:
+ - POST
+ - GET
+ idp-discovery-specific-routing-rule:
+ summary: IdP discovery policy - Specific routing rule
+ description: This routing rule uses a specific Identity Provider.
+ value:
+ name: Specific routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers:
+ - type: GOOGLE
+ id: 0oa5ks3WmHLRh8Ivr0g4
+ idpSelectionType: SPECIFIC
+ system: false
+ type: IDP_DISCOVERY
+ idp-discovery-specific-routing-rule-response:
+ summary: IdP discovery policy - Specific routing rule
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: Specific routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers:
+ - type: GOOGLE
+ id: 0oa5ks3WmHLRh8Ivr0g4
+ idpSelectionType: SPECIFIC
+ system: false
+ type: IDP_DISCOVERY
+ inactiveAPIServiceIntegrationInstanceSecretResponse:
+ summary: Deactivate Secret response example
+ value:
+ id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: '***DhOW'
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ list-all-idp-discovery-policy-rule-response:
+ summary: IDP_DISCOVERY
+ value:
+ - id: 0prgu3bb10hce267M1d7
+ status: ACTIVE
+ name: Test rule
+ priority: 1
+ created: '2024-08-27T19:51:15.000Z'
+ lastUpdated: '2024-08-27T19:51:15.000Z'
+ system: true
+ conditions:
+ network:
+ connection: ANYWHERE
+ platform:
+ include: []
+ exclude: []
+ userIdentifier:
+ patterns: []
+ app:
+ include: []
+ exclude: []
+ actions:
+ idp:
+ providers:
+ - type: OKTA
+ idpSelectionType: SPECIFIC
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ type: IDP_DISCOVERY
+ list-all-mfa-enroll-policy-rule-response:
+ summary: MFA_ENROLL
+ value:
+ - id: 0prgu3g4mon9ARm9F1d7
+ status: ACTIVE
+ name: Test Rule
+ priority: 1
+ created: '2024-08-27T19:51:39.000Z'
+ lastUpdated: '2024-08-27T19:51:39.000Z'
+ system: true
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ enroll:
+ self: CHALLENGE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ type: MFA_ENROLL
+ list-all-password-policy-rule-response:
+ summary: PASSWORD
+ value:
+ - id: 0prgu3baytQGHuVEv1d7
+ status: ACTIVE
+ name: Test Rule
+ priority: 1
+ created: '2024-08-27T19:51:11.000Z'
+ lastUpdated: '2024-08-27T19:51:17.000Z'
+ system: true
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: DENY
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ type: PASSWORD
+ list-all-profile-enrollment-policy-rule-response:
+ summary: PROFILE_ENROLLMENT
+ value:
+ - id: rulgu3bb4oWR7qbMi1d7
+ status: ACTIVE
+ name: Test Rule
+ priority: 99
+ created: '2024-08-27T19:51:18.000Z'
+ lastUpdated: '2024-08-27T19:51:22.000Z'
+ system: true
+ conditions: null
+ actions:
+ profileEnrollment:
+ access: ALLOW
+ preRegistrationInlineHooks: null
+ profileAttributes:
+ - name: email
+ label: Email
+ required: true
+ - name: firstName
+ label: First name
+ required: true
+ - name: lastName
+ label: Last name
+ required: true
+ targetGroupIds: null
+ unknownUserAction: DENY
+ activationRequirements:
+ emailVerification: true
+ uiSchemaId: uisgu3bb4zTbvwD8S1d7
+ progressiveProfilingAction: DISABLED
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ type: PROFILE_ENROLLMENT
+ list-all-sign-on-policy-rule-response:
+ summary: OKTA_SIGN_ON
+ value:
+ - id: 0prh1sd28q5sXGW08697
+ status: ACTIVE
+ name: Test rule
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ requireFactor: false
+ factorPromptMode: ALWAYS
+ factorLifetime: 15
+ access: ALLOW
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ session:
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ usePersistentCookie: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - POST
+ type: SIGN_ON
+ list-apps-example:
+ summary: List apps example
+ description: List all apps example
+ value:
+ - id: 0oafwvZDWJKVLDCUWUAC
+ name: template_basic_auth
+ label: Sample Basic Auth App
+ status: ACTIVE
+ lastUpdated: '2013-09-30T00:56:52.000Z'
+ created: '2013-09-30T00:56:52.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BASIC_AUTH
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ url: https://example.com/login.html
+ authURL: https://example.com/auth.html
+ _links:
+ appLinks:
+ - href: https://{yourOktaDomain}/home/template_basic_auth/0oafwvZDWJKVLDCUWUAC/1438
+ name: login
+ type: text/html
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/lifecycle/deactivate
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/groups
+ list-group-rules-example:
+ summary: List Group rules example
+ description: List all group rules example
+ value:
+ - type: group_rule
+ id: 0pr3f7zMZZHPgUoWO0g4
+ status: INACTIVE
+ name: Engineering group rule
+ created: '2016-12-01T14:40:04.000Z'
+ lastUpdated: '2016-12-01T14:40:04.000Z'
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u22w79JPMEeeuLr0g4
+ groups:
+ exclude: []
+ expression:
+ value: user.role=="Engineer"
+ type: urn:okta:expression:1.0
+ actions:
+ assignUserToGroups:
+ groupIds:
+ - 00gjitX9HqABSoqTB0g3
+ list-groups-examples:
+ summary: List all groups example
+ description: Lists an example of an OKTA_GROUP and an APP_GROUP
+ value:
+ - id: 00g1emaKYZTWRYYRRTSK
+ created: '2015-02-06T10:11:28.000Z'
+ lastUpdated: '2015-10-05T19:16:43.000Z'
+ lastMembershipUpdated: '2015-11-28T19:15:32.000Z'
+ objectClass:
+ - okta:user_group
+ type: OKTA_GROUP
+ profile:
+ name: West Coast Users
+ description: All Users West of The Rockies
+ _links:
+ logo:
+ - name: medium
+ href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png
+ type: image/png
+ - name: large
+ href: https://{yourOktaDomain}/img/logos/groups/okta-large.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users
+ apps:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps
+ - id: 00garwpuyxHaWOkdV0g4
+ created: '2015-08-15T19:15:17.000Z'
+ lastUpdated: '2015-11-18T04:02:19.000Z'
+ lastMembershipUpdated: '2015-08-15T19:15:17.000Z'
+ objectClass:
+ - okta:windows_security_principal
+ type: APP_GROUP
+ profile:
+ name: Engineering Users
+ description: corp.example.com/Engineering/Engineering Users
+ groupType: Security
+ samAccountName: Engineering Users
+ objectSid: S-1-5-21-717838489-685202119-709183397-1177
+ groupScope: Global
+ dn: CN=Engineering Users,OU=Engineering,DC=corp,DC=example,DC=com
+ windowsDomainQualifiedName: CORP\Engineering Users
+ externalId: OZJdWdONCU6h7WjQKp+LPA==
+ source:
+ id: 0oa2v0el0gP90aqjJ0g7
+ _links:
+ logo:
+ - name: medium
+ href: https://{yourOktaDomain}/img/logos/groups/active_directory-medium.png
+ type: image/png
+ - name: large
+ href: https://{yourOktaDomain}/img/logos/groups/active_directory-large.png
+ type: image/png
+ source:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa2v0el0gP90aqjJ0g7
+ users:
+ href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/users
+ apps:
+ href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/apps
+ list-user-example:
+ value:
+ - id: 00u1f96ECLNVOKVMUSEA
+ status: ACTIVE
+ created: '2013-12-12T16:14:22.000Z'
+ activated: '2013-12-12T16:14:22.000Z'
+ statusChanged: '2013-12-12T22:14:22.000Z'
+ lastLogin: '2013-12-12T22:14:22.000Z'
+ lastUpdated: '2015-11-15T19:23:32.000Z'
+ passwordChanged: '2013-12-12T22:14:22.000Z'
+ profile:
+ firstName: Easy
+ lastName: E
+ email: easy-e@example.com
+ login: easy-e@example.com
+ mobilePhone: null
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA
+ listStreamConfigurationExample:
+ summary: List of SSF Stream configurations example
+ value:
+ - aud: https://example.com
+ delivery:
+ method: urn:ietf:rfc:8935
+ endpoint_url: https://example.com
+ events_delivered:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_requested:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_supported:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ format: iss_sub
+ iss: https://{yourOktaDomain}
+ min_verification_interval: 0
+ stream_id: esc1k235GIIztAuGK0g5
+ mfa-enroll-policy-response:
+ summary: MFA_ENROLL
+ value:
+ type: MFA_ENROLL
+ id: policyId
+ status: ACTIVE
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions:
+ people:
+ groups:
+ include:
+ - groupId
+ settings:
+ factors:
+ okta_otp:
+ enroll:
+ self: OPTIONAL
+ consent:
+ type: NONE
+ okta_push:
+ enroll:
+ self: OPTIONAL
+ consent:
+ type: NONE
+ okta_password:
+ enroll:
+ self: OPTIONAL
+ consent:
+ type: NONE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
+ hints:
+ allow:
+ - POST
+ - GET
+ newAPIServiceIntegrationInstanceSecretResponse:
+ summary: New secret response example
+ value:
+ id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B
+ secret_hash: FpCwXwSjTRQNtEI11I00-g
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ oAuth2ClientSecretResponse:
+ summary: Client secret response example
+ value:
+ id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: FpCwXwSjTRQNtEI11I00-g
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ oAuthClientJsonWebKey:
+ summary: JSON Web Key example
+ value:
+ id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: ACTIVE
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ oAuthClientJsonWebKeyListResponse:
+ summary: JSON Web Key list response example
+ value:
+ jwks:
+ keys:
+ - id: pks2f4zrZbs8nUa7p0g4
+ kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=
+ status: INACTIVE
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ - id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: ACTIVE
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ oAuthClientJsonWebKeyRequest:
+ summary: JSON Web Key Request example
+ value:
+ id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: ACTIVE
+ oAuthClientSecretListResponse:
+ summary: Secrets list response example
+ value:
+ - id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ - id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: HAGDTYU9XbLnS......3xasFDDwecdZuFs5B
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ oamp-id-proofing-policy-rule:
+ summary: Account Management Policy - Account management policy rule with ID proofing enabled
+ description: This account management policy rule enables ID proofing for enrollment processes
+ value:
+ id: ruleId
+ name: Account Management Policy Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ id: entity_id
+ type: ID_PROOFING
+ oamp-id-proofing-policy-rule-response:
+ summary: Account Management Policy - Account management policy rule with ID proofing enabled
+ description: This account management policy rule response enables ID proofing for enrollment processes
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: Account Management Policy Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ id: entity_id
+ type: ID_PROOFING
+ orgCommunicationOptInResponse:
+ summary: Opt in to communication emails
+ value:
+ optOutEmailUsers: false
+ _links:
+ optOut:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optOut
+ hints:
+ allow:
+ - POST
+ orgCommunicationOptOutResponse:
+ summary: Opt out of communication emails
+ value:
+ optOutEmailUsers: true
+ _links:
+ optIn:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optIn
+ hints:
+ allow:
+ - POST
+ orgContactTypeResponse:
+ summary: Org Contact Types
+ value:
+ - contactType: BILLING
+ _links:
+ billing:
+ href: https://{yourOktaDomain}/api/v1/org/contacts/billing
+ - contactType: TECHNICAL
+ _links:
+ technical:
+ href: https://{yourOktaDomain}/api/v1/org/contacts/technical
+ orgContactUserResponse:
+ summary: Contact User
+ value:
+ userId: 00ux3u0ujW1r5AfZC1d7
+ _links:
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ux3u0ujW1r5AfZC1d7
+ orgHideFooterPrefResponse:
+ summary: Hide footer response
+ value:
+ showEndUserFooter: false
+ _links:
+ showEndUserFooter:
+ href: https://{yourOktaDomain}/api/v1/org/preferences/showEndUserFooter
+ hints:
+ allow:
+ - POST
+ orgShowFooterPrefResponse:
+ summary: Show footer response
+ value:
+ showEndUserFooter: true
+ _links:
+ hideEndUserFooter:
+ href: https://{yourOktaDomain}/api/v1/org/preferences/hideEndUserFooter
+ hints:
+ allow:
+ - POST
+ orgSupportSettingsResponse:
+ summary: Org Support Settings
+ value:
+ support: ENABLED
+ expiration: '2024-01-24T11:13:14.000Z'
+ _links:
+ extend:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/extend
+ hints:
+ allow:
+ - POST
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/revoke
+ hints:
+ allow:
+ - POST
+ orgSupportSettingsRevokeResponse:
+ summary: Revoked Org Support
+ value:
+ support: DISABLED
+ expiration: null
+ _links:
+ grant:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/grant
+ hints:
+ allow:
+ - POST
+ password-policy-response:
+ summary: PASSWORD
+ value:
+ type: PASSWORD
+ id: policyId
+ status: ACTIVE
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions:
+ people:
+ groups:
+ include:
+ - groupId
+ authProvider:
+ provider: provider
+ settings:
+ password:
+ complexity:
+ minLength: 8
+ minLowerCase: 1
+ minUpperCase: 1
+ minNumber: null
+ minSymbol: 0
+ excludeUsername: true
+ dictionary:
+ common:
+ exclude: false
+ excludeAttributes: []
+ age:
+ maxAgeDays: 0
+ expireWarnDays: 0
+ minAgeMinutes: 0
+ historyCount: 4
+ lockout:
+ maxAttempts: 0
+ autoUnlockMinutes: 0
+ userLockoutNotificationChannels: []
+ showLockoutFailures: false
+ recovery:
+ factors:
+ recovery_question:
+ status: ACTIVE
+ properties:
+ complexity:
+ complexity: 4
+ okta_email:
+ status: ACTIVE
+ properties:
+ recoveryToken:
+ tokenLifetimeMinutes: 10080
+ okta_sms:
+ status: INACTIVE
+ okta_call:
+ status: INACTIVE
+ delegation:
+ options:
+ skipUnlock: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
+ hints:
+ allow:
+ - POST
+ - GET
+ policy-mapping-list-response:
+ summary: List all Mappings for a policy
+ value:
+ - id: policyId
+ _links:
+ application:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ policy:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ policy-mapping-response:
+ summary: Policy Mapping for a Policy
+ value:
+ id: policyId
+ _links:
+ application:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ policy:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ postAPIServiceIntegrationRequest:
+ value:
+ type: my_app_cie
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
+ postAPIServiceIntegrationResponse:
+ summary: Post response example
+ value:
+ id: 0oa72lrepvp4WqEET1d9
+ type: my_app_cie
+ name: My App Cloud Identity Engine
+ createdAt: '2023-02-21T20:08:24.000Z'
+ createdBy: 00uu3u0ujW1P6AfZC2d5
+ clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg
+ configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
+ _links:
+ self:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ logo:
+ name: small
+ href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
+ profile-enrollment-policy-response:
+ summary: PROFILE_ENROLLMENT
+ value:
+ type: PROFILE_ENROLLMENT
+ id: policyId
+ status: ACTIVE
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
+ hints:
+ allow:
+ - POST
+ - GET
+ radius-rule:
+ summary: Global session policy - Challenge VPN users with Radius
+ description: This global session policy uses a rule to challenge VPN users with Radius
+ value:
+ type: SIGN_ON
+ status: ACTIVE
+ name: Challenge VPN users
+ conditions:
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: RADIUS
+ people:
+ users:
+ exclude: []
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ radius-rule-response:
+ summary: Global session policy - Challenge VPN users with Radius
+ description: The response body from the creation of a global session policy that uses a rule to challenge VPN users with Radius
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ type: SIGN_ON
+ name: Challenge VPN users
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: RADIUS
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ replace-user-request:
+ value:
+ credentials:
+ password:
+ value: tlpWENT2m
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ answer: Annie Oakley
+ provider:
+ type: OKTA
+ name: OKTA
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ settingsResponseBaseEx:
+ value:
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ sign-on-policy-rule:
+ summary: Sign-on policy - Rule with factor mode always
+ description: Sign-on policy rule with a factor mode always
+ value:
+ type: SIGN_ON
+ name: Test Sign On
+ conditions:
+ network:
+ connection: ANYWHERE
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ requireFactor: false
+ factorPromptMode: ALWAYS
+ factorLifetime: 15
+ access: ALLOW
+ session:
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ usePersistentCookie: false
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ sign-on-policy-rule-response:
+ summary: Sign-on policy - Rule with factor mode always
+ description: Sign-on policy rule with a factor mode always
+ value:
+ type: SIGN_ON
+ name: Test Sign On
+ id: 0prh1sd28q5sXGW08697
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ authContext:
+ authType: ANY
+ people:
+ users:
+ exclude: []
+ actions:
+ signon:
+ requireFactor: false
+ factorPromptMode: ALWAYS
+ factorLifetime: 15
+ access: ALLOW
+ session:
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ usePersistentCookie: false
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ skip-factor-challenge-on-prem-rule:
+ summary: Global session policy - Skip factor challenge for on-prem sign-in use
+ description: This global session policy uses a rule to skip factor challenge for on-prem sign-in use
+ value:
+ type: SIGN_ON
+ status: ACTIVE
+ name: Skip Factor Challenge when On-Prem
+ conditions:
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: false
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ skip-factor-challenge-on-prem-rule-response:
+ summary: Global session policy - Skip factor challenge for on-prem sign-in use
+ description: The response body from the creation of a global session policy that uses a rule to skip the factor challenge for on-prem sign-in use
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ name: Skip Factor Challenge when On-Prem
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ people:
+ users:
+ exclude: []
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: false
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ type: SIGN_ON
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ sspr-enabled-OAMP:
+ summary: Password policy - SSPR with Okta account management policy
+ description: This policy defers to the Okta account management policy to define SSPR authentication requirements.
+ value:
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ accessControl: AUTH_POLICY
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-OAMP-response:
+ summary: Password policy - SSPR with access control set to Okta account management policy
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ accessControl: AUTH_POLICY
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-OAMP-update:
+ summary: Password policy - SSPR with Okta account management policy
+ description: This policy defers to the Okta account management policy to define SSPR authentication requirements.
+ value:
+ id: ruleId
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ accessControl: AUTH_POLICY
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-no-step-up:
+ summary: Password policy - SSPR with no step up
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required.
+ value:
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-no-step-up-response:
+ summary: Password policy - SSPR with no step up
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-no-step-up-update:
+ summary: Password policy - SSPR with no step up
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required.
+ value:
+ id: ruleId
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sq-step-up:
+ summary: Password policy - SSPR with security question as step-up auth
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are the initial authenticators, and the secondary authentication is a security question.
+ value:
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ methods:
+ - security_question
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sq-step-up-response:
+ summary: Password policy - SSPR with security question as step up
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ methods:
+ - security_question
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sq-step-up-update:
+ summary: Password policy - SSPR with security question as step up
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question.
+ value:
+ id: ruleId
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ methods:
+ - security_question
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sso-step-up:
+ summary: Password policy - SSPR with any SSO authenticator as step up
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator.
+ value:
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sso-step-up-response:
+ summary: Password policy - SSPR with any SSO authenticator as step up
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sso-step-up-update:
+ summary: Password policy - SSPR with any SSO authenticator as step up
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator.
+ value:
+ id: ruleId
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sso-step-up-with-constraints:
+ summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint
+ description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google.
+ value:
+ id: ruleId
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ - otp
+ methodConstraints:
+ - method: otp
+ allowedAuthenticators:
+ - key: google_otp
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sso-step-up-with-constraints-response:
+ summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint
+ value:
+ id: ruleId
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ - otp
+ methodConstraints:
+ - method: otp
+ allowedAuthenticators:
+ - key: google_otp
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-sso-step-up-with-constraints-update:
+ summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint
+ description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google.
+ value:
+ id: ruleId
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ - otp
+ methodConstraints:
+ - method: otp
+ allowedAuthenticators:
+ - key: google_otp
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ streamConfigurationExample:
+ summary: SSF Stream configuration example
+ value:
+ aud: https://example.com
+ delivery:
+ method: urn:ietf:rfc:8935
+ endpoint_url: https://example.com
+ events_delivered:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_requested:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_supported:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ format: iss_sub
+ iss: https://{yourOktaDomain}
+ min_verification_interval: 0
+ stream_id: esc1k235GIIztAuGK0g5
+ twofa-enabled-disallow-password-allow-phishing:
+ summary: Authentication policy - 2FA with granular authentication
+ description: This two-factor authentication policy uses a rule to disallow passwords and require phishing resistance for possession authenticators for authentication.
+ value:
+ name: Passwordless 2FA
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ possession:
+ deviceBound: REQUIRED
+ phishingREsistant: REQUIRED
+ type: ACCESS_POLICY
+ twofa-enabled-disallow-password-allow-phishing-response:
+ summary: Authentication policy - 2FA with granular authentication
+ description: The rule from a two-factor authentication policy that disallows passwords and requires phishing resistance
+ value:
+ id: rul7yut96gmsOzKAA1d6
+ status: ACTIVE
+ name: Passwordless 2FA
+ priority: 0
+ created: '2023-05-01T21:13:15.000Z'
+ lastUpdated: '2023-05-01T21:13:15.000Z'
+ system: false
+ conditions: null
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ required: false
+ possession:
+ deviceBound: REQUIRED
+ phishingREsistant: REQUIRED
+ required: true
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ twofa-enabled-post-auth-kmsi-disabled:
+ summary: Authentication policy - 2FA with granular authentication (KMSI disabled)
+ description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication.
value:
- - name: My API Token
- userId: 00uabcdefg1234567890
- tokenWindow: P30D
- id: 00Tabcdefg1234567890
- clientName: Okta API
- expiresAt: 2021-12-11T20:38:10.000Z
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ name: 2FA with Post Auth KMSI prompt disabled
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ keepMeSignedIn:
+ postAuth: NOT_ALLOWED
+ type: ACCESS_POLICY
+ twofa-enabled-post-auth-kmsi-disabled-response:
+ summary: Authentication policy - 2FA with granular authentication (KMSI disabled)
+ description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication.
+ value:
+ id: rul7yut96gmsOzKAA1d6
+ status: ACTIVE
+ name: 2FA with Post Auth KMSI prompt disabled
+ priority: 0
+ created: '2023-05-01T21:13:15.000Z'
+ lastUpdated: '2023-05-01T21:13:15.000Z'
+ system: false
+ conditions: null
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ required: true
+ keepMeSignedIn:
+ postAuth: NOT_ALLOWED
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ twofa-enabled-post-auth-kmsi-enabled:
+ summary: Authentication policy - 2FA with granular authentication (KMSI enabled)
+ description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication.
+ value:
+ name: 2FA with Post Auth KMSI prompt enabled
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ keepMeSignedIn:
+ postAuth: ALLOWED
+ postAuthPromptFrequency: P30D
+ twofa-enabled-post-auth-kmsi-enabled-response:
+ summary: Authentication policy - 2FA with granular authentication (KMSI enabled)
+ description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication.
+ value:
+ id: rul7yut96gmsOzKAA1d6
+ status: ACTIVE
+ name: 2FA with Post Auth KMSI prompt enabled
+ priority: 0
+ created: '2023-05-01T21:13:15.000Z'
+ lastUpdated: '2023-05-01T21:13:15.000Z'
+ system: false
+ conditions: null
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ required: true
+ keepMeSignedIn:
+ postAuth: ALLOWED
+ postAuthPromptFrequency: PT720H
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ update-auth-policy-rule-condition:
+ summary: Authentication policy - Update rule with conditions
+ description: Updates the conditions object on the request body of an authentication policy rule.
+ value:
+ type: ACCESS_POLICY
+ name: Rule with conditions - exclude a group
+ description: Updated policy rule
+ conditions:
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ network:
+ connection: ZONE
+ exclude:
+ - nzo9o4rctwQCJNE6y1d7
+ riskScore:
+ level: ANY
+ people:
+ users:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ include: []
+ groups:
+ include: []
+ exclude:
+ - 00g8vta8qzkxPEfKC1d7
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ update-auth-policy-rule-condition-response:
+ summary: Authentication policy - Update rule with conditions
+ description: The response body from an updated conditions object of an authentication policy rule.
+ value:
+ id: rulezuo73ySrHndLb1d7
+ status: ACTIVE
+ name: Rule with conditions - exclude a group
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ exclude: []
+ groups:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ network:
+ connection: ZONE
+ exclude:
+ - nzo9o4rctwQCJNE6y1d7
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ exclude: []
+ riskScore:
+ level: ANY
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ required: true
+ types:
+ - password
+ reauthenticateIn: PT2H
+ type: ACCESS_POLICY
_links:
self:
- href: https://${yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
- hints:
- allow:
- - GET
- - DELETE
- user:
- href: https://${yourOktaDomain}/api/v1/users/00uabcdefg1234567890
- hints:
- allow:
- - GET
- - name: Another API Token
- userId: 00uabcdefg1234567890
- tokenWindow: PT5M
- id: 00T1234567890abcdefg
- clientName: Okta API
- expiresAt: 2021-11-11T20:43:10.000Z
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
- _links:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ update-user-profile-request:
+ value:
+ profile:
+ firstName: Isaac
+ email: isaac.brock@update.example.com
+ mobilePhone: 555-415-1337
+ update-user-set-password-request:
+ value:
+ credentials:
+ password:
+ value: uTVM,TPw55
+ update-user-set-recovery-question-and-answer:
+ value:
+ credentials:
+ recovery_question:
+ question: How many roads must a man walk down?
+ answer: forty two
+ user-example:
+ summary: User example
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-06-24T16:39:18.000Z'
+ activated: '2013-06-24T16:39:19.000Z'
+ statusChanged: '2013-06-24T16:39:19.000Z'
+ lastLogin: '2013-06-24T17:39:19.000Z'
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ login: isaac.brock@example.com
+ firstName: Isaac
+ lastName: Brock
+ nickName: issac
+ displayName: Isaac Brock
+ email: isaac.brock@example.com
+ secondEmail: isaac@example.org
+ profileUrl: http://www.example.com/profile
+ preferredLanguage: en-US
+ userType: Employee
+ organization: Okta
+ title: Director
+ division: R&D
+ department: Engineering
+ costCenter: '10'
+ employeeNumber: '187'
+ mobilePhone: +1-555-415-1337
+ primaryPhone: +1-555-514-1337
+ streetAddress: 301 Brannan St.
+ city: San Francisco
+ state: CA
+ zipCode: '94107'
+ countryCode: US
+ credentials:
+ password: {}
+ recovery_question:
+ question: What's my childhood elementary school?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA
+ userNameTemplateResponseBaseEx:
+ value:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ wellKnownSSFMetadataExample:
+ summary: Well-Known SSF Metadata example
+ value:
+ configuration_endpoint: https://{yourOktaDomain}/api/v1/ssf/stream
+ delivery_methods_supported:
+ - https://schemas.openid.net/secevent/risc/delivery-method/push
+ - urn:ietf:rfc:8935
+ issuer: https://{yourOktaDomain}
+ jwks_uri: https://{yourOktaDomain}/oauth2/v1/keys
+ parameters:
+ OktaResponse:
+ name: Content-Type
+ in: header
+ description: |-
+ Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization.
+
+ Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.
+
+ Enum values for `okta-response`:
+ * `omitCredentials`: Omits the credentials subobject from the response.
+ * `omitCredentialsLinks`: Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock.
+ * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response.
+ required: false
+ schema:
+ type: string
+ examples:
+ Omit credentials subobject and credentials links:
+ value: application/json; okta-response=omitCredentials,omitCredentialsLinks
+ summary: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization.
+ Omit credentials, credentials links, and `transitioningToStatus` field:
+ value: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus"
+ summary: Omits the credentials, credentials links, and `transitioningToStatus` field from the response. Applies performance optimization.
+ UISchemaId:
+ name: id
+ description: The unique ID of the UI Schema
+ in: path
+ required: true
+ schema:
+ type: string
+ example: uis4a7liocgcRgcxZ0g7
+ appInstanceId:
+ name: appInstanceId
+ in: path
+ description: ID of the AD AppInstance in Okta
+ schema:
+ type: string
+ required: true
+ assignmentId:
+ name: assignmentId
+ description: '`id` of the Realm Assignment'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: rul2jy7jLUlnO3ng00g4
+ authenticatorEnrollmentId:
+ name: authenticatorEnrollmentId
+ in: path
+ required: true
+ description: ID for a WebAuthn Preregistration Factor in Okta
+ schema:
+ type: string
+ domain:
+ name: domain
+ in: path
+ description: The okta domain name of your org or one of your custom domains
+ required: true
+ schema:
+ type: string
+ inlineHookType:
+ name: type
+ description: One of the supported inline hook types
+ in: query
+ schema:
+ type: string
+ enum:
+ - com.okta.import.transform
+ - com.okta.oauth2.tokens.transform
+ - com.okta.saml.tokens.transform
+ - com.okta.user.credential.password.import
+ - com.okta.user.pre-registration
+ - com.okta.telephony.provider
+ limitParameter:
+ name: limit
+ in: query
+ schema:
+ type: string
+ description: Defines the number of policy rules returned. See [Pagination](https://developer.okta.com/docs/api/#pagination).
+ pathApiServiceId:
+ name: apiServiceId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: '`id` of the API Service Integration instance'
+ example: 000lr2rLjZ6NsGn1P0g3
+ pathApiTokenId:
+ name: apiTokenId
+ in: path
+ schema:
+ type: string
+ example: 00Tabcdefg1234567890
+ required: true
+ description: id of the API Token
+ pathAppId:
+ name: appId
+ description: Application ID
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 0oafxqCAJWWGELFTYASJ
+ pathAppName:
+ name: appName
+ description: Application name for the app type
+ in: path
+ required: true
+ schema:
+ type: string
+ example: oidc_client
+ pathAppUserId:
+ name: userId
+ description: ID of an existing Okta user
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 00u13okQOVWZJGDOAUVR
+ pathAssociatedServerId:
+ name: associatedServerId
+ description: '`id` of the associated Authorization Server'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: aus6xt9jKPmCyn6kg0g4
+ pathAuthServerId:
+ name: authServerId
+ description: '`id` of the Authorization Server'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: GeGRTEr7f3yu2n7grw22
+ pathAuthenticatorId:
+ name: authenticatorId
+ description: '`id` of the Authenticator'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: aut1nd8PQhGcQtSxB0g4
+ pathBehaviorId:
+ name: behaviorId
+ in: path
+ schema:
+ type: string
+ example: abcd1234
+ required: true
+ description: id of the Behavior Detection Rule
+ pathBrandId:
+ name: brandId
+ in: path
+ required: true
+ schema:
+ type: string
+ description: The ID of the brand
+ pathBundleId:
+ name: bundleId
+ in: path
+ schema:
+ type: string
+ example: 08ab2db568c7c300079fefd0
+ required: true
+ description: The `id` of a bundle
+ pathCaptchaId:
+ name: captchaId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: The unique key used to identify your CAPTCHA instance
+ pathClaimId:
+ name: claimId
+ description: '`id` of Claim'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: hNJ3Uk76xLagWkGx5W3N
+ pathClientId:
+ name: clientId
+ description: '`client_id` of the app'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
+ pathClientSecretId:
+ name: secretId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: Unique `id` of the OAuth 2.0 Client Secret
+ example: ocs2f4zrZbs8nUa7p0g4
+ pathContactType:
+ name: contactType
+ in: path
+ required: true
+ schema:
+ type: string
+ description: Type of contact
+ enum:
+ - BILLING
+ - TECHNICAL
+ example: BILLING
+ pathCredentialKeyId:
+ name: keyId
+ description: '`id` of the certificate key'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk
+ pathCsrId:
+ name: csrId
+ description: '`id` of the CSR'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: fd7x1h7uTcZFx22rU1f7
+ pathCustomizationId:
+ name: customizationId
+ in: path
+ required: true
+ schema:
+ type: string
+ description: The ID of the email customization
+ pathDeviceAssuranceId:
+ in: path
+ name: deviceAssuranceId
+ required: true
+ description: Id of the device assurance policy
+ schema:
+ type: string
+ pathDeviceCheckId:
+ in: path
+ name: deviceCheckId
+ required: true
+ description: Id of the Device Check
+ schema:
+ type: string
+ pathDeviceId:
+ name: deviceId
+ in: path
+ schema:
+ type: string
+ example: guo4a5u7JHHhjXrMK0g4
+ required: true
+ description: '`id` of the device'
+ pathDomainId:
+ name: domainId
+ description: '`id` of the Domain'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: OmWNeywfTzElSLOBMZsL
+ pathEmailDomainId:
+ name: emailDomainId
+ in: path
+ required: true
+ schema:
+ type: string
+ description: The ID of the email domain.
+ pathEmailServerId:
+ name: emailServerId
+ in: path
+ required: true
+ schema:
+ type: string
+ description: ID of your SMTP Server configuration
+ pathEntitlementId:
+ name: entitlementId
+ in: path
+ schema:
+ type: string
+ example: 0obfxqCAJWWGELFTYASJ
+ required: true
+ description: The `id` of a bundle entitlement
+ pathEventHookId:
+ name: eventHookId
+ description: '`id` of the Event Hook'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: who8vt36qfNpCGz9H1e6
+ pathFactorId:
+ name: factorId
+ description: ID of an existing user Factor
+ in: path
+ required: true
+ schema:
+ type: string
+ example: zAgrsaBe0wVGRugDYtdv
+ pathFeatureId:
+ name: featureId
+ description: '`id` of the feature'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: R5HjqNn1pEqWGy48E9jg
+ pathFeatureName:
+ name: featureName
+ description: Name of the Feature
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/ApplicationFeatureType'
+ pathFirstPartyAppName:
+ name: appName
+ description: |
+ The key name for the Okta app.
+ Supported apps:
+ * Okta Admin Console (`admin-console`)
+ in: path
+ required: true
+ schema:
+ type: string
+ example: admin-console
+ pathGrantId:
+ name: grantId
+ description: Grant ID
+ in: path
+ required: true
+ schema:
+ type: string
+ example: iJoqkwx50mrgX4T9LcaH
+ pathGroupId:
+ name: groupId
+ description: The `id` of the group
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 00g1emaKYZTWRYYRRTSK
+ pathGroupRuleId:
+ name: groupRuleId
+ description: The `id` of the group rule
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 0pr3f7zMZZHPgUoWO0g4
+ pathHookKeyId:
+ name: id
+ description: ID of the Hook Key
+ in: path
+ required: true
+ schema:
+ type: string
+ example: XreKU5laGwBkjOTehusG
+ pathId:
+ name: id
+ description: '`id`, `login`, or `login shortname` (as long as it is unambiguous) of a user'
+ in: path
+ required: true
+ schema:
+ type: string
+ pathIdentitySourceId:
+ name: identitySourceId
+ in: path
+ required: true
+ description: The ID of the Identity Source for which the session is created
+ example: 0oa3l6l6WK6h0R0QW0g4
+ schema:
+ type: string
+ pathIdentitySourceSessionId:
+ name: sessionId
+ in: path
+ required: true
+ description: The ID of the Identity Source Session
+ example: aps1qqonvr2SZv6o70h8
+ schema:
+ type: string
+ pathIdpCsrId:
+ name: idpCsrId
+ description: '`id` of the IdP CSR'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 1uEhyE65oV3H6KM9gYcN
+ pathIdpId:
+ name: idpId
+ description: '`id` of IdP'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 0oa62bfdjnK55Z5x80h7
+ pathInlineHookId:
+ name: inlineHookId
+ description: '`id` of the Inline Hook'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: Y7Rzrd4g4xj6WdKzrBHH
+ pathJsonWebKeyId:
+ name: keyId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: Unique `id` of the OAuth 2.0 Client JSON Web Key
+ example: pks2f4zrZbs8nUa7p0g4
+ pathKeyId:
+ name: keyId
+ description: ID of the Key Credential for the application
+ in: path
+ required: true
+ schema:
+ type: string
+ example: sjP9eiETijYz110VkhHN
+ pathKid:
+ name: kid
+ description: Unique `id` of the IdP Key Credential
+ in: path
+ required: true
+ schema:
+ type: string
+ example: KmMo85SSsU7TZzOShcGb
+ pathLifecycle:
+ name: lifecycle
+ description: Whether to `ENABLE` or `DISABLE` the feature
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/FeatureLifecycle'
+ pathLinkedObjectName:
+ name: linkedObjectName
+ description: Primary or Associated name
+ in: path
+ required: true
+ schema:
+ type: string
+ pathLogStreamId:
+ name: logStreamId
+ in: path
+ schema:
+ type: string
+ example: 0oa1orzg0CHSgPcjZ0g4
+ required: true
+ description: Unique identifier for the Log Stream
+ pathLogStreamType:
+ name: logStreamType
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/LogStreamType'
+ pathMappingId:
+ name: mappingId
+ description: '`id` of the Mapping'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: cB6u7X8mptebWkffatKA
+ pathMemberId:
+ name: memberId
+ in: path
+ schema:
+ type: string
+ example: irb1qe6PGuMc7Oh8N0g4
+ required: true
+ description: '`id` of the Member'
+ pathMethodType:
+ name: methodType
+ description: Type of authenticator method
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/AuthenticatorMethodType'
+ pathNotificationType:
+ name: notificationType
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/NotificationType'
+ pathOAuthProvisioningAppName:
+ name: appName
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/OAuthProvisioningEnabledApp'
+ pathOperation:
+ name: operation
+ in: path
+ required: true
+ schema:
+ type: string
+ pathOwnerId:
+ description: The `id` of the group owner
+ name: ownerId
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 00u1emaK22TWRYd3TtG
+ pathPermissionType:
+ name: permissionType
+ in: path
+ schema:
+ type: string
+ example: okta.users.manage
+ required: true
+ description: An okta permission type
+ pathPolicyId:
+ name: policyId
+ description: '`id` of the Policy'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 00plrilJ7jZ66Gn0X0g3
+ pathPolicyMappingId:
+ name: mappingId
+ description: '`id` of the policy resource Mapping'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: maplr2rLjZ6NsGn1P0g3
+ pathPoolId:
+ name: poolId
+ in: path
+ description: Id of the agent pool for which the settings will apply
+ schema:
+ type: string
+ required: true
+ pathPrimaryRelationshipName:
+ name: primaryRelationshipName
+ description: Name of the `primary` relationship being assigned
+ in: path
+ required: true
+ schema:
+ type: string
+ example: manager
+ pathPrimaryUserId:
+ name: primaryUserId
+ description: User ID to be assigned to the `primary` relationship for the `associated` user
+ in: path
+ required: true
+ schema:
+ type: string
+ pathPrincipalRateLimitId:
+ name: principalRateLimitId
+ in: path
+ schema:
+ type: string
+ example: abcd1234
+ required: true
+ description: id of the Principal Rate Limit
+ pathPublicKeyId:
+ name: keyId
+ description: id" of the Public Key
+ in: path
+ required: true
+ schema:
+ type: string
+ example: FcH2P9Eg7wr0o8N2FuV0
+ pathPushProviderId:
+ in: path
+ name: pushProviderId
+ required: true
+ description: Id of the push provider
+ schema:
+ type: string
+ pathQueryRoleExpand:
+ name: expand
+ description: 'An optional parameter used to return targets configured for the standard Role Assignment in the `embedded` property. Supported values: `targets/groups` or `targets/catalog/apps`'
+ in: query
+ required: false
+ schema:
+ type: string
+ examples:
+ groupTarget:
+ value: targets/groups
+ summary: Return Group targets
+ appTarget:
+ value: targets/catalog/apps
+ summary: Return App targets
+ pathRealmId:
+ name: realmId
+ description: '`id` of the Realm'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: vvrcFogtKCrK9aYq3fgV
+ pathRelationshipName:
+ name: relationshipName
+ description: Name of the `primary` or `associated` relationship being queried
+ in: path
+ required: true
+ schema:
+ type: string
+ examples:
+ manager:
+ value: manager
+ summary: Example of a `primary` name
+ subordinate:
+ value: subordinate
+ summary: Example of an `associated` name
+ pathResourceId:
+ name: resourceId
+ in: path
+ schema:
+ type: string
+ example: ire106sQKoHoXXsAe0g4
+ required: true
+ description: '`id` of the Resource'
+ pathResourceSelectorId:
+ name: resourceSelectorId
+ in: path
+ schema:
+ type: string
+ example: rsl1hx31gVEa6x10v0g5
+ required: true
+ description: '`id` of a Resource Selector'
+ pathResourceSetIdOrLabel:
+ name: resourceSetIdOrLabel
+ in: path
+ schema:
+ type: string
+ example: iamoJDFKaJxGIr0oamd9g
+ required: true
+ description: '`id` or `label` the Resource Set'
+ pathRiskProviderId:
+ name: riskProviderId
+ in: path
+ schema:
+ type: string
+ example: 00rp12r4skkjkjgsn
+ required: true
+ description: '`id` of the Risk Provider object'
+ pathRoleAssignmentId:
+ name: roleAssignmentId
+ description: The `id` of the role assignment
+ in: path
+ required: true
+ schema:
+ type: string
+ example: JBCUYUC7IRCVGS27IFCE2SKO
+ pathRoleId:
+ name: roleId
+ description: '`id` of the role'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 3Vg1Pjp3qzw4qcCK5EdO
+ pathRoleIdOrLabel:
+ name: roleIdOrLabel
+ in: path
+ schema:
+ type: string
+ example: cr0Yq6IJxGIr0ouum0g3
+ required: true
+ description: '`id` or `label` of the Role'
+ pathRoleRef:
+ name: roleRef
+ in: path
+ description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard Roles](/openapi/okta-management/guides/roles/#standard-roles).
+ required: true
+ schema:
+ oneOf:
+ - title: roleType
+ type: string
+ $ref: '#/components/schemas/RoleType'
+ - title: roleId
+ type: string
+ pathRuleId:
+ name: ruleId
+ description: '`id` of the Policy Rule'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: ruld3hJ7jZh4fn0st0g3
+ pathSchemaId:
+ name: schemaId
+ in: path
+ required: true
+ schema:
+ type: string
+ pathScopeId:
+ name: scopeId
+ description: '`id` of Scope'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 0TMRpCWXRKFjP7HiPFNM
+ pathSecretId:
+ name: secretId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: '`id` of the API Service Integration instance Secret'
+ example: ocs2f4zrZbs8nUa7p0g4
+ pathSection:
+ name: section
+ in: path
+ required: true
+ schema:
+ type: string
+ pathSecurityEventProviderId:
+ name: securityEventProviderId
+ in: path
+ schema:
+ type: string
+ example: sse1qg25RpusjUP6m0g5
+ required: true
+ description: '`id` of the Security Events Provider instance'
+ pathSessionId:
+ name: sessionId
+ description: '`id` of the Session'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: l7FbDVqS8zHSy65uJD85
+ pathSubmissionId:
+ name: submissionId
+ description: OIN Integration ID
+ in: path
+ required: true
+ schema:
+ type: string
+ example: acme_submissionapp_1
+ pathTargetGroupId:
+ name: targetGroupId
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 00g1e9dfjHeLAsdX983d
+ pathTemplateId:
+ name: templateId
+ description: '`id` of the Template'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 6NQUJ5yR3bpgEiYmq8IC
+ pathTemplateName:
+ name: templateName
+ in: path
+ required: true
+ schema:
+ type: string
+ description: The name of the email template
+ pathThemeId:
+ name: themeId
+ in: path
+ required: true
+ schema:
+ type: string
+ description: The ID of the theme
+ pathTokenId:
+ name: tokenId
+ description: '`id` of Token'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: sHHSth53yJAyNSTQKDJZ
+ pathTransactionId:
+ name: transactionId
+ description: ID of an existing Factor verification transaction
+ in: path
+ required: true
+ schema:
+ type: string
+ example: gPAQcN3NDjSGOCAeG2Jv
+ pathTrustedOriginId:
+ name: trustedOriginId
+ description: '`id` of the Trusted Origin'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 7j2PkU1nyNIDe26ZNufR
+ pathTypeId:
+ name: typeId
+ in: path
+ required: true
+ schema:
+ type: string
+ description: The unique key for the User Type
+ pathUpdateId:
+ name: updateId
+ in: path
+ description: Id of the update
+ schema:
+ type: string
+ required: true
+ pathUserId:
+ name: userId
+ description: ID of an existing Okta user
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 00ub0oNGTSWTBKOLGLNR
+ pathUserIdOrLogin:
+ name: userIdOrLogin
+ description: |-
+ If for the `self` link, the ID of the User for whom you want to get the primary User ID. If for the `associated` relation, the User ID or login value of the User assigned the associated relationship.
+
+ This can be `me` to represent the current session User.
+ in: path
+ required: true
+ schema:
+ type: string
+ examples:
+ manager:
+ value: 00u5zex6ztMbOZhF50h7
+ summary: Example ID of `primary`
+ subordinate:
+ value: 00u5zex6ztMbOZhF50h7
+ summary: Example ID of `associated`
+ pathZoneId:
+ name: zoneId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: '`id` of the Network Zone'
+ example: nzowc1U5Jh5xuAK0o0g3
+ privilegedAccountId:
+ name: id
+ in: path
+ description: ID of an existing Privileged Account
+ required: true
+ schema:
+ type: string
+ privilegedResourceId:
+ name: id
+ in: path
+ description: ID of an existing privileged resource
+ required: true
+ schema:
+ type: string
+ queryAfter:
+ name: after
+ in: query
+ schema:
+ type: string
+ description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).
+ queryAppAfter:
+ name: after
+ in: query
+ description: Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](/#pagination).
+ schema:
+ type: string
+ example: 16275000448691
+ queryAppGrantsExpand:
+ name: expand
+ in: query
+ description: 'An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`'
+ schema:
+ type: string
+ example: scope
+ queryAppLimit:
+ name: limit
+ in: query
+ schema:
+ type: integer
+ format: int32
+ minimum: 1
+ maximum: 500
+ default: 50
+ description: |
+ Specifies the number of objects to return per page.
+ If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it).
+ See [Pagination](/#pagination).
+ queryAppUserExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional query parameter to return the corresponding [User](/openapi/okta-management/management/tag/User/) object in the `_embedded` property.
+ Valid value: `user`
+ schema:
+ type: string
+ example: user
+ queryAppUserQ:
+ name: q
+ in: query
+ schema:
+ type: string
+ example: sam
+ description: |
+ Specifies a filter for the list of Application Users returned based on their profile attributes.
+ The value of `q` is matched against the beginning of the following profile attributes: `userName`, `firstName`, `lastName`, and `email`.
+ This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the attribute values.
+ > **Note:** For OIDC apps, user profiles don't contain the `firstName` or `lastName` attributes. Therefore, the query only matches against the `userName` or `email` attributes.
+ queryAppsExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional parameter used for link expansion to embed more resources in the response.
+ Only supports `expand=user/{userId}` and must be used with the `user.id eq "{userId}"` filter query for the same user.
+ Returns the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property.
+ schema:
+ type: string
+ example: user/0oa1gjh63g214q0Hq0g4
+ queryExpand:
+ name: expand
+ in: query
+ schema:
+ type: string
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
+ queryExpandBrand:
+ name: expand
+ in: query
+ style: form
+ explode: false
+ required: false
+ schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - themes
+ - domains
+ - emailDomain
+ description: Specifies additional metadata to be included in the response
+ queryExpandEmailDomain:
+ name: expand
+ in: query
+ style: form
+ explode: false
+ required: false
+ schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - brands
+ description: Specifies additional metadata to be included in the response
+ queryExpandEmailTemplate:
+ name: expand
+ in: query
+ style: form
+ explode: false
+ required: false
+ schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - settings
+ - customizationCount
+ description: Specifies additional metadata to be included in the response
+ queryExpandPageRoot:
+ name: expand
+ in: query
+ style: form
+ explode: false
+ required: false
+ schema:
+ type: array
+ items:
+ type: string
+ enum:
+ - default
+ - customized
+ - customizedUrl
+ - preview
+ - previewUrl
+ description: Specifies additional metadata to be included in the response
+ queryFilter:
+ name: q
+ in: query
+ description: Searches the records for matching value
+ schema:
+ type: string
+ queryGroupAssignmentLimit:
+ name: limit
+ in: query
+ description: |-
+ Specifies the number of objects to return per page.
+ If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it).
+ See [Pagination](/#pagination).
+ examples:
+ min:
+ value: 20
+ summary: Minimum limit value
+ hundred:
+ value: 100
+ summary: Sample limit value
+ max:
+ value: 200
+ summary: Maximum limit value
+ schema:
+ type: integer
+ format: int32
+ default: 20
+ minimum: 20
+ maximum: 200
+ queryGroupAssignmentWithGroupExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or
+ the group assignment metadata details in the `_embedded` property.
+ schema:
+ type: string
+ example: group
+ examples:
+ group:
+ value: group
+ summary: Embedded assigned Group
+ metadata:
+ value: metadata
+ summary: Embedded group assignment metadata
+ queryGroupAssignmentWithMetadataExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or
+ the group assignment metadata details in the `_embedded` property.
+ schema:
+ type: string
+ example: metadata
+ examples:
+ group:
+ value: group
+ summary: Embedded assigned Group
+ metadata:
+ value: metadata
+ summary: Embedded group assignment metadata
+ queryLanguage:
+ name: language
+ schema:
+ $ref: '#/components/schemas/Language'
+ in: query
+ description: The language to use for the email. Defaults to the current user's language if unspecified.
+ queryLimit:
+ name: limit
+ in: query
+ schema:
+ type: integer
+ minimum: 1
+ maximum: 200
+ default: 20
+ description: A limit on the number of objects to return
+ queryLimitPerPoolType:
+ name: limitPerPoolType
+ in: query
+ schema:
+ type: integer
+ default: 5
+ required: false
+ description: Maximum number of AgentPools being returned
+ queryPoolType:
+ name: poolType
+ in: query
+ schema:
+ $ref: '#/components/schemas/AgentType'
+ required: false
+ description: Agent type to search for
+ queryScheduled:
+ name: scheduled
+ in: query
+ description: Scope the list only to scheduled or ad-hoc updates. If the parameter is not provided we will return the whole list of updates.
+ schema:
+ type: boolean
+ required: false
+ queryUserExpand:
+ name: expand
+ in: query
+ description: 'An optional parameter to include metadata in the `_embedded` attribute. Valid value: `blocks`'
+ required: false
+ schema:
+ type: string
+ example: blocks
+ simulateParameter:
+ name: expand
+ description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition wasn't matched.
+ in: query
+ schema:
+ type: string
+ example: EVALUATED
+ yubikeyTokenId:
+ name: tokenId
+ description: ID of a Yubikey token
+ in: path
+ required: true
+ schema:
+ type: string
+ example: ykkxdtCA1fKVxyu6R0g3
+ requestBodies:
+ AuthenticatorRequestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthenticatorBase'
+ examples:
+ Duo:
+ $ref: '#/components/examples/AuthenticatorRequestDuo'
+ required: true
+ responses:
+ ErrorAppUserForbidden403:
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AppUserProvEx:
+ $ref: '#/components/examples/ErrorAppUserForbiddenAction'
+ AccessDenied:
+ $ref: '#/components/examples/ErrorAccessDenied'
+ ErrorAppUserUpdateBadRequest400:
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AppUserUpdateCredEx:
+ $ref: '#/components/examples/ErrorAppUserUpdateBadRequest'
+ APIValidationFailed:
+ $ref: '#/components/examples/ErrorApiValidationFailed'
+ AuthenticatorResponse:
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthenticatorBase'
+ examples:
+ Duo:
+ $ref: '#/components/examples/AuthenticatorResponseDuo'
+ Email:
+ $ref: '#/components/examples/AuthenticatorResponseEmail'
+ Password:
+ $ref: '#/components/examples/AuthenticatorResponsePassword'
+ Phone:
+ $ref: '#/components/examples/AuthenticatorResponsePhone'
+ WebAuthn:
+ $ref: '#/components/examples/AuthenticatorResponseWebAuthn'
+ SecurityQuestion:
+ $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion'
+ AuthenticatorResponseInactiveWebAuthn:
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthenticatorBase'
+ examples:
+ WebAuthn:
+ $ref: '#/components/examples/AuthenticatorResponseInactiveWebAuthn'
+ ErrorApiValidationFailed400:
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ APIValidationFailed:
+ $ref: '#/components/examples/ErrorApiValidationFailed'
+ ErrorMissingRequiredParameter400:
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ MissingRequiredParameter:
+ $ref: '#/components/examples/ErrorMissingRequiredParameter'
+ ErrorInvalidToken401:
+ description: Unauthorized
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ InvalidTokenProvided:
+ $ref: '#/components/examples/ErrorInvalidTokenProvided'
+ ErrorAccessDenied403:
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AccessDenied:
+ $ref: '#/components/examples/ErrorAccessDenied'
+ ErrorResourceNotFound404:
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ResourceNotFound:
+ $ref: '#/components/examples/ErrorResourceNotFound'
+ ErrorTooManyRequests429:
+ description: Too Many Requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ TooManyRequests:
+ $ref: '#/components/examples/ErrorTooManyRequests'
+ Error502NoConnectedAgents:
+ description: There are no connected agents.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AgentTimeOut:
+ $ref: '#/components/examples/ErrorAgentTimeOut'
+ Error504AgentTimeOut:
+ description: Timed out waiting for agent.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AgentTimeOut:
+ $ref: '#/components/examples/ErrorNoConnectedAgents'
+ DRStatusResponse:
+ description: OK
+ content:
+ application/json:
+ schema:
+ description: List of domains and their disaster recovery status
+ type: array
+ items:
+ $ref: '#/components/schemas/DRStatusItem'
+ headers:
+ Link:
+ description: A link to the next page of responses
+ schema:
+ type: string
+ ErrorResponse:
+ description: |
+ 400 - When request validation fails
+ 401 - When the user is not authenticated or the feature is not enabled
+ 403 - When the user is not authorized
+ 429 - When rate limits are exceeded
+ 500 - When an internal server error is encountred
+ 501 - When the operation is not supported
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ GetFactorResponse:
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserFactor'
+ examples:
+ SMS:
+ $ref: '#/components/examples/FactorResponseSms'
+ Email:
+ $ref: '#/components/examples/FactorEmail'
+ Error-FF-NotEnabled-Response-401:
+ description: Unauthorized
+ content:
+ application/json:
+ examples:
+ Unauthorized:
+ value:
+ errorCode: E0000015
+ errorSummary: You do not have permission to access the feature you are requesting
+ errorLink: E0000015
+ errorId: oaeStOuPPxDRUm3PJhf-tL7bQ
+ errorCauses: []
+ ErrorInternalServer500:
+ description: Internal Server Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ InternalServerError:
+ $ref: '#/components/examples/ErrorInternalServer'
+ NzErrorApiValidationFailed400:
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ APIValidationFailed:
+ $ref: '#/components/examples/NzErrorApiValidationFailed'
+ NzErrorResourceNotFound404:
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ResourceNotFound:
+ $ref: '#/components/examples/NzErrorResourceNotFound'
+ schemas:
+ AAGUIDGroupObject:
+ description: |
+
+ The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
+
+ This feature has several limitations when enrolling a security key:
+ - Enrollment is currently unsupported on Firefox.
+ - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
+ - If prompted during enrollment, users must allow Okta to see the make and model of the security key.
+ type: object
+ properties:
+ aaguids:
+ description: A list of YubiKey hardware FIDO2 Authenticator Attestation Global Unique Identifiers (AAGUIDs). The available [AAGUIDs](https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs) (opens new window) are provided by the FIDO Alliance Metadata Service.
+ type: array
+ items:
+ type: string
+ description: AAGUID
+ name:
+ type: string
+ description: A name to identify the group of YubiKey hardware FIDO2 AAGUIDs
+ APIServiceIntegrationInstance:
+ type: object
+ properties:
+ configGuideUrl:
+ type: string
+ description: The URL to the API service integration configuration guide
+ example: https://{docDomain}/my-app-cie/configuration-guide
+ readOnly: true
+ createdAt:
+ type: string
+ description: Timestamp when the API Service Integration instance was created
+ example: '2023-02-21T20:08:24.000Z'
+ readOnly: true
+ createdBy:
+ type: string
+ description: The user ID of the API Service Integration instance creator
+ example: 00uu3u0ujW1P6AfZC2d5
+ readOnly: true
+ grantedScopes:
+ type: array
+ description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management).
+ items:
+ type: string
+ example:
+ - okta.logs.read
+ id:
+ type: string
+ description: The ID of the API Service Integration instance
+ readOnly: true
+ example: 0oa72lrepvp4WqEET1d9
+ name:
+ type: string
+ description: The name of the API service integration that corresponds with the `type` property. This is the full name of the API service integration listed in the Okta Integration Network (OIN) catalog.
+ readOnly: true
+ example: My App Cloud Identity Engine
+ type:
+ type: string
+ description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`.
+ example: my_app_cie
+ _links:
+ $ref: '#/components/schemas/APIServiceIntegrationLinks'
+ readOnly: true
+ APIServiceIntegrationInstanceSecret:
+ type: object
+ properties:
+ client_secret:
+ type: string
+ description: The OAuth 2.0 client secret string. The client secret string is returned in the response of a Secret creation request. In other responses (such as list, activate, or deactivate requests), the client secret is returned as an undisclosed hashed value.
+ example: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B
+ readOnly: true
+ created:
+ type: string
+ description: Timestamp when the API Service Integration instance Secret was created
+ example: '2023-02-21T20:08:24.000Z'
+ readOnly: true
+ id:
+ type: string
+ description: The ID of the API Service Integration instance Secret
+ example: ocs2f4zrZbs8nUa7p0g4
+ readOnly: true
+ lastUpdated:
+ type: string
+ description: Timestamp when the API Service Integration instance Secret was updated
+ example: '2023-02-21T20:08:24.000Z'
+ readOnly: true
+ secret_hash:
+ type: string
+ description: OAuth 2.0 client secret string hash
+ example: yk4SVx4sUWVJVbHt6M-UPA
+ readOnly: true
+ status:
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the API Service Integration instance Secret
+ example: ACTIVE
+ _links:
+ $ref: '#/components/schemas/APIServiceIntegrationSecretLinks'
+ readOnly: true
+ required:
+ - id
+ - status
+ - client_secret
+ - created
+ - lastUpdated
+ - secret_hash
+ - _links
+ APIServiceIntegrationLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ properties:
+ client:
+ $ref: '#/components/schemas/HrefObjectClientLink'
+ logo:
+ $ref: '#/components/schemas/HrefObjectLogoLink'
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ readOnly: true
+ APIServiceIntegrationSecretLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ properties:
+ activate:
+ $ref: '#/components/schemas/HrefObjectActivateLink'
+ deactivate:
+ $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ delete:
+ $ref: '#/components/schemas/HrefObjectDeleteLink'
+ readOnly: true
+ APNSConfiguration:
+ properties:
+ fileName:
+ type: string
+ description: (Optional) File name for Admin Console display
+ keyId:
+ type: string
+ description: 10-character Key ID obtained from the Apple developer account
+ teamId:
+ type: string
+ description: 10-character Team ID used to develop the iOS app
+ tokenSigningKey:
+ type: string
+ description: APNs private authentication token signing key
+ writeOnly: true
+ APNSPushProvider:
+ allOf:
+ - $ref: '#/components/schemas/PushProvider'
+ - type: object
+ properties:
+ configuration:
+ $ref: '#/components/schemas/APNSConfiguration'
+ AccessPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported. Conditions are applied at the rule level for this policy type.
+ default: null
+ nullable: true
+ _embedded:
+ type: object
+ properties:
+ resourceType:
+ type: string
+ description: The resource that this policy controls. For the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/#example-response), `END_USER_ACCOUNT_MANAGEMENT` is returned. For other policies, `APP` is returned.
+ additionalProperties:
+ type: object
+ properties: {}
+ AccessPolicyConstraint:
+ type: object
+ properties:
+ authenticationMethods:
+ description: This property specifies the precise authenticator and method for authentication.
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticationMethodObject'
+ excludedAuthenticationMethods:
+ description: This property specifies the precise authenticator and method to exclude from authentication.
+ items:
+ $ref: '#/components/schemas/AuthenticationMethodObject'
+ methods:
+ description: The Authenticator methods that are permitted
+ items:
+ type: string
+ enum:
+ - PASSWORD
+ - SECURITY_QUESTION
+ - SMS
+ - VOICE
+ - EMAIL
+ - PUSH
+ - SIGNED_NONCE
+ - OTP
+ - TOTP
+ - WEBAUTHN
+ - DUO
+ - IDP
+ - CERT
+ type: array
+ reauthenticateIn:
+ description: The duration after which the user must re-authenticate regardless of user activity. This re-authentication interval overrides the Verification Method object's `reauthenticateIn` interval. The supported values use ISO 8601 period format for recurring time intervals (for example, `PT1H`).
+ type: string
+ required:
+ description: This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for `excludedAuthenticationMethods` the `required` value is false.
+ type: boolean
+ types:
+ description: The Authenticator types that are permitted
+ items:
+ type: string
+ enum:
+ - SECURITY_KEY
+ - PHONE
+ - EMAIL
+ - PASSWORD
+ - SECURITY_QUESTION
+ - APP
+ - FEDERATED
+ type: array
+ AccessPolicyConstraints:
+ type: object
+ properties:
+ knowledge:
+ $ref: '#/components/schemas/KnowledgeConstraint'
+ possession:
+ $ref: '#/components/schemas/PossessionConstraint'
+ AccessPolicyLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the app access policy resource
+ AccessPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/AccessPolicyRuleActions'
+ conditions:
+ $ref: '#/components/schemas/AccessPolicyRuleConditions'
+ AccessPolicyRuleActions:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRuleActions'
+ - type: object
+ properties:
+ appSignOn:
+ $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOn'
+ AccessPolicyRuleApplicationSignOn:
+ type: object
+ properties:
+ access:
+ $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOnAccess'
+ verificationMethod:
+ $ref: '#/components/schemas/VerificationMethod'
+ AccessPolicyRuleApplicationSignOnAccess:
+ type: string
+ x-okta-known-values:
+ - ALLOW
+ - DENY
+ AccessPolicyRuleConditions:
+ allOf:
+ - type: object
+ properties:
+ device:
+ $ref: '#/components/schemas/DeviceAccessPolicyRuleCondition'
+ elCondition:
+ $ref: '#/components/schemas/AccessPolicyRuleCustomCondition'
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ platform:
+ $ref: '#/components/schemas/PlatformPolicyRuleCondition'
+ riskScore:
+ $ref: '#/components/schemas/RiskScorePolicyRuleCondition'
+ userType:
+ $ref: '#/components/schemas/UserTypeCondition'
+ AccessPolicyRuleCustomCondition:
+ properties:
+ condition:
+ type: string
+ description: expression to match
+ required:
+ - condition
+ AcsEndpoint:
+ description: An array of ACS endpoints. You can configure a maximum of 100 endpoints.
+ type: object
+ properties:
+ index:
+ type: integer
+ description: Index of the URL in the array of ACS endpoints
+ example: 0
+ url:
+ type: string
+ description: URL of the ACS
+ maxLength: 1024
+ example: https://www.example.com/sso/saml
+ required:
+ - url
+ - index
+ Actions:
+ type: object
+ properties:
+ assignUserToRealm:
+ $ref: '#/components/schemas/AssignUserToRealm'
+ AdminConsoleSettings:
+ title: Okta Admin Console Settings
+ description: Settings specific to the Okta Admin Console
+ type: object
+ properties:
+ sessionIdleTimeoutMinutes:
+ description: The maximum idle time before the Okta Admin Console session expires. Must be no more than 12 hours.
+ type: integer
+ minimum: 5
+ maximum: 720
+ default: 15
+ sessionMaxLifetimeMinutes:
+ description: The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 7 days.
+ type: integer
+ minimum: 5
+ maximum: 10080
+ default: 720
+ Agent:
+ description: Agent details
+ type: object
+ properties:
+ id:
+ type: string
+ readOnly: true
+ isHidden:
+ type: boolean
+ isLatestGAedVersion:
+ type: boolean
+ lastConnection:
+ type: string
+ format: date-time
+ name:
+ type: string
+ operationalStatus:
+ $ref: '#/components/schemas/OperationalStatus'
+ poolId:
+ type: string
+ type:
+ $ref: '#/components/schemas/AgentType'
+ updateMessage:
+ type: string
+ updateStatus:
+ $ref: '#/components/schemas/AgentUpdateInstanceStatus'
+ version:
+ type: string
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ AgentAction:
+ description: Details about the AD Group membership update
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the AD group to update
+ parameters:
+ $ref: '#/components/schemas/Parameters'
+ AgentPool:
+ description: An AgentPool is a collection of agents that serve a common purpose. An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent).
+ type: object
+ properties:
+ agents:
+ type: array
+ items:
+ $ref: '#/components/schemas/Agent'
+ id:
+ type: string
+ readOnly: true
+ name:
+ type: string
+ operationalStatus:
+ $ref: '#/components/schemas/OperationalStatus'
+ type:
+ $ref: '#/components/schemas/AgentType'
+ AgentPoolUpdate:
+ description: Various information about agent auto update configuration
+ type: object
+ properties:
+ agents:
+ type: array
+ items:
+ $ref: '#/components/schemas/Agent'
+ agentType:
+ $ref: '#/components/schemas/AgentType'
+ enabled:
+ type: boolean
+ id:
+ type: string
+ readOnly: true
+ name:
+ type: string
+ notifyAdmin:
+ type: boolean
+ reason:
+ type: string
+ schedule:
+ $ref: '#/components/schemas/AutoUpdateSchedule'
+ sortOrder:
+ type: integer
+ status:
+ $ref: '#/components/schemas/AgentUpdateJobStatus'
+ targetVersion:
+ type: string
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ AgentPoolUpdateSetting:
+ description: Setting for auto-update
+ type: object
+ properties:
+ agentType:
+ $ref: '#/components/schemas/AgentType'
+ continueOnError:
+ type: boolean
+ latestVersion:
+ type: string
+ minimalSupportedVersion:
+ type: string
+ poolId:
+ type: string
+ readOnly: true
+ poolName:
+ type: string
+ releaseChannel:
+ $ref: '#/components/schemas/ReleaseChannel'
+ AgentType:
+ description: Agent types that are being monitored
+ type: string
+ x-okta-known-values:
+ - AD
+ - IWA
+ - LDAP
+ - MFA
+ - OPP
+ - RUM
+ - Radius
+ AgentUpdateInstanceStatus:
+ description: Status for one agent regarding the status to auto-update that agent
+ type: string
+ x-okta-known-values:
+ - Cancelled
+ - Failed
+ - InProgress
+ - PendingCompletion
+ - Scheduled
+ - Success
+ AgentUpdateJobStatus:
+ description: Overall state for the auto-update job from admin perspective
+ type: string
+ x-okta-known-values:
+ - Cancelled
+ - Failed
+ - InProgress
+ - Paused
+ - Scheduled
+ - Success
+ AllowedForEnum:
+ description: The allowed types of uses for the Authenticator
+ type: string
+ x-okta-known-values:
+ - any
+ - none
+ - recovery
+ - sso
+ AndroidZeroTrust:
+ description: Android Zero Trust integration provider
+ type: object
+ properties:
+ deviceIntegrityLevel:
+ $ref: '#/components/schemas/DeviceIntegrity'
+ networkProxyDisabled:
+ description: Indicates whether a device has a network proxy disabled
+ type: boolean
+ playProtectVerdict:
+ $ref: '#/components/schemas/PlayProtectVerdict'
+ requireMajorVersionUpdate:
+ description: |
+ Indicates whether the device needs to be on the latest major version available to the device
+
+ **Note:** This option requires an `osVersion.dynamicVersionRequirement` value to be supplied with the `osVersion.dynamicVersionRequirement.type` as either `MINIMUM` or `EXACT`.
+ type: boolean
+ requirePatchVersionUpdate:
+ description: |
+ Indicates whether the device needs to be on the latest patch version available to the device
+
+ **Note:** This property mirrors `osVersion.dynamicVersionRequirement.latestSecurityPatch` and is meant for informational purposes only.
+ type: boolean
+ readOnly: true
+ screenLockComplexity:
+ $ref: '#/components/schemas/ScreenLockComplexity'
+ usbDebuggingDisabled:
+ description: Indicates whether Android Debug Bridge (adb) over USB is disabled
+ type: boolean
+ wifiSecured:
+ description: Indicates whether a device is on a password-protected Wi-Fi network
+ type: boolean
+ ApiToken:
+ title: API Token
+ description: An API token for an Okta User. This token is NOT scoped any further and can be used for any API the user has permissions to call.
+ type: object
+ properties:
+ clientName:
+ type: string
+ readOnly: true
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ expiresAt:
+ type: string
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ network:
+ type: object
+ description: The Network Condition of the API Token
+ properties:
+ connection:
+ type: string
+ description: The connection type of the Network Condition
+ include:
+ type: array
+ description: List of included IP network zones
+ items:
+ type: string
+ exclude:
+ type: array
+ description: List of excluded IP network zones
+ items:
+ type: string
+ tokenWindow:
+ $ref: '#/components/schemas/TimeDuration'
+ userId:
+ type: string
+ _link:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - name
+ ApiTokenUpdate:
+ title: API Token Update
+ description: An API Token Update Object for an Okta user. This token is NOT scoped any further and can be used for any API that the user has permissions to call.
+ type: object
+ properties:
+ clientName:
+ type: string
+ description: The client name associated with the API Token
+ readOnly: true
+ created:
+ type: string
+ description: The creation date of the API Token
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ description: The name associated with the API Token
+ network:
+ type: object
+ description: The Network Condition of the API Token
+ properties:
+ connection:
+ type: string
+ description: The connection type of the Network Condition
+ include:
+ type: array
+ description: List of included IP network zones
+ items:
+ type: string
+ exclude:
+ type: array
+ description: List of excluded IP network zones
+ items:
+ type: string
+ userId:
+ type: string
+ description: The userId of the user who created the API Token
+ AppAccountContainerDetails:
+ description: Container details for resource type APP_ACCOUNT
+ type: object
+ properties:
+ appName:
+ type: string
+ description: The application name
+ readOnly: true
+ example: google
+ containerId:
+ type: string
+ description: The application ID associated with the privileged account
+ example: 0oa103099SBEb3Z2b0g4
+ displayName:
+ type: string
+ description: Human-readable name of the container that owns the privileged resource
+ readOnly: true
+ example: Google App1
+ globalAppId:
+ type: string
+ description: The application global ID
+ readOnly: true
+ example: 964b82aa-85b4-5645-b790-83312c473480
+ passwordPushSupported:
+ type: boolean
+ description: Indicates if the application supports password push
+ readOnly: true
+ example: true
+ provisioningEnabled:
+ type: boolean
+ description: Indicates if provisioning is enabled for this application
+ readOnly: true
+ example: true
+ status:
+ $ref: '#/components/schemas/AppInstanceContainerStatus'
+ _links:
+ $ref: '#/components/schemas/appLink'
+ required:
+ - containerId
+ AppAndInstanceConditionEvaluatorAppOrInstance:
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the app
+ readOnly: false
+ name:
+ type: string
+ description: Name of the app type
+ type:
+ $ref: '#/components/schemas/AppAndInstanceType'
+ AppAndInstancePolicyRuleCondition:
+ type: object
+ properties:
+ exclude:
+ type: array
+ description: The list of applications to exclude
+ items:
+ $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance'
+ include:
+ type: array
+ description: The list of apps or app instances to match on
+ items:
+ $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance'
+ AppAndInstanceType:
+ description: Type of app
+ type: string
+ x-okta-known-values:
+ - APP
+ - APP_TYPE
+ AppCsrPkcs10:
+ description: Base64URL-encoded CSR in DER format
+ format: base64
+ type: string
+ AppCustomHrefObject:
+ type: object
+ properties:
+ hints:
+ type: object
+ description: Describes allowed HTTP verbs for the `href`
+ properties:
+ allow:
+ type: array
+ items:
+ type: string
+ href:
+ type: string
+ description: Link URI
+ title:
+ type: string
+ description: Link name
+ type:
+ type: string
+ description: The media type of the link. If omitted, it is implicitly `application/json`.
+ required:
+ - href
+ readOnly: true
+ AppInstanceContainerStatus:
+ description: Current status of the application instance
+ type: string
+ readOnly: true
+ x-okta-known-values:
+ - ACTIVE
+ - DELETED
+ - INACTIVE
+ AppInstancePolicyRuleCondition:
+ type: object
+ properties:
+ exclude:
+ type: array
+ items:
+ type: string
+ include:
+ type: array
+ items:
+ type: string
+ AppLink:
+ type: object
+ properties:
+ appAssignmentId:
+ type: string
+ readOnly: true
+ appInstanceId:
+ type: string
+ readOnly: true
+ appName:
+ type: string
+ readOnly: true
+ credentialsSetup:
+ type: boolean
+ readOnly: true
+ hidden:
+ type: boolean
+ readOnly: true
+ id:
+ type: string
+ readOnly: true
+ label:
+ type: string
+ readOnly: true
+ linkUrl:
+ type: string
+ readOnly: true
+ logoUrl:
+ type: string
+ readOnly: true
+ sortOrder:
+ type: integer
+ readOnly: true
+ AppResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7
+ title:
+ type: string
+ description: Link name
+ example: My App
+ AppUser:
+ title: Application User
+ description: The Application User object defines a user's app-specific profile and credentials for an app
+ type: object
+ properties:
+ created:
+ allOf:
+ - $ref: '#/components/schemas/createdProperty'
+ - example: '2014-06-24T15:27:59.000Z'
+ credentials:
+ $ref: '#/components/schemas/AppUserCredentials'
+ externalId:
+ type: string
+ description: |-
+ The ID of the user in the target app that's linked to the Okta Application User object.
+ This value is the native app-specific identifier or primary key for the user in the target app.
+
+ The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user is created in the target app.
+ This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app.
+ readOnly: true
+ example: 70c14cc17d3745e8a9f98d599a68329c
+ id:
+ type: string
+ description: Unique identifier for the Okta User
+ example: 00u11z6WHMYCGPCHCRFK
+ lastSync:
+ type: string
+ description: Timestamp of the last synchronization operation. This value is only updated for apps with the `IMPORT_PROFILE_UPDATES` or `PUSH PROFILE_UPDATES` feature.
+ format: date-time
+ readOnly: true
+ example: '2014-06-24T15:27:59.000Z'
+ lastUpdated:
+ allOf:
+ - $ref: '#/components/schemas/lastUpdatedProperty'
+ - example: '2014-06-24T15:28:14.000Z'
+ passwordChanged:
+ type: string
+ description: Timestamp when the Application User password was last changed
+ format: date-time
+ readOnly: true
+ nullable: true
+ example: '2014-06-24T15:27:59.000Z'
+ profile:
+ $ref: '#/components/schemas/AppUserProfile'
+ scope:
+ type: string
+ description: Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`).
+ enum:
+ - USER
+ - GROUP
+ example: USER
+ status:
+ $ref: '#/components/schemas/AppUserStatus'
+ statusChanged:
+ type: string
+ description: Timestamp when the Application User status was last changed
+ format: date-time
+ readOnly: true
+ example: '2014-06-24T15:28:14.000Z'
+ syncState:
+ $ref: '#/components/schemas/AppUserSyncState'
+ _embedded:
+ type: object
+ description: Embedded resources related to the Application User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ additionalProperties:
+ type: object
+ properties: {}
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/LinksAppAndUser'
+ AppUserAssignRequest:
+ allOf:
+ - $ref: '#/components/schemas/AppUser'
+ - required:
+ - id
+ AppUserCredentials:
+ description: |
+ Specifies a user's credentials for the app.
+ This parameter can be omitted for apps with [sign-on mode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/signOnMode&t=response) (`signOnMode`) or [authentication schemes](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/credentials/scheme&t=response) (`credentials.scheme`) that don't require credentials.
+ type: object
+ properties:
+ password:
+ $ref: '#/components/schemas/AppUserPasswordCredential'
+ userName:
+ type: string
+ description: |-
+ The user's username in the app
+
+ > **Note:** The [userNameTemplate](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/userNameTemplate&t=request) in the Application object defines the default username generated when a user is assigned to that app.
+ > If you attempt to assign a username or password to an app with an incompatible [authentication scheme](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/scheme&t=request), the following error is returned:
+ > "Credentials should not be set on this resource based on the scheme."
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ AppUserCredentialsRequestPayload:
+ title: Credentials
+ description: Updates the assigned user credentials
+ type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/AppUserCredentials'
+ AppUserPasswordCredential:
+ description: The user's password. This is a write-only property. An empty `password` object is returned to indicate that a password value exists.
+ type: object
+ properties:
+ value:
+ description: Password value
+ type: string
+ format: password
+ writeOnly: true
+ AppUserProfile:
+ description: |
+ Specifies the default and custom profile properties for a user.
+ Properties that are visible in the Admin Console for an app assignment can also be assigned through the API.
+ Some properties are reference properties that are imported from the target app and can't be configured.
+ See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response).
+ additionalProperties: true
+ type: object
+ AppUserProfileRequestPayload:
+ title: Profile
+ description: |-
+ Updates the assigned user profile
+ > **Note:** The Okta API currently doesn't support entity tags for conditional updates. As long as you're the only user updating the the user profile, Okta recommends you fetch the most recent profile with [Retrieve an Application User](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/getApplicationUser), apply your profile update, and then `POST` back the updated profile.
+ type: object
+ properties:
+ profile:
+ $ref: '#/components/schemas/AppUserProfile'
+ AppUserStatus:
+ description: Status of an Application User
+ example: ACTIVE
+ type: string
+ x-enumDescriptions:
+ ACTIVE: The Application User is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled.
+ INACTIVE: The Application User is provisioned, but isn't enabled to use the app. Application Users in this status can be reactivated with a password reset or permanently deleted.
+ IMPORTED: The Application User is created based on imported data.
+ MATCHED: The imported user is matched with an existing Application User.
+ UNASSIGNED: The Application User was imported, but the user-matching operation was skipped.
+ SUSPENDED: The Application User is provisioned, but isn't enabled to use the app. Application Users in this status can be reactivated without a password reset.
+ PENDING: The Application User is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the Application User is activated.
+ APPROVED: The Application User was created but not provisioned. This status can occur when manual provisioning acknowledgment is required.
+ REVOKED: The Application User is disabled and waiting for deprovisioning acknowledgment. The Application User can be deleted after deprovisioning acknowledgment.
+ IMPLICIT: The Application User is now migrated to use implicit app assignment.
+ STAGED: The Application User doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled.
+ PROVISIONED: The background provisioning operation completed and the Application User was assigned an `externalId` successfully.
+ DEPROVISIONED: The user was removed by the provisioning operation and the `externalId` property is unassigned.
+ readOnly: true
+ x-okta-known-values:
+ - ACTIVE
+ - APPROVED
+ - DEPROVISIONED
+ - IMPLICIT
+ - IMPORTED
+ - INACTIVE
+ - MATCHED
+ - PENDING
+ - PROVISIONED
+ - REVOKED
+ - STAGED
+ - SUSPENDED
+ - UNASSIGNED
+ AppUserSyncState:
+ description: |-
+ The synchronization state for the Application User.
+ The Application User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app.
+
+ > **Note:** User provisioning currently must be configured through the Admin Console.
+ example: SYNCHRONIZED
+ type: string
+ x-enumDescriptions:
+ DISABLED: The provisioning feature is disabled for the app (`PROFILE_MASTERING` feature is disabled).
+ OUT_OF_SYNC: The Application User has changes that haven't been pushed to the target app.
+ SYNCING: A background provisioning operation is running to update the user's profile in the target app.
+ SYNCHRONIZED: All changes to the Application User profile have successfully been synchronized with the target app.
+ ERROR: A background provisioning operation failed to update the user's profile in the target app. You must resolve the provisioning task in the Admin Console before you retry the operation.
+ readOnly: true
+ x-okta-known-values:
+ - DISABLED
+ - ERROR
+ - OUT_OF_SYNC
+ - SYNCHRONIZED
+ - SYNCING
+ AppUserUpdateRequest:
+ oneOf:
+ - $ref: '#/components/schemas/AppUserCredentialsRequestPayload'
+ - $ref: '#/components/schemas/AppUserProfileRequestPayload'
+ AppleClientSigning:
+ description: |-
+ Information used to generate the secret JSON Web Token for the token requests to Apple IdP
+ > **Note:** The `privateKey` property is required for a CREATE request. For an UPDATE request, it can be null and keeps the existing value if it's null. The `privateKey` property isn't returned for LIST and GET requests or UPDATE requests if it's null.
+ type: object
+ properties:
+ kid:
+ type: string
+ description: The Key ID that you obtained from Apple when you created the private key for the client
+ maxLength: 1024
+ example: test key id
+ privateKey:
+ type: string
+ description: The PKCS \#8 encoded private key that you created for the client and downloaded from Apple
+ maxLength: 1024
+ example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ
+ teamId:
+ type: string
+ description: The Team ID associated with your Apple developer account
+ maxLength: 1024
+ example: test team id
+ Application:
+ type: object
+ properties:
+ accessibility:
+ $ref: '#/components/schemas/ApplicationAccessibility'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Application object was created
+ features:
+ type: array
+ description: |
+ Enabled app features
+ > **Note:** Some apps can support optional provisioning features. See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/)
+ items:
+ type: string
+ enum:
+ - GROUP_PUSH
+ - IMPORT_NEW_USERS
+ - IMPORT_PROFILE_UPDATES
+ - IMPORT_USER_SCHEMA
+ - PROFILE_MASTERING
+ - PUSH_NEW_USERS
+ - PUSH_PASSWORD_UPDATES
+ - PUSH_PROFILE_UPDATES
+ - PUSH_USER_DEACTIVATION
+ - REACTIVATE_USERS
+ - OUTBOUND_DEL_AUTH
+ - DESKTOP_SSO
+ - FEDERATED_PROFILE
+ - SUPPRESS_ACTIVATION_EMAIL
+ - PUSH_PENDING_USERS
+ - MFA
+ - UPDATE_EXISTING_USERNAME
+ - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH
+ - EXCHANGE_ACTIVE_SYNC
+ - IMPORT_SYNC
+ - IMPORT_SYNC_CONTACTS
+ - DEVICE_COMPLIANCE
+ - VPN_CONFIG
+ - IMPORT_SCHEMA_ENUM_VALUES
+ - SCIM_PROVISIONING
+ - DEVICE_FILTER_IN_SIGN_ON_RULES
+ - PROFILE_TEMPLATE_UPGRADE
+ - DEFAULT_PUSH_STATUS_TO_PUSH
+ - REAL_TIME_SYNC
+ - SSO
+ - AUTHN_CONTEXT
+ - JIT_PROVISIONING
+ - GROUP_SYNC
+ - OPP_SCIM_INCREMENTAL_IMPORTS
+ - IN_MEMORY_APP_USER
+ - LOG_STREAMING
+ - OAUTH_INTEGRATION
+ - IDP
+ - PUSH_NEW_USERS_WITHOUT_PASSWORD
+ - SKYHOOK_SERVICE
+ - ENTITLEMENT_MANAGEMENT
+ - PUSH_NEW_USERS_WITH_HASHED_PASSWORD
+ x-enumDescriptions:
+ GROUP_PUSH: Creates or links a group in the app when a mapping is defined for a group in Okta. Okta is the source for group memberships and all group members in Okta who are also assigned to the app are synced as group members to the app.
+ IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app
+ IMPORT_PROFILE_UPDATES: Updates a linked user's app profile during manual or scheduled imports
+ IMPORT_USER_SCHEMA: Discovers the profile schema for a user from the app automatically
+ PROFILE_MASTERING: Designates the app as the identity lifecycle and profile attribute authority for linked users. The user's profile in Okta is read-only.
+ PUSH_NEW_USERS: Creates or links a user account in the app when assigning the app to a user in Okta
+ PUSH_PASSWORD_UPDATES: Updates the user's app password when their password changes in Okta
+ PUSH_PROFILE_UPDATES: Updates a user's profile in the app when the user's profile changes in Okta (the profile source)
+ PUSH_USER_DEACTIVATION: Deactivates a user's account in the app when unassigned from the app in Okta or deactivated
+ REACTIVATE_USERS: Reactivates an existing inactive user when provisioning a user to the app
+ OUTBOUND_DEL_AUTH: Okta user authentication requests are delegated to a third-party app
+ DESKTOP_SSO: Okta user authentication requests are handled by desktop SSO negotiation (if possible)
+ FEDERATED_PROFILE: App User profiles are synchronized at sign-in and profile-view instances instead of during bulk imports
+ SUPPRESS_ACTIVATION_EMAIL: Activation emails aren't sent to users sourced by AD and orgs with DelAuth enabled
+ PUSH_PENDING_USERS: Users are in PENDING state in Okta and are created but not active in the sourced app user
+ MFA: App can verify credentials as a second factor
+ UPDATE_EXISTING_USERNAME: App can update the user name for existing users
+ EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push
+ EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices
+ IMPORT_SYNC: Synchronize import events
+ IMPORT_SYNC_CONTACTS: Synchronize contacts
+ DEVICE_COMPLIANCE: Apps support device compliance rules
+ VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices
+ IMPORT_SCHEMA_ENUM_VALUES: App supports downloading schema enum values. You can download custom objects and integrating them with UD without being tied to the type metadata system.
+ SCIM_PROVISIONING: App supports generic SCIM client provisioning and can leverage SCIM standard for provisioning and push custom attributes to a third-party app
+ DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules
+ PROFILE_TEMPLATE_UPGRADE: App supports profile template upgrades. This is primarily to help roll out the profile template upgrade feature for individual apps
+ DEFAULT_PUSH_STATUS_TO_PUSH: App defaults Push status to `PUSH`. This feature is for apps, such as SharePoint, that want to receive App User profile updates even though they didn't implement traditional PUSH_PROFILE_UPDATES in the client API.
+ REAL_TIME_SYNC: Apps support real-time synchronization
+ SSO: Apps support establishing a subject based on claims from an IdP
+ AUTHN_CONTEXT: Apps support establishing an authentication context based on claims from an IdP
+ JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP
+ GROUP_SYNC: Apps support syncing group information based on claims from an IdP
+ OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances
+ IN_MEMORY_APP_USER: Apps support in-memory App Users. This feature is used as an alternative to Implicit App Assignment for a non-persisted App User.
+ LOG_STREAMING: Apps support Log Streaming
+ OAUTH_INTEGRATION: App is an OAuth 2.0 Integration
+ IDP: Apps support IdP functionalities
+ PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users
+ SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations
+ ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled
+ PUSH_NEW_USERS_WITH_HASHED_PASSWORD: Send hashed password for new users. This feature is only used for CIS to CIC migration.
+ id:
+ type: string
+ readOnly: true
+ description: Unique ID for the app instance
+ label:
+ $ref: '#/components/schemas/ApplicationLabel'
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Application object was last updated
+ licensing:
+ $ref: '#/components/schemas/ApplicationLicensing'
+ orn:
+ type: string
+ readOnly: true
+ description: The Okta resource name (ORN) for the current app instance
+ profile:
+ type: object
+ description: |-
+ Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps).
+ For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function.
+
+ > **Notes:**
+ > * `profile` isn't encrypted, so don't store sensitive data in it.
+ > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance.
+ additionalProperties: true
+ signOnMode:
+ $ref: '#/components/schemas/ApplicationSignOnMode'
+ status:
+ $ref: '#/components/schemas/ApplicationLifecycleStatus'
+ visibility:
+ $ref: '#/components/schemas/ApplicationVisibility'
+ _embedded:
+ type: object
+ description: Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded.
+ properties:
+ user:
+ type: object
+ description: The specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) assigned to the app
+ additionalProperties:
+ type: object
+ properties: {}
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/ApplicationLinks'
+ required:
+ - signOnMode
+ - label
+ discriminator:
+ propertyName: signOnMode
+ mapping:
+ AUTO_LOGIN: '#/components/schemas/AutoLoginApplication'
+ BASIC_AUTH: '#/components/schemas/BasicAuthApplication'
+ BOOKMARK: '#/components/schemas/BookmarkApplication'
+ BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication'
+ OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication'
+ SAML_1_1: '#/components/schemas/Saml11Application'
+ SAML_2_0: '#/components/schemas/SamlApplication'
+ SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication'
+ WS_FEDERATION: '#/components/schemas/WsFederationApplication'
+ ApplicationAccessibility:
+ description: Specifies access settings for the app
+ type: object
+ properties:
+ errorRedirectUrl:
+ type: string
+ description: Custom error page URL for the app
+ loginRedirectUrl:
+ type: string
+ description: |-
+ Custom login page URL for the app
+ > **Note:** The `loginRedirectUrl` property is deprecated in Identity Engine. This property is used with the custom app login feature. Orgs that actively use this feature can continue to do so. See [Okta-hosted sign-in (redirect authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) or [configure IdP routing rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) to redirect users to the appropriate sign-in app for orgs that don't use the custom app login feature.
+ selfService:
+ type: boolean
+ description: Represents whether the app can be self-assignable by users
+ ApplicationCredentials:
+ description: Credentials for the specified `signOnMode`
+ type: object
+ properties:
+ signing:
+ $ref: '#/components/schemas/ApplicationCredentialsSigning'
+ userNameTemplate:
+ $ref: '#/components/schemas/ApplicationCredentialsUsernameTemplate'
+ ApplicationCredentialsOAuthClient:
+ type: object
+ properties:
+ autoKeyRotation:
+ type: boolean
+ description: Requested key rotation mode
+ default: true
+ client_id:
+ type: string
+ maxLength: 100
+ minLength: 6
+ description: |-
+ Unique identifier for the OAuth 2.0 client app
+
+ > **Notes:**
+ > * If you don't specify the `client_id`, this immutable property is populated with the [Application instance ID](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=4/id&t=response).
+ > * The `client_id` must consist of alphanumeric characters or the following special characters: `$-_.+!*'(),`.
+ > * You can't use the reserved word `ALL_CLIENTS`.
+ client_secret:
+ type: string
+ maxLength: 100
+ minLength: 14
+ description: |-
+ OAuth 2.0 client secret string (used for confidential clients)
+
+ > **Notes:** If a `client_secret` isn't provided on creation, and the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client app.
+ > The `client_secret` is only shown when an OAuth 2.0 client app is created or updated (and only if the `token_endpoint_auth_method` requires a client secret).
+ pkce_required:
+ type: boolean
+ description: Requires Proof Key for Code Exchange (PKCE) for additional verification. If `token_endpoint_auth_method` is `none`, then `pkce_required` must be `true`. The default is `true` for browser and native app types.
+ default: true
+ token_endpoint_auth_method:
+ $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod'
+ ApplicationCredentialsScheme:
+ description: |
+ Apps with `BASIC_AUTH`, `BROWSER_PLUGIN`, or `SECURE_PASSWORD_STORE` sign-on modes have credentials vaulted by Okta and can be configured with the following schemes.
+ type: string
+ x-enumDescriptions:
+ ADMIN_SETS_CREDENTIALS: Admin sets username and password
+ EDIT_PASSWORD_ONLY: Admin sets username, user sets password
+ EDIT_USERNAME_AND_PASSWORD: User sets username and password
+ EXTERNAL_PASSWORD_SYNC: Admin sets username, password is the same as user's Okta password
+ SHARED_USERNAME_AND_PASSWORD: Users share a single username and password set by the admin
+ x-okta-known-values:
+ - ADMIN_SETS_CREDENTIALS
+ - EDIT_PASSWORD_ONLY
+ - EDIT_USERNAME_AND_PASSWORD
+ - EXTERNAL_PASSWORD_SYNC
+ - SHARED_USERNAME_AND_PASSWORD
+ ApplicationCredentialsSigning:
+ description: |
+ App signing key properties
+ > **Note:** Only apps with SAML_2_0, SAML_1_1, WS_FEDERATION, or OPENID_CONNECT `signOnMode` support the key rotation feature.
+ type: object
+ properties:
+ kid:
+ type: string
+ description: |-
+ Key identifier used for signing assertions
+ > **Note:** Currently, only the X.509 JWK format is supported for apps with SAML_2_0 `signOnMode`.
+ lastRotated:
+ type: string
+ description: Timestamp when the signing key was last rotated
+ format: date-time
+ readOnly: true
+ nextRotation:
+ type: string
+ description: The scheduled time for the next signing key rotation
+ format: date-time
+ readOnly: true
+ rotationMode:
+ type: string
+ description: The mode of key rotation
+ use:
+ $ref: '#/components/schemas/ApplicationCredentialsSigningUse'
+ ApplicationCredentialsSigningUse:
+ description: Specifies the intended use of the key
+ type: string
+ x-okta-known-values:
+ - sig
+ ApplicationCredentialsUsernameTemplate:
+ description: The template used to generate the username when the app is assigned through a group or directly to a user
+ type: object
+ properties:
+ pushStatus:
+ type: string
+ description: Determines if the username is pushed to the app on updates for CUSTOM `type`
+ enum:
+ - PUSH
+ - DONT_PUSH
+ - NOT_CONFIGURED
+ template:
+ type: string
+ description: |-
+ Mapping expression used to generate usernames.
+
+ The following are supported mapping expressions that are used with the `BUILT_IN` template type:
+
+ | Name | Template Expression |
+ | ------------------------------- | ---------------------------------------------- |
+ | AD Employee ID | `${source.employeeID}` |
+ | AD SAM Account Name | `${source.samAccountName}` |
+ | AD SAM Account Name (lowercase) | `${fn:toLowerCase(source.samAccountName)}` |
+ | AD User Principal Name | `${source.userName}` |
+ | AD User Principal Name prefix | `${fn:substringBefore(source.userName, "@")}` |
+ | Email | `${source.email}` |
+ | Email (lowercase) | `${fn:toLowerCase(source.email)}` |
+ | Email prefix | `${fn:substringBefore(source.email, "@")}` |
+ | LDAP UID + custom suffix | `${source.userName}${instance.userSuffix}` |
+ | Okta username | `${source.login}` |
+ | Okta username prefix | `${fn:substringBefore(source.login, "@")}` |
+ default: ${source.login}
+ type:
+ type: string
+ description: Type of mapping expression. Empty string is allowed.
+ enum:
+ - NONE
+ - BUILT_IN
+ - CUSTOM
+ default: BUILT_IN
+ userSuffix:
+ type: string
+ description: An optional suffix appended to usernames for `BUILT_IN` mapping expressions
+ ApplicationFeature:
+ description: |
+ The Feature object is used to configure app feature settings.
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the feature
+ example: Settings for provisioning users from Okta to a downstream app
+ readOnly: true
+ name:
+ $ref: '#/components/schemas/ApplicationFeatureType'
+ readOnly: true
+ status:
+ allOf:
+ - $ref: '#/components/schemas/EnabledStatus'
+ - default: DISABLED
+ - example: ENABLED
+ - readOnly: true
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - readOnly: true
+ discriminator:
+ propertyName: name
+ mapping:
+ USER_PROVISIONING: '#/components/schemas/UserProvisioningApplicationFeature'
+ INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature'
+ ApplicationFeatureType:
+ description: |
+ Key name of the feature
+
+ | Feature name | Description |
+ | --------- | ------------- |
+ | USER_PROVISIONING | User profiles are pushed from Okta to the third-party app. Represents the **To App** provisioning feature setting in the Admin Console. |
+ | INBOUND_PROVISIONING | User profiles are imported from the third-party app into Okta. This feature represents the **To Okta** provisioning feature setting in the Admin Console. |
+
+ Select the feature:
+ example: USER_PROVISIONING
+ type: string
+ x-okta-known-values:
+ - USER_PROVISIONING
+ - USER_PROVISIONING
+ - INBOUND_PROVISIONING
+ ApplicationGroupAssignment:
+ title: Application Group Assignment
+ description: The Application Group object that defines a group of users' app-specific profile and credentials for an app
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/)
+ readOnly: true
+ example: 00g4hb1HChfUriNgW0g4
+ lastUpdated:
+ allOf:
+ - $ref: '#/components/schemas/lastUpdatedProperty'
+ - example: '2014-06-24T15:28:14.000Z'
+ priority:
+ type: integer
+ description: |-
+ Priority assigned to the group. If an app has more than one group assigned to the same user, then the group with the higher priority has its profile applied to the [Application User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/).
+ If a priority value isn't specified, then the next highest priority is assigned by default.
+ See [Assign attribute group priority](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-app-group-priority) and the [sample priority use case](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-combine-values-use).
+ example: 99
+ profile:
+ $ref: '#/components/schemas/GroupAssignmentProfile'
+ _embedded:
+ type: object
+ description: |-
+ Embedded resource related to the Application Group using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ If the `expand=group` query parameter is specified, then the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) object is embedded.
+ If the `expand=metadata` query parameter is specified, then the group assignment metadata is embedded.
+ additionalProperties:
+ type: object
+ properties: {}
+ readOnly: true
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/HrefObjectAppLink'
+ group:
+ $ref: '#/components/schemas/HrefObjectGroupLink'
+ ApplicationLabel:
+ description: User-defined display name for app
+ type: string
+ ApplicationLayout:
+ type: object
+ properties:
+ elements:
+ type: array
+ items:
+ type: object
+ additionalProperties: {}
+ label:
+ type: string
+ options:
+ type: object
+ additionalProperties: {}
+ rule:
+ type: object
+ properties:
+ effect:
+ type: string
+ condition:
+ $ref: '#/components/schemas/ApplicationLayoutRuleCondition'
+ scope:
+ type: string
+ type:
+ type: string
+ ApplicationLayoutRuleCondition:
+ type: object
+ properties:
+ schema:
+ type: object
+ additionalProperties: {}
+ scope:
+ type: string
+ ApplicationLayouts:
+ type: object
+ properties:
+ _links:
+ type: object
+ properties:
+ general:
+ $ref: '#/components/schemas/ApplicationLayoutsLinksItem'
+ signOn:
+ $ref: '#/components/schemas/ApplicationLayoutsLinksItem'
+ provisioning:
+ $ref: '#/components/schemas/ApplicationLayoutsLinksItem'
+ readOnly: true
+ ApplicationLayoutsLinksItem:
+ items:
+ $ref: '#/components/schemas/HrefObject'
+ type: array
+ ApplicationLicensing:
+ description: Licenses for the app
+ type: object
+ properties:
+ seatCount:
+ type: integer
+ description: Number of licenses purchased for the app
+ ApplicationLifecycleStatus:
+ description: App instance status
+ type: string
+ readOnly: true
+ x-okta-known-values:
+ - ACTIVE
+ - DELETED
+ - INACTIVE
+ ApplicationLinks:
+ description: Discoverable resources related to the app
+ properties:
+ accessPolicy:
+ $ref: '#/components/schemas/AccessPolicyLink'
+ activate:
+ $ref: '#/components/schemas/HrefObjectActivateLink'
+ appLinks:
+ type: array
+ description: List of app link resources
+ items:
+ $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ groups:
+ $ref: '#/components/schemas/GroupsLink'
+ help:
+ $ref: '#/components/schemas/HelpLink'
+ logo:
+ type: array
+ description: List of app logo resources
+ items:
+ $ref: '#/components/schemas/HrefObject'
+ metadata:
+ $ref: '#/components/schemas/MetadataLink'
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ users:
+ $ref: '#/components/schemas/UsersLink'
+ readOnly: true
+ ApplicationSettings:
+ description: App settings
+ type: object
+ properties:
+ identityStoreId:
+ type: string
+ description: Identifies an additional identity store app, if your app supports it. The `identityStoreId` value must be a valid identity store app ID. This identity store app must be created in the same org as your app.
+ implicitAssignment:
+ type: boolean
+ description: Controls whether Okta automatically assigns users to the app based on the user's role or group membership.
+ inlineHookId:
+ type: string
+ description: Identifier of an inline hook. Inline hooks are outbound calls from Okta to your own custom code, triggered at specific points in Okta process flows. They allow you to integrate custom functionality into those flows. See [Inline hooks](/openapi/okta-management/management/tag/InlineHook/).
+ notes:
+ $ref: '#/components/schemas/ApplicationSettingsNotes'
+ notifications:
+ $ref: '#/components/schemas/ApplicationSettingsNotifications'
+ ApplicationSettingsNotes:
+ description: App notes visible to either the admin or end user
+ type: object
+ properties:
+ admin:
+ type: string
+ description: An app message that's visible to admins
+ enduser:
+ type: string
+ description: A message that's visible in the End-User Dashboard
+ ApplicationSettingsNotifications:
+ description: Specifies notifications settings for the app
+ type: object
+ properties:
+ vpn:
+ $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn'
+ ApplicationSettingsNotificationsVpn:
+ description: Sends customizable messages with conditions to end users when a VPN connection is required
+ type: object
+ properties:
+ helpUrl:
+ type: string
+ description: An optional URL to a help page to assist your end users in signing in to your company VPN
+ message:
+ type: string
+ description: A VPN requirement message that's displayed to users
+ network:
+ $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork'
+ required:
+ - network
+ ApplicationSettingsNotificationsVpnNetwork:
+ description: Defines network zones for VPN notification
+ type: object
+ properties:
+ connection:
+ type: string
+ description: Specifies the VPN connection details required to access the app
+ enum:
+ - DISABLED
+ - ANYWHERE
+ - ON_NETWORK
+ - OFF_NETWORK
+ - ZONE
+ x-enumDescriptions:
+ DISABLED: The default state. Retain this setting for apps that don't require a VPN connection.
+ ANYWHERE: Displays VPN connection information regardless of the browser's client IP. The notification appears before the end user can access the app.
+ ON_NETWORK: Displays VPN connection information only when a browser's client IP matches the configured Public Gateway IPs. The notification appears before the end user can access the app.
+ OFF_NETWORK: Displays VPN connection information only when the browser's client IP doesn't match the configured Public Gateway IPs. The notification appears before the end user can access the app.
+ exclude:
+ type: array
+ description: Defines the IP addresses or network ranges that are excluded from the VPN requirement
+ items:
+ type: string
+ include:
+ type: array
+ description: Defines the IP addresses or network ranges that are required to use the VPN
+ items:
+ type: string
+ ApplicationSignOnMode:
+ description: |
+ Authentication mode for the app
+
+ | signOnMode | Description |
+ | ---------- | ----------- |
+ | AUTO_LOGIN | Secure Web Authentication (SWA) |
+ | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin |
+ | BOOKMARK | Just a bookmark (no-authentication) |
+ | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin |
+ | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) |
+ | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) |
+ | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO |
+ | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) |
+ | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile |
+
+ Select the `signOnMode` for your custom app:
+ type: string
+ x-okta-known-values:
+ - AUTO_LOGIN
+ - BASIC_AUTH
+ - BOOKMARK
+ - BROWSER_PLUGIN
+ - OPENID_CONNECT
+ - SAML_1_1
+ - SAML_2_0
+ - SECURE_PASSWORD_STORE
+ - WS_FEDERATION
+ ApplicationType:
+ description: 'The type of client application. Default value: `web`.'
+ type: string
+ x-okta-known-values:
+ - browser
+ - native
+ - service
+ - web
+ ApplicationVisibility:
+ description: Specifies visibility settings for the app
+ type: object
+ properties:
+ appLinks:
+ type: object
+ description: Links or icons that appear on the End-User Dashboard if they're set to `true`.
+ additionalProperties:
+ type: boolean
+ autoLaunch:
+ type: boolean
+ description: Automatically signs in to the app when user signs into Okta
+ autoSubmitToolbar:
+ type: boolean
+ description: Automatically sign in when user lands on the sign-in page
+ hide:
+ $ref: '#/components/schemas/ApplicationVisibilityHide'
+ ApplicationVisibilityHide:
+ description: Hides the app for specific end-user apps
+ type: object
+ properties:
+ iOS:
+ type: boolean
+ description: Okta Mobile for iOS or Android (pre-dates Android)
+ default: false
+ example: false
+ web:
+ type: boolean
+ description: Okta End-User Dashboard on a web browser
+ default: false
+ example: true
+ AssignGroupOwnerRequestBody:
+ type: object
+ properties:
+ id:
+ description: The `id` of the group owner
+ type: string
+ type:
+ $ref: '#/components/schemas/GroupOwnerType'
+ AssignRoleRequest:
+ type: object
+ properties:
+ type:
+ $ref: '#/components/schemas/RoleType'
+ AssignUserToRealm:
+ type: object
+ properties:
+ realmId:
+ type: string
+ AssociatedServerMediated:
+ type: object
+ properties:
+ trusted:
+ type: array
+ description: A list of the authorization server IDs
+ items:
+ type: string
+ AssuranceMethod:
+ allOf:
+ - $ref: '#/components/schemas/VerificationMethod'
+ - type: object
+ properties:
+ constraints:
+ items:
+ $ref: '#/components/schemas/AccessPolicyConstraints'
+ type: array
+ factorMode:
+ $ref: '#/components/schemas/AssuranceMethodFactorMode'
+ inactivityPeriod:
+ type: string
+ description: The inactivity duration after which the user must re-authenticate. Use the ISO 8601 period format (for example, PT2H).
+ reauthenticateIn:
+ type: string
+ description: The duration after which the user must re-authenticate, regardless of user activity. Keep in mind that the re-authentication intervals for constraints take precedent over this value. Use the ISO 8601 period format for recurring time intervals (for example, PT2H, PT0S, PT43800H, and so on).
+ AssuranceMethodFactorMode:
+ type: string
+ x-okta-known-values:
+ - 1FA
+ - 2FA
+ AttackProtectionAuthenticatorSettings:
+ type: object
+ properties:
+ verifyKnowledgeSecondWhen2faRequired:
+ type: boolean
+ description: If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA).
+ default: false
+ AuthServerLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ claims:
+ allOf:
+ - description: Link to the authorization server claims
+ - $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ allOf:
+ - $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ metadata:
+ description: Link to the authorization server metadata
+ type: array
+ items:
+ $ref: '#/components/schemas/HrefObject'
+ policies:
+ allOf:
+ - description: Link to the authorization server policies
+ - $ref: '#/components/schemas/HrefObject'
+ rotateKey:
+ allOf:
+ - description: Link to the authorization server key rotation
+ - $ref: '#/components/schemas/HrefObject'
+ scopes:
+ allOf:
+ - description: Link to the authorization server scopes
+ - $ref: '#/components/schemas/HrefObject'
+ AuthenticationMethod:
+ type: object
+ properties:
+ hardwareProtection:
+ type: string
+ description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints.
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ id:
+ type: string
+ description: An ID that identifies the authenticator
+ key:
+ type: string
+ description: A label that identifies the authenticator
+ method:
+ type: string
+ description: Specifies the method used for the authenticator
+ phishingResistant:
+ type: string
+ description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ userVerification:
+ type: string
+ description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ required:
+ - key
+ - method
+ AuthenticationMethodChain:
+ type: object
+ properties:
+ authenticationMethods:
+ items:
+ $ref: '#/components/schemas/AuthenticationMethod'
+ type: array
+ next:
+ type: array
+ description: The next steps of the authentication method chain. This is an array of `AuthenticationMethodChain`. Only supports one item in the array.
+ items:
+ type: object
+ reauthenticateIn:
+ type: string
+ description: |-
+ Specifies how often the user should be prompted for authentication using duration format for the time period.
+ For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`.
+ AuthenticationMethodChainMethod:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: true
+ allOf:
+ - $ref: '#/components/schemas/VerificationMethod'
+ - type: object
+ properties:
+ chains:
+ items:
+ $ref: '#/components/schemas/AuthenticationMethodChain'
+ type: array
+ description: Authentication method chains. Only supports 5 items in the array. Each chain can support maximum 3 steps.
+ reauthenticateIn:
+ description: |-
+ Specifies how often the user should be prompted for authentication using duration format for the time period.
+ For example, `PT2H30M` for two and a half hours. Don't set this parameter if you're setting the `reauthenticateIn` parameter in `chains`.
+ type: string
+ AuthenticationMethodObject:
+ type: object
+ properties:
+ key:
+ type: string
+ description: A label that identifies the authenticator
+ method:
+ type: string
+ description: Specifies the method used for the authenticator
+ required:
+ - key
+ AuthenticationProvider:
+ description: Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the **Delegated Authentication** settings for your org. The provider object is **read-only**.
+ type: object
+ properties:
+ name:
+ type: string
+ description: The name of the authentication provider
+ readOnly: true
+ example: OKTA
+ type:
+ $ref: '#/components/schemas/AuthenticationProviderType'
+ readOnly: true
+ AuthenticationProviderType:
+ description: The type of authentication provider
+ type: string
+ x-enumDescriptions:
+ ACTIVE_DIRECTORY: Specifies the directory instance name as the `name` property
+ FEDERATION: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider
+ IMPORT: Specifies a hashed password that was imported from an external source
+ LDAP: Specifies the directory instance name as the `name` property
+ OKTA: Specifies the Okta Identity Provider
+ SOCIAL: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider
+ readOnly: true
+ x-okta-known-values:
+ - ACTIVE_DIRECTORY
+ - FEDERATION
+ - IMPORT
+ - LDAP
+ - OKTA
+ - SOCIAL
+ AuthenticatorBase:
+ type: object
+ properties:
+ created:
+ description: Timestamp when the Authenticator was created
+ format: date-time
+ readOnly: true
+ type: string
+ id:
+ description: A unique identifier for the Authenticator
+ readOnly: true
+ type: string
+ key:
+ $ref: '#/components/schemas/AuthenticatorKeyEnum'
+ lastUpdated:
+ description: Timestamp when the Authenticator was last modified
+ format: date-time
+ readOnly: true
+ type: string
+ name:
+ description: Display name of the Authenticator
+ type: string
+ status:
+ description: Status of the Authenticator
+ $ref: '#/components/schemas/LifecycleStatus'
+ type:
+ $ref: '#/components/schemas/AuthenticatorType'
+ _links:
+ description: Link relations for this object
+ $ref: '#/components/schemas/AuthenticatorLinks'
+ discriminator:
+ propertyName: key
+ mapping:
+ custom_app: '#/components/schemas/AuthenticatorKeyCustomApp'
+ duo: '#/components/schemas/AuthenticatorKeyDuo'
+ okta_email: '#/components/schemas/AuthenticatorKeyEmail'
+ google_otp: '#/components/schemas/AuthenticatorKeyGoogleOtp'
+ external_idp: '#/components/schemas/AuthenticatorKeyExternalIdp'
+ okta_password: '#/components/schemas/AuthenticatorKeyPassword'
+ okta_verify: '#/components/schemas/AuthenticatorKeyOktaVerify'
+ onprem_mfa: '#/components/schemas/AuthenticatorKeyOnprem'
+ phone_number: '#/components/schemas/AuthenticatorKeyPhone'
+ security_key: '#/components/schemas/AuthenticatorKeySecurityKey'
+ security_question: '#/components/schemas/AuthenticatorKeySecurityQuestion'
+ symantec_vip: '#/components/schemas/AuthenticatorKeySymantecVip'
+ smart_card_idp: '#/components/schemas/AuthenticatorKeySmartCard'
+ webauthn: '#/components/schemas/AuthenticatorKeyWebauthn'
+ yubikey_token: '#/components/schemas/AuthenticatorKeyYubikey'
+ AuthenticatorEnrollmentPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyConditions'
+ settings:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettings'
+ AuthenticatorEnrollmentPolicyAuthenticatorSettings:
+ type: object
+ properties:
+ constraints:
+ description: Constraints for the authenticator
+ nullable: true
+ minimum: 0
+ type: object
+ properties:
+ aaguidGroups:
+ type: array
+ description: The list of FIDO2 WebAuthn authenticator groups allowed for enrollment
+ items:
+ type: string
+ uniqueItems: true
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ enroll:
+ type: object
+ description: Enrollment requirements for the authenticator
+ properties:
+ self:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorStatus'
+ key:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorType'
+ AuthenticatorEnrollmentPolicyAuthenticatorStatus:
+ description: Requirements for the user-initiated enrollment
+ default: NOT_ALLOWED
+ type: string
+ x-okta-known-values:
+ - NOT_ALLOWED
+ - OPTIONAL
+ - REQUIRED
+ AuthenticatorEnrollmentPolicyAuthenticatorType:
+ description: A label that identifies the authenticator
+ type: string
+ x-okta-known-values:
+ - custom_app
+ - custom_otp
+ - duo
+ - external_idp
+ - google_otp
+ - okta_email
+ - okta_password
+ - okta_verify
+ - onprem_mfa
+ - phone_number
+ - rsa_token
+ - security_question
+ - symantec_vip
+ - webauthn
+ - yubikey_token
+ AuthenticatorEnrollmentPolicyConditions:
+ allOf:
+ - type: object
+ properties:
+ people:
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ groups:
+ type: object
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ AuthenticatorEnrollmentPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActions'
+ conditions:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleConditions'
+ AuthenticatorEnrollmentPolicyRuleActionEnroll:
+ description: Specifies whether the User is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER`
+ type: object
+ properties:
+ self:
+ type: string
+ enum:
+ - CHALLENGE
+ - LOGIN
+ - NEVER
+ AuthenticatorEnrollmentPolicyRuleActions:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRuleActions'
+ - type: object
+ properties:
+ enroll:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActionEnroll'
+ AuthenticatorEnrollmentPolicyRuleConditions:
+ type: object
+ properties:
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ people:
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ users:
+ type: object
+ description: Specifies a set of Users to be included or excluded
+ properties:
+ exclude:
+ type: array
+ description: Users to be excluded
+ items:
+ type: string
+ AuthenticatorEnrollmentPolicySettings:
+ description: '**Note:** In Identity Engine, the Multifactor (MFA) Enrollment Policy name has changed to authenticator enrollment policy. The policy type of `MFA_ENROLL` remains unchanged. However, the `settings` data is updated for authenticators. Policy `settings` are included only for those authenticators that are enabled.'
+ type: object
+ properties:
+ authenticators:
+ description: |
+ List of authenticator policy settings
+
+ For orgs with the Authenticator enrollment policy feature enabled, the new default authenticator enrollment policy created by Okta contains the `authenticators` property in the policy settings. Existing default authenticator enrollment policies from a migrated Classic Engine org remain unchanged. The policies still use the `factors` property in their settings. The `authenticators` parameter allows you to configure all available authenticators, including authentication and recovery. The `factors` parameter only allows you to configure multifactor authentication.
+ items:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorSettings'
+ type: array
+ type:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettingsType'
+ AuthenticatorEnrollmentPolicySettingsType:
+ description: |
+ Type of policy configuration object
+
+ The `type` property in the policy `settings` is only applicable to the authenticator enrollment policy available in Identity Engine.
+ default: FACTORS
+ type: string
+ x-okta-known-values:
+ - AUTHENTICATORS
+ - FACTORS
+ AuthenticatorIdentity:
+ description: Represents a particular authenticator serving as a constraint on a method
+ type: object
+ properties:
+ key:
+ type: string
+ AuthenticatorKeyCustomApp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ agreeToTerms:
+ type: boolean
+ description: A value of `true` indicates that the administrator accepts the [terms](https://www.okta.com/privacy-policy/)for creating a new authenticator. Okta requires that you accept the terms when creating a new `custom_app` authenticator. Other authenticators don't require this field.
+ provider:
+ type: object
+ properties:
+ type:
+ type: string
+ description: Provider type
+ enum:
+ - PUSH
+ configuration:
+ type: object
+ description: The configuration of the provider
+ properties:
+ apns:
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ appBundleId:
+ type: string
+ description: AppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ debugAppBundleId:
+ type: string
+ description: DebugAppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ fcm:
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the FCM (Firebase Cloud Messaging Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ settings:
+ type: object
+ properties:
+ userVerification:
+ $ref: '#/components/schemas/CustomAppUserVerificationEnum'
+ appInstanceId:
+ type: string
+ description: The application instance ID. For custom_app, you need to create an OIDC native app using the [Apps API](https://developer.okta.com/docs/reference/api/apps/) with `Authorization Code` and `Refresh Token` grant types. You can leave both `Sign-in redirect URIs` and `Sign-out redirect URIs` as the default values.
+ AuthenticatorKeyDuo:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ provider:
+ type: object
+ properties:
+ type:
+ type: string
+ description: Provider type
+ enum:
+ - DUO
+ configuration:
+ type: object
+ properties:
+ host:
+ type: string
+ description: The Duo Security API hostname
+ integrationKey:
+ type: string
+ description: The Duo Security integration key
+ secretKey:
+ type: string
+ description: The Duo Security secret key
+ userNameTemplate:
+ type: object
+ properties:
+ template:
+ type: string
+ description: The Duo Security user template name
+ AuthenticatorKeyEmail:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ allowedFor:
+ $ref: '#/components/schemas/AllowedForEnum'
+ tokenLifetimeInMinutes:
+ description: Specifies the lifetime of an email token. Default value is 5 minutes.
+ type: number
+ default: 5
+ AuthenticatorKeyEnum:
+ description: A human-readable string that identifies the Authenticator
+ type: string
+ x-okta-known-values:
+ - custom_app
+ - duo
+ - external_idp
+ - google_otp
+ - okta_email
+ - okta_password
+ - okta_verify
+ - onprem_mfa
+ - phone_number
+ - security_key
+ - security_question
+ - smart_card_idp
+ - symantec_vip
+ - webauthn
+ - yubikey_token
+ AuthenticatorKeyExternalIdp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyGoogleOtp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyOktaVerify:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ channelBinding:
+ $ref: '#/components/schemas/ChannelBinding'
+ compliance:
+ $ref: '#/components/schemas/Compliance'
+ userVerification:
+ $ref: '#/components/schemas/UserVerificationEnum'
+ appInstanceId:
+ type: string
+ description: The application instance ID
+ AuthenticatorKeyOnprem:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyPassword:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyPhone:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ allowedFor:
+ $ref: '#/components/schemas/AllowedForEnum'
+ AuthenticatorKeySecurityKey:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeySecurityQuestion:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ allowedFor:
+ $ref: '#/components/schemas/AllowedForEnum'
+ AuthenticatorKeySmartCard:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeySymantecVip:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyWebauthn:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyYubikey:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ - type: object
+ properties:
+ methods:
+ description: Link to Authenticator methods
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ AuthenticatorMethodAlgorithm:
+ type: string
+ x-okta-known-values:
+ - ES256
+ - RS256
+ AuthenticatorMethodBase:
+ type: object
+ properties:
+ status:
+ description: The status of the authenticator method
+ $ref: '#/components/schemas/LifecycleStatus'
+ type:
+ $ref: '#/components/schemas/AuthenticatorMethodType'
+ _links:
+ $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ discriminator:
+ propertyName: type
+ mapping:
+ sms: '#/components/schemas/AuthenticatorMethodSimple'
+ voice: '#/components/schemas/AuthenticatorMethodSimple'
+ email: '#/components/schemas/AuthenticatorMethodSimple'
+ push: '#/components/schemas/AuthenticatorMethodPush'
+ signed_nonce: '#/components/schemas/AuthenticatorMethodSignedNonce'
+ totp: '#/components/schemas/AuthenticatorMethodTotp'
+ otp: '#/components/schemas/AuthenticatorMethodOtp'
+ password: '#/components/schemas/AuthenticatorMethodSimple'
+ webauthn: '#/components/schemas/AuthenticatorMethodWebAuthn'
+ security_question: '#/components/schemas/AuthenticatorMethodSimple'
+ idp: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties'
+ duo: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties'
+ cert: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties'
+ AuthenticatorMethodConstraint:
+ description: 'Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : ''google_otp'') is the only allowed authenticator.'
+ type: object
+ properties:
+ allowedAuthenticators:
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorIdentity'
+ method:
+ enum:
+ - otp
+ AuthenticatorMethodOtp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties'
+ - type: object
+ properties:
+ acceptableAdjacentIntervals:
+ type: integer
+ description: The number of acceptable adjacent intervals, also known as the clock drift interval. This setting allows you to build in tolerance for any time difference between the token and the server. For example, with a `timeIntervalInSeconds` of 60 seconds and an `acceptableAdjacentIntervals` value of 5, Okta accepts passcodes within 300 seconds (60 * 5) before or after the end user enters their code.
+ minimum: 0
+ maximum: 10
+ algorithm:
+ $ref: '#/components/schemas/OtpTotpAlgorithm'
+ encoding:
+ $ref: '#/components/schemas/OtpTotpEncoding'
+ factorProfileId:
+ type: string
+ description: The `id` value of the factor profile
+ example: aut1nd8PQhGcQtSxB0g4
+ passCodeLength:
+ $ref: '#/components/schemas/OtpTotpPassCodeLength'
+ protocol:
+ $ref: '#/components/schemas/OtpProtocol'
+ timeIntervalInSeconds:
+ $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds'
+ AuthenticatorMethodProperty:
+ type: string
+ x-okta-known-values:
+ - DEVICE_BOUND
+ - HARDWARE_PROTECTED
+ - PHISHING_RESISTANT
+ - USER_PRESENCE
+ - USER_VERIFYING
+ AuthenticatorMethodPush:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorMethodBase'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ algorithms:
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodAlgorithm'
+ keyProtection:
+ $ref: '#/components/schemas/PushMethodKeyProtection'
+ transactionTypes:
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodTransactionType'
+ AuthenticatorMethodSignedNonce:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorMethodBase'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ algorithms:
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodAlgorithm'
+ keyProtection:
+ $ref: '#/components/schemas/PushMethodKeyProtection'
+ showSignInWithOV:
+ $ref: '#/components/schemas/ShowSignInWithOV'
+ AuthenticatorMethodSimple:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorMethodBase'
+ AuthenticatorMethodTotp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorMethodBase'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ timeIntervalInSeconds:
+ $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds'
+ encoding:
+ $ref: '#/components/schemas/OtpTotpEncoding'
+ algorithm:
+ $ref: '#/components/schemas/OtpTotpAlgorithm'
+ passCodeLength:
+ $ref: '#/components/schemas/OtpTotpPassCodeLength'
+ AuthenticatorMethodTransactionType:
+ type: string
+ x-okta-known-values:
+ - CIBA
+ - LOGIN
+ AuthenticatorMethodType:
+ description: The type of authenticator method
+ type: string
+ x-okta-known-values:
+ - cert
+ - duo
+ - email
+ - idp
+ - otp
+ - password
+ - push
+ - security_question
+ - signed_nonce
+ - sms
+ - totp
+ - voice
+ - webauthn
+ AuthenticatorMethodWebAuthn:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorMethodBase'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ aaguidGroups:
+ description: The FIDO2 AAGUID groups available to the WebAuthn authenticator
+ type: array
+ items:
+ $ref: '#/components/schemas/AAGUIDGroupObject'
+ userVerification:
+ $ref: '#/components/schemas/UserVerificationEnum'
+ attachment:
+ $ref: '#/components/schemas/WebAuthnAttachment'
+ AuthenticatorMethodWithVerifiableProperties:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorMethodBase'
+ - type: object
+ properties:
+ verifiableProperties:
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodProperty'
+ AuthenticatorSimple:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorBase'
+ AuthenticatorType:
+ description: The type of Authenticator
+ type: string
+ x-okta-known-values:
+ - app
+ - email
+ - federated
+ - password
+ - phone
+ - security_key
+ - security_question
+ AuthorizationServer:
+ type: object
+ properties:
+ audiences:
+ type: array
+ description: The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience.
+ items:
+ type: string
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ credentials:
+ $ref: '#/components/schemas/AuthorizationServerCredentials'
+ description:
+ type: string
+ description: The description of the custom authorization server
+ id:
+ type: string
+ description: The ID of the custom authorization server
+ readOnly: true
+ issuer:
+ type: string
+ description: The complete URL for the custom authorization server. This becomes the `iss` claim in an access token.
+ issuerMode:
+ type: string
+ description: |-
+ Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL.
+
+ `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses.
+
+ When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`.
+
+ When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface.
+
+ When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain.
+
+ After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled.
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ description: The name of the custom authorization server
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ _links:
+ $ref: '#/components/schemas/AuthServerLinks'
+ AuthorizationServerCredentials:
+ type: object
+ properties:
+ signing:
+ $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig'
+ AuthorizationServerCredentialsRotationMode:
+ description: The Key rotation mode for the authorization server
+ type: string
+ x-okta-known-values:
+ - AUTO
+ - MANUAL
+ AuthorizationServerCredentialsSigningConfig:
+ type: object
+ properties:
+ kid:
+ type: string
+ description: The ID of the JSON Web Key used for signing tokens issued by the authorization server
+ readOnly: true
+ lastRotated:
+ type: string
+ description: The timestamp when the authorization server started using the `kid` for signing tokens
+ format: date-time
+ readOnly: true
+ nextRotation:
+ type: string
+ description: The timestamp when the authorization server changes the Key for signing tokens. This is only returned when `rotationMode` is set to `AUTO`.
+ format: date-time
+ readOnly: true
+ rotationMode:
+ $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode'
+ use:
+ $ref: '#/components/schemas/AuthorizationServerCredentialsUse'
+ AuthorizationServerCredentialsUse:
+ description: How the key is used
+ type: string
+ x-okta-known-values:
+ - sig
+ AuthorizationServerJsonWebKey:
+ type: object
+ properties:
+ alg:
+ description: 'The algorithm used with the Key. Valid value: `RS256`'
+ type: string
+ e:
+ description: RSA key value (public exponent) for Key binding
+ type: string
+ readOnly: true
+ kid:
+ description: Unique identifier for the key
+ type: string
+ readOnly: true
+ kty:
+ description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`'
+ type: string
+ readOnly: true
+ 'n':
+ description: RSA modulus value that is used by both the public and private keys and provides a link between them
+ type: string
+ status:
+ description: |-
+ An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`
+ A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated.
+ An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted.
+ type: string
+ use:
+ description: 'Acceptable use of the key. Valid value: `sig`'
+ type: string
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ AuthorizationServerPolicy:
+ allOf:
+ - type: object
+ properties:
+ id:
+ type: string
+ description: ID of the Policy
+ type:
+ type: string
+ description: Indicates that the Policy is an authorization server Policy
+ enum:
+ - OAUTH_AUTHORIZATION_POLICY
+ name:
+ type: string
+ description: Name of the Policy
+ conditions:
+ $ref: '#/components/schemas/AuthorizationServerPolicyConditions'
+ description:
+ type: string
+ description: Description of the Policy
+ priority:
+ type: integer
+ description: Specifies the order in which this Policy is evaluated in relation to the other Policies in a custom authorization server
+ status:
+ type: string
+ description: Specifies whether requests have access to this Policy
+ enum:
+ - ACTIVE
+ - INACTIVE
+ system:
+ type: boolean
+ description: Specifies whether Okta created this Policy
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Policy was created
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Policy was last updated
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ - type: object
+ properties:
+ rules:
+ allOf:
+ - description: Link to the authorization server policy's rules
+ - $ref: '#/components/schemas/HrefObject'
+ AuthorizationServerPolicyConditions:
+ type: object
+ properties:
+ clients:
+ $ref: '#/components/schemas/ClientPolicyCondition'
+ AuthorizationServerPolicyPeopleCondition:
+ description: Identifies Users and Groups that are used together
+ type: object
+ properties:
+ groups:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleGroupCondition'
+ users:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleUserCondition'
+ AuthorizationServerPolicyRule:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions'
+ conditions:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the rule was created
+ id:
+ type: string
+ description: Identifier of the rule
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the rule was last modified
+ name:
+ type: string
+ description: Name of the rule
+ priority:
+ type: integer
+ description: Priority of the rule
+ status:
+ type: string
+ description: Status of the rule
+ enum:
+ - ACTIVE
+ - INACTIVE
+ system:
+ type: boolean
+ description: Set to `true` for system rules. You can't delete system rules.
+ type:
+ type: string
+ description: Rule type
+ enum:
+ - RESOURCE_ACCESS
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ AuthorizationServerPolicyRuleActions:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRuleActions'
+ - type: object
+ properties:
+ token:
+ $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction'
+ AuthorizationServerPolicyRuleConditions:
+ type: object
+ properties:
+ grantTypes:
+ $ref: '#/components/schemas/GrantTypePolicyRuleCondition'
+ people:
+ $ref: '#/components/schemas/AuthorizationServerPolicyPeopleCondition'
+ scopes:
+ $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition'
+ AuthorizationServerPolicyRuleGroupCondition:
+ description: Specifies a set of Groups whose Users are to be included
+ type: object
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ AuthorizationServerPolicyRuleRequest:
+ allOf:
+ - $ref: '#/components/schemas/AuthorizationServerPolicyRule'
+ - type: object
+ required:
+ - name
+ - conditions
+ - type
+ AuthorizationServerPolicyRuleUserCondition:
+ description: Specifies a set of Users to be included
+ type: object
+ properties:
+ include:
+ description: Users to be included
+ type: array
+ items:
+ type: string
+ AuthorizationServerResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7
+ title:
+ type: string
+ description: Link name
+ example: Example Authorization Server
+ AutoAssignAdminAppSetting:
+ description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned
+ type: object
+ properties:
+ autoAssignAdminAppSetting:
+ type: boolean
+ description: Automatically assigns the Okta Admin Console to the user when an admin role is assigned
+ AutoLoginApplication:
+ allOf:
+ - $ref: '#/components/schemas/Application'
+ - type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/SchemeApplicationCredentials'
+ name:
+ type: string
+ description: A unique key is generated for the custom SWA app instance when you use AUTO_LOGIN `signOnMode`.
+ readOnly: true
+ settings:
+ $ref: '#/components/schemas/AutoLoginApplicationSettings'
+ AutoLoginApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ signOn:
+ $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn'
+ AutoLoginApplicationSettingsSignOn:
+ type: object
+ properties:
+ loginUrl:
+ type: string
+ description: Primary URL of the sign-in page for this app
+ redirectUrl:
+ type: string
+ description: Secondary URL of the sign-in page for this app
+ required:
+ - loginUrl
+ AutoUpdateSchedule:
+ description: The schedule of auto-update configured by admin.
+ type: object
+ properties:
+ cron:
+ type: string
+ delay:
+ description: delay in days
+ type: integer
+ duration:
+ description: duration in minutes
+ type: integer
+ lastUpdated:
+ description: last time when the updated finished (success or failed, exclude cancelled), null if job haven't finished once yet.
+ type: string
+ format: date-time
+ timezone:
+ type: string
+ AwsAccountId:
+ description: Your AWS account ID
+ minLength: 12
+ maxLength: 12
+ example: 123456789012
+ type: string
+ AwsEventSourceName:
+ description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge
+ minLength: 1
+ maxLength: 75
+ example: your-event-source-name
+ type: string
+ pattern: ^[a-zA-Z0-9.\-_]$
+ AwsRegion:
+ description: The destination AWS region where your event source is located
+ type: string
+ x-okta-known-values:
+ - ap-northeast-1
+ - ap-northeast-2
+ - ap-northeast-3
+ - ap-south-1
+ - ap-southeast-1
+ - ap-southeast-2
+ - ca-central-1
+ - eu-central-1
+ - eu-north-1
+ - eu-west-1
+ - eu-west-2
+ - eu-west-3
+ - sa-east-1
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+ BaseContext:
+ description: This object contains a number of sub-objects, each of which provide some type of contextual information.
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ session:
+ description: Details of the user session
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the user's session
+ type: string
+ example: 102LN9Bnuc4S_ewfc9BYwageA
+ userId:
+ description: The unique identifier for the user
+ type: string
+ example: 00uq8tMo3zV0OfJON0g3
+ login:
+ description: The username used to identify the user. This is often the user's email address.
+ type: string
+ example: user@example.com
+ createdAt:
+ description: Timestamp of when the session was created
+ type: string
+ format: date-time
+ example: '2019-03-28T16:45:55.000Z'
+ expiresAt:
+ description: Timestamp of when the session expires
+ type: string
+ format: date-time
+ example: '2019-03-28T21:15:23.000Z'
+ status:
+ description: Represents the current status of the user's session
+ type: string
+ example: ACTIVE
+ lastPasswordVerification:
+ description: Timestamp of when the user was last authenticated
+ type: string
+ format: date-time
+ example: '2019-03-28T16:45:55.000Z'
+ amr:
+ description: The authentication method reference
+ type: array
+ items:
+ type: string
+ example:
+ - PASSWORD
+ idp:
+ $ref: '#/components/schemas/SessionIdentityProvider'
+ mfaActive:
+ description: Describes whether multifactor authentication was enabled
+ type: boolean
+ example: false
+ user:
+ description: Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the user
+ type: string
+ example: 00uq8tMo3zV0OfJON0g3
+ passwordChanged:
+ description: The timestamp when the user's password was last updated
+ type: string
+ format: date-time
+ example: '2018-09-11T23:19:12.000Z'
+ profile:
+ type: object
+ properties:
+ login:
+ description: The username used to identify the user. This is often the user's email address.
+ type: string
+ example: user@example.com
+ firstName:
+ description: The first name of the user
+ type: string
+ example: John
+ lastName:
+ description: The last name of the user
+ type: string
+ example: Smith
+ locale:
+ description: |-
+ The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on.
+ A locale value is a concatenation of the [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes) two-letter language code, an underscore, and the [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) two-letter country code. For example, `en_US` specifies the language English and country US. This value is `en_US` by default.
+ type: string
+ example: en_US
+ timeZone:
+ description: The user's timezone
+ type: string
+ example: America/Los_Angeles
+ _links:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled.
+ type: object
+ properties:
+ groups:
+ description: URL to retrieve the individual user's group memberships
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ factors:
+ description: URL to retrieve individual user's factor enrollments
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ BaseEmailDomain:
+ type: object
+ properties:
+ displayName:
+ type: string
+ userName:
+ type: string
+ required:
+ - displayName
+ - userName
+ BaseEmailServer:
+ type: object
+ properties:
+ alias:
+ type: string
+ description: Human-readable name for your SMTP server
+ example: CustomServer1
+ enabled:
+ type: boolean
+ description: If `true`, routes all email traffic through your SMTP server
+ host:
+ type: string
+ description: Hostname or IP address of your SMTP server
+ example: 192.168.160.1
+ port:
+ type: integer
+ description: Port number of your SMTP server
+ example: 587
+ username:
+ type: string
+ description: Username used to access your SMTP server
+ example: aUser
+ BaseToken:
+ type: object
+ properties:
+ claims:
+ description: Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#claims).
+ type: object
+ lifetime:
+ description: Lifetime of the token
+ type: object
+ properties:
+ expiration:
+ description: Time in seconds until the token expires
+ type: integer
+ BasicApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/BasicApplicationSettingsApplication'
+ BasicApplicationSettingsApplication:
+ type: object
+ properties:
+ authURL:
+ type: string
+ description: The URL of the authenticating site for this app
+ url:
+ type: string
+ description: The URL of the sign-in page for this app
+ required:
+ - authURL
+ - url
+ BasicAuthApplication:
+ x-okta-defined-as:
+ name: template_basic_auth
+ allOf:
+ - $ref: '#/components/schemas/Application'
+ - type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/SchemeApplicationCredentials'
+ name:
+ type: string
+ description: '`template_basic_auth` is the key name for a Basic Authentication scheme app instance'
+ enum:
+ - template_basic_auth
+ settings:
+ $ref: '#/components/schemas/BasicApplicationSettings'
+ required:
+ - name
+ - settings
+ BeforeScheduledActionPolicyRuleCondition:
+ type: object
+ properties:
+ duration:
+ $ref: '#/components/schemas/Duration'
+ lifecycleAction:
+ $ref: '#/components/schemas/ScheduledUserLifecycleAction'
+ BehaviorRule:
+ title: Behavior Detection Rule
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ maxLength: 128
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ type:
+ $ref: '#/components/schemas/BehaviorRuleType'
+ _link:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - name
+ - type
+ discriminator:
+ propertyName: type
+ mapping:
+ ANOMALOUS_LOCATION: '#/components/schemas/BehaviorRuleAnomalousLocation'
+ ANOMALOUS_IP: '#/components/schemas/BehaviorRuleAnomalousIP'
+ ANOMALOUS_DEVICE: '#/components/schemas/BehaviorRuleAnomalousDevice'
+ VELOCITY: '#/components/schemas/BehaviorRuleVelocity'
+ BehaviorRuleAnomalousDevice:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRule'
+ - type: object
+ properties:
+ settings:
+ $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousDevice'
+ BehaviorRuleAnomalousIP:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRule'
+ - type: object
+ properties:
+ settings:
+ $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousIP'
+ BehaviorRuleAnomalousLocation:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRule'
+ - type: object
+ properties:
+ settings:
+ $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousLocation'
+ BehaviorRuleSettings:
+ title: Behavior Detection Rule Settings
+ type: object
+ BehaviorRuleSettingsAnomalousDevice:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased'
+ BehaviorRuleSettingsAnomalousIP:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased'
+ - type: object
+ properties:
+ maxEventsUsedForEvaluation:
+ type: integer
+ minimum: 0
+ maximum: 100
+ default: 50
+ BehaviorRuleSettingsAnomalousLocation:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased'
+ - type: object
+ properties:
+ granularity:
+ $ref: '#/components/schemas/LocationGranularity'
+ radiusKilometers:
+ type: integer
+ description: Required when `granularity` is `LAT_LONG`. Radius from the provided coordinates in kilometers.
+ required:
+ - granularity
+ BehaviorRuleSettingsHistoryBased:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRuleSettings'
+ - title: Behavior Detection Rule Settings based on Event History
+ type: object
+ properties:
+ maxEventsUsedForEvaluation:
+ type: integer
+ minimum: 1
+ maximum: 100
+ default: 20
+ minEventsNeededForEvaluation:
+ type: integer
+ minimum: 0
+ maximum: 10
+ default: 0
+ BehaviorRuleSettingsVelocity:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRuleSettings'
+ - title: Behavior Detection Rule Settings based on device velocity in kilometers per hour.
+ type: object
+ properties:
+ velocityKph:
+ type: integer
+ minimum: 1
+ default: 805
+ required:
+ - velocityKph
+ BehaviorRuleType:
+ type: string
+ x-okta-known-values:
+ - ANOMALOUS_DEVICE
+ - ANOMALOUS_IP
+ - ANOMALOUS_LOCATION
+ - VELOCITY
+ BehaviorRuleVelocity:
+ allOf:
+ - $ref: '#/components/schemas/BehaviorRule'
+ - type: object
+ properties:
+ settings:
+ $ref: '#/components/schemas/BehaviorRuleSettingsVelocity'
+ BindingMethod:
+ description: The method used to bind the out-of-band channel with the primary channel.
+ type: string
+ x-okta-known-values:
+ - none
+ - prompt
+ - transfer
+ BookmarkApplication:
+ x-okta-defined-as:
+ name: bookmark
+ allOf:
+ - $ref: '#/components/schemas/Application'
+ - type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/ApplicationCredentials'
+ name:
+ type: string
+ description: '`bookmark` is the key name for a Bookmark app'
+ enum:
+ - bookmark
+ settings:
+ $ref: '#/components/schemas/BookmarkApplicationSettings'
+ required:
+ - name
+ - settings
+ BookmarkApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/BookmarkApplicationSettingsApplication'
+ BookmarkApplicationSettingsApplication:
+ type: object
+ properties:
+ requestIntegration:
+ type: boolean
+ description: Would you like Okta to add an integration for this app?
+ default: false
+ url:
+ type: string
+ description: The URL of the launch page for this app
+ required:
+ - url
+ BouncesRemoveListError:
+ type: object
+ properties:
+ emailAddress:
+ type: string
+ description: An email address with a validation error
+ reason:
+ type: string
+ description: Validation error reason
+ BouncesRemoveListObj:
+ type: object
+ properties:
+ emailAddresses:
+ type: array
+ description: A list of email addresses to remove from the email-service bounce list
+ items:
+ type: string
+ description: Email address
+ BouncesRemoveListResult:
+ type: object
+ properties:
+ errors:
+ type: array
+ description: A list of emails that wasn't added to the email-bounced remove list and the error reason
+ items:
+ $ref: '#/components/schemas/BouncesRemoveListError'
+ Brand:
+ type: object
+ properties:
+ agreeToCustomPrivacyPolicy:
+ type: boolean
+ description: Consent for updating the custom privacy URL. Not required when resetting the URL.
+ customPrivacyPolicyUrl:
+ type: string
+ description: Custom privacy policy URL
+ default: null
+ defaultApp:
+ $ref: '#/components/schemas/DefaultApp'
+ emailDomainId:
+ type: string
+ description: The ID of the email domain
+ id:
+ readOnly: true
+ type: string
+ description: The Brand ID
+ isDefault:
+ readOnly: true
+ type: boolean
+ description: If `true`, the Brand is used for the Okta subdomain
+ locale:
+ $ref: '#/components/schemas/Language'
+ name:
+ type: string
+ description: The name of the Brand
+ removePoweredByOkta:
+ type: boolean
+ default: false
+ description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard
+ BrandDomains:
+ title: BrandDomains
+ items:
+ $ref: '#/components/schemas/DomainResponse'
+ type: array
+ BrandRequest:
+ type: object
+ properties:
+ agreeToCustomPrivacyPolicy:
+ type: boolean
+ description: Consent for updating the custom privacy URL. Not required when resetting the URL.
+ customPrivacyPolicyUrl:
+ type: string
+ description: Custom privacy policy URL
+ defaultApp:
+ $ref: '#/components/schemas/DefaultApp'
+ emailDomainId:
+ type: string
+ description: The ID of the email domain
+ locale:
+ $ref: '#/components/schemas/Language'
+ name:
+ type: string
+ description: The name of the Brand
+ removePoweredByOkta:
+ type: boolean
+ default: false
+ description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard
+ required:
+ - name
+ BrandWithEmbedded:
+ allOf:
+ - $ref: '#/components/schemas/Brand'
+ type: object
+ properties:
+ _embedded:
+ type: object
+ properties:
+ themes:
+ type: array
+ items:
+ $ref: '#/components/schemas/ThemeResponse'
+ domains:
+ items:
+ $ref: '#/components/schemas/DomainResponse'
+ type: array
+ emailDomain:
+ $ref: '#/components/schemas/EmailDomainResponse'
+ readOnly: true
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ themes:
+ $ref: '#/components/schemas/HrefObject'
+ BrowserPluginApplication:
+ allOf:
+ - $ref: '#/components/schemas/Application'
+ - type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/SchemeApplicationCredentials'
+ name:
+ type: string
+ description: The key name for the app definition
+ enum:
+ - template_swa
+ - template_swa3field
+ x-enumDescriptions:
+ template_swa: The key name for a SWA app instance that requires a browser plugin
+ template_swa3field: The key name for a SWA app instance that requires a browser plugin and supports three CSS selectors
+ settings:
+ $ref: '#/components/schemas/SwaApplicationSettings'
+ required:
+ - name
+ - settings
+ BulkDeleteRequestBody:
+ type: object
+ properties:
+ entityType:
+ type: string
+ enum:
+ - USERS
+ profiles:
+ type: array
+ items:
+ $ref: '#/components/schemas/IdentitySourceUserProfileForDelete'
+ BulkUpsertRequestBody:
+ type: object
+ properties:
+ entityType:
+ type: string
+ enum:
+ - USERS
+ profiles:
+ type: array
+ items:
+ type: object
+ properties:
+ externalId:
+ type: string
+ description: The external ID of the entity that needs to be created or updated in Okta
+ maxLength: 512
+ profile:
+ $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert'
+ BundleEntitlement:
+ type: object
+ properties:
+ description:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ role:
+ type: string
+ _links:
+ allOf:
+ - properties:
+ values:
+ $ref: '#/components/schemas/HrefObject'
+ BundleEntitlementsResponse:
+ type: object
+ properties:
+ entitlements:
+ type: array
+ items:
+ $ref: '#/components/schemas/BundleEntitlement'
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ next:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the next resource
self:
- href: https://${yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg
- hints:
- allow:
- - GET
- - DELETE
- user:
- href: https://${yourOktaDomain}/api/v1/users/00uabcdefg1234567890
- hints:
- allow:
- - GET
- ApiTokenMetadataResponse:
- value:
- name: My API Token
- userId: 00uXXXXXXXXXXXXXXXXX
- tokenWindow: P30D
- id: 00Tabcdefg1234567890
- clientName: Okta API
- expiresAt: 2021-12-11T20:38:10.000Z
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ bundle:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the bundle resource
+ ByDateTimeExpiry:
+ allOf:
+ - $ref: '#/components/schemas/DateTime'
+ ByDurationExpiry:
+ allOf:
+ - $ref: '#/components/schemas/TimeDuration'
+ description: |-
+ A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
+ Must be between 1 and 180 days inclusive.
+ CAPTCHAInstance:
+ title: CAPTCHAInstance
+ description: ''
+ type: object
+ properties:
+ id:
+ description: The unique key for the CAPTCHA instance
+ type: string
+ readOnly: true
+ name:
+ description: The name of the CAPTCHA instance
+ type: string
+ secretKey:
+ description: The secret key issued from the CAPTCHA provider to perform server-side validation for a CAPTCHA token
+ type: string
+ writeOnly: true
+ siteKey:
+ description: The site key issued from the CAPTCHA provider to render a CAPTCHA on a page
+ type: string
+ type:
+ $ref: '#/components/schemas/CAPTCHAType'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ CAPTCHAType:
+ description: The type of CAPTCHA provider
+ type: string
+ x-okta-known-values:
+ - HCAPTCHA
+ - RECAPTCHA_V2
+ CSRLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of a CSR object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ properties:
+ publish:
+ $ref: '#/components/schemas/HrefCsrPublishLink'
+ self:
+ $ref: '#/components/schemas/HrefCsrSelfLink'
+ readOnly: true
+ CaepDeviceComplianceChangeEvent:
+ description: The subject's device compliance was revoked
+ type: object
+ properties:
+ current_status:
+ type: string
+ description: Current device compliance status
+ enum:
+ - compliant
+ - not-compliant
+ example: non-compliant
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_status:
+ type: string
+ description: Previous device compliance status
+ enum:
+ - compliant
+ - not-compliant
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_status
+ - previous_status
+ CaepSecurityEvent:
+ type: object
+ properties:
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ CaepSessionRevokedEvent:
+ description: The session of the subject was revoked
+ type: object
+ properties:
+ current_ip:
+ type: string
+ description: Current IP of the session
+ example: 123.4.5.6
+ current_user_agent:
+ type: string
+ description: Current User Agent of the session
+ example: CurrentUserAgent
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ last_known_ip:
+ type: string
+ description: Last known IP of the session
+ example: 123.4.5.6
+ last_known_user_agent:
+ type: string
+ description: Last known User Agent of the session
+ example: LastUserAgent
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ CapabilitiesCreateObject:
+ description: |
+ Determines whether Okta assigns a new app account to each user managed by Okta.
+
+ Okta doesn't create a new account if it detects that the username specified in Okta already exists in the app.
+ The user's Okta username is assigned by default.
+ type: object
+ properties:
+ lifecycleCreate:
+ $ref: '#/components/schemas/LifecycleCreateSettingObject'
+ CapabilitiesImportRulesObject:
+ description: Defines user import rules
+ type: object
+ properties:
+ userCreateAndMatch:
+ $ref: '#/components/schemas/CapabilitiesImportRulesUserCreateAndMatchObject'
+ CapabilitiesImportRulesUserCreateAndMatchObject:
+ description: Rules for matching and creating users
+ type: object
+ properties:
+ allowPartialMatch:
+ type: boolean
+ description: Allows user import upon partial matching. Partial matching occurs when the first and last names of an imported user match those of an existing Okta user, even if the username or email attributes don't match.
+ autoActivateNewUsers:
+ type: boolean
+ description: If set to `true`, imported new users are automatically activated.
+ autoConfirmExactMatch:
+ type: boolean
+ description: If set to `true`, exact-matched users are automatically confirmed on activation. If set to `false`, exact-matched users need to be confirmed manually.
+ autoConfirmNewUsers:
+ type: boolean
+ description: If set to `true`, imported new users are automatically confirmed on activation. This doesn't apply to imported users that already exist in Okta.
+ autoConfirmPartialMatch:
+ type: boolean
+ description: If set to `true`, partially matched users are automatically confirmed on activation. If set to `false`, partially matched users need to be confirmed manually.
+ exactMatchCriteria:
+ type: string
+ description: Determines the attribute to match users
+ enum:
+ - EMAIL
+ - USERNAME
+ CapabilitiesImportSettingsObject:
+ description: Defines import settings
+ type: object
+ properties:
+ schedule:
+ $ref: '#/components/schemas/ImportScheduleObject'
+ username:
+ $ref: '#/components/schemas/ImportUsernameObject'
+ CapabilitiesInboundProvisioningObject:
+ title: INBOUND_PROVISIONING
+ description: Defines the configuration for the INBOUND_PROVISIONING feature
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: object
+ properties:
+ importRules:
+ $ref: '#/components/schemas/CapabilitiesImportRulesObject'
+ importSettings:
+ $ref: '#/components/schemas/CapabilitiesImportSettingsObject'
+ required:
+ - importSettings
+ - importRules
+ CapabilitiesObject:
+ title: USER_PROVISIONING
+ description: Defines the configurations for the USER_PROVISIONING feature
+ type: object
+ properties:
+ create:
+ $ref: '#/components/schemas/CapabilitiesCreateObject'
+ update:
+ $ref: '#/components/schemas/CapabilitiesUpdateObject'
+ CapabilitiesUpdateObject:
+ description: Determines whether updates to a user's profile are pushed to the app
+ type: object
+ properties:
+ lifecycleDeactivate:
+ $ref: '#/components/schemas/LifecycleDeactivateSettingObject'
+ password:
+ $ref: '#/components/schemas/PasswordSettingObject'
+ profile:
+ $ref: '#/components/schemas/ProfileSettingObject'
+ CatalogApplication:
+ type: object
+ properties:
+ category:
+ type: string
+ description:
+ type: string
+ displayName:
+ type: string
+ features:
+ type: array
+ items:
+ type: string
+ id:
+ type: string
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ signOnModes:
+ type: array
+ items:
+ type: string
+ status:
+ $ref: '#/components/schemas/CatalogApplicationStatus'
+ verificationStatus:
+ type: string
+ website:
+ type: string
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ CatalogApplicationStatus:
+ type: string
+ x-okta-known-values:
+ - ACTIVE
+ - INACTIVE
+ ChallengeType:
+ type: string
+ x-okta-known-values:
+ - http://auth0.com/oauth/grant-type/mfa-oob
+ - http://auth0.com/oauth/grant-type/mfa-otp
+ ChangeEnum:
+ description: Determines whether a change in a user's password also updates the user's password in the app
+ default: KEEP_EXISTING
+ example: CHANGE
+ type: string
+ x-okta-known-values:
+ - CHANGE
+ - KEEP_EXISTING
+ ChangePasswordRequest:
+ type: object
+ properties:
+ newPassword:
+ $ref: '#/components/schemas/PasswordCredential'
+ oldPassword:
+ $ref: '#/components/schemas/PasswordCredential'
+ revokeSessions:
+ type: boolean
+ description: When set to `true`, revokes all user sessions, except for the current session
+ default: false
+ Channel:
+ description: The out-of-band channel for use with authentication. Required for all `/oob-authenticate` requests and any `/challenge` request with an out-of-band authenticator.
+ type: string
+ x-okta-known-values:
+ - push
+ - sms
+ - voice
+ ChannelBinding:
+ type: object
+ properties:
+ required:
+ $ref: '#/components/schemas/RequiredEnum'
+ style:
+ type: string
+ enum:
+ - NUMBER_CHALLENGE
+ ChildOrg:
+ type: object
+ properties:
+ admin:
+ $ref: '#/components/schemas/OrgCreationAdmin'
+ created:
+ description: Timestamp when the org was created
+ type: string
+ format: date-time
+ readOnly: true
+ example: '2022-08-25T00:05:00.000Z'
+ edition:
+ description: Edition for the org. `SKU` is the only supported value.
+ type: string
+ enum:
+ - SKU
+ example: SKU
+ id:
+ type: string
+ description: Org ID
+ readOnly: true
+ example: 00o1n8sbwArJ7OQRw406
+ lastUpdated:
+ description: Timestamp when the org was last updated
+ type: string
+ format: date-time
+ readOnly: true
+ example: '2022-08-25T00:05:00.000Z'
+ name:
+ description: |-
+ Unique name of the org.
+ This name appears in the HTML `` tag of the new org sign-in page.
+ Only less than 4-width UTF-8 encoded characters are allowed.
+ type: string
+ format: utf-8
+ minimum: 1
+ maximum: 100
+ example: My Child Org 1
+ settings:
+ description: Settings associated with the created org
+ readOnly: true
+ type: object
+ additionalProperties: true
+ status:
+ description: Status of the org. `ACTIVE` is returned after the org is created.
+ type: string
+ readOnly: true
+ enum:
+ - ACTIVE
+ subdomain:
+ description: Subdomain of the org. Must be unique and include no spaces.
+ type: string
+ minimum: 1
+ maximum: 57
+ example: my-child-org-1
+ token:
+ description: |-
+ API token associated with the child org super admin account.
+ Use this API token to provision resources (such as policies, apps, and groups) on the newly created child org.
+ This token is revoked if the super admin account is deactivated.
+ > **Note:** If this API token expires, sign in to the Admin Console as the super admin user and create a new API token. See [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/).
+ type: string
+ readOnly: true
+ tokenType:
+ description: Type of returned `token`. See [Okta API tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens).
+ type: string
+ readOnly: true
+ example: SSWS
+ enum:
+ - SSWS
+ website:
+ description: Default website for the org
+ type: string
+ example: https://www.okta.com
+ _links:
+ description: Specifies available link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ type: object
+ additionalProperties: true
+ required:
+ - admin
+ - edition
+ - name
+ - subdomain
+ ChromeBrowserVersion:
+ description: Current version of the Chrome Browser
+ type: object
+ properties:
+ minimum:
+ type: string
+ Claim:
+ type: string
+ Client:
+ type: object
+ properties:
+ application_type:
+ $ref: '#/components/schemas/ApplicationType'
+ client_id:
+ type: string
+ description: Unique key for the client application. The `client_id` is immutable. When you create a client Application, you can't specify the `client_id` because Okta uses the application ID for the `client_id`.
+ readOnly: true
+ client_id_issued_at:
+ type: integer
+ readOnly: true
+ description: Time at which the `client_id` was issued (measured in unix seconds)
+ client_name:
+ type: string
+ description: Human-readable string name of the client application
+ client_secret:
+ type: string
+ readOnly: true
+ description: OAuth 2.0 client secret string (used for confidential clients). The `client_secret` is shown only on the response of the creation or update of a client Application (and only if the `token_endpoint_auth_method` is one that requires a client secret). You can't specify the `client_secret`. If the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client Application.
+ nullable: true
+ client_secret_expires_at:
+ type: integer
+ readOnly: true
+ description: Time at which the `client_secret` expires or 0 if it doesn't expire (measured in unix seconds)
+ minimum: 0
+ nullable: true
+ frontchannel_logout_session_required:
+ type: boolean
+ description: Include user session details
+ frontchannel_logout_uri:
+ type: string
+ description: URL where Okta sends the logout request
+ nullable: true
+ grant_types:
+ type: array
+ description: 'Array of OAuth 2.0 grant type strings. Default value: `[authorization_code]`'
+ items:
+ $ref: '#/components/schemas/GrantType'
+ initiate_login_uri:
+ type: string
+ description: URL that a third party can use to initiate a login by the client
+ jwks_uri:
+ type: string
+ description: URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta
+ logo_uri:
+ type: string
+ description: URL string that references a logo for the client consent dialog (not the sign-in dialog)
+ nullable: true
+ policy_uri:
+ type: string
+ description: URL string of a web page providing the client's policy document
+ nullable: true
+ post_logout_redirect_uris:
+ type: string
+ description: Array of redirection URI strings for use for relying party initiated logouts
+ items:
+ type: string
+ redirect_uris:
+ type: array
+ description: 'Array of redirection URI strings for use in redirect-based flows. All redirect URIs must be absolute URIs and must not include a fragment component. At least one redirect URI and response type is required for all client types, with the following exceptions: If the client uses the Resource Owner Password flow (if `grant_type` contains the value password) or the Client Credentials flow (if `grant_type` contains the value `client_credentials`), then no redirect URI or response type is necessary. In these cases, you can pass either null or an empty array for these attributes.'
+ items:
+ type: string
+ request_object_signing_alg:
+ type: array
+ description: The type of [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) algorithm that must be used for signing request objects
+ items:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ response_types:
+ type: array
+ description: 'Array of OAuth 2.0 response type strings. Default value: `[code]`'
+ items:
+ $ref: '#/components/schemas/ResponseType'
+ token_endpoint_auth_method:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ tos_uri:
+ type: string
+ description: URL string of a web page providing the client's terms of service document
+ nullable: true
+ ClientPolicyCondition:
+ description: Specifies which clients are included in the Policy
+ type: object
+ properties:
+ include:
+ type: array
+ description: Which clients are included in the Policy
+ items:
+ type: string
+ ClientPrivilegesSetting:
+ description: The org setting that assigns the super admin role by default to a public client app
+ type: object
+ properties:
+ clientPrivilegesSetting:
+ type: boolean
+ description: If true, assigns the super admin role by default to new public client apps
+ example: true
+ CodeChallengeMethod:
+ type: string
+ x-okta-known-values:
+ - S256
+ Compliance:
+ type: object
+ properties:
+ fips:
+ $ref: '#/components/schemas/FipsEnum'
+ Conditions:
+ type: object
+ properties:
+ expression:
+ $ref: '#/components/schemas/Expression'
+ profileSourceId:
+ type: string
+ ContentSecurityPolicySetting:
+ type: object
+ properties:
+ mode:
+ type: string
+ enum:
+ - enforced
+ - report_only
+ reportUri:
+ type: string
+ srcList:
+ type: array
+ items:
+ type: string
+ ContextPolicyRuleCondition:
+ allOf:
+ - $ref: '#/components/schemas/DevicePolicyRuleCondition'
+ - type: object
+ properties:
+ expression:
+ type: string
+ CreateBrandRequest:
+ title: CreateBrandRequest
+ type: object
+ properties:
+ name:
+ type: string
+ description: The name of the Brand
+ required:
+ - name
+ CreateGroupRuleRequest:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/GroupRuleAction'
+ conditions:
+ $ref: '#/components/schemas/GroupRuleConditions'
+ name:
+ type: string
+ description: Name of the Group rule
+ minLength: 1
+ maxLength: 50
+ type:
+ type: string
+ enum:
+ - group_rule
+ CreateIamRoleRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the role
+ label:
+ type: string
+ description: Unique label for the role
+ permissions:
+ type: array
+ description: Array of permissions that the Role grants. See [Permissions](/openapi/okta-management/guides/roles/#permissions).
+ items:
+ $ref: '#/components/schemas/RolePermissionType'
+ required:
+ - label
+ - description
+ - permissions
+ CreateRealmAssignmentRequest:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/Actions'
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ name:
+ type: string
+ priority:
+ type: integer
+ CreateRealmRequest:
+ type: object
+ properties:
+ profile:
+ $ref: '#/components/schemas/RealmProfile'
+ CreateResourceSetRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the Resource Set
+ label:
+ type: string
+ description: Unique name for the Resource Set
+ resources:
+ type: array
+ description: The endpoint (URL) that references all resource objects included in the Resource Set. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn).
+ maximum: 1000
+ items:
+ type: string
+ required:
+ - description
+ - label
+ - resources
+ CreateSessionRequest:
+ type: object
+ properties:
+ sessionToken:
+ type: string
+ description: The session token obtained during authentication
+ CreateUISchema:
+ description: The request body properties for the new UI Schema
+ type: object
+ properties:
+ uiSchema:
+ $ref: '#/components/schemas/UISchemaObject'
+ CreateUpdateIamRolePermissionRequest:
+ type: object
+ properties:
+ conditions:
+ $ref: '#/components/schemas/PermissionConditions'
+ CreateUserRequest:
+ type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/UserCredentials'
+ groupIds:
+ type: array
+ items:
+ type: string
+ profile:
+ $ref: '#/components/schemas/UserProfile'
+ realmId:
+ type: string
+ description:
The ID of the realm in which the user is residing
+ example: guo1bfiNtSnZYILxO0g4
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ type:
+ type: object
+ description: |-
+ The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/).
+ The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can
+ only be assigned a different user type by an administrator through a full replacement (`PUT`) operation.
+ properties:
+ id:
+ type: string
+ description: The ID of the user type
+ required:
+ - profile
+ Created:
+ format: date-time
+ description: Timestamp when the object was created
+ example: '2016-01-03T18:15:47.000Z'
+ type: string
+ readOnly: true
+ CredentialSyncInfo:
+ type: object
+ properties:
+ errorCode:
+ type: string
+ description: The error code for the type of error
+ readOnly: true
+ errorReason:
+ type: string
+ description: A short description of the error
+ readOnly: true
+ secretVersionId:
+ type: string
+ description: The version ID of the password secret from the OPA vault.
+ minLength: 1
+ maxLength: 36
+ example: 9f8400-e29b-41d4-a716-926655440034
+ syncState:
+ $ref: '#/components/schemas/CredentialSyncState'
+ example: NOT_SYNCED
+ syncTime:
+ type: string
+ description: Timestamp when the credential was changed
+ format: date-time
+ readOnly: true
+ example: '2024-06-10T11:30:01.000Z'
+ CredentialSyncState:
+ description: Current credential sync status of the privileged resource
+ type: string
+ x-enumDescriptions:
+ NOT_SYNCED: Credentials are not yet synced
+ SYNCING: Credentials are currently being synced
+ SYNCED: Credentials are successfully synced
+ SYNC_FAILED: Credential sync failed
+ readOnly: true
+ x-okta-known-values:
+ - NOT_SYNCED
+ - SYNCED
+ - SYNCING
+ - SYNC_FAILED
+ Csr:
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/createdProperty'
+ csr:
+ type: string
+ readOnly: true
+ example: 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
+ id:
+ type: string
+ readOnly: true
+ example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ kty:
+ type: string
+ readOnly: true
+ example: RSA
+ _links:
+ $ref: '#/components/schemas/CSRLinks'
+ readOnly: true
+ nullable: false
+ CsrMetadata:
+ type: object
+ properties:
+ subject:
+ $ref: '#/components/schemas/CsrMetadataSubject'
+ subjectAltNames:
+ $ref: '#/components/schemas/CsrMetadataSubjectAltNames'
+ CsrMetadataSubject:
+ type: object
+ properties:
+ commonName:
+ type: string
+ description: Common name of the subject
+ example: SP Issuer
+ countryName:
+ type: string
+ description: Country name or code
+ example: US
+ localityName:
+ type: string
+ description: Locality (city) name
+ example: San Francisco
+ organizationalUnitName:
+ type: string
+ description: Name of the smaller organization, for example, the department or the division
+ example: Dev
+ organizationName:
+ type: string
+ description: Large organization name
+ example: Okta, Inc.
+ stateOrProvinceName:
+ type: string
+ description: State or province name
+ example: California
+ CsrMetadataSubjectAltNames:
+ type: object
+ properties:
+ dnsNames:
+ type: array
+ description: DNS names of the subject
+ items:
+ type: string
+ example: dev.okta.com
+ CsrPublishHrefHints:
+ description: Describes allowed HTTP verbs for the `href`
+ type: object
+ properties:
+ allow:
+ type: array
+ items:
+ type: string
+ enum:
+ - POST
+ CsrSelfHrefHints:
+ description: Describes allowed HTTP verbs for the `href`
+ type: object
+ properties:
+ allow:
+ type: array
+ items:
+ type: string
+ enum:
+ - GET
+ - DELETE
+ CustomAppUserVerificationEnum:
+ description: User verification setting
+ type: string
+ x-okta-known-values:
+ - PREFERRED
+ - REQUIRED
+ CustomRole:
+ title: Custom Role Assignment
+ type: object
+ properties:
+ assignmentType:
+ $ref: '#/components/schemas/RoleAssignmentType'
+ created:
+ type: string
+ description: Timestamp when the object was created
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ description: Binding Object ID
+ readOnly: true
+ label:
+ type: string
+ description: Label for the custom role assignment
+ readOnly: true
+ lastUpdated:
+ type: string
+ description: Timestamp when the object was last updated
+ format: date-time
+ readOnly: true
+ resource-set:
+ type: string
+ description: Resource Set ID
+ readOnly: true
+ role:
+ type: string
+ description: Custom Role ID
+ readOnly: true
+ status:
+ allOf:
+ - $ref: '#/components/schemas/LifecycleStatus'
+ - description: Status of the Custom Role Assignment
+ type:
+ type: string
+ description: CUSTOM for a custom role
+ enum:
+ - CUSTOM
+ _links:
+ $ref: '#/components/schemas/LinksCustomRoleResponse'
+ CustomRoleAssignmentSchema:
+ title: Custom Role
+ type: object
+ properties:
+ resource-set:
+ type: string
+ description: Resource Set ID
+ role:
+ type: string
+ description: Custom Role ID
+ type:
+ type: string
+ description: The type of role. Specify `CUSTOM` for a custom role.
+ enum:
+ - CUSTOM
+ CustomizablePage:
+ type: object
+ properties:
+ pageContent:
+ type: string
+ description: The HTML for the page
+ DNSRecord:
+ description: DNS TXT and CNAME records to be registered for the Domain
+ type: object
+ properties:
+ expiration:
+ description: DNS TXT record expiration
+ type: string
+ fqdn:
+ description: DNS record name
+ type: string
+ example: _oktaverification.login.example.com
+ recordType:
+ $ref: '#/components/schemas/DNSRecordType'
+ values:
+ description: DNS record value
+ type: array
+ items:
+ type: string
+ example:
+ - 79496f234c814638b1cc44f51a782781
+ DNSRecordType:
+ example: TXT
+ type: string
+ x-okta-known-values:
+ - CNAME
+ - TXT
+ DRStatusItem:
+ description: Provides the status whether a domain has been failed over or not
+ type: object
+ properties:
+ domain:
+ type: string
+ description: domain
+ isFailedOver:
+ type: boolean
+ description: Indicates if the domain has been failed over
+ nullable: false
+ DTCChromeOS:
+ description: Google Chrome Device Trust Connector provider
+ type: object
+ properties:
+ allowScreenLock:
+ description: Indicates whether the AllowScreenLock enterprise policy is enabled
+ type: boolean
+ browserVersion:
+ $ref: '#/components/schemas/ChromeBrowserVersion'
+ builtInDnsClientEnabled:
+ description: Indicates if a software stack is used to communicate with the DNS server
+ type: boolean
+ chromeRemoteDesktopAppBlocked:
+ description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy
+ type: boolean
+ deviceEnrollmentDomain:
+ description: Enrollment domain of the customer that is currently managing the device
+ type: string
+ diskEncrypted:
+ description: Indicates whether the main disk is encrypted
+ type: boolean
+ keyTrustLevel:
+ $ref: '#/components/schemas/KeyTrustLevelOSMode'
+ managedDevice:
+ description: Indicates whether the device is enrolled in ChromeOS device management
+ type: boolean
+ osFirewall:
+ description: Indicates whether a firewall is enabled at the OS-level on the device
+ type: boolean
+ osVersion:
+ $ref: '#/components/schemas/OSVersionFourComponents'
+ passwordProtectionWarningTrigger:
+ $ref: '#/components/schemas/PasswordProtectionWarningTrigger'
+ realtimeUrlCheckMode:
+ description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled
+ type: boolean
+ safeBrowsingProtectionLevel:
+ $ref: '#/components/schemas/SafeBrowsingProtectionLevel'
+ screenLockSecured:
+ description: Indicates whether the device is password-protected
+ type: boolean
+ siteIsolationEnabled:
+ description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled
+ type: boolean
+ DTCMacOS:
+ description: Google Chrome Device Trust Connector provider
+ type: object
+ properties:
+ browserVersion:
+ $ref: '#/components/schemas/ChromeBrowserVersion'
+ builtInDnsClientEnabled:
+ description: Indicates if a software stack is used to communicate with the DNS server
+ type: boolean
+ chromeRemoteDesktopAppBlocked:
+ description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy
+ type: boolean
+ deviceEnrollmentDomain:
+ description: Enrollment domain of the customer that is currently managing the device
+ type: string
+ diskEncrypted:
+ description: Indicates whether the main disk is encrypted
+ type: boolean
+ keyTrustLevel:
+ $ref: '#/components/schemas/KeyTrustLevelBrowserKey'
+ osFirewall:
+ description: Indicates whether a firewall is enabled at the OS-level on the device
+ type: boolean
+ osVersion:
+ $ref: '#/components/schemas/OSVersionThreeComponents'
+ passwordProtectionWarningTrigger:
+ $ref: '#/components/schemas/PasswordProtectionWarningTrigger'
+ realtimeUrlCheckMode:
+ description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled
+ type: boolean
+ safeBrowsingProtectionLevel:
+ $ref: '#/components/schemas/SafeBrowsingProtectionLevel'
+ screenLockSecured:
+ description: Indicates whether the device is password-protected
+ type: boolean
+ siteIsolationEnabled:
+ description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled
+ type: boolean
+ DTCWindows:
+ description: Google Chrome Device Trust Connector provider
+ type: object
+ properties:
+ browserVersion:
+ $ref: '#/components/schemas/ChromeBrowserVersion'
+ builtInDnsClientEnabled:
+ description: Indicates if a software stack is used to communicate with the DNS server
+ type: boolean
+ chromeRemoteDesktopAppBlocked:
+ description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy
+ type: boolean
+ crowdStrikeAgentId:
+ description: Agent ID of an installed CrowdStrike agent
+ type: string
+ crowdStrikeCustomerId:
+ description: Customer ID of an installed CrowdStrike agent
+ type: string
+ deviceEnrollmentDomain:
+ description: Enrollment domain of the customer that is currently managing the device
+ type: string
+ diskEncrypted:
+ description: Indicates whether the main disk is encrypted
+ type: boolean
+ keyTrustLevel:
+ $ref: '#/components/schemas/KeyTrustLevelBrowserKey'
+ osFirewall:
+ description: Indicates whether a firewall is enabled at the OS-level on the device
+ type: boolean
+ osVersion:
+ $ref: '#/components/schemas/OSVersionFourComponents'
+ passwordProtectionWarningTrigger:
+ $ref: '#/components/schemas/PasswordProtectionWarningTrigger'
+ realtimeUrlCheckMode:
+ description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled
+ type: boolean
+ safeBrowsingProtectionLevel:
+ $ref: '#/components/schemas/SafeBrowsingProtectionLevel'
+ screenLockSecured:
+ description: Indicates whether the device is password-protected
+ type: boolean
+ secureBootEnabled:
+ description: Indicates whether the device's startup software has its Secure Boot feature enabled
+ type: boolean
+ siteIsolationEnabled:
+ description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled
+ type: boolean
+ thirdPartyBlockingEnabled:
+ description: Indicates whether Chrome is blocking third-party software injection
+ type: boolean
+ windowsMachineDomain:
+ description: Windows domain that the current machine has joined
+ type: string
+ windowsUserDomain:
+ description: Windows domain for the current OS user
+ type: string
+ DateTime:
+ description: An [ISO-8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) formatted date and time.
+ format: date-time
+ example: '2024-12-01T00:00:00Z'
+ type: string
+ DefaultApp:
+ type: object
+ properties:
+ appInstanceId:
+ type: string
+ description: ID for the App instance
+ appLinkName:
+ type: string
+ description: Name for the app instance
+ classicApplicationUri:
+ type: string
+ description: Application URI for classic Orgs
+ DesktopMFAEnforceNumberMatchingChallengeOrgSetting:
+ type: object
+ properties:
+ desktopMFAEnforceNumberMatchingChallengeEnabled:
+ type: boolean
+ description: Indicates whether or not the Desktop MFA Enforce Number Matching Challenge push notifications feature is enabled
+ default: false
+ DesktopMFARecoveryPinOrgSetting:
+ type: object
+ properties:
+ desktopMFARecoveryPinEnabled:
+ type: boolean
+ description: Indicates whether or not the Desktop MFA Recovery PIN feature is enabled
+ default: false
+ DetailedHookKeyInstance:
+ title: DetailedHookKeyInstance
+ description: A key object with public key details
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the key was created
+ readOnly: true
+ nullable: true
+ id:
+ type: string
+ description: The unique Okta ID of this key record
+ readOnly: true
+ nullable: false
+ isUsed:
+ type: string
+ format: boolean
+ description: Whether this key is currently in use by other applications
+ nullable: false
+ readOnly: true
+ keyId:
+ type: string
+ description: The alias of the public key
+ nullable: false
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the key was updated
+ readOnly: true
+ nullable: true
+ name:
+ type: string
+ description: Display name of the key
+ readOnly: false
+ nullable: false
+ minLength: 1
+ maxLength: 255
+ _embedded:
+ $ref: '#/components/schemas/_embedded'
+ DetectedRiskEvents:
+ type: string
+ x-okta-known-values:
+ - ADMIN_REPORTED_USER_RISK
+ - BRUTE_FORCE_ATTACK
+ - ENTITY_CRITICAL_ACTION_FROM_HIGH_THREAT_IP
+ - OKTA_THREAT_INTELLIGENCE
+ - SECURITY_EVENTS_PROVIDER_REPORTED_RISK
+ - SESSION_INFLUENCED_USER_RISK
+ - SUSPICIOUS_APP_ACCESS
+ - USER_REPORTED_SUSPICIOUS_ACTIVITY
+ Device:
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the device was created
+ readOnly: true
+ id:
+ type: string
+ description: Unique key for the device
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the device record was last updated. Updates occur when Okta collects and saves device signals during authentication, and when the lifecycle state of the device changes.
+ readOnly: true
+ profile:
+ $ref: '#/components/schemas/DeviceProfile'
+ resourceAlternateId:
+ type: string
+ readOnly: true
+ resourceDisplayName:
+ $ref: '#/components/schemas/DeviceDisplayName'
+ resourceId:
+ type: string
+ description: Alternate key for the `id`
+ readOnly: true
+ resourceType:
+ type: string
+ default: UDDevice
+ readOnly: true
+ status:
+ $ref: '#/components/schemas/DeviceStatus'
+ _links:
+ $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle'
+ DeviceAccessPolicyRuleCondition:
+ description: Specifies the device condition to match on
+ type: object
+ properties:
+ assurance:
+ $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance'
+ managed:
+ type: boolean
+ description: Indicates if the device is managed. A device is considered managed if it's part of a device management system.
+ registered:
+ type: boolean
+ description: |
+ Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device.
+ When the `managed` property is passed, you must also include the `registered` property and set it to `true`.
+ DeviceAssurance:
+ title: DeviceAssurance
+ type: object
+ properties:
+ createdBy:
+ type: string
+ readOnly: true
+ createdDate:
+ type: string
+ readOnly: true
+ id:
+ type: string
+ readOnly: true
+ lastUpdate:
+ type: string
+ readOnly: true
+ lastUpdatedBy:
+ type: string
+ readOnly: true
+ name:
+ type: string
+ description: Display name of the device assurance policy
+ platform:
+ $ref: '#/components/schemas/Platform'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ discriminator:
+ propertyName: platform
+ mapping:
+ WINDOWS: '#/components/schemas/DeviceAssuranceWindowsPlatform'
+ MACOS: '#/components/schemas/DeviceAssuranceMacOSPlatform'
+ CHROMEOS: '#/components/schemas/DeviceAssuranceChromeOSPlatform'
+ IOS: '#/components/schemas/DeviceAssuranceIOSPlatform'
+ ANDROID: '#/components/schemas/DeviceAssuranceAndroidPlatform'
+ DeviceAssuranceAndroidPlatform:
+ allOf:
+ - $ref: '#/components/schemas/DeviceAssurance'
+ - type: object
+ properties:
+ diskEncryptionType:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/DiskEncryptionTypeAndroid'
+ jailbreak:
+ type: boolean
+ osVersion:
+ $ref: '#/components/schemas/OSVersion'
+ screenLockType:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/ScreenLockType'
+ secureHardwarePresent:
+ type: boolean
+ DeviceAssuranceChromeOSPlatform:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ allOf:
+ - $ref: '#/components/schemas/DeviceAssurance'
+ - type: object
+ properties:
+ thirdPartySignalProviders:
+ type: object
+ description: Settings for third-party signal providers (based on the `CHROMEOS` platform)
+ properties:
+ dtc:
+ $ref: '#/components/schemas/DTCChromeOS'
+ DeviceAssuranceIOSPlatform:
+ allOf:
+ - $ref: '#/components/schemas/DeviceAssurance'
+ - type: object
+ properties:
+ jailbreak:
+ type: boolean
+ osVersion:
+ $ref: '#/components/schemas/OSVersion'
+ screenLockType:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/ScreenLockType'
+ DeviceAssuranceMacOSPlatform:
+ allOf:
+ - $ref: '#/components/schemas/DeviceAssurance'
+ - type: object
+ properties:
+ diskEncryptionType:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/DiskEncryptionTypeDesktop'
+ osVersion:
+ $ref: '#/components/schemas/OSVersion'
+ screenLockType:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/ScreenLockType'
+ secureHardwarePresent:
+ type: boolean
+ thirdPartySignalProviders:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: Settings for third-party signal providers (based on the `MACOS` platform)
+ properties:
+ dtc:
+ $ref: '#/components/schemas/DTCMacOS'
+ DeviceAssuranceWindowsPlatform:
+ allOf:
+ - $ref: '#/components/schemas/DeviceAssurance'
+ - type: object
+ properties:
+ diskEncryptionType:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/DiskEncryptionTypeDesktop'
+ osVersion:
+ $ref: '#/components/schemas/OSVersionFourComponents'
+ osVersionConstraints:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: array
+ description: |
+
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition.
+
+ There are two types of OS requirements:
+ * **Static**: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with `majorVersionConstraint` and `minimum`.
+ * **Dynamic**: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with `majorVersionConstraint` and `dynamicVersionRequirement`.
+
+ > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. The `osVersionConstraints` property is only supported for the Windows platform. You can't specify both `osVersion.minimum` and `osVersionConstraints` properties at the same time.
+ items:
+ $ref: '#/components/schemas/OSVersionConstraint'
+ minItems: 1
+ maxItems: 2
+ screenLockType:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/ScreenLockType'
+ secureHardwarePresent:
+ type: boolean
+ thirdPartySignalProviders:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: Settings for third-party signal providers (based on the `WINDOWS` platform)
+ properties:
+ dtc:
+ $ref: '#/components/schemas/DTCWindows'
+ DeviceCheck:
+ title: DeviceCheck
+ type: object
+ properties:
+ createdBy:
+ type: string
+ readOnly: true
+ description: User who created the Device Check
+ example: 00u217pyf72CdUrBt1c5
+ createdDate:
+ type: string
+ readOnly: true
+ description: Time the Device Check was created
+ example: '2019-10-02T18:03:07.000Z'
+ description:
+ type: string
+ description: Description of the Device Check
+ example: Query macOS devices to check if firewall is enabled
+ id:
+ type: string
+ readOnly: true
+ description: The ID of the Device Check
+ example: dch3m8o4rWhwReDeM1c5
+ lastUpdate:
+ type: string
+ readOnly: true
+ description: Time the Device Check was updated
+ example: '2019-10-02T18:03:07.000Z'
+ lastUpdatedBy:
+ type: string
+ readOnly: true
+ description: User who updated the Device Check
+ example: 00u217pyf72CdUrBt1c5
+ name:
+ type: string
+ description: Display name of the Device Check
+ example: Device Check macOS
+ platform:
+ $ref: '#/components/schemas/DeviceChecksPlatform'
+ query:
+ type: string
+ description: OSQuery for the Device Check
+ example: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;
+ variableName:
+ type: string
+ description: Unique name of the Device Check
+ example: macOSFirewall
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ DeviceChecksPlatform:
+ type: string
+ x-okta-known-values:
+ - MACOS
+ - WINDOWS
+ DeviceDisplayName:
+ description: Display name of the device
+ type: object
+ properties:
+ sensitive:
+ type: boolean
+ value:
+ type: string
+ DeviceIntegrity:
+ description: Indicates how well a device can enforce app integrity
+ type: string
+ x-enumDescriptions:
+ MEETS_BASIC_INTEGRITY: The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services.
+ MEETS_DEVICE_INTEGRITY: The app is running on an Android-powered device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements.
+ MEETS_STRONG_INTEGRITY: The app is running on an Android-powered device with Google Play services. It has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements.
+ x-okta-known-values:
+ - MEETS_BASIC_INTEGRITY
+ - MEETS_DEVICE_INTEGRITY
+ - MEETS_STRONG_INTEGRITY
+ DeviceList:
+ allOf:
+ - $ref: '#/components/schemas/Device'
+ - properties:
+ _embedded:
+ type: object
+ description: List of associated users for the device if the `expand=user` query parameter is specified in the request. Use `expand=userSummary` to get only a summary of each associated user for the device.
+ properties:
+ users:
+ description: Users for the device
+ type: array
+ items:
+ $ref: '#/components/schemas/DeviceUser'
+ readOnly: true
+ DevicePlatform:
+ description: OS platform of the device
+ type: string
+ x-okta-known-values:
+ - ANDROID
+ - IOS
+ - MACOS
+ - WINDOWS
+ DevicePolicyMDMFramework:
+ type: string
+ x-okta-known-values:
+ - AFW
+ - NATIVE
+ - SAFE
+ DevicePolicyPlatformType:
+ type: string
+ x-okta-known-values:
+ - ANDROID
+ - IOS
+ - OSX
+ - WINDOWS
+ DevicePolicyRuleCondition:
+ type: object
+ properties:
+ migrated:
+ type: boolean
+ platform:
+ $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform'
+ rooted:
+ type: boolean
+ trustLevel:
+ $ref: '#/components/schemas/DevicePolicyTrustLevel'
+ DevicePolicyRuleConditionAssurance:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ type: string
+ DevicePolicyRuleConditionPlatform:
+ type: object
+ properties:
+ supportedMDMFrameworks:
+ type: array
+ items:
+ $ref: '#/components/schemas/DevicePolicyMDMFramework'
+ types:
+ type: array
+ items:
+ $ref: '#/components/schemas/DevicePolicyPlatformType'
+ DevicePolicyTrustLevel:
+ type: string
+ x-okta-known-values:
+ - ANY
+ - TRUSTED
+ DeviceProfile:
+ type: object
+ properties:
+ diskEncryptionType:
+ $ref: '#/components/schemas/DiskEncryptionTypeDef'
+ displayName:
+ type: string
+ description: Display name of the device
+ minLength: 1
+ maxLength: 255
+ imei:
+ type: string
+ description: International Mobile Equipment Identity (IMEI) of the device
+ minLength: 14
+ maxLength: 17
+ integrityJailbreak:
+ type: boolean
+ description: Indicates if the device is jailbroken or rooted. Only applicable to `IOS` and `ANDROID` platforms
+ manufacturer:
+ type: string
+ description: Name of the manufacturer of the device
+ maxLength: 127
+ meid:
+ type: string
+ description: Mobile equipment identifier of the device
+ maxLength: 14
+ model:
+ type: string
+ description: Model of the device
+ maxLength: 127
+ osVersion:
+ type: string
+ description: Version of the device OS
+ maxLength: 127
+ platform:
+ $ref: '#/components/schemas/DevicePlatform'
+ registered:
+ type: boolean
+ description: Indicates if the device is registered at Okta
+ secureHardwarePresent:
+ type: boolean
+ description: Indicates if the device contains a secure hardware functionality
+ serialNumber:
+ type: string
+ description: Serial number of the device
+ maxLength: 127
+ sid:
+ type: string
+ description: Windows Security identifier of the device
+ maxLength: 256
+ tpmPublicKeyHash:
+ type: string
+ description: Windows Trusted Platform Module hash value
+ udid:
+ type: string
+ description: macOS Unique Device identifier of the device
+ maxLength: 47
+ required:
+ - displayName
+ - platform
+ - registered
+ DeviceStatus:
+ description: The state object of the device
+ type: string
+ x-enumDescriptions:
+ ACTIVE: Use activated devices to create and delete Device user links
+ DEACTIVATED: Deactivation causes a Device to lose all device user links. Set the Device status to DEACTIVATED before deleting it.
+ SUSPENDED: Use suspended devices to create and delete device user links. You can only unsuspend or deactivate suspended devices.
+ UNSUSPENDED: Returns a suspended Device to ACTIVE.
+ x-okta-known-values:
+ - ACTIVE
+ - DEACTIVATED
+ - SUSPENDED
+ - UNSUSPENDED
+ DeviceUser:
+ type: object
+ properties:
+ created:
+ type: string
+ description: Timestamp when device was created
+ managementStatus:
+ type: string
+ description: The management status of the device
+ enum:
+ - MANAGED
+ - NOT_MANAGED
+ x-enumDescriptions:
+ MANAGED: The device has management software installed
+ NOT_MANAGED: The device doesn't have management software installed
+ screenLockType:
+ type: string
+ description: Screen lock type of the device
+ enum:
+ - NONE
+ - PASSCODE
+ - BIOMETRIC
+ user:
+ $ref: '#/components/schemas/User'
+ DigestAlgorithm:
+ description: Algorithm used to generate the key. Only required for the PBKDF2 algorithm.
+ type: string
+ x-okta-known-values:
+ - SHA256_HMAC
+ - SHA512_HMAC
+ DiskEncryptionTypeAndroid:
+ type: string
+ x-okta-known-values:
+ - FULL
+ - USER
+ DiskEncryptionTypeDef:
+ description: |-
+ Type of encryption used on the device
+ > **Note:** The following values map to Disk Encryption ON: `FULL`, `USER`, `ALL_INTERNAL_VOLUMES`. All other values map to Disk Encryption OFF.
+ type: string
+ x-enumDescriptions:
+ NONE: No encryption has been set.
+ FULL: Disk is fully encrypted. Only applicable to `IOS` and `ANDROID` platforms.
+ USER: Encryption key is tied to the user or profile. Only applicable to `ANDROID` platform.
+ ALL_INTERNAL_VOLUMES: All internal disks are encrypted. Only applicable to `WINDOWS` and `MACOS` platforms.
+ SYSTEM_VOLUME: Only the system volume is encrypted. Only applicable to `WINDOWS` and `MACOS` platforms.
+ x-okta-known-values:
+ - ALL_INTERNAL_VOLUMES
+ - FULL
+ - NONE
+ - SYSTEM_VOLUME
+ - USER
+ DiskEncryptionTypeDesktop:
+ type: string
+ x-okta-known-values:
+ - ALL_INTERNAL_VOLUMES
+ DomainCertificate:
+ description: Defines the properties of the certificate
+ type: object
+ properties:
+ certificate:
+ description: Certificate content
+ type: string
+ example: '"-----BEGIN CERTIFICATE-----\nMIIFNzCCBB+gAwIBAgHTAAXomJWRama3ypu8TIxdA9wzMA0GCSqGSIb3DQEBCwUA\nMDIzCzAJCgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTAyMTAwNTEzMDVaFw0yMTA1MTEwNTEzMDVaMCQxIjAgBgNVBAMT\nGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQC5cyk6x63iBJSWvtgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvc\nqFWxdiW3sh2cItzYtoN1Zfgj5lWGOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQm\npqi9zaP/aKJklk6LdPFbVLGhuZfm34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCl\na2ifFzjz2FCkMMEc/Y0zUyP+en/mbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWg\nCZQq/AZYj9RxR23IIuRcUJ8TQ2pyoc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKr\nIBIo+qyHweifpPYW28ipdSbPjiypAMdpbGLDAgMBAAGjggJTMIICTzAOBgNVHQ8B\nAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB\n/wQCMAAwHQYDVR0OBBYEFPVZKiovtIK4Av/IBUQeLUs29pT6MB8GA1UdIwQYMBaA\nFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcw\nAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMu\naS5sZW5jci5vcmcvMCQGA1UdEQQdMBuCGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAu\ndXMwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF\nBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQC\nBIH0BIHxAO8AdgBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXeK\nkmOsAAAEAwBHMEUCIQDSudPEWXk969BT8yz3ag6BJWCMRU5tefEw9nXEQMsh5gIg\nUmfGIuUlcNNI5PydVIHj+zns+SR8P7zfd3FIxW4gK0QAdQD2XJQv0XcwIhRUGAgw\nlFaO400TGTO/3wwvIAvMTvFk4wAAAXeKkmOlAAAEAwBGMEQCIHQkr2qOGuInvonv\nW4vvdI61nraax5V6SC3E0D2JSO91AiBVhpX4BBafRAh36r7l8LrxAfxBM3CjBmAC\nq8fUrWfIWDANBgkqhkiG9w0BAQsFAAOCAQEAgGDMKXofKpDdv5kkID3s5GrKdzaj\njFmb/6kyqd1E6eGXZAewCP1EF5BVvR6lBP2aRXiZ6sJVZktoIfztZnbxBGgbPHfv\nR3iXIG6fxkklzR9Y8puPMBFadANE/QV78tIRAlyaqeSNsoxHi7ssQjHTP111B2lf\n3KmuTpsruut1UesEJcPReLk/1xTkRx262wAncach5Wp+6GWWduTZYJbsNFyrK1RP\nYQ0qYpP9wt2qR+DGaRUBG8i1XLnZS8pkyxtKhVw/a5Fowt+NqCpEBjjJiWJRSGnG\nNSgRtSXq11j8O4JONi8EXe7cEtvzUiLR5PL3itsK2svtrZ9jIwQ95wOPaA==\n-----END CERTIFICATE-----",'
+ certificateChain:
+ description: Certificate chain
+ type: string
+ example: '"-----BEGIN CERTIFICATE-----\nMIIFPjCCBCbjAwIBAgISA7RikMltj36DkLk1DUzjwfYBMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTEwMTExOTQ3MjRaFw0yMjAxMDkxOTQ3MjNaMCgxJjAkBgNVBAMT\nHWFuaXRhdGVzdHJhaW4uc2lnbWFuZXRjb3JwLnVzMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA40EsG7YrFlsH3XdZKirdKKOC7/cca5g9L4rwyA/PlfeU\nB7mJhbQI/a3yZbtY+GjHmedBx15aPtyq+NFZLOkiRCXx0k2zNIJB4yC6Jr/Yp8C2\nrXO6mrCcuqpX7SuDPBtrfdYcIg8G6m0wjj1V1p2/XR8G//CBe8I2XTaTpHsx/VC8\nMNOAA27aSbeX4Nz6TQ69rFuxRG+neUbcz2hQKwroCsCHi6iBmqRkg19Uh8315Cx2\nBUqY0JecpP42KMiktzIoSlqS9yZSuNQh1kP1tPwkEzbs/t3FrfCnnRx5RDr2pJpV\nnonL3sB3TVotS3nFgPNHCfp65O0Bg/3ZpU9IvUpcdQIDAQABo4ICVjCCAlIwDgYD\nVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\nHRMBAf8EAjAAMB0GA1UdDgQWBBSzWt3Dvp71cKA2Z54ESjjyM4dp+jAfBgNVHSME\nGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB\nBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov\nL3IzLmkubGVuY3Iub3JnLzAoBgNVHREEITAfgh1hbml0YXRlc3RyYWluLnNpZ21h\nbmV0Y29ycC51czBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo\nMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQIGCisG\nAQQB1nkCBAIEgfMEgfAA7gB1AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgia\nN9kTAAABfHEcLqAAAAQDAEYwRAIgMlyQ61FjuIKDfATjz0wfkskChD0csVe0TStq\nmC7NbLACICp3CYMvvDiWt1pr5pzCwTQO8F6v0/qNjmH4mjCutAgyAHUARqVV63X6\nkSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF8cRwvRAAABAMARjBEAiAZd6Vn\n7MLXT7JeIxZrfbNARrf5oCM4UAVjjJeaUhB1MwIgSLW5cVAZvkiwbQW+vIutFjBz\na8cNb/i+nM7RxFW+JPgwDQYJKoZIhvcNAQELBQADggEBAIlHZiHIuOvYFteqpwvR\n0ElqinIpkYsfI+0O5FwHBXz7vMCPGtfdlcX5M10eW3aEBo9lR59mjDMsMufbTb60\nJuSnguelkUoq4WzqjZI+2uy/FTztI5GPpXmXW3IyzbqmCWQt7u8N607g1TYLBaLL\nrbFIhl+LbTJAa//mxI6bb4l/86j/kSjht6U0OIde7ylscb+3MHobbpIWJYp8Jr1D\nubm/0glL46ExnuLbIKojLhDBnG/wHVunB0rJxGh1vPvwD75O1nSIdxuNlVcGwws+\n7wsOyPA1s0VWzrMN1olLMyIPFCwPvfCm1E8Dje1AXMpmyDlqjEoQsoMUH//GKF0S\nTgM=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\nov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\nwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\nLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\nbHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\nsR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\nXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\nFQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\nSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\nPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\nTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\nSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\nc3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\nATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\nb3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\nU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\nMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\nWCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\nhe8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\nDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n-----END CERTIFICATE-----"'
+ privateKey:
+ description: Certificate private key
+ type: string
+ example: '"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0AAQEFAASCBKgwghSkAgEAAoIBAQC5cyk6y63iBJSW\nstgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvcqFWxdiW3sh2cItzYtoN1Zfgj5lWG\nOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQmpqi9zaP/aKJklk6LdPFbVLGhuZfm\n34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCla2ifFzjz2FCkMMEc/Y0zUyP+en/m\nbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWgCZQq/AZYj9RxR23IIuRcUJ8TQ2py\noc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKrIBIo+qyHweifpPYW28ipdSbPjiyp\nAMdpbGLDAgMBAAECggEAUXVfT91z6IqghhKwO8QtC5T/+fN06B8rCYSKj/FFoZL0\n0oTiLFuYwImoCadoUDQUE/Efj0rKE2LSgFHg/44IItQXE01m+5WmHmL1ADxsyoLH\nz9yDosKj7jNM7RyV8F8Bg0pL1hU+rU4rhhL/MaS0mx4eFYjC4UmcWBmXTdelSVJa\nkvXvQLT5y86bqh7tqMjM/kALTWRz5CgNJFk/ONA1yo5RTX9S7SIXimBgAvuGqP8i\nMPEhJou7U3DfzXVfvP8byqNdsZs6ZNhG3wXspl61mRyrY+51SOaNLA7Bkji7x4bH\nNw6mJI0IJTAP9oc1Z8fYeMuxT1bfuD7VOupSP0mAMQKBgQDk+KuyQkmPymeP/Wwu\nII4DUpleVzxTK9obMQQoCEEElbQ6+jTb+8ixP0bWLvBXg/rX734j7OWfn/bljWLH\nXLrSoqQZF1+XMVeY4g4wx9UuTK/D2n791zdOgQivxbIPdWL3a4ap86ar8uyMgJu8\nBLXfFBAOc+9myqUkbeO7wt0e6QKBgQDPV04jPtIJoMrggpQDNreGrANKOmsXWxj4\nOHW13QNdJ2KGQpoTdoqQ8ZmlxuA8Bf2RjHsnB2kgGVTVQR74zRib4MByhvsdhvVm\nF2LNsJoIDfqtv3c+oj13VonRUGuzUeJpwT/snyaL+jQ/ZZcYz0jDgDhIODTcFYj8\nDMSD5SHgywKBgHH6MwWuJ44TNBAiF2qyu959jGjAxf+k0ZI9iRMgYLUWjDvbdtqW\ncCWDGRDfFraJtSEuTz003GzkJPPJuIUC7OCTI1p2HxhU8ITi6itwHfdJJyk4J4TW\nT+qdIqTUpTk6tsPw23zYE3x+lS+viVZDhgEArKl1HpOthh0nMnixnH6ZAoGBAKGn\nV+xy1h9bldFk/TFkP8Jn6ki9MzGKfPVKT7vzDORcCJzU4Hu8OFy5gSmW3Mzvfrsz\n4/CR/oxgM5vwoc0pWr5thJ3GT5K93iYypX3o6q7M91zvonDa3UFl3x2qrc2pUfVS\nDhzWGJ+Z+5JSCnP1aK3EEh18dPoCcELTUYPj6X3xAoGBALAllTb3RCIaqIqk+s3Y\n6KDzikgwGM6j9lmOI2MH4XmCVym4Z40YGK5nxulDh2Ihn/n9zm13Z7ul2DJwgQSO\n0zBc7/CMOsMEBaNXuKL8Qj4enJXMtub4waQ/ywqHIdc50YaPI5Ax8dD/10h9M6Qc\nnUFLNE8pXSnsqb0eOL74f3uQ\n-----END PRIVATE KEY-----"'
+ type:
+ $ref: '#/components/schemas/DomainCertificateType'
+ required:
+ - certificate
+ - certificateChain
+ - privateKey
+ - type
+ DomainCertificateMetadata:
+ description: Certificate metadata for the domain
+ type: object
+ properties:
+ expiration:
+ description: Certificate expiration
+ type: string
+ example: '2021-05-11T05:13:05.000Z'
+ fingerprint:
+ description: Certificate fingerprint
+ type: string
+ example: 73:68:82:7B:83:2E:48:29:A5:5E:E8:40:41:80:B3:AA:03:C4:42:43:05:73:45:BC:AA:47:00:23:A3:70:E5:C4
+ subject:
+ description: Certificate subject
+ type: string
+ example: CN=login.example.com
+ DomainCertificateSourceType:
+ description: Certificate source type that indicates whether the certificate is provided by the user or Okta.
+ type: string
+ x-okta-known-values:
+ - MANUAL
+ - OKTA_MANAGED
+ DomainCertificateType:
+ description: Certificate type
+ type: string
+ x-okta-known-values:
+ - PEM
+ DomainLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ brand:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The associated brand
+ certificate:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The certificate link references the domain certificate
+ verify:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The verify link verifies the domain and transitions the domain status to `VERIFIED`
+ DomainListResponse:
+ description: Defines a list of domains with a subset of the properties for each domain.
+ type: object
+ properties:
+ domains:
+ description: Each element of the array defines an individual domain.
+ type: array
+ items:
+ $ref: '#/components/schemas/DomainResponse'
+ DomainRequest:
+ type: object
+ properties:
+ certificateSourceType:
+ $ref: '#/components/schemas/DomainCertificateSourceType'
+ domain:
+ description: Custom domain name
+ type: string
+ example: login.example.com
+ required:
+ - certificateSourceType
+ - domain
+ DomainResponse:
+ description: The properties that define an individual domain.
+ type: object
+ properties:
+ brandId:
+ description: The ID number of the brand
+ type: string
+ example: bndul904tTZ6kWVhP0g3
+ certificateSourceType:
+ $ref: '#/components/schemas/DomainCertificateSourceType'
+ dnsRecords:
+ type: array
+ items:
+ $ref: '#/components/schemas/DNSRecord'
+ domain:
+ description: Custom domain name
+ type: string
+ example: login.example.com
+ id:
+ description: Unique ID of the domain
+ type: string
+ example: OcDz6iRyjkaCTXkdo0g3
+ publicCertificate:
+ $ref: '#/components/schemas/DomainCertificateMetadata'
+ validationStatus:
+ $ref: '#/components/schemas/DomainValidationStatus'
+ _links:
+ $ref: '#/components/schemas/DomainLinks'
+ DomainValidationStatus:
+ description: Status of the domain
+ example: VERIFIED
+ type: string
+ x-okta-known-values:
+ - COMPLETED
+ - IN_PROGRESS
+ - NOT_STARTED
+ - VERIFIED
+ Duration:
+ type: object
+ properties:
+ number:
+ type: integer
+ unit:
+ type: string
+ DynamicNetworkZone:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZone'
+ - title: Dynamic Network Zone
+ - type: object
+ properties:
+ asns:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneAsns'
+ - description: An array of ASNs for a Network Zone
+ proxyType:
+ type: string
+ description: The proxy type used for a Dynamic Network Zone
+ enum:
+ - 'null'
+ - Any
+ - Tor
+ - NotTorAnonymizer
+ x-enumDescriptions:
+ 'null': (Or `""`) No proxy used
+ Any: Use any proxy type for the Dynamic Zone.
+ Tor: Use Tor Anonymizer proxy for the Dynamic Zone.
+ NotTorAnonymizer: Use a non Tor Anonymizer proxy for the Dynamic Zone.
+ locations:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneLocationArray'
+ - description: An array of geolocations for a Dynamic Network Zone
+ ECKeyJWK:
+ description: Elliptic Curve Key in JWK format, currently used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS objects in fulfillment responses. The currently agreed protocol uses P-384.
+ type: object
+ properties:
+ crv:
+ type: string
+ enum:
+ - P-384
+ kid:
+ type: string
+ description: The unique identifier of the key
+ kty:
+ type: string
+ enum:
+ - EC
+ description: The type of public key
+ use:
+ type: string
+ description: The intended use for the key. The ECKeyJWK is always `enc` because Okta uses it to encrypt requests to Yubico.
+ enum:
+ - enc
+ x:
+ type: string
+ description: The public x coordinate for the elliptic curve point
+ 'y':
+ type: string
+ description: The public y coordinate for the elliptic curve point
+ required:
+ - x
+ - 'y'
+ - kty
+ - crv
+ - use
+ - kid
+ EmailContent:
+ type: object
+ properties:
+ body:
+ type: string
+ description: |
+ The HTML body of the email. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
+
+ Not required if Custom languages for Okta Email Templates is enabled. A `null` body is replaced with a default value from one of the following in priority order:
+
+ 1. An existing default email customization, if one exists
+ 2. Okta-provided translated content for the specified language, if one exists
+ 3. Okta-provided translated content for the brand locale, if it's set
+ 4. Okta-provided content in English
+ subject:
+ type: string
+ description: |
+ The email subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
+
+ Not required if Custom languages for Okta Email Templates is enabled. A `null` subject is replaced with a default value from one of the following in priority order:
+
+ 1. An existing default email customization, if one exists
+ 2. Okta-provided translated content for the specified language, if one exists
+ 3. Okta-provided translated content for the brand locale, if it's set
+ 4. Okta-provided content in English
+ required:
+ - subject
+ - body
+ EmailCustomization:
+ allOf:
+ - $ref: '#/components/schemas/EmailContent'
+ - type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: The UTC time at which this email customization was created.
+ id:
+ type: string
+ readOnly: true
+ description: A unique identifier for this email customization
+ isDefault:
+ type: boolean
+ description: Whether this is the default customization for the email template. Each customized email template must have exactly one default customization. Defaults to `true` for the first customization and `false` thereafter.
+ language:
+ $ref: '#/components/schemas/Language'
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: The UTC time at which this email customization was last updated.
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ self:
+ $ref: '#/components/schemas/HrefObject'
+ template:
+ $ref: '#/components/schemas/HrefObject'
+ preview:
+ $ref: '#/components/schemas/HrefObject'
+ test:
+ $ref: '#/components/schemas/HrefObject'
+ required:
+ - language
+ EmailDefaultContent:
+ allOf:
+ - $ref: '#/components/schemas/EmailContent'
+ - type: object
+ properties:
+ _links:
+ type: object
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ template:
+ $ref: '#/components/schemas/HrefObject'
+ preview:
+ $ref: '#/components/schemas/HrefObject'
+ test:
+ $ref: '#/components/schemas/HrefObject'
+ EmailDomain:
+ allOf:
+ - $ref: '#/components/schemas/BaseEmailDomain'
+ type: object
+ properties:
+ brandId:
+ type: string
+ domain:
+ type: string
+ validationSubdomain:
+ type: string
+ description: Subdomain for the email sender's custom mail domain. Specify your subdomain when you configure a custom mail domain.
+ default: mail
+ required:
+ - domain
+ - brandId
+ EmailDomainDNSRecord:
+ type: object
+ properties:
+ fqdn:
+ type: string
+ recordType:
+ $ref: '#/components/schemas/EmailDomainDNSRecordType'
+ verificationValue:
+ type: string
+ EmailDomainDNSRecordType:
+ type: string
+ x-okta-known-values:
+ - CNAME
+ - TXT
+ EmailDomainResponse:
+ allOf:
+ - $ref: '#/components/schemas/BaseEmailDomain'
+ type: object
+ properties:
+ dnsValidationRecords:
+ type: array
+ items:
+ $ref: '#/components/schemas/EmailDomainDNSRecord'
+ domain:
+ type: string
+ id:
+ type: string
+ validationStatus:
+ $ref: '#/components/schemas/EmailDomainStatus'
+ validationSubdomain:
+ type: string
+ description: The subdomain for the email sender's custom mail domain
+ default: mail
+ EmailDomainResponseWithEmbedded:
+ allOf:
+ - $ref: '#/components/schemas/EmailDomainResponse'
+ type: object
+ properties:
+ _embedded:
+ type: object
+ properties:
+ brands:
+ type: array
+ items:
+ $ref: '#/components/schemas/Brand'
+ readOnly: true
+ EmailDomainStatus:
+ type: string
+ x-okta-known-values:
+ - DELETED
+ - ERROR
+ - NOT_STARTED
+ - POLLING
+ - VERIFIED
+ EmailPreview:
+ type: object
+ properties:
+ body:
+ type: string
+ readOnly: true
+ description: The email's HTML body
+ subject:
+ type: string
+ readOnly: true
+ description: The email's subject
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ contentSource:
+ $ref: '#/components/schemas/HrefObject'
+ template:
+ $ref: '#/components/schemas/HrefObject'
+ test:
+ $ref: '#/components/schemas/HrefObject'
+ defaultContent:
+ $ref: '#/components/schemas/HrefObject'
+ EmailServerListResponse:
+ type: object
+ properties:
+ email-servers:
+ type: array
+ items:
+ $ref: '#/components/schemas/EmailServerResponse'
+ EmailServerPost:
+ allOf:
+ - $ref: '#/components/schemas/EmailServerRequest'
+ - required:
+ - host
+ - port
+ - username
+ - password
+ - alias
+ EmailServerRequest:
+ allOf:
+ - $ref: '#/components/schemas/BaseEmailServer'
+ - properties:
+ password:
+ type: string
+ description: Password used to access your SMTP server
+ EmailServerResponse:
+ allOf:
+ - $ref: '#/components/schemas/BaseEmailServer'
+ - properties:
+ id:
+ type: string
+ description: ID of your SMTP server
+ EmailSettings:
+ type: object
+ properties:
+ recipients:
+ type: string
+ enum:
+ - ALL_USERS
+ - ADMINS_ONLY
+ - NO_USERS
+ required:
+ - recipients
+ EmailSettingsResponse:
+ type: object
+ properties:
+ recipients:
+ type: string
+ enum:
+ - ALL_USERS
+ - ADMINS_ONLY
+ - NO_USERS
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ self:
+ $ref: '#/components/schemas/HrefObject'
+ template:
+ $ref: '#/components/schemas/HrefObject'
+ EmailTemplateResponse:
+ type: object
+ properties:
+ name:
+ type: string
+ readOnly: true
+ description: The name of this email template
+ _embedded:
+ type: object
+ properties:
+ settings:
+ $ref: '#/components/schemas/EmailSettingsResponse'
+ customizationCount:
+ type: integer
+ readOnly: true
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ settings:
+ $ref: '#/components/schemas/HrefObject'
+ defaultContent:
+ $ref: '#/components/schemas/HrefObject'
+ customizations:
+ $ref: '#/components/schemas/HrefObject'
+ test:
+ $ref: '#/components/schemas/HrefObject'
+ EmailTemplateTouchPointVariant:
+ description: |
+ Variant for email templates. You can publish a theme for email templates with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
+ type: string
+ x-enumDescriptions:
+ FULL_THEME: Uses the Okta logo and Okta colors in email templates
+ OKTA_DEFAULT: Uses the logo from the Theme. Uses `primaryColorHex` as the background color for buttons.
+ x-okta-known-values:
+ - FULL_THEME
+ - OKTA_DEFAULT
+ EmailTestAddresses:
+ type: object
+ properties:
+ from:
+ type: string
+ description: Email address that sends test emails
+ example: sender@host.com
+ to:
+ type: string
+ description: Email address that receives test emails
+ example: receiver@host.com
+ required:
+ - from
+ - to
+ EnabledStatus:
+ description: Setting status
+ type: string
+ x-okta-known-values:
+ - DISABLED
+ - ENABLED
+ EndUserDashboardTouchPointVariant:
+ description: |
+ Variant for the Okta End-User Dashboard. You can publish a theme for end-user dashboard with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
+ type: string
+ x-enumDescriptions:
+ FULL_THEME: Uses the logo and favicon from the Theme. Uses `primaryColorHex` for the logo and the side navigation bar background color.
+ LOGO_ON_FULL_WHITE_BACKGROUND: Uses the logo and favicon from the Theme. Uses white background color for the logo and the side navigation bar background color.
+ OKTA_DEFAULT: Uses the Okta logo and favicon. Uses a white background color for the logo and the side navigation bar background color.
+ WHITE_LOGO_BACKGROUND: Uses the logo and favicon from the Theme, with a white background color for the logo. Uses `primaryColorHex` for the side navigation bar background color.
+ x-okta-known-values:
+ - FULL_THEME
+ - LOGO_ON_FULL_WHITE_BACKGROUND
+ - OKTA_DEFAULT
+ - WHITE_LOGO_BACKGROUND
+ EndpointAuthMethod:
+ description: Requested authentication method for OAuth 2.0 endpoints.
+ type: string
+ x-okta-known-values:
+ - client_secret_basic
+ - client_secret_jwt
+ - client_secret_post
+ - none
+ - private_key_jwt
+ EnhancedDynamicNetworkZone:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZone'
+ - title: Enhanced Dynamic Network Zone
+ - type: object
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ properties:
+ asns:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: The list of ASNs associated with an Enhanced Dynamic Network Zone
+ properties:
+ include:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneAsns'
+ - description: An array of ASNs to include for an Enhanced Dynamic Network Zone
+ locations:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: The list of geolocations to include or exclude for an Enhanced Dynamic Network Zone
+ properties:
+ include:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneLocationArray'
+ - description: An array of geolocations to include for an Enhanced Dynamic Network Zone
+ exclude:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneLocationArray'
+ - description: An array of geolocations to exclude for an Enhanced Dynamic Network Zone
+ ipServiceCategories:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: IP services, such as a proxy or VPN, to include or exclude for an Enhanced Dynamic Network Zone
+ properties:
+ include:
+ type: array
+ description: IP services to include for an Enhanced Dynamic Network Zone
+ items:
+ $ref: '#/components/schemas/IPServiceCategory'
+ maximum: 75
+ exclude:
+ type: array
+ description: IP services to exclude for an Enhanced Dynamic Network Zone
+ items:
+ $ref: '#/components/schemas/IPServiceCategory'
+ maximum: 75
+ EnrollmentActivationRequest:
+ description: Enrollment Initialization Request
+ type: object
+ properties:
+ credResponses:
+ description: List of credential responses from the fulfillment provider
+ type: array
+ items:
+ $ref: '#/components/schemas/WebAuthnCredResponse'
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ pinResponseJwe:
+ description: Encrypted JWE of PIN response from the fulfillment provider
+ type: string
+ serial:
+ description: Serial number of the YubiKey
+ type: string
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ version:
+ description: Firmware version of the YubiKey
+ type: string
+ yubicoSigningJwks:
+ description: List of usable signing keys from Yubico (in JWKS format) used to verify the JWS inside the JWE
+ type: array
+ items:
+ $ref: '#/components/schemas/ECKeyJWK'
+ EnrollmentActivationResponse:
+ description: Enrollment Initialization Response
+ type: object
+ properties:
+ authenticatorEnrollmentIds:
+ description: List of IDs for preregistered WebAuthn Factors in Okta
+ type: array
+ items:
+ type: string
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ EnrollmentInitializationRequest:
+ description: Enrollment Initialization Request
+ type: object
+ properties:
+ enrollmentRpIds:
+ description: List of Relying Party hostnames to register on the YubiKey.
+ type: array
+ items:
+ type: string
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ yubicoTransportKeyJWK:
+ $ref: '#/components/schemas/ECKeyJWK'
+ EnrollmentInitializationResponse:
+ description: Yubico Transport Key in the form of a JWK, used to encrypt our fulfillment request to Yubico. The currently agreed protocol uses P-384.
+ type: object
+ properties:
+ credRequests:
+ description: List of credential requests for the fulfillment provider
+ type: array
+ items:
+ $ref: '#/components/schemas/WebAuthnCredRequest'
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ pinRequestJwe:
+ description: Encrypted JWE of PIN request for the fulfillment provider
+ type: string
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ EntitlementValue:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ value:
+ type: string
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ group:
+ $ref: '#/components/schemas/HrefObjectGroupLink'
+ app:
+ $ref: '#/components/schemas/HrefObjectAppLink'
+ resource-set:
+ $ref: '#/components/schemas/HrefObjectResourceSetLink'
+ EntitlementValuesResponse:
+ type: object
+ properties:
+ entitlementValues:
+ type: array
+ items:
+ $ref: '#/components/schemas/EntitlementValue'
+ _links:
+ anyOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ - properties:
+ bundle:
+ $ref: '#/components/schemas/HrefObject'
+ entitlements:
+ $ref: '#/components/schemas/HrefObject'
+ EntityRiskPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported for this policy type.
+ default: null
+ nullable: true
+ EntityRiskPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ type: object
+ description: The action to take based on the risk event
+ properties:
+ entityRisk:
+ type: object
+ description: The object that contains the `actions` array
+ properties:
+ actions:
+ type: array
+ description: The `entityRisk` object's `actions` array can be empty or contain one of two `action` object value pairs. This object determines the specific response to a risk event.
+ items:
+ $ref: '#/components/schemas/EntityRiskPolicyRuleActionsObject'
+ conditions:
+ $ref: '#/components/schemas/EntityRiskPolicyRuleConditions'
+ EntityRiskPolicyRuleActionRunWorkflow:
+ type: object
+ properties:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ workflow:
+ type: object
+ description: This action runs a workflow
+ properties:
+ id:
+ type: integer
+ description: The `id` of the workflow that runs.
+ EntityRiskPolicyRuleActionTerminateAllSessions:
+ type: object
+ properties:
+ action:
+ type: string
+ description: This action revokes or terminates all of the user's active sessions.
+ enum:
+ - TERMINATE_ALL_SESSIONS
+ EntityRiskPolicyRuleActionsObject:
+ type: object
+ properties:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ - TERMINATE_ALL_SESSIONS
+ discriminator:
+ propertyName: action
+ mapping:
+ RUN_WORKFLOW: '#/components/schemas/EntityRiskPolicyRuleActionRunWorkflow'
+ TERMINATE_ALL_SESSIONS: '#/components/schemas/EntityRiskPolicyRuleActionTerminateAllSessions'
+ EntityRiskPolicyRuleConditions:
+ allOf:
+ - type: object
+ properties:
+ entityRisk:
+ $ref: '#/components/schemas/EntityRiskScorePolicyRuleCondition'
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ riskDetectionTypes:
+ $ref: '#/components/schemas/RiskDetectionTypesPolicyRuleCondition'
+ EntityRiskScorePolicyRuleCondition:
+ description: The risk score level of the entity risk policy rule
+ type: object
+ properties:
+ level:
+ type: string
+ enum:
+ - ANY
+ - LOW
+ - MEDIUM
+ - HIGH
+ required:
+ - level
+ Error:
+ title: Error
+ type: object
+ properties:
+ errorCauses:
+ type: array
+ items:
+ $ref: '#/components/schemas/ErrorCause'
+ errorCode:
+ type: string
+ description: An Okta code for this type of error
+ errorId:
+ type: string
+ description: A unique identifier for this error. This can be used by Okta Support to help with troubleshooting.
+ errorLink:
+ type: string
+ description: An Okta code for this type of error
+ errorSummary:
+ type: string
+ description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error.
+ ErrorCause:
+ type: object
+ properties:
+ errorSummary:
+ type: string
+ ErrorPage:
+ allOf:
+ - $ref: '#/components/schemas/CustomizablePage'
+ - type: object
+ properties:
+ contentSecurityPolicySetting:
+ $ref: '#/components/schemas/ContentSecurityPolicySetting'
+ ErrorPageTouchPointVariant:
+ description: |
+ Variant for the error page. You can publish a theme for error page with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
+ type: string
+ x-enumDescriptions:
+ BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme
+ BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the error page.
+ OKTA_DEFAULT: Uses the Okta logo, favicon, and background color
+ x-okta-known-values:
+ - BACKGROUND_IMAGE
+ - BACKGROUND_SECONDARY_COLOR
+ - OKTA_DEFAULT
+ ErrorResponse:
+ type: object
+ properties:
+ errorCause:
+ type: string
+ description: The reason or cause for the error in the org domain for the dr operation
+ nullable: true
+ errorCode:
+ type: string
+ description: An error code unique to the error
+ errorId:
+ type: string
+ description: The unique identifier of this error
+ nullable: true
+ errorLink:
+ type: string
+ description: An indicator where to look out to troubleshoot the error
+ nullable: true
+ errorSummary:
+ type: string
+ description: An error code description, detailing the error
+ required:
+ - errorCode
+ - errorSummary
+ EventHook:
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/EventHookChannel'
+ created:
+ description: Timestamp of the event hook creation
+ type: string
+ format: date-time
+ readOnly: true
+ createdBy:
+ description: The ID of the user who created the event hook
+ type: string
+ readOnly: true
+ description:
+ description: Description of the event hook
+ type: string
+ nullable: true
+ events:
+ $ref: '#/components/schemas/EventSubscriptions'
+ id:
+ type: string
+ description: Unique key for the event hook
+ readOnly: true
+ lastUpdated:
+ description: Date of the last event hook update
+ type: string
+ format: date-time
+ readOnly: true
+ name:
+ description: Display name for the event hook
+ type: string
+ status:
+ description: Status of the event hook
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ readOnly: true
+ verificationStatus:
+ $ref: '#/components/schemas/EventHookVerificationStatus'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ deactivate:
+ $ref: '#/components/schemas/HrefObject'
+ verify:
+ $ref: '#/components/schemas/HrefObject'
+ required:
+ - name
+ - events
+ - channel
+ EventHookChannel:
+ type: object
+ properties:
+ config:
+ $ref: '#/components/schemas/EventHookChannelConfig'
+ type:
+ $ref: '#/components/schemas/EventHookChannelType'
+ version:
+ description: Version of the channel. Currently the only supported version is `1.0.0``.
+ type: string
+ required:
+ - type
+ - config
+ - version
+ EventHookChannelConfig:
+ type: object
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/EventHookChannelConfigAuthScheme'
+ headers:
+ description: |-
+ Optional list of key/value pairs for headers that can be sent with the request to the external service. For example,
+ `X-Other-Header` is an example of an optional header, with a value of `my-header-value`, that you want Okta to pass to your
+ external service.
+ type: array
+ items:
+ $ref: '#/components/schemas/EventHookChannelConfigHeader'
+ method:
+ description: The method of the Okta event hook request
+ type: string
+ readOnly: true
+ uri:
+ description: The external service endpoint called to execute the event hook handler
+ type: string
+ required:
+ - uri
+ EventHookChannelConfigAuthScheme:
+ description: |-
+ The authentication scheme used for this request.
+
+ To use Basic Auth for authentication, set `type` to `HEADER`,
+ `key` to `Authorization`, and `value` to the Base64-encoded string of "username:password". Ensure that you include
+ the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`.
+ type: object
+ properties:
+ key:
+ description: The name for the authorization header
+ type: string
+ type:
+ $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType'
+ value:
+ description: |-
+ The header value. This secret key is passed to your external service endpoint for security verification.
+ This property is not returned in the response.
+ type: string
+ writeOnly: true
+ EventHookChannelConfigAuthSchemeType:
+ description: The authentication scheme type. Currently only supports `HEADER`.
+ type: string
+ x-okta-known-values:
+ - HEADER
+ EventHookChannelConfigHeader:
+ nullable: true
+ type: object
+ properties:
+ key:
+ description: The optional field or header name
+ type: string
+ value:
+ description: The value for the key
+ type: string
+ EventHookChannelType:
+ description: The channel type. Currently supports `HTTP`.
+ type: string
+ x-okta-known-values:
+ - HTTP
+ EventHookFilterMap:
+ description: The object that maps the filter to the event type
+ items:
+ $ref: '#/components/schemas/EventHookFilterMapObject'
+ type: array
+ EventHookFilterMapObject:
+ type: object
+ properties:
+ condition:
+ $ref: '#/components/schemas/EventHookFilterMapObjectCondition'
+ event:
+ type: string
+ description: The filtered event type
+ EventHookFilterMapObjectCondition:
+ type: object
+ properties:
+ expression:
+ type: string
+ description: The Okta Expression language statement that filters the event type
+ version:
+ type: string
+ nullable: true
+ description: Internal field
+ readOnly: true
+ EventHookFilters:
+ nullable: true
+ description: |-
+ The optional filter defined on a specific event type
+
+ > **Note:** Event hook filters is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) to enable.
+ If you want to disable this feature, it's recommended to first remove all event filters.
+ type: object
+ properties:
+ eventFilterMap:
+ $ref: '#/components/schemas/EventHookFilterMap'
+ type:
+ type: string
+ description: The type of filter. Currently only supports `EXPRESSION_LANGUAGE`
+ readOnly: true
+ EventHookSubscribedEventTypes:
+ description: |-
+ The subscribed event types that trigger the event hook. When you register an event hook
+ you need to specify which events you want to subscribe to. To see the list of event types
+ currently eligible for use in event hooks, use the [Event Types catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog)
+ and search with the parameter `event-hook-eligible`.
+ items:
+ type: string
+ type: array
+ EventHookVerificationStatus:
+ description: Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events.
+ type: string
+ readOnly: true
+ x-okta-known-values:
+ - UNVERIFIED
+ - VERIFIED
+ EventSubscriptionType:
+ description: The events object type. Currently supports `EVENT_TYPE`.
+ type: string
+ x-okta-known-values:
+ - EVENT_TYPE
+ EventSubscriptions:
+ type: object
+ properties:
+ filter:
+ $ref: '#/components/schemas/EventHookFilters'
+ items:
+ $ref: '#/components/schemas/EventHookSubscribedEventTypes'
+ type:
+ $ref: '#/components/schemas/EventSubscriptionType'
+ required:
+ - type
+ - items
+ ExpiresAt:
+ format: date-time
+ description: Timestamp when the object expires
+ example: '2016-01-03T18:15:47.000Z'
+ type: string
+ readOnly: true
+ Expression:
+ type: object
+ properties:
+ value:
+ type: string
+ FCMConfiguration:
+ properties:
+ fileName:
+ type: string
+ description: (Optional) File name for Admin Console display
+ projectId:
+ type: string
+ description: Project ID of FCM configuration
+ readOnly: true
+ serviceAccountJson:
+ type: object
+ description: JSON containing the private service account key and service account details. See [Creating and managing service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for more information on creating service account keys in JSON.
+ writeOnly: true
+ FCMPushProvider:
+ allOf:
+ - $ref: '#/components/schemas/PushProvider'
+ - type: object
+ properties:
+ configuration:
+ $ref: '#/components/schemas/FCMConfiguration'
+ FailbackRequestSchema:
+ description: List of domains to failback
+ items:
+ type: string
+ description: Okta or custom domain to failback
+ example: yourOktaDomain.okta.com
+ type: array
+ FailbackResponseSchema:
+ description: successful failback message
+ type: string
+ FailoverRequestSchema:
+ description: List of domains to failover
+ items:
+ type: string
+ description: Okta or custom domain to failover
+ example: yourOktaDomain.okta.com
+ type: array
+ FailoverResponseSchema:
+ description: successful failover message
+ type: string
+ Feature:
+ description: Specifies feature release cycle information
+ type: object
+ properties:
+ description:
+ type: string
+ description: Brief description of the feature and what it provides
+ id:
+ type: string
+ description: Unique identifier for this feature
+ readOnly: true
+ name:
+ type: string
+ description: Name of the feature
+ stage:
+ $ref: '#/components/schemas/FeatureStage'
+ status:
+ $ref: '#/components/schemas/EnabledStatus'
+ type:
+ $ref: '#/components/schemas/FeatureType'
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
- hints:
- allow:
- - GET
- - DELETE
- user:
- href: https://${yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX
- hints:
- allow:
- - GET
- BehaviorRuleRequest:
- value:
- name: My Behavior Rule
- type: VELOCITY
- BehaviorRuleResponse:
- value:
- id: abcd1234
- name: My Behavior Rule
- type: VELOCITY
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ dependents:
+ description: Link to feature dependents
+ type: object
+ readOnly: true
+ properties:
+ href:
+ description: Link URI
+ type: string
+ readOnly: true
+ dependencies:
+ description: Link to feature dependencies
+ type: object
+ readOnly: true
+ properties:
+ href:
+ description: Link URI
+ type: string
+ readOnly: true
+ FeatureLifecycle:
+ example: ENABLE
+ type: string
+ x-okta-known-values:
+ - DISABLE
+ - ENABLE
+ FeatureStage:
+ description: |-
+ Current release cycle stage of a feature
+
+ If a feature's stage value is `EA`, the state is `null` and not returned. If the value is `BETA`, the state is `OPEN` or `CLOSED` depending on whether the `BETA` feature is manageable.
+
+ > **Note:** If a feature's stage is `OPEN BETA`, you can update it only in Preview cells. If a feature's stage is `CLOSED BETA`, you can disable it only in Preview cells.
+ type: object
+ properties:
+ state:
+ $ref: '#/components/schemas/FeatureStageState'
+ value:
+ $ref: '#/components/schemas/FeatureStageValue'
+ FeatureStageState:
+ description: Indicates the release state of the feature
+ type: string
+ x-okta-known-values:
+ - CLOSED
+ - OPEN
+ FeatureStageValue:
+ description: Current release stage of the feature
+ type: string
+ x-okta-known-values:
+ - BETA
+ - EA
+ FeatureType:
+ description: Type of feature
+ type: string
+ x-okta-known-values:
+ - self-service
+ FipsEnum:
+ type: string
+ x-okta-known-values:
+ - OPTIONAL
+ - REQUIRED
+ ForgotPasswordResponse:
+ type: object
+ properties:
+ resetPasswordUrl:
+ type: string
+ readOnly: true
+ FulfillmentData:
+ description: Fulfillment provider details
+ type: object
+ properties:
+ customizationId:
+ description: ID for the set of custom configurations of the requested Factor
+ type: string
+ inventoryProductId:
+ description: ID for the specific inventory bucket of the requested Factor
+ type: string
+ productId:
+ description: ID for the make and model of the requested Factor
+ type: string
+ FulfillmentRequest:
+ description: Fulfillment Request
+ type: object
+ properties:
+ fulfillmentData:
+ $ref: '#/components/schemas/FulfillmentData'
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ GoogleApplication:
+ title: Google Workspace
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: google
+ example:
+ name: google
+ label: Sample Google App
+ signOnMode: SAML_2_0
settings:
- velocityKph: 805
- status: ACTIVE
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
- _link:
- self:
- href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234
- hints:
- allow:
- - GET
- - POST
- - PUT
- - DELETE
- CAPTCHAInstanceRequestHCaptcha:
- value:
- name: myHCaptcha
- secretKey: xxxxxxxxxxx
- siteKey: xxxxxxxxxxx
- type: HCAPTCHA
- CAPTCHAInstanceRequestReCaptcha:
- value:
- name: myReCaptcha
- secretKey: xxxxxxxxxxx
- siteKey: yyyyyyyyyyyyyyy
- type: RECAPTCHA_V2
- CAPTCHAInstanceResponseHCaptcha:
- value:
- id: abcd1234
- name: myHCaptcha
- siteKey: xxxxxxxxxxx
- type: HCAPTCHA
- _link:
- self:
- href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234
- hints:
- allow:
- - GET
- - POST
- - PUT
- - DELETE
- CAPTCHAInstanceResponseReCaptcha:
- value:
- id: abcd4567
- name: myReCaptcha
- siteKey: yyyyyyyyyyyyyyy
- type: RECAPTCHA_V2
- _link:
- self:
- href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
- hints:
- allow:
- - GET
- - POST
- - PUT
- - DELETE
- CreateUpdateEmailCustomizationRequest:
- value:
- language: fr
- subject: Bienvenue dans ${org.name}!
- body: Bonjour ${user.profile.firstName}. Activer le compte
- isDefault: false
- CreateUpdateEmailCustomizationResponse:
- value:
- language: fr
- subject: Bienvenue dans ${org.name}!
- body: Bonjour ${user.profile.firstName}. Activer le compte
- isDefault: false
- id: oel11u6DqUiMbQkpl0g4
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ app:
+ domain: my-company-domain
+ description: |
+ Schema for the Google Workspace app (key name: `google`)
+
+ To create a Google Workspace app, use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Google Workspace app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ enum:
+ - google
+ example: google
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_2_0
+ example: BROWSER_PLUGIN
+ settings:
+ $ref: '#/components/schemas/GoogleApplicationSettings'
+ GoogleApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/GoogleApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ GoogleApplicationSettingsApplication:
+ description: Google app instance properties
+ type: object
+ properties:
+ domain:
+ type: string
+ description: Your Google company domain
+ rpId:
+ type: string
+ description: RPID
+ required:
+ - domain
+ GovernanceBundle:
+ type: object
+ properties:
+ description:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ orn:
+ type: string
+ status:
+ type: string
+ _links:
+ allOf:
+ - properties:
+ entitlements:
+ $ref: '#/components/schemas/HrefObject'
+ GovernanceBundleCreateRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ entitlements:
+ type: array
+ items:
+ $ref: '#/components/schemas/IAMBundleEntitlement'
+ name:
+ type: string
+ GovernanceBundleUpdateRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ entitlements:
+ type: array
+ items:
+ $ref: '#/components/schemas/IAMBundleEntitlement'
+ name:
+ type: string
+ GovernanceBundlesResponse:
+ type: object
+ properties:
+ bundles:
+ type: array
+ items:
+ $ref: '#/components/schemas/GovernanceBundle'
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- template:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- preview:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
- hints:
- allow:
- - GET
- test:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test
- hints:
- allow:
- - POST
- DeviceAssuranceAndroidRequest:
- value:
- name: Device Assurance Android
- osVersion:
- minimum: 12.4.5
- diskEncryptionType:
- include:
- - USER
- - FULL
- jailbreak: false
- platform: ANDROID
- screenLockType:
- include:
- - BIOMETRIC
- secureHardwarePresent: true
- DeviceAssuranceIosRequest:
- value:
- name: Device Assurance IOS
- osVersion:
- minimum: 12.4.5
- jailbreak: false
- platform: IOS
- screenLockType:
- include:
- - BIOMETRIC
- DeviceAssuranceMacOSRequest:
- value:
- name: Device Assurance macOS
- osVersion:
- minimum: 12.4.5
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: MACOS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- DeviceAssuranceResponse:
- value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance Example
- lastUpdate: 2022-01-01T00:00:00.000Z
- createdUpdate: 2022-01-01T00:00:00.000Z
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- osVersion:
- minimum: 12.4.5.9
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: WINDOWS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
+ anyOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ GovernanceSourceType:
+ description: The grant type
+ type: string
+ x-okta-known-values:
+ - CUSTOM
+ - ENTITLEMENT-BUNDLE
+ GrantOrTokenStatus:
+ description: Status
+ example: ACTIVE
+ type: string
+ readOnly: true
+ x-okta-known-values:
+ - ACTIVE
+ - REVOKED
+ GrantResourcesHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants
+ GrantType:
+ description: Determines the mechanism Okta uses to authorize the creation of the tokens.
+ type: string
+ x-okta-known-values:
+ - authorization_code
+ - client_credentials
+ - implicit
+ - interaction_code
+ - password
+ - refresh_token
+ - urn:ietf:params:oauth:grant-type:device_code
+ - urn:ietf:params:oauth:grant-type:jwt-bearer
+ - urn:ietf:params:oauth:grant-type:saml2-bearer
+ - urn:ietf:params:oauth:grant-type:token-exchange
+ - urn:openid:params:grant-type:ciba
+ - urn:okta:params:oauth:grant-type:otp
+ - urn:okta:params:oauth:grant-type:oob
+ - http://auth0.com/oauth/grant-type/mfa-otp
+ - http://auth0.com/oauth/grant-type/mfa-oob
+ GrantTypePolicyRuleCondition:
+ description: Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens.
+ type: object
+ properties:
+ include:
+ type: array
+ description: Array of grant types that this condition includes.
+ items:
+ type: string
+ Group:
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Group was created
+ id:
+ type: string
+ readOnly: true
+ example: 0gabcd1234
+ description: Unique ID for the Group
+ lastMembershipUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Groups memberships were last updated
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Group's Profile was last updated
+ objectClass:
+ type: array
+ readOnly: true
+ description: Determines the Group's `profile`
+ items:
+ type: string
+ profile:
+ $ref: '#/components/schemas/GroupProfile'
+ type:
+ $ref: '#/components/schemas/GroupType'
+ _embedded:
+ type: object
+ description: Embedded resources related to the Group
+ additionalProperties:
+ type: object
+ properties: {}
+ readOnly: true
+ _links:
+ description: '[Discoverable resources](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) related to the Group'
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ apps:
+ $ref: '#/components/schemas/HrefObject'
+ logo:
+ type: array
+ items:
+ $ref: '#/components/schemas/HrefObject'
+ source:
+ $ref: '#/components/schemas/HrefObject'
+ users:
+ $ref: '#/components/schemas/HrefObject'
+ GroupAssignmentProfile:
+ description: |-
+ Specifies the profile properties applied to [Application Users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) that are assigned to the app through group membership.
+ Some reference properties are imported from the target app and can't be configured. See [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response).
+ additionalProperties: true
+ type: object
+ GroupCondition:
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ type: object
+ properties:
+ exclude:
+ type: array
+ description: Groups to be excluded
+ items:
+ type: string
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ required:
+ - exclude
+ - include
+ GroupOwner:
+ type: object
+ properties:
+ displayName:
+ description: The display name of the group owner
+ type: string
+ readOnly: true
+ id:
+ description: The `id` of the group owner
+ type: string
+ lastUpdated:
+ description: Timestamp when the group owner was last updated
+ type: string
+ format: date-time
+ readOnly: true
+ originId:
+ description: The ID of the app instance if the `originType` is `APPLICATION`. This value is `NULL` if `originType` is `OKTA_DIRECTORY`.
+ type: string
+ originType:
+ $ref: '#/components/schemas/GroupOwnerOriginType'
+ resolved:
+ description: If `originType`is APPLICATION, this parameter is set to `FALSE` until the owner’s `originId` is reconciled with an associated Okta ID.
+ type: boolean
+ type:
+ $ref: '#/components/schemas/GroupOwnerType'
+ GroupOwnerOriginType:
+ description: The source where group ownership is managed
+ type: string
+ x-okta-known-values:
+ - APPLICATION
+ - OKTA_DIRECTORY
+ GroupOwnerType:
+ description: The entity type of the owner
+ type: string
+ x-okta-known-values:
+ - GROUP
+ - USER
+ GroupPolicyRuleCondition:
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ type: object
+ properties:
+ exclude:
+ type: array
+ description: Groups to be excluded
+ items:
+ type: string
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ GroupProfile:
+ description: |-
+ Specifies required and optional properties for a Group. The `objectClass` of a Group determines which additional properties are available.
+
+ You can extend Group Profiles with custom properties, but you must first add the properties to the Group Profile schema before you can reference them. Use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to manage schema extensions.
+
+ Custom properties can contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting.
+ anyOf:
+ - $ref: '#/components/schemas/OktaUserGroupProfile'
+ - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile'
+ GroupRule:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/GroupRuleAction'
+ conditions:
+ $ref: '#/components/schemas/GroupRuleConditions'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Creation date for group rule
+ id:
+ type: string
+ readOnly: true
+ description: ID of the group rule
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Date group rule was last updated
+ name:
+ type: string
+ description: Name of the Group rule
+ minLength: 1
+ maxLength: 50
+ status:
+ $ref: '#/components/schemas/GroupRuleStatus'
+ type:
+ type: string
+ description: Type to indicate a Group rule operation. Only `group_rule` is allowed.
+ GroupRuleAction:
+ description: Defines which users and groups to assign
+ type: object
+ properties:
+ assignUserToGroups:
+ $ref: '#/components/schemas/GroupRuleGroupAssignment'
+ GroupRuleConditions:
+ description: Defines group rule conditions
+ type: object
+ properties:
+ expression:
+ $ref: '#/components/schemas/GroupRuleExpression'
+ people:
+ $ref: '#/components/schemas/GroupRulePeopleCondition'
+ GroupRuleExpression:
+ description: Defines Okta specific [group-rules expression](https://developer.okta.com/docs/reference/okta-expression-language/#expressions-in-group-rules)
+ type: object
+ properties:
+ type:
+ type: string
+ description: Expression type. Only valid value is '`urn:okta:expression:1.0`'.
+ value:
+ type: string
+ description: Okta expression that would result in a Boolean value
+ example: user.role==\"Engineer\"
+ GroupRuleGroupAssignment:
+ description: Contains the `groupIds` array
+ type: object
+ properties:
+ groupIds:
+ description: Array of `groupIds` to which Users are added
+ type: array
+ items:
+ type: string
+ GroupRuleGroupCondition:
+ description: Currently not supported
+ type: object
+ properties:
+ exclude:
+ type: array
+ description: Currently not supported
+ items:
+ type: string
+ GroupRulePeopleCondition:
+ description: Defines conditions for `people` in a group rule
+ type: object
+ properties:
+ groups:
+ $ref: '#/components/schemas/GroupRuleGroupCondition'
+ users:
+ $ref: '#/components/schemas/GroupRuleUserCondition'
+ GroupRuleStatus:
+ description: Status of group rule
+ type: string
+ x-okta-known-values:
+ - ACTIVE
+ - INACTIVE
+ - INVALID
+ GroupRuleUserCondition:
+ description: Defines conditions specific to user exclusion
+ type: object
+ properties:
+ exclude:
+ type: array
+ description: Excluded `userIds` when processing rules
+ items:
+ type: string
+ GroupSchema:
+ type: object
+ properties:
+ $schema:
+ readOnly: true
+ type: string
+ description: JSON Schema version identifier
+ created:
+ readOnly: true
+ type: string
+ description: Timestamp when the Schema was created
+ definitions:
+ $ref: '#/components/schemas/GroupSchemaDefinitions'
+ description:
+ type: string
+ description: Description for the Schema
+ id:
+ readOnly: true
+ type: string
+ description: URI of Group Schema
+ lastUpdated:
+ readOnly: true
+ type: string
+ description: Timestamp when the Schema was last updated
+ name:
+ readOnly: true
+ type: string
+ description: Name of the Schema
+ properties:
+ $ref: '#/components/schemas/UserSchemaProperties'
+ description: Group object properties
+ title:
+ type: string
+ description: User-defined display name for the Schema
+ type:
+ readOnly: true
+ type: string
+ description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4)
_links:
- self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
- hints:
- allow:
- - DELETE
- - GET
- - PUT
- DeviceAssuranceWindowsRequest:
- value:
- name: Device Assurance Windows
- osVersion:
- minimum: 12.4.5.9
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: WINDOWS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- EmailCustomizationResponse:
- value:
- language: en
- isDefault: true
- subject: Welcome to ${org.name}!
- body: Hello, ${user.profile.firstName}. Click here to activate your account.
- id: oel11u6DqUiMbQkpl0g4
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ $ref: '#/components/schemas/LinksSelf'
+ x-okta-allow-null-property-value-for-updates: true
+ GroupSchemaAttribute:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the property
+ enum:
+ items:
+ anyOf:
+ - type: string
+ - type: integer
+ type: array
+ nullable: true
+ description: |-
+ Enumerated value of the property.
+
+ The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements.
+ externalName:
+ type: string
+ description: Name of the property as it exists in an external application
+ externalNamespace:
+ type: string
+ description: Namespace from the external application
+ format:
+ description: Identifies the type of data represented by the string
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeFormat'
+ items:
+ $ref: '#/components/schemas/UserSchemaAttributeItems'
+ nullable: true
+ master:
+ description: Identifies where the property is mastered
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMaster'
+ maxLength:
+ type: integer
+ nullable: true
+ description: Maximum character length of a string property
+ minLength:
+ type: integer
+ nullable: true
+ description: Minimum character length of a string property
+ mutability:
+ description: Defines the mutability of the property
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString'
+ oneOf:
+ items:
+ $ref: '#/components/schemas/UserSchemaAttributeEnum'
+ type: array
+ nullable: true
+ description: |-
+ Non-empty array of valid JSON schemas.
+
+ Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format:
+
+ ```
+ {
+ "const": "enumValue",
+ "title": "display name"
+ }
+ ```json
+
+ When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order.
+
+ ```
+ {"enum": ["S","M","L","XL"],
+ "oneOf": [
+ {"const": "S", "title": "Small"},
+ {"const": "M", "title": "Medium"},
+ {"const": "L", "title": "Large"},
+ {"const": "XL", "title": "Extra Large"}
+ ]
+ }
+ ```json
+
+ The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value.
+ permissions:
+ description: Access control permissions for the property
+ items:
+ $ref: '#/components/schemas/UserSchemaAttributePermission'
+ type: array
+ nullable: true
+ required:
+ type: boolean
+ nullable: true
+ description: Determines whether the property is required
+ scope:
+ description: Determines whether a group attribute can be set at the individual or group level
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeScope'
+ title:
+ type: string
+ minLength: 1
+ description: User-defined display name for the property
+ type:
+ description: Type of property
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeType'
+ unique:
+ description: Determines whether property values must be unique
+ type: boolean
+ nullable: true
+ GroupSchemaBase:
+ type: object
+ properties:
+ id:
+ readOnly: true
+ type: string
+ description: The subschema name
+ properties:
+ description: The `#base` object properties
+ allOf:
+ - $ref: '#/components/schemas/GroupSchemaBaseProperties'
+ required:
+ items:
+ type: string
+ type: array
+ description: A collection indicating required property names
+ readOnly: true
+ type:
+ description: The object type
+ type: string
+ readOnly: true
+ GroupSchemaBaseProperties:
+ description: All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. These properties can't be removed or edited, regardless of any attempt to do so.
+ type: object
+ properties:
+ description:
+ description: Human readable description of the Group
+ allOf:
+ - $ref: '#/components/schemas/GroupSchemaAttribute'
+ name:
+ description: Unique identifier for the Group
+ allOf:
+ - $ref: '#/components/schemas/GroupSchemaAttribute'
+ GroupSchemaCustom:
+ description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom`
+ type: object
+ properties:
+ id:
+ readOnly: true
+ type: string
+ description: The subschema name
+ properties:
+ additionalProperties:
+ $ref: '#/components/schemas/GroupSchemaAttribute'
+ type: object
+ description: The `#custom` object properties
+ required:
+ items:
+ type: string
+ type: array
+ description: A collection indicating required property names
+ readOnly: true
+ type:
+ type: string
+ description: The object type
+ readOnly: true
+ GroupSchemaDefinitions:
+ type: object
+ properties:
+ base:
+ $ref: '#/components/schemas/GroupSchemaBase'
+ custom:
+ $ref: '#/components/schemas/GroupSchemaCustom'
+ GroupType:
+ description: Determines how a Group's Profile and memberships are managed
+ type: string
+ x-enumDescriptions:
+ APP_GROUP: Group Profile and memberships are imported and must be managed within the app (such as Active Directory or LDAP) that imported the Group
+ BUILT_IN: Group Profile and memberships are managed by Okta and can't be modified
+ OKTA_GROUP: Group Profile and memberships are directly managed in Okta via static assignments or indirectly through Group rules
+ x-okta-known-values:
+ - APP_GROUP
+ - BUILT_IN
+ - OKTA_GROUP
+ GroupsLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Application Groups](/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) resource
+ HelpLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the app help resource
+ HookKey:
+ title: HookKeyInstance
+ description: |-
+ The `id` property in the response as `id` serves as the unique ID for the key, which you can specify when invoking other CRUD operations.
+
+ The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call.
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the key was created
+ readOnly: true
+ nullable: true
+ id:
+ type: string
+ description: The unique identifier for the key
+ readOnly: true
+ nullable: false
+ isUsed:
+ type: string
+ format: boolean
+ description: Whether this key is currently in use by other applications
+ nullable: false
+ readOnly: true
+ keyId:
+ type: string
+ description: The alias of the public key
+ nullable: false
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the key was updated
+ readOnly: true
+ nullable: true
+ name:
+ type: string
+ description: Display name of the key
+ readOnly: false
+ nullable: false
+ minLength: 1
+ maxLength: 255
+ HostedPage:
+ type: object
+ properties:
+ type:
+ $ref: '#/components/schemas/HostedPageType'
+ url:
+ type: string
+ required:
+ - type
+ HostedPageType:
+ type: string
+ x-okta-known-values:
+ - EXTERNALLY_HOSTED
+ - OKTA_DEFAULT
+ HrefCsrPublishLink:
+ title: Link Object
+ description: Link to publish CSR
+ type: object
+ properties:
+ hints:
+ $ref: '#/components/schemas/CsrPublishHrefHints'
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ required:
+ - href
+ readOnly: true
+ HrefCsrSelfLink:
+ title: Link Object
+ description: Link to the resource (self)
+ type: object
+ properties:
+ hints:
+ $ref: '#/components/schemas/CsrSelfHrefHints'
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ required:
+ - href
+ readOnly: true
+ HrefHints:
+ description: Describes allowed HTTP verbs for the `href`
+ type: object
+ properties:
+ allow:
+ type: array
+ items:
+ $ref: '#/components/schemas/HttpMethod'
+ HrefHintsGuidanceObject:
+ allOf:
+ - $ref: '#/components/schemas/HrefHints'
+ - description: Describes allowed HTTP verbs and guidance for the `href`
+ - type: object
+ properties:
+ guidance:
+ type: array
+ description: |
+ Specifies the URI to invoke for granting scope consent required to complete the OAuth 2.0 connection
+ items:
+ type: string
+ HrefObject:
+ title: Link Object
+ additionalProperties: true
+ type: object
+ properties:
+ hints:
+ $ref: '#/components/schemas/HrefHints'
+ href:
+ type: string
+ description: Link URI
+ name:
+ type: string
+ description: Link name
+ templated:
+ type: boolean
+ description: Indicates whether the Link Object's `href` property is a URI template.
+ type:
+ type: string
+ description: The media type of the link. If omitted, it is implicitly `application/json`.
+ required:
+ - href
+ readOnly: true
+ HrefObjectActivateLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to activate the resource
+ HrefObjectAppLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the app resource
+ HrefObjectAssigneeLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the assignee resource
+ HrefObjectAuthorizeLink:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ description: Link to authorize scopes
+ type: object
+ properties:
+ hints:
+ $ref: '#/components/schemas/HrefHintsGuidanceObject'
+ href:
+ type: string
+ description: Link URI
+ required:
+ - href
+ readOnly: true
+ HrefObjectClientLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the client resource
+ HrefObjectDeactivateLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to deactivate the resource
+ HrefObjectDeleteLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to delete the resource
+ HrefObjectGovernanceResourcesLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the resources
+ HrefObjectGrantAerialConsent:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to grant Okta Aerial access to your Org
+ HrefObjectGroupLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the group resource
+ HrefObjectLogoLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the logo resource
+ HrefObjectMappingsLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the mappings resource
+ HrefObjectMemberLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the member resource
+ HrefObjectPermissionsLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the permissions resource
+ HrefObjectResourceSetLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the resource-set resource
+ HrefObjectRetrieveAerialConsent:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to retrieve Okta Aerial consent for your Org
+ HrefObjectRevokeAerialConsent:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to revoke Okta Aerial consent for your Org
+ HrefObjectRoleLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the role resource
+ HrefObjectRulesLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the rules resource
+ HrefObjectSelfLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the resource (self)
+ HrefObjectSuspendLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to suspend the resource
+ HrefObjectUnsuspendLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to unsuspend the resource
+ HrefObjectUserLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the user resource
+ HttpMethod:
+ type: string
+ x-okta-known-values:
+ - DELETE
+ - GET
+ - POST
+ - PUT
+ IAMBundleEntitlement:
+ type: object
+ properties:
+ resourceSets:
+ type: array
+ items:
+ type: string
+ role:
+ type: string
+ targets:
+ type: array
+ items:
+ type: string
+ IPNetworkZone:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZone'
+ - title: IP Network Zone
+ - type: object
+ properties:
+ gateways:
+ type: array
+ items:
+ $ref: '#/components/schemas/NetworkZoneAddress'
+ description: |-
+ The IP addresses (range or CIDR form) for an IP Network Zone.
+ The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone.
+ proxies:
+ type: array
+ items:
+ $ref: '#/components/schemas/NetworkZoneAddress'
+ nullable: true
+ description: |-
+ The IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses for an IP Network Zone.
+ These proxies are automatically trusted by Threat Insights and used to identify the client IP of a request.
+ The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone.
+ IPServiceCategory:
+ description: An IP service offered by a provider, such as a proxy or VPN
+ type: string
+ x-okta-known-values:
+ - ALL_ANONYMIZERS
+ - ALL_ANONYMIZERS_EXCEPT_TOR
+ - ALL_IP_SERVICES
+ - ALL_PROXIES_VPNS
+ - ANONYMIZER_TOR
+ - APPLE_ICLOUD_RELAY_PROXY
+ - AVAST_VPN
+ - GLOBALPROTECT_VPN
+ - GOOGLE_VPN
+ - MULLVAD_VPN
+ - NORD_VPN
+ - OXYLABS_PROXY
+ - SAMSUNG_VPN
+ - SURFSHARK_VPN
+ - SYMANTEC_VPN
+ - TRENDMICRO_VPN
+ - ULTRASURF_VPN
+ IamRole:
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the role was created
+ readOnly: true
+ description:
+ type: string
+ description: Description of the role
+ id:
+ type: string
+ description: Unique key for the role
+ readOnly: true
+ label:
+ type: string
+ description: Unique label for the role
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the role was last updated
+ readOnly: true
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- template:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- preview:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
- hints:
- allow:
- - GET
- test:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test
- hints:
- allow:
- - POST
- EmailSettingsResponse:
- value:
- recipients: ALL_USERS
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ permissions:
+ $ref: '#/components/schemas/HrefObject'
+ required:
+ - label
+ - description
+ IamRoles:
+ type: object
+ properties:
+ roles:
+ type: array
+ items:
+ $ref: '#/components/schemas/IamRole'
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/settings
- hints:
- allow:
- - GET
- - PUT
- template:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- EmailTemplateDefaultContentResponse:
- value:
- subject: Welcome to ${org.name}!
- body:
Hello, ${user.profile.firstName}. Click here to activate your account.
+ $ref: '#/components/schemas/LinksNext'
+ IdPCertificateCredential:
+ type: object
+ properties:
+ x5c:
+ $ref: '#/components/schemas/X5c'
+ required:
+ - x5c
+ IdPCsr:
+ description: Defines a CSR for a signature or decryption credential for an IdP
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/Created'
+ csr:
+ description: Base64-encoded CSR in DER format
+ type: string
+ readOnly: true
+ example: 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
+ id:
+ description: Unique identifier for the CSR
+ type: string
+ readOnly: true
+ example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ kty:
+ description: Cryptographic algorithm family for the CSR's keypair
+ type: string
+ example: RSA
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content
- hints:
- allow:
- - GET
- template:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- preview:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content/preview
- hints:
- allow:
- - GET
- ErrorAccessDenied:
- value:
- errorCode: E0000006
- errorSummary: You do not have permission to perform the requested action
- errorLink: E0000006
- errorId: sampleNUSD_8fdkFd8fs8SDBK
- errorCauses: []
- ErrorApiValidationFailed:
- value:
- errorCode: E0000001
- errorSummary: 'Api validation failed: {0}'
- errorLink: E0000001
- errorId: sampleiCF-8D5rLW6myqiPItW
- errorCauses: []
- ErrorCAPTCHALimitOfOne:
- value:
- errorCode: E0000165
- errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org.
- errorLink: E0000165
- errorId: oaejrB1fWL1S7mc-2KcG-SOtw
- errorCauses: []
- ErrorCAPTCHAOrgWideSetting:
- value:
- errorCode: E0000149
- errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed.
- errorLink: E0000149
- errorId: samplezsusshPdiTWiITwqBt8
- errorCauses: []
- ErrorCreateUserWithExpiredPasswordWithNullPassword:
- value:
- errorCode: E0000124
- errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified
- errorLink: E0000124
- errorId: oaeXxuZgXBySvqi1FvtkwoYCA
- errorCauses:
- - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified
- ErrorCreateUserWithExpiredPasswordWithoutActivation:
- value:
- errorCode: E0000125
- errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true
- errorLink: E0000125
- errorId: oaeDd77L9R-TJaD7j_rXsQ31w
- errorCauses:
- - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true
- ErrorCreateUserWithTooManyManyGroupsResponse:
- value:
- errorCode: E0000093
- errorSummary: Target count limit exceeded
- errorLink: E0000093
- errorId: oaePVSLIYnIQsC0B-ptBIllVA
- errorCauses:
- - errorSummary: The number of group targets is too large.
- ErrorDeviceAssuranceInUse:
- value:
- errorSummary: Device assurance is in use and cannot be deleted.
- errorId: oaenwA1ra80S9W-pvbh4m6haA
- errorCauses: []
- ErrorEmailCustomizationCannotClearDefault:
- value:
- errorCode: E0000185
- errorSummary: The isDefault parameter of the default email template customization can't be set to false.
- errorLink: E0000185
- errorId: oaejrB1fWL1S7mc-2KcG-SOtw
- errorCauses: []
- ErrorEmailCustomizationCannotDeleteDefault:
- value:
- errorCode: E0000184
- errorSummary: A default email template customization can't be deleted.
- errorLink: E0000184
- errorId: oaeAdRqprFuTyKokyYPbURJkA
- errorCauses: []
- ErrorEmailCustomizationDefaultAlreadyExists:
- value:
- errorCode: E0000182
- errorSummary: A default email template customization already exists.
- errorLink: E0000182
- errorId: oaeXYwTiMvASsC3O4HCzjFaCA
- errorCauses: []
- ErrorEmailCustomizationLanguageAlreadyExists:
- value:
- errorCode: E0000183
- errorSummary: An email template customization for that language already exists.
- errorLink: E0000183
- errorId: oaeUcGELffqRay0u1OPdnPypw
- errorCauses: []
- ErrorInvalidEmailTemplateRecipients:
- value:
- errorCode: E0000189
- errorSummary: This template does not support the recipients value.
- errorLink: E0000189
- errorId: oae8L1-UkcNTeGi5xVQ28_lww
- errorCauses: []
- ErrorPushProviderUsedByCustomAppAuthenticator:
- value:
- errorCode: E0000187
- errorSummary: Cannot delete push provider because it is being used by a custom app authenticator.
- errorLink: E0000187
- errorId: oaenwA1ra80S9W-pvbh4m6haA
- errorCauses: []
- ErrorResourceNotFound:
- value:
- errorCode: E0000007
- errorSummary: 'Not found: {0}'
- errorLink: E0000007
- errorId: sampleMlLvGUj_YD5v16vkYWY
- errorCauses: []
- ErrorTooManyRequests:
- value:
- errorCode: E0000047
- errorSummary: You exceeded the maximum number of requests. Try again in a while.
- errorLink: E0000047
- errorId: sampleQPivGUj_ND5v78vbYWW
- errorCauses: []
- GetEmailTemplateResponse:
- value:
- name: UserActivation
+ type: object
+ additionalProperties: true
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ publish:
+ description: Publish the CSR
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ IdPCsrPkcs10:
+ description: Base64URL-encoded CSR in DER format
+ format: base64
+ type: string
+ IdPKeyCredential:
+ description: A [JSON Web Key](https://tools.ietf.org/html/rfc7517) for a signature or encryption credential for an IdP
+ additionalProperties: true
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/Created'
+ e:
+ description: The exponent value for the RSA public key
+ type: string
+ example: AQAB
+ expiresAt:
+ $ref: '#/components/schemas/ExpiresAt'
+ kid:
+ description: Unique identifier for the key
+ type: string
+ example: your-key-id
+ kty:
+ description: 'Identifies the cryptographic algorithm family used with the key (Supported value: `RSA`)'
+ type: string
+ example: RSA
+ lastUpdated:
+ $ref: '#/components/schemas/LastUpdated'
+ 'n':
+ description: The modulus value for the RSA public key
+ type: string
+ example: '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ use:
+ description: 'Intended use of the public key (Supported value: `sig`)'
+ type: string
+ example: sig
+ x5c:
+ $ref: '#/components/schemas/X5c'
+ x5t#S256:
+ description: Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate
+ type: string
+ example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ IdentityProvider:
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/Created'
+ id:
+ type: string
+ readOnly: true
+ description: Unique key for the IdP
+ example: 0oaWma58liwx40w6boYD
+ issuerMode:
+ $ref: '#/components/schemas/IdentityProviderIssuerMode'
+ lastUpdated:
+ $ref: '#/components/schemas/LastUpdated'
+ name:
+ type: string
+ maxLength: 100
+ description: Unique name for the IdP
+ example: Sample Identity Provider
+ policy:
+ $ref: '#/components/schemas/IdentityProviderPolicy'
+ properties:
+ $ref: '#/components/schemas/IdentityProviderProperties'
+ protocol:
+ description: IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages
+ oneOf:
+ - $ref: '#/components/schemas/ProtocolSaml'
+ - $ref: '#/components/schemas/ProtocolOAuth'
+ - $ref: '#/components/schemas/ProtocolOidc'
+ - $ref: '#/components/schemas/ProtocolMtls'
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ type:
+ $ref: '#/components/schemas/IdentityProviderType'
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- settings:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/settings
- hints:
- allow:
- - GET
- - PUT
- defaultContent:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content
- hints:
- allow:
- - GET
- customizations:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations
- hints:
- allow:
- - GET
- - POST
- - DELETE
- test:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test
- hints:
- allow:
- - POST
- ListEmailCustomizationResponse:
- value:
- - language: en
- isDefault: true
- subject: Welcome to ${org.name}!
- body:
Hello, ${user.profile.firstName}. Click here to activate your account.
- id: oel11u6DqUiMbQkpl0g4
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
- _links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- template:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- preview:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
- hints:
- allow:
- - GET
- test:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test
- hints:
- allow:
- - POST
- ListEmailTemplateResponse:
- value:
- - name: UserActivation
- _links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- settings:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/settings
- hints:
- allow:
- - GET
- - PUT
- defaultContent:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content
- hints:
- allow:
- - GET
- customizations:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations
- hints:
- allow:
- - GET
- - POST
- - DELETE
- test:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test
- hints:
- allow:
- - POST
- ListUsersResponse:
- value:
- - id: 00u118oQYT4TBGuay0g4
- status: ACTIVE
- created: 2022-04-04T15:56:05.000Z
- activated: null
- statusChanged: null
- lastLogin: 2022-05-04T19:50:52.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- passwordChanged: 2022-04-04T16:00:22.000Z
- type:
- id: oty1162QAr8hJjTaq0g4
- profile:
- firstName: Alice
- lastName: Smith
- mobilePhone: null
- secondEmail: null
- login: alice.smith@example.com
- email: alice.smith@example.com
- credentials:
- password: {}
- provider:
- type: OKTA
- name: OKTA
- _links:
- self:
- href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
- PreviewEmailCustomizationResponse:
- value:
- subject: Welcome to Okta!
- body:
Hello, John. Click here to activate your account.
+ type: object
+ additionalProperties: true
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ acs:
+ description: SAML 2.0 Assertion Consumer Service URL for the Okta SP
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ authorize:
+ description: OAuth 2.0 authorization endpoint for the IdP OAuth 2.0 Authorization Code flow
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ clientRedirectUri:
+ description: Redirect URI for the OAuth 2.0 Authorization Code flow
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ metadata:
+ description: 'Federation metadata document for the IdP (for example: SAML 2.0 Metadata)'
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ users:
+ description: IdP users
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ description: Deactivate IdP
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ activate:
+ description: Activate IdP
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ keys:
+ description: IdP keys
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ IdentityProviderApplicationUser:
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/Created'
+ externalId:
+ type: string
+ description: Unique IdP-specific identifier for the User
+ readOnly: true
+ maxLength: 512
+ example: saml.jackson@example.com
+ id:
+ type: string
+ description: Unique key of the User
+ readOnly: true
+ lastUpdated:
+ $ref: '#/components/schemas/LastUpdated'
+ profile:
+ type: object
+ description: |-
+ IdP-specific profile for the User.
+
+ Identity Provider User profiles are IdP-specific but may be customized by the Profile Editor in the Admin Console.
+
+ > **Note:** Okta variable names have reserved characters that may conflict with the name of an IdP assertion attribute. You can use the **External name** to define the attribute name as defined in an IdP assertion such as a SAML attribute name.
+ additionalProperties:
+ type: object
+ properties: {}
+ example:
+ lastName: Jackson
+ subjectNameQualifier: example.com
+ subjectSpNameQualifier: urn:federation:example
+ authnContextClassRef: null
+ subjectNameId: saml.jackson@example.com
+ subjectConfirmationAddress: null
+ displayName: Saml Jackson
+ mobilePhone: +1-415-555-5141
+ email: saml.jackson@example.com
+ subjectNameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ firstName: Saml
+ subjectSpProvidedId: null
+ subjectConfirmationMethod: null
+ _embedded:
+ type: object
+ description: Embedded resources related to the IdP User
+ additionalProperties:
+ type: object
+ properties: {}
+ readOnly: true
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview
- hints:
- allow:
- - GET
- template:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- test:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test
- hints:
- allow:
- - POST
- PreviewEmailTemplateDefaultContentResponse:
- value:
- subject: Welcome to Okta!
- body:
Hello, John. Click here to activate your account.
+ type: object
+ additionalProperties: true
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ - properties:
+ idp:
+ description: The IdP instance
+ example:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa1k5d68qR2954hb0g4
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ user:
+ description: The linked Okta User
+ example:
+ href: https://{yourOktaDomain}/api/v1/users/00ulwodIu7wCfdiVR0g3
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ IdentityProviderIssuerMode:
+ description: Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP
+ default: DYNAMIC
+ type: string
+ x-enumDescriptions:
+ ORG_URL: In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (`https://${yourOktaDomain}`) as the domain in the `redirect_uri`.
+ CUSTOM_URL: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri`. You can set `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain configured.
+ DYNAMIC: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri` if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain.
+ x-okta-known-values:
+ - CUSTOM_URL
+ - DYNAMIC
+ - ORG_URL
+ IdentityProviderPolicy:
+ description: |-
+ Policy settings for the IdP.
+ The following provisioning and account linking actions are supported by each IdP provider:
+ | IdP type | User provisioning actions | Group provisioning actions | Account link actions | Account link filters |
+ | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- |
+ | `SAML2` | `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED` | `groups` |
+ | `X509` | `DISABLED` | No support for JIT provisioning | | |
+ | All social IdP types (any IdP type that isn't `SAML2` or `X509`) | `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | `AUTO`, `DISABLED` | `groups` |
+ allOf:
+ - type: object
+ properties:
+ accountLink:
+ $ref: '#/components/schemas/PolicyAccountLink'
+ maxClockSkew:
+ type: integer
+ description: Maximum allowable clock skew when processing messages from the IdP
+ example: 120000
+ provisioning:
+ $ref: '#/components/schemas/Provisioning'
+ subject:
+ $ref: '#/components/schemas/PolicySubject'
+ IdentityProviderPolicyProvider:
+ type: string
+ x-okta-known-values:
+ - ANY
+ - OKTA
+ - SPECIFIC_IDP
+ IdentityProviderPolicyRuleCondition:
+ type: object
+ properties:
+ idpIds:
+ type: array
+ items:
+ type: string
+ provider:
+ $ref: '#/components/schemas/IdentityProviderPolicyProvider'
+ IdentityProviderProperties:
+ nullable: true
+ description: The properties in the Identity Provider Properties object vary depending on the IdP type
+ type: object
+ properties:
+ aalValue:
+ type: string
+ nullable: true
+ description: |-
+ The [authentication assurance level](https://developers.login.gov/oidc/#aal-values) (AAL) value for the Login.gov IdP.
+ See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types.
+ additionalAmr:
+ type: array
+ description: The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to `X509` IdP type.
+ nullable: true
+ items:
+ type: string
+ enum:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ x-enumDescriptions:
+ sc: Smart card
+ hwk: Hardware-secured key
+ pin: Personal identification number
+ mfa: Multifactor authentication
+ ialValue:
+ type: string
+ nullable: true
+ description: |-
+ The [type of identity verification](https://developers.login.gov/oidc/#ial-values) (IAL) value for the Login.gov IdP.
+ See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types.
+ IdentityProviderType:
+ description: |-
+ The Identity Provider object's `type` property identifies the social or enterprise Identity Provider used for authentication.
+ Each Identity Provider uses a specific protocol, therefore the `protocol` property must correspond with the IdP `type`.
+ If the protocol is OAuth 2.0-based, the Protocol object's `scopes` property must also correspond with the scopes supported by the IdP `type`.
+ For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request).
+
+ | Type | Description | Corresponding protocol | Corresponding protocol scopes |
+ | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -------------------------------------------------------------------- |
+ | `AMAZON` | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as the Identity Provider | OpenID Connect | `profile`, `profile:user_id` |
+ | `APPLE` | [Apple](https://developer.apple.com/sign-in-with-apple/) as the Identity Provider | OpenID Connect | `names`, `email`, `openid` |
+ | `DISCORD` | [Discord](https://discord.com/login) as the Identity Provider | OAuth 2.0 | `identify`, `email` |
+ | `FACEBOOK` | [Facebook](https://developers.facebook.com) as the Identity Provider | OAuth 2.0 | `public_profile`, `email` |
+ | `GITHUB` | [GitHub](https://github.com/join) as the Identity Provider | OAuth 2.0 | `user` |
+ | `GITLAB` | [GitLab](https://gitlab.com/users/sign_in) as the Identity Provider | OpenID Connect | `openid`, `read_user`, `profile`, `email` |
+ | `GOOGLE` | [Google](https://accounts.google.com/signup) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` |
+ | `LINKEDIN` | [LinkedIn](https://developer.linkedin.com/) as the Identity Provider | OAuth 2.0 | `r_emailaddress`, `r_liteprofile` |
+ | `LOGINGOV` | [Login.gov](https://developers.login.gov/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` |
+ | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` |
+ | `MICROSOFT` | [Microsoft Enterprise SSO](https://azure.microsoft.com/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` |
+ | `OIDC` | IdP provider that supports [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | OpenID Connect | `openid`, `email`, `profile` |
+ | `PAYPAL` | [Paypal](https://www.paypal.com/signin) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` |
+ | `PAYPAL_SANDBOX` | [Paypal Sandbox](https://developer.paypal.com/tools/sandbox/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` |
+ | `SALESFORCE` | [SalesForce](https://login.salesforce.com/) as the Identity Provider | OAuth 2.0 | `id`, `email`, `profile` |
+ | `SAML2` | Enterprise IdP provider that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) | SAML 2.0 | |
+ | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as the Identity Provider | OpenID Connect | `user-read-email`, `user-read-private` |
+ | `X509` | [Smart Card IdP](https://tools.ietf.org/html/rfc5280) | Mutual TLS | |
+ | `XERO` | [Xero](https://www.xero.com/us/signup/api/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` |
+ | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` |
+ | `YAHOOJP` | [Yahoo Japan](https://login.yahoo.co.jp/config/login) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` |
+ type: string
+ x-okta-known-values:
+ - AMAZON
+ - APPLE
+ - DISCORD
+ - FACEBOOK
+ - GITHUB
+ - GITLAB
+ - GOOGLE
+ - LINKEDIN
+ - LOGINGOV
+ - LOGINGOV_SANDBOX
+ - MICROSOFT
+ - OIDC
+ - PAYPAL
+ - PAYPAL_SANDBOX
+ - SALESFORCE
+ - SAML2
+ - SPOTIFY
+ - X509
+ - XERO
+ - YAHOO
+ - YAHOOJP
+ IdentitySourceSession:
+ type: object
+ properties:
+ created:
+ type: string
+ description: The timestamp when the Identity Source Session was created
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ description: The ID of the Identity Source Session
+ readOnly: true
+ identitySourceId:
+ type: string
+ description: The ID of the custom Identity Source for which the session is created
+ readOnly: true
+ importType:
+ type: string
+ description: The type of import. All imports are `INCREMENTAL` imports.
+ readOnly: true
+ lastUpdated:
+ type: string
+ description: The timestamp when the Identity Source Session was created
+ format: date-time
+ readOnly: true
+ status:
+ $ref: '#/components/schemas/IdentitySourceSessionStatus'
+ IdentitySourceSessionStatus:
+ type: string
+ x-enumDescriptions:
+ CREATED: This is a new Identity Source Session that hasn't been processed. You can upload bulk data in this stage.
+ IN_PROGRESS: The bulk data is being uploaded to Okta.
+ TRIGGERED: Okta is processing the import data in this session. You can't load bulk data in this stage.
+ COMPLETED: The bulk data was processed and imported into Okta.
+ CLOSED: The Identity Source Session was canceled and isn't available for further activity.
+ EXPIRED: This Identity Source Session had the `CREATED` status and timed-out after 24 hours of inactivity.
+ ERROR: The processing of import data in the session encountered an error. You need to open a new session to upload the data again.
+ x-okta-known-values:
+ - CLOSED
+ - COMPLETED
+ - CREATED
+ - ERROR
+ - EXPIRED
+ - IN_PROGRESS
+ - TRIGGERED
+ IdentitySourceUserProfileForDelete:
+ type: object
+ properties:
+ externalId:
+ type: string
+ description: The external ID of the entity that needs to be deleted in Okta
+ maxLength: 512
+ IdentitySourceUserProfileForUpsert:
+ type: object
+ properties:
+ email:
+ type: string
+ format: email
+ description: Email address of the user
+ minLength: 5
+ maxLength: 100
+ firstName:
+ type: string
+ description: First name of the user
+ minLength: 1
+ maxLength: 50
+ nullable: true
+ homeAddress:
+ type: string
+ description: Home address of the user
+ maxLength: 4096
+ nullable: true
+ lastName:
+ type: string
+ description: Last name of the user
+ minLength: 1
+ maxLength: 50
+ nullable: true
+ mobilePhone:
+ type: string
+ description: Mobile phone number of the user
+ maxLength: 100
+ nullable: true
+ secondEmail:
+ type: string
+ description: Alternative email address of the user
+ format: email
+ minLength: 5
+ maxLength: 100
+ userName:
+ type: string
+ description: Username of the user
+ maxLength: 100
+ IdpDiscoveryPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported for this policy type.
+ default: null
+ nullable: true
+ IdpDiscoveryPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/IdpPolicyRuleAction'
+ conditions:
+ $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition'
+ IdpDiscoveryPolicyRuleCondition:
+ allOf:
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition'
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ userIdentifier:
+ $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition'
+ platform:
+ $ref: '#/components/schemas/PlatformPolicyRuleCondition'
+ IdpPolicyRuleAction:
+ type: object
+ properties:
+ idp:
+ type: object
+ properties:
+ providers:
+ items:
+ $ref: '#/components/schemas/IdpPolicyRuleActionProvider'
+ type: array
+ description: List of configured Identity Providers that a given Rule can route to. Ability to define multiple providers is a part of the Okta Identity Engine. This allows users to choose a Provider when they sign in. Contact support for information on the Identity Engine.
+ idpSelectionType:
+ description: Determines whether the rule should use expression language or a specific IdP
+ $ref: '#/components/schemas/IdpSelectionType'
+ matchCriteria:
+ items:
+ $ref: '#/components/schemas/IdpPolicyRuleActionMatchCriteria'
+ type: array
+ description: Required if `idpSelectionType` is set to `DYNAMIC`
+ IdpPolicyRuleActionMatchCriteria:
+ type: object
+ properties:
+ propertyName:
+ type: string
+ description: The IdP property that the evaluated string should match to
+ providerExpression:
+ type: string
+ description: |
+ You can provide an Okta Expression Language expression with the Login Context that's evaluated with the IdP. For example, the value `login.identifier` refers to the user's username. If the user is signing in with the username `john.doe@mycompany.com`, the expression `login.identifier.substringAfter(@))` is evaluated to the domain name of the user, for example: `mycompany.com`.
+ IdpPolicyRuleActionProvider:
+ type: object
+ properties:
+ id:
+ type: string
+ description: IdP types of `OKTA`, `AgentlessDSSO`, and `IWA` don't require an ID.
+ name:
+ type: string
+ description: Provider `name` in Okta. Optional. Supported in `IDENTITY ENGINE`.
+ type:
+ $ref: '#/components/schemas/IdentityProviderType'
+ IdpSelectionType:
+ description: Determines whether the rule should use expression language or a specific IdP
+ type: string
+ x-okta-known-values:
+ - DYNAMIC
+ - SPECIFIC
+ IframeEmbedScopeAllowedApps:
+ type: string
+ x-okta-known-values:
+ - OKTA_ENDUSER
+ ImageUploadResponse:
+ type: object
+ properties:
+ url:
+ readOnly: true
+ type: string
+ ImportScheduleObject:
+ description: Import schedule configuration
+ type: object
+ properties:
+ fullImport:
+ allOf:
+ - $ref: '#/components/schemas/ImportScheduleSettings'
+ - description: Determines the full import schedule
+ incrementalImport:
+ allOf:
+ - $ref: '#/components/schemas/ImportScheduleSettings'
+ - description: Determines the incremental import schedule
+ status:
+ $ref: '#/components/schemas/EnabledStatus'
+ ImportScheduleSettings:
+ type: object
+ properties:
+ expression:
+ type: string
+ description: The import schedule in UNIX cron format
+ example: 00 21 * * Mon,Thu,Fri,Sat
+ timezone:
+ type: string
+ description: The import schedule time zone in Internet Assigned Numbers Authority (IANA) time zone name format
+ minLength: 1
+ maxLength: 64
+ example: America/Los_Angeles
+ required:
+ - expression
+ ImportUsernameObject:
+ description: Determines the Okta username for the imported user
+ type: object
+ properties:
+ userNameExpression:
+ type: string
+ description: For `usernameFormat=CUSTOM`, specifies the Okta Expression Language statement for a username format that imported users use to sign in to Okta
+ usernameFormat:
+ type: string
+ description: Determines the username format when users sign in to Okta
+ default: EMAIL
+ enum:
+ - EMAIL
+ - CUSTOM
+ required:
+ - usernameFormat
+ InactivityPolicyRuleCondition:
+ type: object
+ properties:
+ number:
+ type: integer
+ unit:
+ type: string
+ InboundProvisioningApplicationFeature:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationFeature'
+ - type: object
+ - properties:
+ capabilities:
+ $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject'
+ InlineHook:
+ description: An inline hook object that specifies the details of the inline hook
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/InlineHookChannel'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Date of the inline hook creation
+ id:
+ type: string
+ readOnly: true
+ description: The unique identifier for the inline hook
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Date of the last inline hook update
+ name:
+ type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
+ status:
+ $ref: '#/components/schemas/InlineHookStatus'
+ type:
+ $ref: '#/components/schemas/InlineHookType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ readOnly: true
_links:
- self:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/default-content/preview
- hints:
- allow:
- - GET
- template:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- defaultContent:
- href: https://${yourOktaDomain}/api/v1/brands/${brandId}/templates/email/UserActivation/test/default-content
- hints:
- allow:
- - POST
- PrincipalRateLimitEntityRequestEmptyPercentages:
- value:
- principalId: token1234
- principalType: SSWS_TOKEN
- PrincipalRateLimitEntityRequestSSWSToken:
- value:
- principalId: token1234
- principalType: SSWS_TOKEN
- defaultPercentage: 50
- defaultConcurrencyPercentage: 75
- PrincipalRateLimitEntityResponseSSWSToken:
- value:
- id: abcd1234
- orgId: org1234
- principalId: token1234
- principalType: SSWS_TOKEN
- defaultPercentage: 50
- defaultConcurrencyPercentage: 75
- createdDate: '2022-05-19T20:05:32.720Z'
- createdBy: user1234
- lastUpdate: '2022-05-20T21:13:07.410Z'
- lastUpdatedBy: user4321
- PushProviderAPNsRequest:
- value:
- name: APNs Example
- providerType: APNS
- configuration:
- keyId: KEY_ID
- teamId: TEAM_ID
- tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
- fileName: fileName.p8
- PushProviderAPNsResponse:
- value:
- id: ppctekcmngGaqeiBxB0g4
- name: APNs Example
- providerType: APNS
- lastUpdatedDate: 2022-01-01T00:00:00.000Z
- configuration:
- keyId: KEY_ID
- teamId: TEAM_ID
- fileName: fileName.p8
+ $ref: '#/components/schemas/InlineHookLinks'
+ InlineHookBasePayload:
+ type: object
+ properties:
+ cloudEventVersion:
+ description: The inline hook cloud version
+ example: 0.1
+ type: string
+ contentType:
+ description: The inline hook request header content
+ example: application/JSON
+ type: string
+ eventId:
+ type: string
+ description: The individual inline hook request ID
+ example: 3o9jBzq1SmOGmmsDsqyyeQ
+ eventTime:
+ type: string
+ description: The time the inline hook request was sent
+ example: '2020-01-17T21:23:56.000Z'
+ eventTypeVersion:
+ description: The inline hook version
+ example: 1
+ type: string
+ InlineHookChannel:
+ type: object
+ properties:
+ type:
+ $ref: '#/components/schemas/InlineHookChannelType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ discriminator:
+ propertyName: type
+ mapping:
+ HTTP: '#/components/schemas/InlineHookChannelHttp'
+ OAUTH: '#/components/schemas/InlineHookChannelOAuth'
+ InlineHookChannelConfig:
+ description: Properties of the communications channel that are used to contact your external service
+ type: object
+ properties:
+ headers:
+ type: array
+ description: An optional list of key/value pairs for headers that you can send with the request to the external service
+ items:
+ $ref: '#/components/schemas/InlineHookChannelConfigHeaders'
+ method:
+ type: string
+ description: The method of the Okta inline hook request
+ uri:
+ type: string
+ description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI.
+ maximum: 1024
+ InlineHookChannelConfigAuthSchemeBody:
+ description: The authentication scheme to use for this request
+ nullable: true
+ type: object
+ properties:
+ key:
+ type: string
+ description: The header name for the authorization server
+ type:
+ type: string
+ description: The authentication scheme type. Supported type—`HEADER`.
+ value:
+ type: string
+ description: The header value. This secret value is passed to your external service endpoint. Your external service can check it as a security measure.
+ InlineHookChannelConfigAuthSchemeResponse:
+ description: The authentication scheme to use for this request
+ nullable: true
+ type: object
+ properties:
+ key:
+ type: string
+ description: The header name for the authorization server
+ type:
+ type: string
+ description: The authentication scheme type. Supported type—`HEADER`
+ InlineHookChannelConfigCreate:
+ description: Properties of the communications channel that are used to contact your external service
+ type: object
+ properties:
+ headers:
+ type: array
+ description: An optional list of key/value pairs for headers that you can send with the request to the external service.
+ items:
+ $ref: '#/components/schemas/InlineHookChannelConfigHeaders'
+ method:
+ type: string
+ description: The method of the Okta inline hook request
+ uri:
+ type: string
+ description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI.
+ maximum: 1024
+ InlineHookChannelConfigHeaders:
+ type: object
+ properties:
+ key:
+ type: string
+ description: The optional field or header name
+ value:
+ type: string
+ description: The value for the key
+ InlineHookChannelCreate:
+ type: object
+ properties:
+ type:
+ $ref: '#/components/schemas/InlineHookChannelType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ discriminator:
+ propertyName: type
+ mapping:
+ HTTP: '#/components/schemas/InlineHookChannelHttpCreate'
+ OAUTH: '#/components/schemas/InlineHookChannelOAuthCreate'
+ InlineHookChannelHttp:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannel'
+ - type: object
+ properties:
+ config:
+ $ref: '#/components/schemas/InlineHookHttpConfig'
+ InlineHookChannelHttpCreate:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelCreate'
+ - type: object
+ properties:
+ config:
+ $ref: '#/components/schemas/InlineHookHttpConfigCreate'
+ InlineHookChannelOAuth:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannel'
+ - type: object
+ properties:
+ config:
+ $ref: '#/components/schemas/InlineHookOAuthChannelConfig'
+ InlineHookChannelOAuthCreate:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelCreate'
+ - type: object
+ properties:
+ config:
+ $ref: '#/components/schemas/InlineHookOAuthChannelConfigCreate'
+ InlineHookChannelType:
+ type: string
+ x-okta-known-values:
+ - HTTP
+ - OAUTH
+ InlineHookCreate:
+ description: An inline hook object that specifies the details of the inline hook
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/InlineHookChannelCreate'
+ name:
+ type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
+ type:
+ $ref: '#/components/schemas/InlineHookType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ InlineHookCreateResponse:
+ description: An inline hook object that specifies the details of the inline hook
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/InlineHookChannel'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Date of the inline hook creation
+ id:
+ type: string
+ readOnly: true
+ description: The unique identifier for the inline hook
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Date of the last inline hook update
+ name:
+ type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
+ status:
+ $ref: '#/components/schemas/InlineHookStatus'
+ type:
+ $ref: '#/components/schemas/InlineHookType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ readOnly: true
_links:
- self:
- href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
- hints:
- allow:
- - DELETE
- - GET
- - PUT
- PushProviderFCMRequest:
- value:
- name: FCM Example
- providerType: FCM
- configuration:
- serviceAccountJson:
- type: service_account
- project_id: PROJECT_ID
- private_key_id: KEY_ID
- private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
- client_email: SERVICE_ACCOUNT_EMAIL
- client_id: CLIENT_ID
- auth_uri: https://accounts.google.com/o/oauth2/auth
- token_uri: https://accounts.google.com/o/oauth2/token
- auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs
- client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL
- fileName: fileName.json
- PushProviderFCMResponse:
- value:
- id: ppctekcmngGaqeiBxB0g4
- name: FCM Example
- providerType: FCM
- lastUpdatedDate: 2022-01-01T00:00:00.000Z
- configuration:
- projectId: PROJECT_ID
- fileName: fileName.p8
+ $ref: '#/components/schemas/InlineHookLinksCreate'
+ InlineHookHttpConfig:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelConfig'
+ type: object
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeResponse'
+ InlineHookHttpConfigCreate:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelConfigCreate'
+ type: object
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeBody'
+ InlineHookLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ activate:
+ description: URL to activate the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ description: URL to deactivate the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ delete:
+ description: URL to delete the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ execute:
+ description: URL to test the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ InlineHookLinksCreate:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ deactivate:
+ description: URL to deactivate the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ execute:
+ description: URL to test the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ InlineHookOAuthBasicConfig:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelConfig'
+ type: object
+ properties:
+ authType:
+ type: string
+ clientId:
+ type: string
+ description: A publicly exposed string provided by the service that's used to identify the OAuth app and build authorization URLs
+ scope:
+ type: string
+ description: Include the scopes that allow you to perform the actions on the hook endpoint that you want to access
+ tokenUrl:
+ type: string
+ description: The URI where inline hooks can exchange an authorization code for access and refresh tokens
+ InlineHookOAuthChannelConfig:
+ type: object
+ properties:
+ authType:
+ type: string
+ description: The authentication method for the token endpoint
+ discriminator:
+ propertyName: authType
+ mapping:
+ client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfig'
+ private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig'
+ InlineHookOAuthChannelConfigCreate:
+ type: object
+ properties:
+ authType:
+ type: string
+ description: The authentication method for the token endpoint
+ discriminator:
+ propertyName: authType
+ mapping:
+ client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfigCreate'
+ private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig'
+ InlineHookOAuthClientSecretConfig:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookOAuthBasicConfig'
+ type: object
+ properties:
+ authScheme:
+ type: string
+ description: Not applicable. Must be `null`.
+ nullable: true
+ InlineHookOAuthClientSecretConfigCreate:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookOAuthBasicConfig'
+ type: object
+ properties:
+ clientSecret:
+ type: string
+ description: A private value provided by the service used to authenticate the identity of the app to the service
+ method:
+ type: string
+ description: The method of the Okta inline hook request. Only accepts `POST`.
+ InlineHookOAuthPrivateKeyJwtConfig:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookOAuthBasicConfig'
+ type: object
+ properties:
+ authScheme:
+ type: string
+ description: Not applicable. Must be `null`.
+ nullable: true
+ hookKeyId:
+ type: string
+ description: An ID value of the hook key pair generated from the [Hook Keys API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/HookKey/#tag/HookKey)
+ method:
+ type: string
+ description: The method of the Okta inline hook request. Only accepts `POST`.
+ InlineHookPayload:
+ type: object
+ x-okta-extensible: true
+ InlineHookReplace:
+ description: An inline hook object that specifies the details of the inline hook
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/InlineHookChannelCreate'
+ name:
+ type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ InlineHookRequestObject:
+ description: The API request that triggered the inline hook
+ type: object
+ properties:
+ id:
+ type: string
+ description: The unique identifier that Okta assigned to the API request
+ ipAddress:
+ type: string
+ description: The IP address of the client that made the API request
+ method:
+ type: string
+ description: The HTTP request method of the API request
+ url:
+ type: object
+ description: The URL of the API endpoint
+ properties:
+ value:
+ type: string
+ description: The URL value of the API endpoint
+ InlineHookResponse:
+ type: object
+ properties:
+ commands:
+ type: array
+ items:
+ $ref: '#/components/schemas/InlineHookResponseCommands'
+ InlineHookResponseCommandValue:
+ type: object
+ properties:
+ op:
+ type: string
+ path:
+ type: string
+ value:
+ type: string
+ InlineHookResponseCommands:
+ type: object
+ properties:
+ type:
+ type: string
+ value:
+ type: array
+ items:
+ $ref: '#/components/schemas/InlineHookResponseCommandValue'
+ InlineHookStatus:
+ type: string
+ x-okta-known-values:
+ - ACTIVE
+ - INACTIVE
+ InlineHookType:
+ description: One of the inline hook types
+ type: string
+ x-okta-known-values:
+ - com.okta.import.transform
+ - com.okta.oauth2.tokens.transform
+ - com.okta.saml.tokens.transform
+ - com.okta.telephony.provider
+ - com.okta.user.credential.password.import
+ - com.okta.user.pre-registration
+ IssuerMode:
+ type: string
+ x-okta-known-values:
+ - CUSTOM_URL
+ - DYNAMIC
+ - ORG_URL
+ JsonPatchOperation:
+ description: The update action
+ type: object
+ properties:
+ op:
+ $ref: '#/components/schemas/PatchAction'
+ path:
+ type: string
+ description: The resource path of the attribute to update
+ value:
+ type: object
+ description: The update operation value
+ JsonWebKey:
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/createdProperty'
+ e:
+ description: RSA key value (public exponent) for Key binding
+ type: string
+ readOnly: true
+ expiresAt:
+ description: Timestamp when the certificate expires
+ type: string
+ format: date-time
+ readOnly: true
+ kid:
+ description: Unique identifier for the certificate
+ type: string
+ readOnly: true
+ kty:
+ description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`'
+ type: string
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ $ref: '#/components/schemas/lastUpdatedProperty'
+ 'n':
+ description: RSA modulus value that is used by both the public and private keys and provides a link between them
+ type: string
+ use:
+ description: 'Acceptable use of the certificate. Valid value: `sig`'
+ type: string
+ readOnly: true
+ x5c:
+ description: X.509 certificate chain that contains a chain of one or more certificates
+ type: array
+ items:
+ type: string
+ readOnly: true
+ x5t#S256:
+ description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate
+ type: string
+ readOnly: true
+ JwkUse:
+ type: object
+ properties:
+ use:
+ $ref: '#/components/schemas/JwkUseType'
+ JwkUseType:
+ description: Purpose of the certificate. The only supported value is `sig`.
+ type: string
+ x-okta-known-values:
+ - sig
+ KeepCurrent:
+ type: object
+ properties:
+ keepCurrent:
+ description: Skip deleting the user's current session when set to `true`
+ type: boolean
+ default: true
+ KeepMeSignedIn:
+ type: object
+ properties:
+ postAuth:
+ description: Whether the post-authentication Keep Me Signed In flow is allowed
+ type: string
+ enum:
+ - ALLOWED
+ - NOT_ALLOWED
+ postAuthPromptFrequency:
+ description: If allowed, how often to display the post-authentication Keep Me Signed In prompt
+ default: P30D
+ $ref: '#/components/schemas/TimeDuration'
+ KeyRequest:
+ type: object
+ properties:
+ name:
+ description: Display name for the key
+ type: string
+ uniqueItems: true
+ readOnly: false
+ minLength: 1
+ maxLength: 255
+ nullable: false
+ KeyTrustLevelBrowserKey:
+ description: Represents the attestation strength used by the Chrome Verified Access API
+ example: CHROME_BROWSER_HW_KEY
+ type: string
+ x-enumDescriptions:
+ CHROME_BROWSER_HW_KEY: Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer
+ CHROME_BROWSER_OS_KEY: Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer
+ x-okta-known-values:
+ - CHROME_BROWSER_HW_KEY
+ - CHROME_BROWSER_OS_KEY
+ KeyTrustLevelOSMode:
+ description: Represents the attestation strength used by the Chrome Verified Access API
+ example: CHROME_OS_VERIFIED_MODE
+ type: string
+ x-enumDescriptions:
+ CHROME_OS_VERIFIED_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Verified mode
+ CHROME_OS_DEVELOPER_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Developer mode
+ x-okta-known-values:
+ - CHROME_OS_DEVELOPER_MODE
+ - CHROME_OS_VERIFIED_MODE
+ KnowledgeConstraint:
+ allOf:
+ - $ref: '#/components/schemas/AccessPolicyConstraint'
+ Language:
+ description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646)
+ type: string
+ LastUpdated:
+ format: date-time
+ description: Timestamp when the object was last updated
+ example: '2016-01-03T18:15:47.000Z'
+ type: string
+ readOnly: true
+ LifecycleCreateSettingObject:
+ description: Determines whether to update a user in the app when a user in Okta is updated
+ type: object
+ properties:
+ status:
+ allOf:
+ - $ref: '#/components/schemas/EnabledStatus'
+ - default: DISABLED
+ LifecycleDeactivateSettingObject:
+ description: Determines whether deprovisioning occurs when the app is unassigned
+ type: object
+ properties:
+ status:
+ allOf:
+ - $ref: '#/components/schemas/EnabledStatus'
+ - default: DISABLED
+ LifecycleExpirationPolicyRuleCondition:
+ type: object
+ properties:
+ lifecycleStatus:
+ type: string
+ number:
+ type: integer
+ unit:
+ type: string
+ LifecycleStatus:
+ type: string
+ x-okta-known-values:
+ - ACTIVE
+ - INACTIVE
+ LinkedHrefObject:
+ title: Link Object
+ additionalProperties: true
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ required:
+ - href
+ readOnly: true
+ LinkedObject:
+ title: LinkedObject
+ type: object
+ properties:
+ associated:
+ $ref: '#/components/schemas/LinkedObjectDetails'
+ primary:
+ $ref: '#/components/schemas/LinkedObjectDetails'
_links:
- self:
- href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
- hints:
- allow:
- - DELETE
- - GET
- - PUT
- parameters:
- pathApiTokenId:
- name: apiTokenId
- in: path
- schema:
- type: string
- example: 00Tabcdefg1234567890
- required: true
- description: id of the API Token
- pathBehaviorId:
- name: behaviorId
- in: path
- schema:
- type: string
- example: abcd1234
- required: true
- description: id of the Behavior Detection Rule
- pathBrandId:
- name: brandId
- in: path
- required: true
- schema:
- type: string
- description: The ID of the brand.
- pathCaptchaId:
- name: captchaId
- in: path
- schema:
- type: string
- example: abcd1234
- required: true
- description: id of the CAPTCHA
- pathCustomizationId:
- name: customizationId
- in: path
- required: true
- schema:
- type: string
- description: The ID of the email customization.
- pathDeviceAssuranceId:
- in: path
- name: deviceAssuranceId
- required: true
- description: Id of the Device Assurance Policy
- schema:
- type: string
- pathEmailDomainId:
- name: emailDomainId
- in: path
- required: true
- schema:
- type: string
- description: The ID of the email domain.
- pathPoolId:
- name: poolId
- in: path
- description: Id of the agent pool for which the settings will apply
- schema:
- type: string
- required: true
- pathPrincipalRateLimitId:
- name: principalRateLimitId
- in: path
- schema:
- type: string
- example: abcd1234
- required: true
- description: id of the Principal Rate Limit
- pathPushProviderId:
- in: path
- name: pushProviderId
- required: true
- description: Id of the push provider
- schema:
- type: string
- pathTemplateName:
- name: templateName
- in: path
- required: true
- schema:
- type: string
- description: The name of the email template.
- pathUpdateId:
- name: updateId
- in: path
- description: Id of the update
- schema:
- type: string
- required: true
- pathUserId:
- name: userId
- in: path
- required: true
- schema:
- type: string
- queryAfter:
- name: after
- in: query
- schema:
- type: string
- description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/reference/core-okta-api/#pagination) for more information.
- queryExpandEmailTemplate:
- name: expand
- in: query
- style: form
- explode: false
- required: false
- schema:
- type: array
- items:
+ $ref: '#/components/schemas/LinkedObjectLinksSelf'
+ LinkedObjectDetails:
+ title: LinkedObjectDetails
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the `primary` or the `associated` relationship
+ name:
+ type: string
+ description: 'API name of the `primary` or the `associated` link. The `name` parameter can''t start with a number and can only contain the following characters: `a-z`, `A-Z`,` 0-9`, and `_`.'
+ title:
+ type: string
+ description: Display name of the `primary` or the `associated` link
+ type:
+ $ref: '#/components/schemas/LinkedObjectDetailsType'
+ required:
+ - name
+ - title
+ - type
+ LinkedObjectDetailsType:
+ description: The object type for this relationship
+ type: string
+ x-enumDescriptions:
+ USER: Specifies the type of object
+ x-okta-known-values:
+ - USER
+ LinkedObjectLinksSelf:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ type: object
+ properties:
+ self:
+ $ref: '#/components/schemas/LinkedHrefObject'
+ LinksActivate:
+ type: object
+ properties:
+ activate:
+ allOf:
+ - description: Activates an enrolled Factor. See [Activate a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksAerialConsentGranted:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ revoke:
+ $ref: '#/components/schemas/HrefObjectRevokeAerialConsent'
+ LinksAerialConsentRevoked:
+ allOf:
+ - type: object
+ properties:
+ grant:
+ $ref: '#/components/schemas/HrefObjectGrantAerialConsent'
+ LinksAppAndUser:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the Application User.
+ type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/HrefObjectAppLink'
+ group:
+ $ref: '#/components/schemas/HrefObjectGroupLink'
+ user:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ readOnly: true
+ LinksAssignee:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ assignee:
+ $ref: '#/components/schemas/HrefObjectAssigneeLink'
+ LinksCancel:
+ type: object
+ properties:
+ cancel:
+ allOf:
+ - description: Cancels a `push` factor challenge with a `WAITING` status
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksCustomRoleResponse:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources.
+ type: object
+ properties:
+ assignee:
+ $ref: '#/components/schemas/HrefObjectAssigneeLink'
+ member:
+ $ref: '#/components/schemas/HrefObjectMemberLink'
+ permissions:
+ $ref: '#/components/schemas/HrefObjectPermissionsLink'
+ resource-set:
+ $ref: '#/components/schemas/HrefObjectResourceSetLink'
+ role:
+ $ref: '#/components/schemas/HrefObjectRoleLink'
+ LinksDeactivate:
+ type: object
+ properties:
+ deactivate:
+ allOf:
+ - description: Deactivates the Factor. See [Unenroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksEnroll:
+ type: object
+ properties:
+ enroll:
+ allOf:
+ - description: Enrolls a supported Factor. See [Enroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksFactor:
+ type: object
+ properties:
+ factor:
+ allOf:
+ - description: Link to the Factor resource
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksGovernanceResources:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the resources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ resources:
+ $ref: '#/components/schemas/HrefObjectGovernanceResourcesLink'
+ readOnly: true
+ LinksGovernanceSources:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the sources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ assignee:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ readOnly: true
+ LinksNext:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. Use the `LinksNext` object for dynamic discovery of related resources and lifecycle operations.
+ type: object
+ properties:
+ next:
+ $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksNextForRoleAssignments:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ next:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The next page of results if [pagination](#pagination) is required
+ readOnly: true
+ LinksPoll:
+ type: object
+ properties:
+ poll:
+ allOf:
+ - description: Polls the Factor resource for status information. Always use the `poll` link instead of manually constructing your own URL.
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksQrcode:
+ type: object
+ properties:
+ qrcode:
+ allOf:
+ - description: QR code that encodes the push activation code needed for enrollment on the device
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksQuestions:
+ type: object
+ properties:
+ question:
+ allOf:
+ - description: Lists all supported security questions. See [List all Supported Security Questions](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksResend:
+ type: object
+ properties:
+ resend:
+ allOf:
+ - description: Resends the factor enrollment challenge. See [Resend a Factor enrollment](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksSelf:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ type: object
+ properties:
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ readOnly: true
+ LinksSelfAndFullUsersLifecycle:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ - type: object
+ properties:
+ suspend:
+ $ref: '#/components/schemas/HrefObjectSuspendLink'
+ unsuspend:
+ $ref: '#/components/schemas/HrefObjectUnsuspendLink'
+ users:
+ description: Link to Device users
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ LinksSelfAndLifecycle:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ activate:
+ $ref: '#/components/schemas/HrefObjectActivateLink'
+ deactivate:
+ $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ LinksSelfAndRoles:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ roles:
+ $ref: '#/components/schemas/HrefObjectRoleLink'
+ LinksSelfForRoleAssignment:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources.
+ type: object
+ properties:
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ LinksSelfLifecycleAndAuthorize:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ - type: object
+ properties:
+ authorize:
+ $ref: '#/components/schemas/HrefObjectAuthorizeLink'
+ LinksSend:
+ type: object
+ properties:
+ send:
+ allOf:
+ - description: Sends an activation link through email or sms for users who can't scan the QR code
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksUser:
+ type: object
+ properties:
+ user:
+ allOf:
+ - description: Returns information on the specified user
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksUserRef:
+ type: object
+ properties:
+ user:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ LinksVerify:
+ type: object
+ properties:
+ verify:
+ allOf:
+ - description: Verifies the Factor resource. See [Verify a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ ListProfileMappings:
+ description: |-
+ A collection of the profile mappings that include a subset of the profile mapping object's properties. The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04).
+
+ > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must either be Okta->App or App->Okta.
+ type: object
+ properties:
+ id:
+ type: string
+ description: Unique identifier for profile mapping
+ readOnly: true
+ source:
+ $ref: '#/components/schemas/ProfileMappingSource'
+ target:
+ $ref: '#/components/schemas/ProfileMappingTarget'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ LoadingPageTouchPointVariant:
+ description: |
+ Variant for the Okta loading page. You can publish a theme for Okta loading page with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
+ type: string
+ x-enumDescriptions:
+ NONE: Uses no loading page animation during the redirect
+ OKTA_DEFAULT: Uses the default Okta loading page animation during the redirect
+ x-okta-known-values:
+ - NONE
+ - OKTA_DEFAULT
+ LocationGranularity:
+ type: string
+ x-okta-known-values:
+ - CITY
+ - COUNTRY
+ - LAT_LONG
+ - SUBDIVISION
+ LogActor:
+ description: Describes the user, app, client, or other entity (actor) who performs an action on a target. The actor is dependent on the action that is performed. All events have actors.
+ type: object
+ properties:
+ alternateId:
+ description: Alternative ID of the actor
+ type: string
+ readOnly: true
+ detailEntry:
+ description: Further details about the actor
+ type: object
+ additionalProperties: true
+ readOnly: true
+ displayName:
+ description: Display name of the actor
+ type: string
+ readOnly: true
+ id:
+ description: ID of the actor
+ type: string
+ readOnly: true
+ type:
+ description: Type of actor
+ type: string
+ readOnly: true
+ LogAuthenticationContext:
+ description: |-
+ All authentication relies on validating one or more credentials that prove the authenticity of the actor's identity. Credentials are sometimes provided by the actor, as is the case with passwords, and at other times provided by a third party, and validated by the authentication provider.
+
+ The authenticationContext contains metadata about how the actor is authenticated. For example, an authenticationContext for an event, where a user authenticates with Integrated Windows Authentication (IWA), looks like the following:
+ ```
+ {
+ "authenticationProvider": "ACTIVE_DIRECTORY",
+ "authenticationStep": 0,
+ "credentialProvider": null,
+ "credentialType": "IWA",
+ "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ",
+ "interface": null,
+ "issuer": null
+ }
+ ```
+ In this case, the user enters an IWA credential to authenticate against an Active Directory instance. All of the user's future-generated events in this sign-in session are going to share the same `externalSessionId`.
+
+ Among other operations, this response object can be used to scan for suspicious sign-in activity or perform analytics on user authentication habits (for example, how often authentication scheme X is used versus authentication scheme Y).
+ type: object
+ properties:
+ authenticationProvider:
+ $ref: '#/components/schemas/LogAuthenticationProvider'
+ authenticationStep:
+ description: The zero-based step number in the authentication pipeline. Currently unused and always set to `0`.
+ type: integer
+ readOnly: true
+ credentialProvider:
+ $ref: '#/components/schemas/LogCredentialProvider'
+ credentialType:
+ $ref: '#/components/schemas/LogCredentialType'
+ externalSessionId:
+ description: A proxy for the actor's [session ID](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+ type: string
+ readOnly: true
+ interface:
+ description: The third-party user interface that the actor authenticates through, if any.
+ type: string
+ readOnly: true
+ issuer:
+ $ref: '#/components/schemas/LogIssuer'
+ LogAuthenticationProvider:
+ description: The system that proves the identity of an actor using the credentials provided to it
+ type: string
+ x-okta-known-values:
+ - ACTIVE_DIRECTORY
+ - FACTOR_PROVIDER
+ - FEDERATION
+ - LDAP
+ - OKTA_AUTHENTICATION_PROVIDER
+ - SOCIAL
+ LogClient:
+ description: When an event is triggered by an HTTP request, the `client` object describes the [client](https://datatracker.ietf.org/doc/html/rfc2616) that issues the HTTP request. For instance, the web browser is the client when a user accesses Okta. When this request is received and processed, a sign-in event is fired. When the event isn't sourced to an HTTP request, such as an automatic update, the `client` object field is blank.
+ type: object
+ properties:
+ device:
+ description: Type of device that the client operates from (for example, computer)
+ type: string
+ readOnly: true
+ geographicalContext:
+ $ref: '#/components/schemas/LogGeographicalContext'
+ id:
+ description: For OAuth requests, this is the ID of the OAuth [client](https://datatracker.ietf.org/doc/html/rfc6749#section-1.1) making the request. For SSWS token requests, this is the ID of the agent making the request.
+ type: string
+ readOnly: true
+ ipAddress:
+ description: IP address that the client is making its request from
+ type: string
+ readOnly: true
+ userAgent:
+ $ref: '#/components/schemas/LogUserAgent'
+ zone:
+ description: The `name` of the [Zone](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/#tag/NetworkZone/operation/getNetworkZone) that the client's location is mapped to
+ type: string
+ readOnly: true
+ LogCredentialProvider:
+ description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here.
+ type: string
+ x-okta-known-values:
+ - DUO
+ - GOOGLE
+ - OKTA_AUTHENTICATION_PROVIDER
+ - OKTA_CREDENTIAL_PROVIDER
+ - RSA
+ - SYMANTEC
+ - YUBIKEY
+ LogCredentialType:
+ description: The underlying technology/scheme used in the credential
+ type: string
+ x-okta-known-values:
+ - ASSERTION
+ - CERTIFICATE
+ - DEVICE_UDID
+ - EMAIL
+ - IWA
+ - JWT
+ - OAuth 2.0
+ - OKTA_CLIENT_SESSION
+ - OTP
+ - PASSWORD
+ - PRE_SHARED_SYMMETRIC_KEY
+ - SMS
+ LogDebugContext:
+ description: |-
+ For some kinds of events (for example, OLM provisioning, sign-in request, second factor SMS, and so on), the fields that are provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the `debugContext` object provides a way to store additional information.
+
+ For example, an event where a second factor SMS token is sent to a user may have a `debugContext` that looks like the following:
+ ```
+ {
+ "debugData": {
+ "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify",
+ "smsProvider": "TELESIGN",
+ "transactionId": "268632458E3C100F5F5F594C6DC689D4"
+ }
+ }
+ ```
+ By inspecting the debugData field, you can find the URI that is used to trigger the second factor SMS (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), the SMS provider (`TELESIGN`), and the ID used by Telesign to identify this transaction (`268632458E3C100F5F5F594C6DC689D4`).
+
+ If for some reason the information that is needed to implement a feature isn't provided in other response objects, you should scan the `debugContext.debugData` field for potentially useful fields.
+ > **Important:** The information contained in `debugContext.debugData` is intended to add context when troubleshooting customer platform issues. Both key names and values may change from release to release and aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead.
+ type: object
+ properties:
+ debugData:
+ type: object
+ description: A dynamic field that contains miscellaneous information that is dependent on the event type.
+ additionalProperties: true
+ readOnly: true
+ LogDevice:
+ description: The entity that describes a device enrolled with passwordless authentication using Okta Verify.
+ example:
+ LogDeviceObject:
+ $ref: '#/components/examples/LogDeviceObject'
+ type: object
+ properties:
+ device_integrator:
+ description: The integration platform or software used with the device
+ type: object
+ readOnly: true
+ disk_encryption_type:
+ $ref: '#/components/schemas/LogDiskEncryptionType'
+ id:
+ description: ID of the device
+ type: string
+ readOnly: true
+ jailbreak:
+ description: If the device has removed software restrictions
+ type: boolean
+ readOnly: true
+ managed:
+ description: Indicates if the device is configured for device management and is registered with Okta
+ type: boolean
+ readOnly: true
+ name:
+ type: string
+ readOnly: true
+ os_platform:
+ type: string
+ readOnly: true
+ os_version:
+ type: string
+ readOnly: true
+ registered:
+ description: Indicates if the device is registered with an Okta org and is bound to an Okta Verify instance on the device
+ type: boolean
+ readOnly: true
+ screen_lock_type:
+ $ref: '#/components/schemas/LogScreenLockType'
+ secure_hardware_present:
+ description: The availability of hardware security on the device
+ type: boolean
+ readOnly: true
+ LogDiskEncryptionType:
+ type: string
+ x-okta-known-values:
+ - ALL_INTERNAL_VALUES
+ - FULL
+ - NONE
+ - SYSTEM_VOLUME
+ - USER
+ LogEvent:
+ type: object
+ properties:
+ actor:
+ $ref: '#/components/schemas/LogActor'
+ authenticationContext:
+ $ref: '#/components/schemas/LogAuthenticationContext'
+ client:
+ $ref: '#/components/schemas/LogClient'
+ debugContext:
+ $ref: '#/components/schemas/LogDebugContext'
+ displayMessage:
+ description: The display message for an event
+ type: string
+ readOnly: true
+ eventType:
+ description: Type of event that is published
+ type: string
+ readOnly: true
+ legacyEventType:
+ description: Associated Events API Action `objectType` attribute value
+ type: string
+ readOnly: true
+ outcome:
+ $ref: '#/components/schemas/LogOutcome'
+ published:
+ description: Timestamp when the event is published
+ type: string
+ format: date-time
+ readOnly: true
+ request:
+ $ref: '#/components/schemas/LogRequest'
+ securityContext:
+ $ref: '#/components/schemas/LogSecurityContext'
+ severity:
+ $ref: '#/components/schemas/LogSeverity'
+ target:
+ type: array
+ readOnly: true
+ items:
+ $ref: '#/components/schemas/LogTarget'
+ transaction:
+ $ref: '#/components/schemas/LogTransaction'
+ uuid:
+ description: Unique identifier for an individual event
+ type: string
+ readOnly: true
+ version:
+ description: Versioning indicator
+ type: string
+ readOnly: true
+ LogGeographicalContext:
+ description: Geographical context describes a set of geographic coordinates. In addition to containing latitude and longitude data, the `GeographicalContext` object also contains address data of postal code-level granularity. Within the `Client` object, the geographical context refers to the physical location of the client when it sends the request that triggers this event. All `Transaction` events with `type` equal to `WEB` have a geographical context set. `Transaction` events with `type` equal to `JOB` don't have a geographical context set. The geographical context data can be missing if the geographical data for a request can't be resolved.
+ type: object
+ properties:
+ city:
+ description: The city that encompasses the area that contains the geolocation coordinates, if available (for example, Seattle, San Francisco)
+ type: string
+ readOnly: true
+ country:
+ description: Full name of the country that encompasses the area that contains the geolocation coordinates (for example, France, Uganda)
+ type: string
+ readOnly: true
+ geolocation:
+ $ref: '#/components/schemas/LogGeolocation'
+ postalCode:
+ description: Postal code of the area that encompasses the geolocation coordinates
+ type: string
+ readOnly: true
+ state:
+ description: Full name of the state or province that encompasses the area that contains the geolocation coordinates (for example, Montana, Ontario)
+ type: string
+ readOnly: true
+ LogGeolocation:
+ description: The latitude and longitude of the geolocation where an action was performed. The object is formatted according to the [ISO-6709](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en) standard.
+ type: object
+ properties:
+ lat:
+ description: Latitude which uses two digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Latitude)
+ type: number
+ format: double
+ readOnly: true
+ lon:
+ description: Longitude which uses three digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Longitude)
+ type: number
+ format: double
+ readOnly: true
+ LogIpAddress:
+ type: object
+ properties:
+ geographicalContext:
+ $ref: '#/components/schemas/LogGeographicalContext'
+ ip:
+ description: IP address
+ type: string
+ readOnly: true
+ source:
+ description: Details regarding the source
+ type: string
+ readOnly: true
+ version:
+ description: IP address version
+ type: string
+ readOnly: true
+ LogIssuer:
+ description: Describes the issuer of the authorization server when the authentication is performed through OAuth. This is the location where well-known resources regarding the details of the authorization servers are published.
+ type: object
+ properties:
+ id:
+ description: Varies depending on the type of authentication. If authentication is SAML 2.0, `id` is the issuer in the SAML assertion. For social login, `id` is the issuer of the token.
+ type: string
+ readOnly: true
+ type:
+ description: Information on the `issuer` and source of the SAML assertion or token
+ type: string
+ readOnly: true
+ LogOutcome:
+ type: object
+ properties:
+ reason:
+ description: Reason for the result, for example, `INVALID_CREDENTIALS`
+ type: string
+ readOnly: true
+ minLength: 1
+ maxLength: 255
+ result:
+ description: Result of the action
+ type: string
+ readOnly: true
+ enum:
+ - SUCCESS
+ - FAILURE
+ - SKIPPED
+ - ALLOW
+ - DENY
+ - CHALLENGE
+ - UNKNOWN
+ LogRequest:
+ description: The `Request` object describes details that are related to the HTTP request that triggers this event, if available. When the event isn't sourced to an HTTP request, such as an automatic update on the Okta servers, the `Request` object still exists, but the `ipChain` field is empty.
+ type: object
+ properties:
+ ipChain:
+ description: If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format of clientIp, proxy1, proxy2, and so on. This field is useful when working with trusted proxies.
+ type: array
+ readOnly: true
+ items:
+ $ref: '#/components/schemas/LogIpAddress'
+ LogScreenLockType:
+ type: string
+ x-okta-known-values:
+ - BIOMETRIC
+ - NONE
+ - PASSCODE
+ LogSecurityContext:
+ description: The `securityContext` object provides security information that is directly related to the evaluation of the event's IP reputation. IP reputation is a trustworthiness rating that evaluates how likely a sender is to be malicious and is based on the sender's IP address. As the name implies, the `securityContext` object is useful for security applications-flagging and inspecting suspicious events.
+ type: object
+ properties:
+ asNumber:
+ description: The [Autonomous system](https://docs.telemetry.mozilla.org/datasets/other/asn_aggregates/reference) number that's associated with the autonomous system the event request was sourced to
+ type: integer
+ readOnly: true
+ asOrg:
+ description: The organization that is associated with the autonomous system that the event request is sourced to
+ type: string
+ readOnly: true
+ domain:
+ description: The domain name that's associated with the IP address of the inbound event request
+ type: string
+ readOnly: true
+ isp:
+ description: The Internet service provider that's used to send the event's request
+ type: string
+ readOnly: true
+ isProxy:
+ description: Specifies whether an event's request is from a known proxy
+ type: boolean
+ readOnly: true
+ LogSeverity:
+ description: Indicates how severe the event is
+ type: string
+ x-okta-known-values:
+ - DEBUG
+ - ERROR
+ - INFO
+ - WARN
+ LogStream:
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the Log Stream object was created
+ readOnly: true
+ example: '2022-10-21T16:59:59.000Z'
+ id:
+ type: string
+ description: Unique identifier for the Log Stream
+ readOnly: true
+ example: 0oa1orzg0CHSgPcjZ0g4
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the Log Stream object was last updated
+ readOnly: true
+ example: '2022-10-21T17:15:10.000Z'
+ name:
+ $ref: '#/components/schemas/LogStreamName'
+ status:
type: string
+ description: Lifecycle status of the Log Stream object
enum:
+ - ACTIVE
+ - INACTIVE
+ readOnly: true
+ type:
+ $ref: '#/components/schemas/LogStreamType'
+ _links:
+ $ref: '#/components/schemas/LogStreamLinksSelfAndLifecycle'
+ required:
+ - created
+ - id
+ - lastUpdated
+ - name
+ - status
+ - type
+ - _links
+ discriminator:
+ propertyName: type
+ mapping:
+ aws_eventbridge: '#/components/schemas/LogStreamAws'
+ splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunk'
+ LogStreamActivateLink:
+ allOf:
+ - $ref: '#/components/schemas/LogStreamLinkObject'
+ - description: Link to activate the resource
+ LogStreamAws:
+ allOf:
+ - $ref: '#/components/schemas/LogStream'
+ - type: object
+ properties:
+ settings:
+ $ref: '#/components/schemas/LogStreamSettingsAws'
+ required:
- settings
- - customizationCount
- description: Specifies additional metadata to be included in the response.
- queryLanguage:
- name: language
- schema:
- $ref: '#/components/schemas/Language'
- in: query
- description: The language to use for the email. Defaults to the current user's language if unspecified.
- queryLimit:
- name: limit
- in: query
- schema:
- type: integer
- minimum: 1
- maximum: 200
- default: 20
- description: A limit on the number of objects to return.
- queryLimitPerPoolType:
- name: limitPerPoolType
- in: query
- schema:
- type: integer
- default: 5
- required: false
- description: Maximum number of AgentPools being returned
- queryPoolType:
- name: poolType
- in: query
- schema:
- $ref: '#/components/schemas/AgentType'
- required: false
- description: Agent type to search for
- queryScheduled:
- name: scheduled
- in: query
- description: Scope the list only to scheduled or ad-hoc updates. If the parameter is not provided we will return the whole list of updates.
- schema:
- type: boolean
- required: false
- schemas:
- APNSConfiguration:
+ LogStreamAwsPutSchema:
+ allOf:
+ - $ref: '#/components/schemas/LogStreamPutSchema'
+ - type: object
+ properties:
+ settings:
+ $ref: '#/components/schemas/LogStreamSettingsAws'
+ required:
+ - settings
+ LogStreamDeactivateLink:
+ allOf:
+ - $ref: '#/components/schemas/LogStreamLinkObject'
+ - description: Link to deactivate the resource
+ LogStreamLinkObject:
+ title: Log Stream Link object
+ type: object
properties:
- fileName:
+ href:
type: string
- description: (Optional) File name for Admin Console display
- keyId:
+ description: The URI of the resource
+ method:
type: string
- description: 10-character Key ID obtained from the Apple developer account
- teamId:
+ description: HTTP method allowed for the resource
+ enum:
+ - GET
+ - POST
+ required:
+ - href
+ readOnly: true
+ LogStreamLinksSelfAndLifecycle:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ type: object
+ properties:
+ activate:
+ $ref: '#/components/schemas/LogStreamActivateLink'
+ deactivate:
+ $ref: '#/components/schemas/LogStreamDeactivateLink'
+ self:
+ $ref: '#/components/schemas/LogStreamSelfLink'
+ required:
+ - self
+ readOnly: true
+ LogStreamName:
+ description: Unique name for the Log Stream object
+ example: My AWS EventBridge log stream
+ type: string
+ LogStreamPutSchema:
+ type: object
+ properties:
+ name:
+ $ref: '#/components/schemas/LogStreamName'
+ type:
+ $ref: '#/components/schemas/LogStreamType'
+ required:
+ - name
+ - type
+ discriminator:
+ propertyName: type
+ mapping:
+ aws_eventbridge: '#/components/schemas/LogStreamAwsPutSchema'
+ splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunkPutSchema'
+ LogStreamSchema:
+ type: object
+ properties:
+ $schema:
type: string
- description: 10-character Team ID used to develop the iOS app
- tokenSigningKey:
+ readOnly: true
+ description: JSON Schema version identifier
+ errorMessage:
+ type: object
+ description: A collection of error messages for individual properties in the schema. Okta implements a subset of [ajv-errors](https://github.com/ajv-validator/ajv-errors).
+ id:
type: string
- description: APNs private authentication token signing key
- writeOnly: true
- APNSPushProvider:
+ readOnly: true
+ description: URI of Log Stream Schema
+ oneOf:
+ items:
+ $ref: '#/components/schemas/UserSchemaAttributeEnum'
+ type: array
+ nullable: true
+ description: |-
+ Non-empty array of valid JSON schemas.
+
+ Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format:
+
+ ```
+ {
+ "const": "enumValue",
+ "title": "display name"
+ }
+ ```json
+ pattern:
+ type: string
+ description: For `string` Log Stream Schema property type, specifies the regular expression used to validate the property
+ properties:
+ type: object
+ description: Log Stream Schema properties object
+ required:
+ type: array
+ items:
+ type: string
+ description: Required properties for this Log Stream Schema object
+ title:
+ type: string
+ description: Name of the Log Streaming integration
+ type:
+ type: string
+ readOnly: true
+ description: Type of Log Stream Schema property
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ LogStreamSelfLink:
allOf:
- - $ref: '#/components/schemas/PushProvider'
+ - $ref: '#/components/schemas/LogStreamLinkObject'
+ - description: Link to the resource (self)
+ LogStreamSettingsAws:
+ description: Specifies the configuration for the `aws_eventbridge` Log Stream type. This configuration can't be modified after creation.
+ type: object
+ properties:
+ accountId:
+ $ref: '#/components/schemas/AwsAccountId'
+ eventSourceName:
+ $ref: '#/components/schemas/AwsEventSourceName'
+ region:
+ $ref: '#/components/schemas/AwsRegion'
+ required:
+ - accountId
+ - eventSourceName
+ - region
+ LogStreamSettingsSplunk:
+ description: Specifies the configuration for the `splunk_cloud_logstreaming` Log Stream type.
+ type: object
+ properties:
+ edition:
+ $ref: '#/components/schemas/SplunkEdition'
+ host:
+ $ref: '#/components/schemas/SplunkHost'
+ token:
+ $ref: '#/components/schemas/SplunkToken'
+ required:
+ - edition
+ - host
+ - token
+ LogStreamSettingsSplunkPut:
+ description: Specifies the configuration for the `splunk_cloud_logstreaming` Log Stream type.
+ type: object
+ properties:
+ edition:
+ $ref: '#/components/schemas/SplunkEdition'
+ host:
+ $ref: '#/components/schemas/SplunkHost'
+ required:
+ - edition
+ - host
+ LogStreamSplunk:
+ allOf:
+ - $ref: '#/components/schemas/LogStream'
- type: object
properties:
- configuration:
- $ref: '#/components/schemas/APNSConfiguration'
- AccessPolicy:
+ settings:
+ $ref: '#/components/schemas/LogStreamSettingsSplunk'
+ required:
+ - settings
+ LogStreamSplunkPutSchema:
allOf:
- - $ref: '#/components/schemas/Policy'
+ - $ref: '#/components/schemas/LogStreamPutSchema'
- type: object
properties:
- conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
- AccessPolicyConstraint:
+ settings:
+ $ref: '#/components/schemas/LogStreamSettingsSplunkPut'
+ required:
+ - settings
+ LogStreamType:
+ description: |-
+ Specifies the streaming provider used
+
+ Supported providers:
+ * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge))
+ * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html))
+
+ Select the provider type to see provider-specific configurations in the `settings` property:
+ type: string
+ x-okta-known-values:
+ - aws_eventbridge
+ - splunk_cloud_logstreaming
+ LogTarget:
+ description: The entity that an actor performs an action on. Targets can be anything, such as an app user, a sign-in token, or anything else.
+ type: object
+ properties:
+ alternateId:
+ type: string
+ description: The alternate ID of the target
+ readOnly: true
+ changeDetails:
+ type: object
+ example:
+ LogTargetChangeDetails:
+ $ref: '#/components/examples/LogTargetChangeDetails'
+ description: |-
+ Details on the target's changes. Not all event types support the `changeDetails` property, and not all
+ `target` objects contain the `changeDetails` property. You must include a property within the object.
+
+ > **Note:** When querying the `changeDetails` property, you can't search on the `to` or `from` objects alone. You must include a property within the object.
+ properties:
+ from:
+ type: object
+ description: The original properties of the target
+ additionalProperties: true
+ to:
+ type: object
+ description: The updated properties of the target
+ additionalProperties: true
+ detailEntry:
+ type: object
+ description: Further details on the target
+ additionalProperties: true
+ readOnly: true
+ displayName:
+ type: string
+ description: The display name of the target
+ readOnly: true
+ id:
+ type: string
+ description: The ID of the target
+ readOnly: true
+ type:
+ type: string
+ description: The type of target
+ readOnly: true
+ LogTransaction:
+ description: |-
+ A `transaction` object comprises contextual information associated with its respective event.
+ This information is useful for understanding sequences of correlated events.
+ For example, a `transaction` object such as the following:
+ ```
+ {
+ "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo",
+ "type": "WEB",
+ "detail": null
+ }
+ ```
+ indicates that a `WEB` request with `id` `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` has created this event.
+
+ A `transaction` object with a `requestApiTokenId` in the `detail` object, for example :
+ ```
+ {
+ "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU",
+ "type": "WEB",
+ "detail": {
+ "requestApiTokenId": "00T94e3cn9kSEO3c51s5"
+ }
+ }
+ ```
+ indicates that this event was the result of an action performed through an API using the token identified by 00T94e3cn9kSEO3c51s5. The token ID is visible in the Admin Console, **Security** > **API**. See [API token management](https://help.okta.com/okta_help.htm?id=Security_API). For more information on API tokens, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/).
+ type: object
+ properties:
+ detail:
+ description: Details for this transaction.
+ type: object
+ additionalProperties: true
+ readOnly: true
+ id:
+ description: Unique identifier for this transaction.
+ type: string
+ readOnly: true
+ type:
+ description: Describes the kind of transaction. `WEB` indicates a web request. `JOB` indicates an asynchronous task.
+ type: string
+ readOnly: true
+ LogUserAgent:
+ description: |
+ "A user agent is software (a software agent) that is acting on behalf of a user." ([Definition of User Agent](https://developer.mozilla.org/en-US/docs/Glossary/User_agent))
+
+ In the Okta event data object, the `UserAgent` object provides specifications about the client software that makes event-triggering HTTP requests. User agent identification is often useful for identifying interoperability problems between servers and clients, and also for browser and operating system usage analytics.
type: object
properties:
- methods:
- items:
- type: string
- type: array
- reauthenticateIn:
+ browser:
+ description: If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX)
type: string
- types:
- items:
- type: string
- type: array
- AccessPolicyConstraints:
+ readOnly: true
+ os:
+ description: The operating system that the client runs on (for example, Windows 10)
+ type: string
+ readOnly: true
+ rawUserAgent:
+ description: A raw string representation of the user agent that is formatted according to [section 5.5.3 of HTTP/1.1 Semantics and Content](https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3). Both the `browser` and the `OS` fields can be derived from this field.
+ type: string
+ readOnly: true
+ MDMEnrollmentPolicyEnrollment:
+ type: string
+ x-okta-known-values:
+ - ANY_OR_NONE
+ - OMM
+ MDMEnrollmentPolicyRuleCondition:
type: object
properties:
- knowledge:
- $ref: '#/components/schemas/KnowledgeConstraint'
- possession:
- $ref: '#/components/schemas/PossessionConstraint'
- AccessPolicyRule:
- allOf:
- - $ref: '#/components/schemas/PolicyRule'
- - type: object
- properties:
- actions:
- $ref: '#/components/schemas/AccessPolicyRuleActions'
- conditions:
- $ref: '#/components/schemas/AccessPolicyRuleConditions'
- AccessPolicyRuleActions:
+ blockNonSafeAndroid:
+ type: boolean
+ enrollment:
+ $ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment'
+ MetadataLink:
allOf:
- - $ref: '#/components/schemas/PolicyRuleActions'
- - type: object
- properties:
- appSignOn:
- $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOn'
- AccessPolicyRuleApplicationSignOn:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [SAML metadata](/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) for SSO
+ MtlsCredentials:
+ description: Certificate chain description for verifying assertions from the Smart Card
type: object
properties:
- access:
- type: string
- verificationMethod:
- $ref: '#/components/schemas/VerificationMethod'
- AccessPolicyRuleConditions:
- allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- - type: object
- properties:
- device:
- $ref: '#/components/schemas/DeviceAccessPolicyRuleCondition'
- elCondition:
- $ref: '#/components/schemas/AccessPolicyRuleCustomCondition'
- userType:
- $ref: '#/components/schemas/UserTypeCondition'
- AccessPolicyRuleCustomCondition:
+ trust:
+ $ref: '#/components/schemas/MtlsTrustCredentials'
+ MtlsEndpoints:
+ type: object
properties:
- condition:
- type: string
- AcsEndpoint:
+ sso:
+ $ref: '#/components/schemas/MtlsSsoEndpoint'
+ MtlsSsoEndpoint:
+ description: The Single Sign-On (SSO) endpoint is the IdP's `SingleSignOnService` endpoint
type: object
properties:
- index:
- type: integer
url:
type: string
- ActivateFactorRequest:
+ maxLength: 1014
+ example: https://{yourOktaDomain}.okta.com/login/cert
+ MtlsTrustCredentials:
type: object
properties:
- attestation:
- type: string
- clientData:
- type: string
- passCode:
- type: string
- registrationData:
+ audience:
type: string
- stateToken:
+ description: Not used
+ example: null
+ issuer:
type: string
- Agent:
- description: Agent details
+ description: Description of the certificate issuer
+ maxLength: 1024
+ example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US
+ kid:
+ $ref: '#/components/schemas/ProtocolCredentialsKeyId'
+ revocation:
+ $ref: '#/components/schemas/MtlsTrustCredentialsRevocation'
+ revocationCacheLifetime:
+ type: number
+ description: Time in minutes to cache the certificate revocation information
+ maximum: 4320
+ example: 2880
+ MtlsTrustCredentialsRevocation:
+ description: Mechanism to validate the certificate
+ example: CRL
+ type: string
+ x-okta-known-values:
+ - CRL
+ - DELTA_CRL
+ - OCSP
+ NetworkZone:
type: object
properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the object was created
+ readOnly: true
id:
type: string
+ description: Unique identifier for the Network Zone
readOnly: true
- isHidden:
- type: boolean
- isLatestGAedVersion:
- type: boolean
- lastConnection:
+ lastUpdated:
type: string
format: date-time
+ description: Timestamp when the object was last modified
+ readOnly: true
name:
type: string
- operationalStatus:
- $ref: '#/components/schemas/OperationalStatus'
- poolId:
- type: string
+ description: Unique name for this Network Zone
+ maxLength: 128
+ status:
+ $ref: '#/components/schemas/NetworkZoneStatus'
+ system:
+ type: boolean
+ readOnly: true
+ description: |
+ Indicates a system Network Zone:
+ * `true` for system Network Zones
+ * `false` for custom Network Zones
+
+ The Okta org provides the following default system Network Zones:
+ * `LegacyIpZone`
+ * `BlockedIpZone`
+ * `DefaultEnhancedDynamicZone`
+
+ Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries.
type:
- $ref: '#/components/schemas/AgentType'
- updateMessage:
- type: string
- updateStatus:
- $ref: '#/components/schemas/AgentUpdateInstanceStatus'
- version:
- type: string
+ $ref: '#/components/schemas/NetworkZoneType'
+ usage:
+ $ref: '#/components/schemas/NetworkZoneUsage'
_links:
- $ref: '#/components/schemas/HrefObject'
- AgentPool:
- description: An AgentPool is a collection of agents that serve a common purpose. An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent).
+ $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ required:
+ - name
+ - type
+ discriminator:
+ propertyName: type
+ mapping:
+ IP: '#/components/schemas/IPNetworkZone'
+ DYNAMIC: '#/components/schemas/DynamicNetworkZone'
+ DYNAMIC_V2: '#/components/schemas/EnhancedDynamicNetworkZone'
+ NetworkZoneAddress:
+ description: Specifies the value of an IP address expressed using either `range` or `CIDR` form.
type: object
properties:
- agents:
- type: array
- items:
- $ref: '#/components/schemas/Agent'
- id:
+ type:
+ $ref: '#/components/schemas/NetworkZoneAddressType'
+ value:
type: string
- readOnly: true
- name:
+ description: Value in CIDR/range form, depending on the `type` specified
+ NetworkZoneAddressType:
+ description: Format of the IP addresses
+ type: string
+ x-okta-known-values:
+ - CIDR
+ - RANGE
+ NetworkZoneAsns:
+ items:
+ type: string
+ maximum: 75
+ type: array
+ NetworkZoneLocation:
+ type: object
+ properties:
+ country:
type: string
- operationalStatus:
- $ref: '#/components/schemas/OperationalStatus'
- type:
- $ref: '#/components/schemas/AgentType'
- AgentPoolUpdate:
- description: Various information about agent auto update configuration
+ description: |-
+ The two-character ISO-3166-1 country code.
+ Don't use continent codes since they are treated as generic codes for undesignated countries.
+
For example: `US`
+ maxLength: 2
+ minLength: 2
+ region:
+ type: string
+ description: |-
+ (Optional) The ISO-3166-2 region code appended to the country code (`countryCode-regionCode`), or `null` if empty.
+ Don't use continent codes since they are treated as generic codes for undesignated regions.
+
For example: `CA` (for `US-CA` country and region code)
+ NetworkZoneLocationArray:
+ items:
+ $ref: '#/components/schemas/NetworkZoneLocation'
+ maximum: 75
+ nullable: true
+ type: array
+ NetworkZoneStatus:
+ description: Network Zone status
+ type: string
+ x-okta-known-values:
+ - ACTIVE
+ - INACTIVE
+ NetworkZoneType:
+ description: The type of Network Zone
+ type: string
+ x-okta-known-values:
+ - DYNAMIC
+ - IP
+ - DYNAMIC_V2
+ NetworkZoneUsage:
+ description: The usage of the Network Zone
+ type: string
+ x-okta-known-values:
+ - BLOCKLIST
+ - POLICY
+ NotificationType:
+ description: The type of notification
+ type: string
+ x-enumDescriptions:
+ AD_AGENT: System notification sent when an AD agent disconnects or reconnects
+ AGENT_AUTO_UPDATE_NOTIFICATION: System notification sent when an agent automatically updates
+ APP_IMPORT: System notification sent with the status of an app user import
+ CONNECTOR_AGENT: System notification sent when an on-premises provisioning or Okta on-prem MFA agent disconnects or reconnects
+ IWA_AGENT: System notification sent when an IGA agent disconnects or reconnects
+ LDAP_AGENT: System notification sent when an LDAP agent disconnects or reconnects
+ OKTA_ANNOUNCEMENT: Okta communication sent for announcements and release notes
+ OKTA_ISSUE: Okta communication sent for trust incident alerts and updates
+ OKTA_UPDATE: Okta communication sent for scheduled system updates
+ RATELIMIT_NOTIFICATION: System notification sent when an org reaches rate limit warning or violation thresholds
+ REPORT_SUSPICIOUS_ACTIVITY: System notification sent when a user reports suspicious activity
+ USER_DEPROVISION: System notification sent when a user is deprovisioned from apps
+ USER_LOCKED_OUT: System notification sent when a user is locked out from logging in to Okta
+ x-okta-known-values:
+ - AD_AGENT
+ - AGENT_AUTO_UPDATE_NOTIFICATION
+ - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP
+ - APP_IMPORT
+ - CONNECTOR_AGENT
+ - IWA_AGENT
+ - LDAP_AGENT
+ - OKTA_ANNOUNCEMENT
+ - OKTA_ISSUE
+ - OKTA_UPDATE
+ - RATELIMIT_NOTIFICATION
+ - REPORT_SUSPICIOUS_ACTIVITY
+ - USER_DEPROVISION
+ - USER_LOCKED_OUT
+ OAuth2Actor:
+ description: User that created the object
type: object
properties:
- agents:
- type: array
- items:
- $ref: '#/components/schemas/Agent'
- agentType:
- $ref: '#/components/schemas/AgentType'
- enabled:
- type: boolean
id:
type: string
+ description: User ID
readOnly: true
- name:
- type: string
- notifyAdmin:
- type: boolean
- reason:
- type: string
- schedule:
- $ref: '#/components/schemas/AutoUpdateSchedule'
- sortOrder:
- type: integer
- status:
- $ref: '#/components/schemas/AgentUpdateJobStatus'
- targetVersion:
+ example: 00u5t60iloOHN9pBi0h7
+ type:
type: string
- _links:
- $ref: '#/components/schemas/HrefObject'
- AgentPoolUpdateSetting:
- description: Setting for auto-update
+ description: Type of user
+ example: User
+ readOnly: true
+ OAuth2Claim:
type: object
properties:
- agentType:
- $ref: '#/components/schemas/AgentType'
- continueOnError:
+ alwaysIncludeInToken:
type: boolean
- latestVersion:
- type: string
- minimalSupportedVersion:
- type: string
- poolId:
- type: string
- readOnly: true
- poolName:
- type: string
- releaseChannel:
- $ref: '#/components/schemas/ReleaseChannel'
- AgentType:
- description: Agent types that are being monitored
- type: string
- x-okta-known-values:
- - AD
- - IWA
- - LDAP
- - MFA
- - OPP
- - RUM
- - Radius
- AgentUpdateInstanceStatus:
- description: Status for one agent regarding the status to auto-update that agent
+ description: Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint.
+ claimType:
+ $ref: '#/components/schemas/OAuth2ClaimType'
+ conditions:
+ $ref: '#/components/schemas/OAuth2ClaimConditions'
+ group_filter_type:
+ $ref: '#/components/schemas/OAuth2ClaimGroupFilterType'
+ id:
+ type: string
+ description: ID of the Claim
+ readOnly: true
+ name:
+ type: string
+ description: Name of the Claim
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ system:
+ description: When `true`, indicates that Okta created the Claim
+ type: boolean
+ value:
+ description: Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`.
+ type: string
+ valueType:
+ $ref: '#/components/schemas/OAuth2ClaimValueType'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ OAuth2ClaimConditions:
+ description: Specifies the scopes for the Claim
+ type: object
+ properties:
+ scopes:
+ type: array
+ items:
+ type: string
+ OAuth2ClaimGroupFilterType:
+ description: |-
+ Specifies the type of group filter if `valueType` is `GROUPS`
+
+ If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`.
+
+ If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim.
type: string
+ x-enumDescriptions:
+ STARTS_WITH: Group names start with `value` (not case-sensitive). For example, if `value` is `group1`, then `group123` and `Group123` are included.
+ EQUALS: Group name is the same as `value` (not case-sensitive). For example, if `value` is `group1`, then `group1` and `Group1` are included, but `group123` isn't.
+ CONTAINS: Group names contain `value` (not case-sensitive). For example, if `value` is `group1`, then `MyGroup123` and `group1` are included.
+ REGEX: Group names match the regular expression in `value` (case-sensitive). For example if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match.
x-okta-known-values:
- - Cancelled
- - Failed
- - InProgress
- - PendingCompletion
- - Scheduled
- - Success
- AgentUpdateJobStatus:
- description: Overall state for the auto-update job from admin perspective
+ - CONTAINS
+ - EQUALS
+ - REGEX
+ - STARTS_WITH
+ OAuth2ClaimType:
+ description: Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`)
type: string
x-okta-known-values:
- - Cancelled
- - Failed
- - InProgress
- - Paused
- - Scheduled
- - Success
- AllowedForEnum:
+ - IDENTITY
+ - RESOURCE
+ OAuth2ClaimValueType:
+ description: Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`)
type: string
x-okta-known-values:
- - any
- - none
- - recovery
- - sso
- ApiToken:
- title: API Token
- description: An API token for an Okta User. This token is NOT scoped any further and can be used for any API the user has permissions to call.
+ - EXPRESSION
+ - GROUPS
+ - SYSTEM
+ OAuth2Client:
type: object
properties:
- clientName:
+ client_id:
+ description: Unique key for the client application. The `client_id` is immutable.
type: string
readOnly: true
- created:
+ example: 0oabskvc6442nkvQO0h7
+ client_name:
+ description: Human-readable string name of the client application
type: string
- format: date-time
readOnly: true
- expiresAt:
+ example: My App
+ client_uri:
type: string
- format: date-time
readOnly: true
+ example: https://www.example.com
+ logo_uri:
+ description: URL string that references a logo for the client consent dialog (not the sign-in dialog)
+ type: string
+ readOnly: true
+ example: https://www.example.com/logo.png
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ grants:
+ description: Link to the grant resources
+ allOf:
+ - $ref: '#/components/schemas/GrantResourcesHrefObject'
+ tokens:
+ description: Link to the token resources
+ allOf:
+ - $ref: '#/components/schemas/TokenResourcesHrefObject'
+ OAuth2ClientJsonWebKey:
+ type: object
+ properties:
+ alg:
+ type: string
+ description: Algorithm used in the key
+ example: RS256
+ nullable: false
+ created:
+ type: string
+ description: Timestamp when the OAuth Client 2.0 JSON Web Key was created
+ example: '2023-02-21T20:08:24.000Z'
+ readOnly: true
+ nullable: false
+ e:
+ type: string
+ description: RSA key value (exponent) for key binding
+ example: AQAB
+ nullable: false
id:
type: string
+ description: The unique ID of the OAuth Client JSON Web Key
+ example: pks2f4zrZbs8nUa7p0g4
readOnly: true
+ nullable: false
+ kid:
+ type: string
+ description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS
+ example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ nullable: true
+ kty:
+ type: string
+ description: Cryptographic algorithm family for the certificate's key pair
+ example: RSA
+ nullable: false
lastUpdated:
type: string
- format: date-time
+ description: Timestamp when the OAuth Client 2.0 JSON Web Key was updated
+ example: '2023-02-21T20:08:24.000Z'
readOnly: true
- name:
+ nullable: false
+ 'n':
type: string
- tokenWindow:
- $ref: '#/components/schemas/TimeDuration'
- userId:
+ description: RSA key value (modulus) for key binding
+ example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ nullable: false
+ status:
type: string
- _link:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObject'
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client JSON Web Key
+ example: ACTIVE
+ nullable: false
+ default: ACTIVE
+ use:
+ type: string
+ description: Acceptable use of the JSON Web Key
+ example: sig
+ nullable: false
+ _links:
+ $ref: '#/components/schemas/OAuthClientSecretLinks'
readOnly: true
- required:
- - name
- AppAndInstanceConditionEvaluatorAppOrInstance:
+ nullable: false
+ OAuth2ClientJsonWebKeyRequestBody:
type: object
properties:
- id:
+ alg:
type: string
- readOnly: true
- name:
+ description: Algorithm used in the key
+ example: RS256
+ nullable: false
+ e:
type: string
- type:
- $ref: '#/components/schemas/AppAndInstanceType'
- AppAndInstancePolicyRuleCondition:
- type: object
- properties:
- exclude:
- type: array
- items:
- $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance'
- include:
- type: array
- items:
- $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance'
- AppAndInstanceType:
- type: string
- x-okta-known-values:
- - APP
- - APP_TYPE
- AppInstancePolicyRuleCondition:
- type: object
- properties:
- exclude:
- type: array
- items:
- type: string
- include:
- type: array
- items:
- type: string
- AppLink:
+ description: RSA key value (exponent) for key binding
+ example: AQAB
+ nullable: false
+ kid:
+ type: string
+ description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS
+ example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ nullable: true
+ kty:
+ type: string
+ description: Cryptographic algorithm family for the certificate's key pair
+ example: RSA
+ nullable: false
+ 'n':
+ type: string
+ description: RSA key value (modulus) for key binding
+ example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ nullable: false
+ status:
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client JSON Web Key
+ example: ACTIVE
+ use:
+ type: string
+ description: Acceptable use of the JSON Web Key
+ example: sig
+ nullable: false
+ OAuth2ClientSecret:
type: object
properties:
- appAssignmentId:
- type: string
- readOnly: true
- appInstanceId:
+ client_secret:
type: string
+ description: The OAuth 2.0 client secret string
+ example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
readOnly: true
- appName:
+ nullable: false
+ created:
type: string
+ description: Timestamp when the OAuth Client 2.0 Secret was created
+ example: '2023-02-21T20:08:24.000Z'
readOnly: true
- credentialsSetup:
- type: boolean
- readOnly: true
- hidden:
- type: boolean
- readOnly: true
+ nullable: false
id:
type: string
+ description: The unique ID of the OAuth Client Secret
+ example: ocs2f4zrZbs8nUa7p0g4
readOnly: true
- label:
+ nullable: false
+ lastUpdated:
type: string
+ description: Timestamp when the OAuth Client 2.0 Secret was updated
+ example: '2023-02-21T20:08:24.000Z'
readOnly: true
- linkUrl:
+ nullable: false
+ secret_hash:
type: string
+ description: OAuth 2.0 client secret string hash
+ example: yk4SVx4sUWVJVbHt6M-UPA
readOnly: true
- logoUrl:
+ nullable: false
+ status:
type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client Secret
+ example: ACTIVE
+ nullable: false
+ default: ACTIVE
+ _links:
+ $ref: '#/components/schemas/OAuthClientSecretLinks'
readOnly: true
- sortOrder:
- type: integer
- readOnly: true
- AppUser:
+ nullable: false
+ OAuth2ClientSecretRequestBody:
+ type: object
+ properties:
+ client_secret:
+ type: string
+ description: The OAuth 2.0 client secret string
+ example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ status:
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client Secret
+ example: ACTIVE
+ OAuth2RefreshToken:
type: object
properties:
+ clientId:
+ type: string
+ description: Client ID
created:
+ $ref: '#/components/schemas/createdProperty'
+ expiresAt:
type: string
+ description: Expiration time of the OAuth 2.0 Token
format: date-time
readOnly: true
- credentials:
- $ref: '#/components/schemas/AppUserCredentials'
- externalId:
- type: string
- readOnly: true
id:
type: string
- readOnly: false
- lastSync:
- type: string
- format: date-time
+ description: ID of the Token object
readOnly: true
+ example: oar579Mcp7OUsNTlo0g3
+ issuer:
+ type: string
+ description: The complete URL of the authorization server that issued the Token
+ example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7
lastUpdated:
+ $ref: '#/components/schemas/lastUpdatedProperty'
+ scopes:
+ type: array
+ description: The scope names attached to the Token
+ items:
+ type: string
+ example: offline_access
+ status:
+ $ref: '#/components/schemas/GrantOrTokenStatus'
+ userId:
type: string
- format: date-time
+ description: The ID of the user associated with the Token
+ example: 00u5t60iloOHN9pBi0h7
+ _embedded:
+ type: object
+ description: The embedded resources related to the object if the `expand` query parameter is specified
+ properties:
+ scopes:
+ type: array
+ description: The scope objects attached to the Token
+ items:
+ $ref: '#/components/schemas/OAuth2RefreshTokenScope'
readOnly: true
- passwordChanged:
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ app:
+ description: Link to the app resource
+ allOf:
+ - $ref: '#/components/schemas/AppResourceHrefObject'
+ revoke:
+ description: Link to revoke the refresh Token
+ allOf:
+ - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject'
+ - properties:
+ hints:
+ properties:
+ allow:
+ items:
+ enum:
+ - DELETE
+ default: DELETE
+ client:
+ description: Link to the client resource
+ allOf:
+ - $ref: '#/components/schemas/AppResourceHrefObject'
+ user:
+ description: Link to the user resource
+ allOf:
+ - $ref: '#/components/schemas/UserResourceHrefObject'
+ authorizationServer:
+ description: Link to the Token authorization server resource
+ allOf:
+ - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject'
+ OAuth2RefreshTokenScope:
+ type: object
+ properties:
+ description:
type: string
- format: date-time
+ description: Description of the Scope
+ example: Requests a refresh token by default, used to obtain more access tokens without re-prompting the user for authentication
+ displayName:
+ type: string
+ description: Name of the end user displayed in a consent dialog
+ id:
+ type: string
+ description: Scope object ID
readOnly: true
- profile:
+ example: scppb56cIl4GvGxy70g3
+ name:
+ type: string
+ description: Scope name
+ example: offline_access
+ _links:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
type: object
- additionalProperties:
- type: object
- properties: {}
- scope:
+ properties:
+ scope:
+ description: Link to Scope resource
+ allOf:
+ - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject'
+ OAuth2Scope:
+ type: object
+ properties:
+ consent:
+ $ref: '#/components/schemas/OAuth2ScopeConsentType'
+ default:
+ type: boolean
+ description: Indicates if this Scope is a default scope
+ default: false
+ description:
type: string
- status:
+ description: Description of the Scope
+ displayName:
+ type: string
+ description: Name of the end user displayed in a consent dialog
+ id:
+ type: string
+ description: Scope object ID
+ readOnly: true
+ metadataPublish:
+ $ref: '#/components/schemas/OAuth2ScopeMetadataPublish'
+ name:
+ type: string
+ description: Scope name
+ optional:
+ type: boolean
+ description: Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope.
+ default: false
+ system:
+ type: boolean
+ description: Indicates if Okta created the Scope
+ default: false
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - name
+ OAuth2ScopeConsentGrant:
+ description: Grant object that represents an app consent scope grant
+ type: object
+ properties:
+ clientId:
type: string
+ description: Client ID of the app integration
readOnly: true
- statusChanged:
+ example: oag3ih1zrm1cBFOiq0h6
+ created:
+ $ref: '#/components/schemas/createdProperty'
+ createdBy:
+ $ref: '#/components/schemas/OAuth2Actor'
+ id:
type: string
- format: date-time
+ description: ID of the Grant object
readOnly: true
- syncState:
+ example: oag3ih1zrm1cBFOiq0h6
+ issuer:
+ type: string
+ description: The issuer of your org authorization server. This is typically your Okta domain.
+ example: https://my_test_okta_org.oktapreview.com
+ lastUpdated:
+ $ref: '#/components/schemas/lastUpdatedProperty'
+ scopeId:
+ type: string
+ description: The name of the [Okta scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) for which consent is granted
+ example: okta.users.read
+ source:
+ $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource'
+ status:
+ $ref: '#/components/schemas/GrantOrTokenStatus'
+ userId:
type: string
+ description: User ID that granted consent (if `source` is `END_USER`)
readOnly: true
+ example: 00u5t60iloOHN9pBi0h7
_embedded:
type: object
- additionalProperties:
- type: object
- properties: {}
+ description: Embedded resources related to the Grant
+ properties:
+ scope:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The name of the Okta scope for which consent is granted
+ example: okta.users.read
readOnly: true
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- AppUserCredentials:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ app:
+ description: Link to the app resource
+ allOf:
+ - $ref: '#/components/schemas/AppResourceHrefObject'
+ client:
+ description: Link to the client resource
+ allOf:
+ - $ref: '#/components/schemas/AppResourceHrefObject'
+ scope:
+ description: Link to the scope resource
+ allOf:
+ - $ref: '#/components/schemas/ScopeResourceHrefObject'
+ user:
+ description: Link to the user resource
+ allOf:
+ - $ref: '#/components/schemas/UserResourceHrefObject'
+ authorizationServer:
+ description: Link to the authorization server resource
+ allOf:
+ - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject'
+ - readOnly: true
+ required:
+ - issuer
+ - scopeId
+ OAuth2ScopeConsentGrantSource:
+ description: User type source that granted consent
+ example: ADMIN
+ type: string
+ readOnly: true
+ x-okta-known-values:
+ - ADMIN
+ - END_USER
+ OAuth2ScopeConsentType:
+ description: Indicates whether a consent dialog is needed for the Scope
+ default: IMPLICIT
+ type: string
+ x-okta-known-values:
+ - FLEXIBLE
+ - IMPLICIT
+ - REQUIRED
+ OAuth2ScopeMetadataPublish:
+ description: Indicates whether the Scope is included in the metadata
+ default: NO_CLIENTS
+ type: string
+ x-okta-known-values:
+ - ALL_CLIENTS
+ - NO_CLIENTS
+ OAuth2ScopesMediationPolicyRuleCondition:
+ description: Array of scopes that the condition includes
type: object
properties:
- password:
- $ref: '#/components/schemas/AppUserPasswordCredential'
- userName:
- type: string
- AppUserPasswordCredential:
+ include:
+ type: array
+ items:
+ type: string
+ OAuth2Token:
type: object
properties:
- value:
+ clientId:
type: string
- format: password
- Application:
- type: object
- properties:
- accessibility:
- $ref: '#/components/schemas/ApplicationAccessibility'
+ description: Client ID
+ example: 0oabskvc6442nkvQO0h7
+ readOnly: true
created:
+ $ref: '#/components/schemas/createdProperty'
+ expiresAt:
type: string
+ description: Expiration time of the OAuth 2.0 Token
format: date-time
readOnly: true
- features:
- type: array
- items:
- type: string
id:
type: string
+ description: ID of the Token object
readOnly: true
- label:
+ issuer:
type: string
+ description: The complete URL of the authorization server that issued the Token
lastUpdated:
- type: string
- format: date-time
- readOnly: true
- licensing:
- $ref: '#/components/schemas/ApplicationLicensing'
- profile:
- type: object
- additionalProperties:
- type: object
- properties: {}
- signOnMode:
- $ref: '#/components/schemas/ApplicationSignOnMode'
+ $ref: '#/components/schemas/lastUpdatedProperty'
+ scopes:
+ type: array
+ description: Name of scopes attached to the Token
+ items:
+ type: string
status:
- $ref: '#/components/schemas/ApplicationLifecycleStatus'
- visibility:
- $ref: '#/components/schemas/ApplicationVisibility'
+ $ref: '#/components/schemas/GrantOrTokenStatus'
+ userId:
+ type: string
_embedded:
type: object
+ description: Embedded resources related to the object if the `expand` query parameter is specified
additionalProperties:
type: object
properties: {}
readOnly: true
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- discriminator:
- propertyName: signOnMode
- mapping:
- AUTO_LOGIN: '#/components/schemas/AutoLoginApplication'
- BASIC_AUTH: '#/components/schemas/BasicAuthApplication'
- BOOKMARK: '#/components/schemas/BookmarkApplication'
- BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication'
- OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication'
- SAML_1_1: '#/components/schemas/SamlApplication'
- SAML_2_0: '#/components/schemas/SamlApplication'
- SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication'
- WS_FEDERATION: '#/components/schemas/WsFederationApplication'
- ApplicationAccessibility:
+ $ref: '#/components/schemas/LinksSelf'
+ OAuthApplicationCredentials:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationCredentials'
+ - type: object
+ properties:
+ oauthClient:
+ $ref: '#/components/schemas/ApplicationCredentialsOAuthClient'
+ OAuthAuthorizationEndpoint:
+ description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18)
type: object
properties:
- errorRedirectUrl:
- type: string
- loginRedirectUrl:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
type: string
- selfService:
- type: boolean
- ApplicationCredentials:
+ description: URL of the IdP Authorization Server (AS) authorization endpoint
+ example: https://idp.example.com/authorize
+ OAuthClientSecretLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ properties:
+ activate:
+ $ref: '#/components/schemas/HrefObjectActivateLink'
+ deactivate:
+ $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ delete:
+ $ref: '#/components/schemas/HrefObjectDeleteLink'
+ readOnly: true
+ OAuthCredentials:
+ description: Client authentication credentials for an [OAuth 2.0 Authorization Server](https://tools.ietf.org/html/rfc6749#section-2.3)
type: object
properties:
+ client:
+ $ref: '#/components/schemas/OAuthCredentialsClient'
signing:
- $ref: '#/components/schemas/ApplicationCredentialsSigning'
- userNameTemplate:
- $ref: '#/components/schemas/ApplicationCredentialsUsernameTemplate'
- ApplicationCredentialsOAuthClient:
+ $ref: '#/components/schemas/AppleClientSigning'
+ OAuthCredentialsClient:
+ description: |-
+ OAuth 2.0 and OpenID Connect Client object
+ > **Note:** You must complete client registration with the IdP Authorization Server for your Okta IdP instance to obtain client credentials.
type: object
properties:
- autoKeyRotation:
- type: boolean
client_id:
type: string
+ description: The [Unique identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued by the AS for the Okta IdP instance
+ maxLength: 1024
+ example: your-client-id
client_secret:
type: string
+ description: The [Client secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by the AS for the Okta IdP instance
+ maxLength: 1024
+ example: your-client-secret
+ pkce_required:
+ type: boolean
+ description: Require Proof Key for Code Exchange (PKCE) for additional verification
token_endpoint_auth_method:
- $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod'
- ApplicationCredentialsScheme:
+ type: string
+ description: Client authentication methods supported by the token endpoint
+ enum:
+ - private_key_jwt
+ OAuthEndpointAuthenticationMethod:
+ description: Requested authentication method for the token endpoint
+ default: client_secret_basic
type: string
x-okta-known-values:
- - ADMIN_SETS_CREDENTIALS
- - EDIT_PASSWORD_ONLY
- - EDIT_USERNAME_AND_PASSWORD
- - EXTERNAL_PASSWORD_SYNC
- - SHARED_USERNAME_AND_PASSWORD
- ApplicationCredentialsSigning:
+ - client_secret_basic
+ - client_secret_jwt
+ - client_secret_post
+ - none
+ - private_key_jwt
+ OAuthEndpoints:
+ description: |-
+ The `OAUTH2` and `OIDC` protocols support the `authorization` and `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and `jwks` endpoints.
+
+ The IdP Authorization Server (AS) endpoints are currently defined as part of the [IdP provider]((https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)) and are read-only.
+ type: object
+ properties:
+ authorization:
+ $ref: '#/components/schemas/OAuthAuthorizationEndpoint'
+ jwks:
+ $ref: '#/components/schemas/OidcJwksEndpoint'
+ token:
+ $ref: '#/components/schemas/OAuthTokenEndpoint'
+ userInfo:
+ $ref: '#/components/schemas/OidcUserInfoEndpoint'
+ OAuthGrantType:
+ description: Array of OAuth 2.0 grant type strings
+ type: string
+ x-okta-known-values:
+ - authorization_code
+ - client_credentials
+ - implicit
+ - interaction_code
+ - password
+ - refresh_token
+ - urn:ietf:params:oauth:grant-type:device_code
+ - urn:ietf:params:oauth:grant-type:jwt-bearer
+ - urn:ietf:params:oauth:grant-type:saml2-bearer
+ - urn:ietf:params:oauth:grant-type:token-exchange
+ - urn:openid:params:grant-type:ciba
+ OAuthMetadata:
+ type: object
+ properties:
+ authorization_endpoint:
+ type: string
+ description: URL of the authorization server's authorization endpoint.
+ backchannel_authentication_request_signing_alg_values_supported:
+ description:
A list of signing algorithms that this authorization server supports for signed requests.
+ type: array
+ items:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ backchannel_token_delivery_modes_supported:
+ description:
The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication.
+ type: array
+ items:
+ $ref: '#/components/schemas/TokenDeliveryMode'
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ claims_supported:
+ description: A list of the claims supported by this authorization server.
+ type: array
+ items:
+ $ref: '#/components/schemas/Claim'
+ code_challenge_methods_supported:
+ description: A list of PKCE code challenge methods supported by this authorization server.
+ type: array
+ items:
+ $ref: '#/components/schemas/CodeChallengeMethod'
+ device_authorization_endpoint:
+ type: string
+ dpop_signing_alg_values_supported:
+ description: A list of signing algorithms supported by this authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs.
+ type: array
+ items:
+ type: string
+ enum:
+ - ES256
+ - ES384
+ - ES512
+ - RS256
+ - RS384
+ - RS512
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ end_session_endpoint:
+ description: URL of the authorization server's logout endpoint.
+ type: string
+ grant_types_supported:
+ description: A list of the grant type values that this authorization server supports.
+ type: array
+ items:
+ $ref: '#/components/schemas/GrantType'
+ introspection_endpoint:
+ description: URL of the authorization server's introspection endpoint.
+ type: string
+ introspection_endpoint_auth_methods_supported:
+ description: A list of client authentication methods supported by this introspection endpoint.
+ type: array
+ items:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ issuer:
+ type: string
+ description: The authorization server's issuer identifier. In the context of this document, this is your authorization server's base URL. This becomes the `iss` claim in an access token.
+ jwks_uri:
+ description: URL of the authorization server's JSON Web Key Set document.
+ type: string
+ pushed_authorization_request_endpoint:
+ type: string
+ registration_endpoint:
+ description: URL of the authorization server's JSON Web Key Set document.
+ type: string
+ request_object_signing_alg_values_supported:
+ description: A list of signing algorithms that this authorization server supports for signed requests.
+ type: array
+ items:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ request_parameter_supported:
+ description: Indicates if Request Parameters are supported by this authorization server.
+ type: boolean
+ response_modes_supported:
+ description: A list of the `response_mode` values that this authorization server supports. More information here.
+ type: array
+ items:
+ $ref: '#/components/schemas/ResponseMode'
+ response_types_supported:
+ description: A list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`.
+ type: array
+ items:
+ $ref: '#/components/schemas/ResponseTypesSupported'
+ revocation_endpoint:
+ description: URL of the authorization server's revocation endpoint.
+ type: string
+ revocation_endpoint_auth_methods_supported:
+ description: A list of client authentication methods supported by this revocation endpoint.
+ type: array
+ items:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ scopes_supported:
+ description: A list of the scope values that this authorization server supports.
+ type: array
+ items:
+ $ref: '#/components/schemas/Scope'
+ subject_types_supported:
+ description: A list of the Subject Identifier types that this authorization server supports. Valid types include `pairwise` and `public`, but only `public` is currently supported. See the [Subject Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification.
+ type: array
+ items:
+ $ref: '#/components/schemas/SubjectType'
+ token_endpoint:
+ description: URL of the authorization server's token endpoint.
+ type: string
+ token_endpoint_auth_methods_supported:
+ description: A list of client authentication methods supported by this token endpoint.
+ type: array
+ items:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ OAuthProvisioningEnabledApp:
+ description: Application name for the provisioning connection
+ type: string
+ x-okta-known-values:
+ - google
+ - office365
+ - slack
+ - zoomus
+ OAuthResponseType:
+ description: Array of OAuth 2.0 response type strings
+ type: string
+ x-okta-known-values:
+ - code
+ - id_token
+ - token
+ OAuthTokenEndpoint:
+ description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18)
+ type: object
+ properties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
+ type: string
+ description: URL of the IdP Authorization Server (AS) token endpoint
+ example: https://idp.example.com/token
+ OINApplication:
+ type: object
+ properties:
+ accessibility:
+ $ref: '#/components/schemas/ApplicationAccessibility'
+ credentials:
+ $ref: '#/components/schemas/SchemeApplicationCredentials'
+ label:
+ $ref: '#/components/schemas/ApplicationLabel'
+ licensing:
+ $ref: '#/components/schemas/ApplicationLicensing'
+ name:
+ type: string
+ description: The key name for the OIN app definition
+ profile:
+ type: object
+ description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)
+ additionalProperties:
+ type: object
+ properties: {}
+ signOnMode:
+ type: string
+ description: Authentication mode for the app
+ status:
+ $ref: '#/components/schemas/ApplicationLifecycleStatus'
+ visibility:
+ $ref: '#/components/schemas/ApplicationVisibility'
+ OINSaml11ApplicationSettingsSignOn:
+ title: SAML 1.1 settings
+ description: Contains SAML 1.1 sign-on mode attributes
type: object
properties:
- kid:
+ audienceOverride:
type: string
- lastRotated:
+ description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ defaultRelayState:
type: string
- format: date-time
- readOnly: true
- nextRotation:
+ description: Identifies a specific application resource in an IdP-initiated SSO scenario
+ recipientOverride:
type: string
- format: date-time
- readOnly: true
- rotationMode:
+ description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ ssoAcsUrlOverride:
type: string
- use:
- $ref: '#/components/schemas/ApplicationCredentialsSigningUse'
- ApplicationCredentialsSigningUse:
- type: string
- x-okta-known-values:
- - sig
- ApplicationCredentialsUsernameTemplate:
+ description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ OINSaml20ApplicationSettingsSignOn:
+ title: SAML 2.0 settings
+ description: |-
+ Contains SAML 2.0 sign-on mode attributes.
+ > **Note:** Set `destinationOverride` to configure any other SAML 2.0 attributes in this section.
type: object
properties:
- pushStatus:
- type: string
- suffix:
+ audienceOverride:
type: string
- template:
+ description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ configuredAttributeStatements:
+ type: array
+ items:
+ $ref: '#/components/schemas/SamlAttributeStatement'
+ defaultRelayState:
type: string
- type:
+ description: Identifies a specific application resource in an IdP-initiated SSO scenario
+ destinationOverride:
type: string
- ApplicationFeature:
- type: object
- properties:
- capabilities:
- $ref: '#/components/schemas/CapabilitiesObject'
- description:
+ description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ recipientOverride:
type: string
- name:
+ description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ samlAssertionLifetimeSeconds:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: integer
+ description: Determines the SAML app session lifetimes with Okta
+ example: 3600
+ ssoAcsUrlOverride:
type: string
- status:
- $ref: '#/components/schemas/EnabledStatus'
- _links:
- additionalProperties:
- type: object
- readOnly: true
- type: object
- ApplicationGroupAssignment:
+ description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ OSVersion:
+ description: |
+ Specifies the OS requirement for the policy.
+
+ There are two types of OS requirements:
+
+ * **Static**: A specific OS version requirement that doesn't change until you update the policy. A static OS requirement is specified with the `osVersion.minimum` property.
+ * **Dynamic**: An OS version requirement that is relative to the latest major OS release and security patch. A dynamic OS requirement is specified with the `osVersion.dynamicVersionRequirement` property.
+ > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. You can't specify both `osVersion.minimum` and `osVersion.dynamicVersionRequirement` properties at the same time.
type: object
properties:
- id:
- type: string
- readOnly: true
- lastUpdated:
- type: string
- format: date-time
- readOnly: true
- priority:
- type: integer
- profile:
- type: object
- additionalProperties:
- type: object
- properties: {}
- _embedded:
+ dynamicVersionRequirement:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ description:
Contains the necessary properties for a dynamic version requirement
type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- ApplicationLayout:
+ properties:
+ type:
+ type: string
+ description: Indicates the type of the dynamic OS version requirement
+ enum:
+ - MINIMUM
+ - EXACT
+ - EXACT_ANY_SUPPORTED
+ x-enumDescriptions:
+ MINIMUM: The device version must be equal to or newer than the dynamically determined version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT: The device version must be on the same major version as the dynamically determined version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT_ANY_SUPPORTED: The device version must be on a major version which is supported. You can't specify `distanceFromLatestMajor` for this type.
+ distanceFromLatestMajor:
+ description: Indicates the distance from the latest major version
+ type: integer
+ minimum: 0
+ maximum: 1
+ latestSecurityPatch:
+ description: Indicates whether the device needs to be on the latest security patch
+ type: boolean
+ minimum:
+ description: The device version must be equal to or newer than the specified version string (maximum of three components for iOS and macOS, and maximum of four components for Android)
+ type: string
+ example: 12.4.5
+ OSVersionConstraint:
type: object
properties:
- elements:
- items:
- $ref: '#/components/schemas/ApplicationLayout'
- type: array
- label:
- type: string
- options:
- type: object
- additionalProperties: true
- rule:
+ dynamicVersionRequirement:
type: object
+ description: Contains the necessary properties for a dynamic Windows version requirement
properties:
- effect:
+ type:
type: string
- condition:
- $ref: '#/components/schemas/ApplicationLayoutRuleCondition'
- scope:
+ description: Indicates the type of the dynamic Windows version requirement
+ enum:
+ - MINIMUM
+ - EXACT
+ - EXACT_ANY_SUPPORTED
+ - NOT_ALLOWED
+ x-enumDescriptions:
+ MINIMUM: The device version must be equal to or newer than the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT: The device version must be on the same major version as the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT_ANY_SUPPORTED: The device version must be on a Windows major version which is supported. You can't specify `distanceFromLatestMajor` for this type.
+ NOT_ALLOWED: The device version isn't allowed. You can't specify `distanceFromLatestMajor` or `latestSecurityPatch` for this type.
+ distanceFromLatestMajor:
+ description: Indicates the distance from the latest Windows major version
+ type: integer
+ minimum: 0
+ maximum: 1
+ latestSecurityPatch:
+ description: Indicates whether the policy requires Windows devices to be on the latest security patch
+ type: boolean
+ majorVersionConstraint:
type: string
- type:
+ description: Indicates the Windows major version
+ enum:
+ - WINDOWS_11
+ - WINDOWS_10
+ x-enumDescriptions:
+ WINDOWS_11: The device is on Windows 11
+ WINDOWS_10: The device is on Windows 10 or an older Windows version
+ minimum:
+ description: The Windows device version must be equal to or newer than the specified version
type: string
- ApplicationLayoutRuleCondition:
+ example: 12.4.5.9
+ required:
+ - majorVersionConstraint
+ OSVersionFourComponents:
+ description: Current version of the operating system (maximum of four components in the versioning scheme)
type: object
properties:
- schema:
- type: object
- additionalProperties: true
- scope:
+ minimum:
type: string
- ApplicationLicensing:
+ example: 12.4.5.9
+ OSVersionThreeComponents:
+ description: Current version of the operating system (maximum of three components in the versioning scheme)
type: object
properties:
- seatCount:
- type: integer
- ApplicationLifecycleStatus:
- type: string
- readOnly: true
- x-okta-known-values:
- - ACTIVE
- - DELETED
- - INACTIVE
- ApplicationSettings:
+ minimum:
+ type: string
+ example: 12.4.5
+ Office365Application:
+ title: Microsoft Office 365
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: office365
+ description: |
+ Schema for the Microsoft Office 365 app (key name: `office365`)
+
+ To create a Microsoft Office 365 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Office 365 app only supports `BROWSER_PLUGIN` and `SAML_1_1` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - office365
+ example: office365
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_1_1
+ example: BROWSER_PLUGIN
+ settings:
+ $ref: '#/components/schemas/Office365ApplicationSettings'
+ example:
+ name: office365
+ label: Sample Office365 App
+ signOnMode: SAML_1_1
+ settings:
+ app:
+ domain: myintegration.okta365test.net
+ msftTenant: mycompanyinc
+ Office365ApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/Office365ApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml11ApplicationSettingsSignOn'
+ Office365ApplicationSettingsApplication:
+ description: Office365 app instance properties
type: object
properties:
- identityStoreId:
+ domain:
type: string
- implicitAssignment:
- type: boolean
- inlineHookId:
+ description: The domain for your Office 365 account
+ msftTenant:
type: string
- notes:
- $ref: '#/components/schemas/ApplicationSettingsNotes'
- notifications:
- $ref: '#/components/schemas/ApplicationSettingsNotifications'
- ApplicationSettingsNotes:
+ description: Microsoft tenant name
+ required:
+ - msftTenant
+ - domain
+ Office365ProvisioningSettings:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ title: Microsoft Office 365 provisioning settings
+ description: Settings required for the Microsoft Office 365 Provisioning Connection
type: object
properties:
- admin:
+ adminPassword:
type: string
- enduser:
+ description: Microsoft Office 365 global administrator password
+ adminUsername:
type: string
- ApplicationSettingsNotifications:
- type: object
- properties:
- vpn:
- $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn'
- ApplicationSettingsNotificationsVpn:
+ description: Microsoft Office 365 global administrator username
+ required:
+ - adminUsername
+ - adminPassword
+ OfflineAccessScopeResourceHrefObject:
type: object
properties:
- helpUrl:
+ href:
type: string
- message:
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3
+ title:
type: string
- network:
- $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork'
- ApplicationSettingsNotificationsVpnNetwork:
+ description: Link name
+ example: offline_access
+ Oidc:
+ description: OIDC configuration details
type: object
properties:
- connection:
+ doc:
type: string
- exclude:
+ format: uri
+ description: The URL to your customer-facing instructions for configuring your OIDC integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines).
+ example: https://example.com/strawberry/help/oidcSetup
+ initiateLoginUri:
+ type: string
+ format: uri
+ description: The URL to redirect users when they click on your app from their Okta End-User Dashboard
+ example: https://${org.subdomain}.example.com/strawberry/oidc/sp-init
+ postLogoutUris:
type: array
+ description: The sign-out redirect URIs for your app. You can send a request to `/v1/logout` to sign the user out and redirect them to one of these URIs.
items:
type: string
- include:
+ format: uri
+ description: 'A sign-out redirect URI. You can use the org properties you defined in the `config` array as variables in your URI. For example: `https://${org.subdomain}.example.com/strawberry/oidc/logged-out`'
+ example: https://${org.subdomain}.example.com/strawberry/oidc/logged-out
+ redirectUris:
type: array
+ minItems: 1
+ description: List of sign-in redirect URIs
items:
type: string
- ApplicationSignOnMode:
- type: string
- x-okta-known-values:
- - AUTO_LOGIN
- - BASIC_AUTH
- - BOOKMARK
- - BROWSER_PLUGIN
- - OPENID_CONNECT
- - SAML_1_1
- - SAML_2_0
- - SECURE_PASSWORD_STORE
- - WS_FEDERATION
- ApplicationVisibility:
- type: object
- properties:
- appLinks:
- type: object
- additionalProperties:
- type: boolean
- autoLaunch:
- type: boolean
- autoSubmitToolbar:
- type: boolean
- hide:
- $ref: '#/components/schemas/ApplicationVisibilityHide'
- ApplicationVisibilityHide:
- type: object
- properties:
- iOS:
- type: boolean
- web:
- type: boolean
- AssignRoleRequest:
- type: object
- properties:
- type:
- $ref: '#/components/schemas/RoleType'
- AuthenticationProvider:
- type: object
- properties:
- name:
- type: string
- type:
- $ref: '#/components/schemas/AuthenticationProviderType'
- AuthenticationProviderType:
- type: string
- x-okta-known-values:
- - ACTIVE_DIRECTORY
- - FEDERATION
- - IMPORT
- - LDAP
- - OKTA
- - SOCIAL
- Authenticator:
- type: object
- properties:
- created:
- format: date-time
- readOnly: true
- type: string
- id:
- readOnly: true
- type: string
- key:
- type: string
- lastUpdated:
- format: date-time
- readOnly: true
- type: string
- name:
- type: string
- provider:
- $ref: '#/components/schemas/AuthenticatorProvider'
- settings:
- $ref: '#/components/schemas/AuthenticatorSettings'
- status:
- $ref: '#/components/schemas/AuthenticatorStatus'
- type:
- $ref: '#/components/schemas/AuthenticatorType'
- _links:
- additionalProperties:
- type: object
- readOnly: true
- type: object
- AuthenticatorProvider:
- properties:
- configuration:
- $ref: '#/components/schemas/AuthenticatorProviderConfiguration'
- type:
- type: string
- AuthenticatorProviderConfiguration:
+ format: uri
+ description: Sign-in redirect URI
+ example: https://${org.subdomain}.example.com/strawberry/oidc/login
+ required:
+ - redirectUris
+ - doc
+ OidcAlgorithms:
+ type: object
properties:
- authPort:
- type: integer
- hostName:
- type: string
- instanceId:
- type: string
- sharedSecret:
- type: string
- userNameTemplate:
- $ref: '#/components/schemas/AuthenticatorProviderConfigurationUserNameTemplate'
- AuthenticatorProviderConfigurationUserNameTemplate:
+ request:
+ $ref: '#/components/schemas/OidcRequestAlgorithm'
+ OidcJwksEndpoint:
+ description: Endpoint for the JSON Web Key Set (JWKS) document. This document contains signing keys that are used to validate the signatures from the provider. For more information on JWKS, see [JSON Web Key](https://tools.ietf.org/html/rfc7517).
+ type: object
properties:
- template:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
type: string
- AuthenticatorSettings:
+ description: URL of the endpoint to the JWK Set
+ example: https://idp.example.com/keys
+ OidcRequestAlgorithm:
+ description: Algorithm settings used to sign an authorization request
type: object
properties:
- allowedFor:
- $ref: '#/components/schemas/AllowedForEnum'
- appInstanceId:
- type: string
- channelBinding:
- $ref: '#/components/schemas/ChannelBinding'
- compliance:
- $ref: '#/components/schemas/Compliance'
- tokenLifetimeInMinutes:
- type: integer
- userVerification:
- $ref: '#/components/schemas/UserVerificationEnum'
- AuthenticatorStatus:
- type: string
- x-okta-known-values:
- - ACTIVE
- - INACTIVE
- AuthenticatorType:
+ signature:
+ $ref: '#/components/schemas/OidcRequestSignatureAlgorithm'
+ OidcRequestSignatureAlgorithm:
+ description: |-
+ Signature Algorithm settings for signing authorization requests sent to the IdP
+ > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`).
+ type: object
+ properties:
+ algorithm:
+ $ref: '#/components/schemas/OidcSigningAlgorithm'
+ scope:
+ $ref: '#/components/schemas/ProtocolAlgorithmRequestScope'
+ OidcSigningAlgorithm:
type: string
x-okta-known-values:
- - app
- - email
- - federated
- - password
- - phone
- - security_key
- - security_question
- AuthorizationServer:
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ OidcUserInfoEndpoint:
+ description: Endpoint for getting identity information about the User. For more information on the `/userinfo` endpoint, see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
type: object
properties:
- audiences:
- type: array
- items:
- type: string
- created:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
type: string
- format: date-time
- readOnly: true
- credentials:
- $ref: '#/components/schemas/AuthorizationServerCredentials'
+ description: URL of the resource server's `/userinfo` endpoint
+ example: https://idp.example.com/userinfo
+ OktaActiveDirectoryGroupProfile:
+ description: |-
+ Profile for a Group that is imported from Active Directory.
+
+ The `objectClass` for such groups is `okta:windows_security_principal`.
+ type: object
+ properties:
description:
type: string
- id:
- type: string
- readOnly: true
- issuer:
+ example: example.com/West Coast/West Coast Users
+ description: Description of the Windows Group
+ dn:
type: string
- issuerMode:
- $ref: '#/components/schemas/IssuerMode'
- lastUpdated:
+ example: CN=West Coast Users,OU=West Coast,DC=example,DC=com
+ description: The distinguished name of the Windows Group
+ externalId:
type: string
- format: date-time
- readOnly: true
+ example: VKzYZ1C+IkSZxIWlrW5ITg==
+ description: Base-64 encoded GUID (`objectGUID`) of the Windows Group
name:
type: string
- status:
- $ref: '#/components/schemas/LifecycleStatus'
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- AuthorizationServerCredentials:
+ example: West Coast Users
+ description: Name of the Windows Group
+ samAccountName:
+ type: string
+ example: West Coast Users
+ description: Pre-Windows 2000 name of the Windows Group
+ windowsDomainQualifiedName:
+ type: string
+ example: EXAMPLE\\West Coast Users
+ description: Fully qualified name of the Windows Group
+ OktaDeviceRiskChangeEvent:
+ description: The device risk level changed
type: object
properties:
- signing:
- $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig'
- AuthorizationServerCredentialsRotationMode:
- type: string
- x-okta-known-values:
- - AUTO
- - MANUAL
- AuthorizationServerCredentialsSigningConfig:
+ current_level:
+ type: string
+ description: Current risk level of the device
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: low
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_level:
+ type: string
+ description: Previous risk level of the device
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: medium
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_level
+ - previous_level
+ OktaIpChangeEvent:
+ description: IP changed for the subject's session
type: object
properties:
- kid:
- type: string
- lastRotated:
+ current_ip_address:
type: string
- format: date-time
- readOnly: true
- nextRotation:
+ description: Current IP address of the subject
+ example: 123.4.5.6
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
type: string
- format: date-time
- readOnly: true
- rotationMode:
- $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode'
- use:
- $ref: '#/components/schemas/AuthorizationServerCredentialsUse'
- AuthorizationServerCredentialsUse:
- type: string
- x-okta-known-values:
- - sig
- AuthorizationServerPolicy:
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_ip_address:
+ type: string
+ description: Previous IP address of the subject
+ example: 123.45.67.8
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_ip_address
+ - previous_ip_address
+ OktaPersonalAdminFeatureSettings:
+ description: Defines a list of Okta Personal settings that can be enabled or disabled for the org
+ type: object
+ properties:
+ enableEnduserEntryPoints:
+ type: boolean
+ description: Allow entry points for an Okta Personal account in a Workforce org
+ enableExportApps:
+ type: boolean
+ description: Allow users to migrate apps from a Workforce account to an Okta Personal account
+ OktaSignOnPolicy:
allOf:
- $ref: '#/components/schemas/Policy'
- type: object
properties:
conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
- AuthorizationServerPolicyRule:
+ $ref: '#/components/schemas/OktaSignOnPolicyConditions'
+ OktaSignOnPolicyConditions:
+ allOf:
+ - type: object
+ properties:
+ people:
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ groups:
+ type: object
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ OktaSignOnPolicyFactorPromptMode:
+ description: |
+ Indicates if the User should be challenged for a second factor (MFA) based on the device being used, a Factor session lifetime, or on every sign-in attempt
+
+ **Note:** Required only if `requireFactor` is set to `true`.
+ type: string
+ x-okta-known-values:
+ - ALWAYS
+ - DEVICE
+ - SESSION
+ OktaSignOnPolicyRule:
allOf:
- $ref: '#/components/schemas/PolicyRule'
- type: object
properties:
actions:
- $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions'
+ $ref: '#/components/schemas/OktaSignOnPolicyRuleActions'
conditions:
- $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions'
- AuthorizationServerPolicyRuleActions:
+ $ref: '#/components/schemas/OktaSignOnPolicyRuleConditions'
+ OktaSignOnPolicyRuleActions:
allOf:
- $ref: '#/components/schemas/PolicyRuleActions'
- type: object
properties:
- token:
- $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction'
- AuthorizationServerPolicyRuleConditions:
+ signon:
+ $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions'
+ OktaSignOnPolicyRuleConditions:
allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- type: object
properties:
- clients:
- $ref: '#/components/schemas/ClientPolicyCondition'
- grantTypes:
- $ref: '#/components/schemas/GrantTypePolicyRuleCondition'
+ authContext:
+ $ref: '#/components/schemas/PolicyRuleAuthContextCondition'
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
people:
$ref: '#/components/schemas/PolicyPeopleCondition'
- scopes:
- $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition'
- AutoLoginApplication:
+ identityProvider:
+ $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition'
+ OktaSignOnPolicyRuleSignonActions:
+ type: object
+ properties:
+ access:
+ type: string
+ enum:
+ - ALLOW
+ - DENY
+ factorLifetime:
+ type: integer
+ description: |
+ Interval of time that must elapse before the User is challenged for MFA, if the Factor prompt mode is set to `SESSION`
+
+ **Note:** Required only if `requireFactor` is `true`.
+ factorPromptMode:
+ $ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode'
+ primaryFactor:
+ $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonPrimaryFactor'
+ rememberDeviceByDefault:
+ type: boolean
+ description: Indicates if Okta should automatically remember the device
+ default: false
+ requireFactor:
+ type: boolean
+ default: false
+ description: Indicates if multifactor authentication is required
+ session:
+ $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions'
+ OktaSignOnPolicyRuleSignonPrimaryFactor:
+ description: |-
+ Indicates the primary factor used to establish a session for the org. Supported values: `PASSWORD_IDP_ANY_FACTOR` (users can use any factor required by the app authentication policy to establish a session), `PASSWORD_IDP` (users must always use a password to establish a session).
+
+ **Note:** Required only if `access` is set to `ALLOW`.
+ type: string
+ x-okta-known-values:
+ - PASSWORD_IDP
+ - PASSWORD_IDP_ANY_FACTOR
+ OktaSignOnPolicyRuleSignonSessionActions:
+ description: Properties governing the User's session lifetime
+ type: object
+ properties:
+ maxSessionIdleMinutes:
+ description: Maximum number of minutes that a User session can be idle before the session is ended
+ type: integer
+ default: 120
+ maxSessionLifetimeMinutes:
+ description: Maximum number of minutes from User sign in that a user's session is active. Set this to force Users to sign in again after the number of specified minutes. Disable by setting to `0`. This property is read-only for the default rule of the default global session policy.
+ type: integer
+ default: 0
+ usePersistentCookie:
+ description: If set to `false`, user session cookies only last the length of a browser session. If set to `true`, user session cookies last across browser sessions. This setting doesn't impact administrators who can never have persistent session cookies. This property is read-only for the default rule of the default global session policy.
+ type: boolean
+ default: false
+ OktaUserGroupProfile:
+ description: |-
+ Profile for any Group that is not imported from Active Directory. Specifies the standard
+ and custom profile properties for a Group.
+
+ The `objectClass` for these groups is `okta:user_group`.
+ type: object
+ properties:
+ description:
+ type: string
+ example: All Users West of The Rockies
+ description: Description of the Group
+ name:
+ type: string
+ example: West Coast Users
+ description: Name of the Group
+ x-okta-extensible: true
+ OktaUserRiskChangeEvent:
+ description: The user risk level changed
+ type: object
+ properties:
+ current_level:
+ type: string
+ description: Current risk level of the user
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: low
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_level:
+ type: string
+ description: Previous risk level of the user
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: medium
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_level
+ - previous_level
+ OpenIdConnectApplication:
+ x-okta-defined-as:
+ name: oidc_client
allOf:
- $ref: '#/components/schemas/Application'
- type: object
properties:
credentials:
- $ref: '#/components/schemas/SchemeApplicationCredentials'
+ $ref: '#/components/schemas/OAuthApplicationCredentials'
name:
type: string
+ description: '`oidc_client` is the key name for an OAuth 2.0 client app instance'
+ enum:
+ - oidc_client
settings:
- $ref: '#/components/schemas/AutoLoginApplicationSettings'
- AutoLoginApplicationSettings:
+ $ref: '#/components/schemas/OpenIdConnectApplicationSettings'
+ required:
+ - name
+ - settings
+ - credentials
+ OpenIdConnectApplicationConsentMethod:
+ description: |
+ Indicates whether user consent is required or implicit.
+ A consent dialog appears for the end user depending on the values of three elements:
+
+ * [prompt](/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/authorize!in=query&path=prompt&t=request): A query parameter that is used in requests to `/authorize`
+ * `consent_method` (this property)
+ * [consent](/openapi/okta-management/management/tag/AuthorizationServerScopes/#tag/AuthorizationServerScopes/operation/createOAuth2Scope!path=consent&t=request): A [Scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServerScopes/) property that allows you to enable or disable user consent for an individual scope
+
+ | `prompt` | `consent_method` | `consent` | Result
+ | ---------- | ----------- | ---------- | ----------- |
+ | CONSENT | TRUSTED or REQUIRED | REQUIRED | Prompted |
+ | CONSENT | TRUSTED or REQUIRED | FLEXIBLE | Prompted |
+ | CONSENT | TRUSTED | IMPLICIT | Not prompted |
+ | NONE | TRUSTED | FLEXIBLE, IMPLICIT, or REQUIRED | Not prompted |
+ | NONE | REQUIRED | FLEXIBLE or REQUIRED | Prompted |
+ | NONE | REQUIRED | IMPLICIT | Not prompted |
+
+ > **Notes:**
+ > * If you request a scope that requires consent while using the `client_credentials` flow, an error is returned because the flow doesn't support user consent.
+ > * If the `prompt` value is set to `NONE`, but the `consent_method` and the consent values are set to `REQUIRED`, then an error occurs.
+ > * When a scope is requested during a Client Credentials grant flow and `consent` is set to `FLEXIBLE`, the scope is granted in the access token with no consent prompt. This occurs because there is no user involved in a two-legged OAuth 2.0 [Client Credentials](https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/) grant flow.
+ default: TRUSTED
+ type: string
+ x-enumDescriptions:
+ TRUSTED: The client is fully trusted (for example, a first-party app). The default consent method for app instances created with a [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request
+ REQUIRED: The client requires consent (for example, a third-party app). The default consent method for app instances created with a [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient) request
+ x-okta-known-values:
+ - REQUIRED
+ - TRUSTED
+ OpenIdConnectApplicationIdpInitiatedLogin:
+ description: The type of IdP-initiated sign-in flow that the client supports
+ type: object
+ properties:
+ default_scope:
+ type: array
+ description: The scopes to use for the request when `mode` is `OKTA`
+ items:
+ type: string
+ mode:
+ type: string
+ description: |
+ The mode to use for the IdP-initiated sign-in flow. For `OKTA` or `SPEC` modes, the client must have an `initiate_login_uri` registered.
+ > **Note:** For web and SPA apps, if the mode is `SPEC` or `OKTA`, you must set `grant_types` to `authorization_code`, `implicit`, or `interaction_code`.
+ enum:
+ - DISABLED
+ - SPEC
+ - OKTA
+ x-enumDescriptions:
+ DISABLED: The client doesn't support the IdP-initiated sign-in flow.
+ SPEC: The client is redirected to the Relying Party's `initiate_login_uri`.
+ OKTA: Tokens are directly sent to the Relying Party. This corresponds to the **Okta Simplified** option in the Admin Console.
+ required:
+ - mode
+ OpenIdConnectApplicationIssuerMode:
+ description: Indicates whether the Okta authorization server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client
+ type: string
+ x-enumDescriptions:
+ CUSTOM_URL: The issuer is returned in the appropriate OIDC token response. This is the default `issuer_mode` when you configured a custom domain for your org.
+ DYNAMIC: A request for the ID token made from the custom domain has the custom URL as the issuer. A request for the ID token made from an Okta org has the Org URL as the issuer. You can only set `issuer_mode` as DYNAMIC if the Dynamic Issuer Mode feature is enabled. Contact Okta Support to enable this feature.
+ ORG_URL: The issuer is returned based on the URL of your Okta organization. This is useful when you are using Okta’s default domain and do not have a custom domain configured.
+ x-okta-known-values:
+ - CUSTOM_URL
+ - DYNAMIC
+ - ORG_URL
+ OpenIdConnectApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
- type: object
properties:
- signOn:
- $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn'
- AutoLoginApplicationSettingsSignOn:
+ oauthClient:
+ $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClient'
+ OpenIdConnectApplicationSettingsClient:
type: object
properties:
- loginUrl:
+ application_type:
+ $ref: '#/components/schemas/OpenIdConnectApplicationType'
+ backchannel_authentication_request_signing_alg:
+ description: |
+ The signing algorithm for Client-Initiated Backchannel Authentication (CIBA) signed requests using JWT. If this value isn't set and a JWT-signed request is sent, the request fails.
+ > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`.
+ type: string
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ - ES256
+ - ES384
+ - ES512
+ backchannel_custom_authenticator_id:
+ description: |
+ The ID of the custom authenticator that authenticates the user
+ > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`.
+ type: string
+ maxLength: 20
+ minLength: 20
+ backchannel_token_delivery_mode:
+ description: |
+ The delivery mode for Client-Initiated Backchannel Authentication (CIBA). Currently, only `poll` is supported.
+ > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`.
+ enum:
+ - poll
+ - ping
+ - push
+ type: string
+ client_uri:
+ type: string
+ description: URL string of a web page providing information about the client
+ maxLength: 1024
+ consent_method:
+ $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod'
+ dpop_bound_access_tokens:
+ type: boolean
+ description: |
+ Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header.
+ > **Note:** If `dpop_bound_access_tokens` is true, then `client_credentials` and `implicit` aren't allowed in `grant_types`.
+ default: false
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ frontchannel_logout_session_required:
+ description:
Determines whether Okta sends `sid` and `iss` in the logout request
+ type: boolean
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ frontchannel_logout_uri:
+ description:
URL where Okta sends the logout request
+ type: string
+ maxLength: 1024
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ grant_types:
+ type: array
+ items:
+ $ref: '#/components/schemas/OAuthGrantType'
+ idp_initiated_login:
+ $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin'
+ initiate_login_uri:
type: string
- redirectUrl:
+ description: URL string that a third party can use to initiate the sign-in flow by the client
+ issuer_mode:
+ $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode'
+ jwks:
+ $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys'
+ jwks_uri:
+ description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta
type: string
- AutoUpdateSchedule:
- description: The schedule of auto-update configured by admin.
- type: object
- properties:
- cron:
+ logo_uri:
type: string
- delay:
- description: delay in days
- type: integer
- duration:
- description: duration in minutes
- type: integer
- lastUpdated:
- description: last time when the updated finished (success or failed, exclude cancelled), null if job haven't finished once yet.
+ description: The URL string that references a logo for the client. This logo appears on the client tile in the End-User Dashboard. It also appears on the client consent dialog during the client consent flow.
+ maxLength: 1024
+ participate_slo:
+ description: |
+
Allows the app to participate in front-channel Single Logout
+
+ > **Note:** You can only enable `participate_slo` for `web` and `browser` application types (`application_type`).
+ type: boolean
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ policy_uri:
type: string
- format: date-time
- timezone:
+ description: URL string of a web page providing the client's policy document
+ post_logout_redirect_uris:
+ type: array
+ description: Array of redirection URI strings for relying party-initiated logouts
+ items:
+ type: string
+ redirect_uris:
+ type: array
+ description: |-
+ Array of redirection URI strings for use in redirect-based flows.
+ > **Note:** At least one `redirect_uris` and `response_types` are required for all client types, with exceptions: if the client uses the [Resource Owner Password ](https://tools.ietf.org/html/rfc6749#section-4.3)flow (`grant_types` contains `password`) or [Client Credentials](https://tools.ietf.org/html/rfc6749#section-4.4)flow (`grant_types` contains `client_credentials`), then no `redirect_uris` or `response_types` is necessary. In these cases, you can pass either null or an empty array for these attributes.
+ items:
+ type: string
+ refresh_token:
+ $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken'
+ request_object_signing_alg:
+ description: The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects
type: string
- BaseEmailDomain:
- type: object
- properties:
- displayName:
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ - ES256
+ - ES384
+ - ES512
+ response_types:
+ type: array
+ description: Array of OAuth 2.0 response type strings
+ items:
+ $ref: '#/components/schemas/OAuthResponseType'
+ sector_identifier_uri:
type: string
- userName:
+ description: The sector identifier used for pairwise `subject_type`. See [OIDC Pairwise Identifier Algorithm](https://openid.net/specs/openid-connect-messages-1_0-20.html#idtype.pairwise.alg)
+ maxLength: 1024
+ subject_type:
+ description: Type of the subject
+ type: string
+ enum:
+ - public
+ - pairwise
+ tos_uri:
type: string
+ description: URL string of a web page providing the client's terms of service document
+ wildcard_redirect:
+ type: string
+ description: Indicates if the client is allowed to use wildcard matching of `redirect_uris`
+ enum:
+ - DISABLED
+ - SUBDOMAIN
+ x-enumDescriptions:
+ DISABLED: All redirect URIs must be absolute URIs and not include a fragment component.
+ SUBDOMAIN: |
+ Any configured redirect URIs may contain a single `*` character in the lowest-level domain (for example, `https://redirect-*-domain.example.com/oidc/redirect`) to act as a wildcard.
+ The wildcard subdomain must have at least one subdomain between it and the top level domain.
+ The wildcard can match any valid hostname characters, but can't span more than one domain.
+ For example, if `https://redirect-*-domain.example.com/oidc/redirect` is configured as a redirect URI, then `https://redirect-1-domain.example.com/oidc/redirect` and `https://redirect-sub-domain.example.com/oidc/redirect` match, but `https://redirect-1.sub-domain.example.com/oidc/redirect` doesn't match.
+ Only the `https` URI scheme can use wildcard redirect URIs.
+ > **Note:** The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise caution if you decide to include a wildcard redirect URI in your configuration.
required:
- - displayName
- - userName
- BasicApplicationSettings:
- allOf:
- - $ref: '#/components/schemas/ApplicationSettings'
- - type: object
- properties:
- app:
- $ref: '#/components/schemas/BasicApplicationSettingsApplication'
- BasicApplicationSettingsApplication:
+ - grant_types
+ OpenIdConnectApplicationSettingsClientKeys:
+ description: A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta
type: object
properties:
- authURL:
- type: string
- url:
- type: string
- BasicAuthApplication:
- x-okta-defined-as:
- name: template_basic_auth
- allOf:
- - $ref: '#/components/schemas/Application'
- - type: object
- properties:
- credentials:
- $ref: '#/components/schemas/SchemeApplicationCredentials'
- name:
- type: string
- default: template_basic_auth
- settings:
- $ref: '#/components/schemas/BasicApplicationSettings'
- BeforeScheduledActionPolicyRuleCondition:
+ keys:
+ type: array
+ items:
+ $ref: '#/components/schemas/schemas-JsonWebKey'
+ OpenIdConnectApplicationSettingsRefreshToken:
+ description: |
+ Refresh token configuration for an OAuth 2.0 client
+
+ When you create or update an OAuth 2.0 client, you can configure refresh token rotation by setting the `rotation_type` and `leeway` properties. If you don't set these properties when you create an app integration, the default values are used.
+ When you update an app integration, your previously configured values are used.
type: object
properties:
- duration:
- $ref: '#/components/schemas/Duration'
- lifecycleAction:
- $ref: '#/components/schemas/ScheduledUserLifecycleAction'
- BehaviorRule:
- title: Behavior Detection Rule
+ leeway:
+ type: integer
+ minimum: 0
+ maximum: 60
+ description: |
+ The leeway, in seconds, allowed for the OAuth 2.0 client.
+ After the refresh token is rotated, the previous token remains valid for the specified period of time so clients can get the new token.
+
+ > **Note:** A leeway of 0 doesn't necessarily mean that the previous token is immediately invalidated. The previous token is invalidated after the new token is generated and returned in the response.
+ default: 30
+ example: 20
+ rotation_type:
+ $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType'
+ required:
+ - rotation_type
+ OpenIdConnectApplicationType:
+ description: |-
+ The type of client app
+ Specific `grant_types` are valid for each `application_type`. See [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient).
+ type: string
+ x-enumDescriptions:
+ browser: Single-Page app (SPA)
+ native: Native app
+ service: API service app
+ web: Web app
+ x-okta-known-values:
+ - browser
+ - native
+ - service
+ - web
+ OpenIdConnectRefreshTokenRotationType:
+ description: The refresh token rotation mode for the OAuth 2.0 client
+ example: STATIC
+ type: string
+ x-enumDescriptions:
+ ROTATE: The default rotation type for single-page apps (SPAs)
+ STATIC: The default rotation type for all clients, except SPAs
+ x-okta-known-values:
+ - ROTATE
+ - STATIC
+ OperationRequest:
type: object
properties:
+ assignmentId:
+ type: string
+ OperationResponse:
+ type: object
+ properties:
+ assignmentOperation:
+ type: object
+ properties:
+ configuration:
+ type: object
+ properties:
+ actions:
+ type: object
+ properties:
+ assignUserToRealm:
+ type: object
+ properties:
+ realmId:
+ type: string
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ id:
+ type: string
+ name:
+ type: string
+ completed:
+ type: string
+ format: date-time
+ readOnly: true
created:
type: string
format: date-time
@@ -15724,2500 +58706,3549 @@ components:
id:
type: string
readOnly: true
- lastUpdated:
+ numUserMoved:
+ type: number
+ readOnly: true
+ realmId:
type: string
- format: date-time
readOnly: true
- name:
+ realmName:
type: string
- maxLength: 128
+ readOnly: true
+ started:
+ type: string
+ format: date-time
+ readOnly: true
status:
- $ref: '#/components/schemas/LifecycleStatus'
+ type: string
+ readOnly: true
+ enum:
+ - COMPLETED
+ - SCHEDULED
+ - IN_PROGRESS
+ - FAILED
type:
- $ref: '#/components/schemas/BehaviorRuleType'
- _link:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObject'
+ type: string
readOnly: true
- required:
- - name
- - type
- discriminator:
- propertyName: type
- mapping:
- ANOMALOUS_LOCATION: '#/components/schemas/BehaviorRuleAnomalousLocation'
- ANOMALOUS_IP: '#/components/schemas/BehaviorRuleAnomalousIP'
- ANOMALOUS_DEVICE: '#/components/schemas/BehaviorRuleAnomalousDevice'
- VELOCITY: '#/components/schemas/BehaviorRuleVelocity'
- BehaviorRuleAnomalousDevice:
- allOf:
- - $ref: '#/components/schemas/BehaviorRule'
- - type: object
- properties:
- settings:
- $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousDevice'
- BehaviorRuleAnomalousIP:
- allOf:
- - $ref: '#/components/schemas/BehaviorRule'
- - type: object
- properties:
- settings:
- $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousIP'
- BehaviorRuleAnomalousLocation:
- allOf:
- - $ref: '#/components/schemas/BehaviorRule'
- - type: object
- properties:
- settings:
- $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousLocation'
- BehaviorRuleSettings:
- title: Behavior Detection Rule Settings
- type: object
- BehaviorRuleSettingsAnomalousDevice:
- allOf:
- - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased'
- BehaviorRuleSettingsAnomalousIP:
- allOf:
- - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased'
- - type: object
- properties:
- maxEventsUsedForEvaluation:
- type: integer
- minimum: 0
- maximum: 100
- default: 50
- BehaviorRuleSettingsAnomalousLocation:
- allOf:
- - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased'
- - type: object
- properties:
- granularity:
- $ref: '#/components/schemas/LocationGranularity'
- radiusKilometers:
- type: integer
- description: Required when `granularity` is `LAT_LONG`. Radius from the provided coordinates in kilometers.
- required:
- - granularity
- BehaviorRuleSettingsHistoryBased:
- allOf:
- - $ref: '#/components/schemas/BehaviorRuleSettings'
- - title: Behavior Detection Rule Settings based on Event History
- type: object
- properties:
- maxEventsUsedForEvaluation:
- type: integer
- minimum: 1
- maximum: 100
- default: 20
- minEventsNeededForEvaluation:
- type: integer
- minimum: 0
- maximum: 10
- default: 0
- BehaviorRuleSettingsVelocity:
- allOf:
- - $ref: '#/components/schemas/BehaviorRuleSettings'
- - title: Behavior Detection Rule Settings based on device velocity in kilometers per hour.
- type: object
- properties:
- velocityKph:
- type: integer
- minimum: 1
- default: 805
- required:
- - velocityKph
- BehaviorRuleType:
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ OperationalStatus:
+ description: Operational status of a given agent
type: string
x-okta-known-values:
- - ANOMALOUS_DEVICE
- - ANOMALOUS_IP
- - ANOMALOUS_LOCATION
- - VELOCITY
- BehaviorRuleVelocity:
- allOf:
- - $ref: '#/components/schemas/BehaviorRule'
- - type: object
- properties:
- settings:
- $ref: '#/components/schemas/BehaviorRuleSettingsVelocity'
- BookmarkApplication:
+ - DEGRADED
+ - DISRUPTED
+ - INACTIVE
+ - OPERATIONAL
+ OptInStatusResponse:
+ type: object
+ properties:
+ optInStatus:
+ type: string
+ enum:
+ - OPTING_IN
+ - OPTED_IN
+ - OPTING_OUT
+ - OPTED_OUT
+ _links:
+ allOf:
+ - properties:
+ optInStatus:
+ $ref: '#/components/schemas/HrefObject'
+ Org2OrgApplication:
+ title: Org2Org
+ x-tags:
+ - Application
x-okta-defined-as:
- name: bookmark
+ name: okta_org2org
+ example:
+ name: okta_org2org
+ label: Okta Org2Org
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ acsUrl: https://example.okta.com/sso/saml2/exampleid
+ audRestriction: https://www.okta.com/saml2/service-provider/exampleid
+ baseUrl: https://example.okta.com
+ description: |
+ Schema for the Okta Org2Org app (key name: `okta_org2org`)
+
+ To create an Org2Org app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Notes:**
+ > * The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team.
+ > * The Okta Org2Org app supports `SAML_2_0` and `AUTO_LOGIN` sign-on modes.
allOf:
- - $ref: '#/components/schemas/Application'
+ - $ref: '#/components/schemas/OINApplication'
- type: object
+ - required:
+ - name
+ - label
+ - settings
properties:
- credentials:
- $ref: '#/components/schemas/ApplicationCredentials'
name:
type: string
- default: bookmark
+ enum:
+ - okta_org2org
+ example: okta_org2org
+ signOnMode:
+ default: SAML_2_0
+ enum:
+ - SAML_2_0
+ - AUTO_LOGIN
+ x-enumDescriptions:
+ SAML_2_0: Federated Authentication with SAML 2.0 WebSSO
+ AUTO_LOGIN: Secure Web Authentication (SWA)
settings:
- $ref: '#/components/schemas/BookmarkApplicationSettings'
- BookmarkApplicationSettings:
+ $ref: '#/components/schemas/Org2OrgApplicationSettings'
+ Org2OrgApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
- type: object
+ - required:
+ - app
properties:
app:
- $ref: '#/components/schemas/BookmarkApplicationSettingsApplication'
- BookmarkApplicationSettingsApplication:
+ $ref: '#/components/schemas/Org2OrgApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ Org2OrgApplicationSettingsApplication:
+ description: Org2Org app instance properties
type: object
properties:
- requestIntegration:
+ acsUrl:
+ type: string
+ description: The Assertion Consumer Service (ACS) URL of the source org (for `SAML_2_0` sign-on mode)
+ audRestriction:
+ type: string
+ description: The entity ID of the SP (for `SAML_2_0` sign-on mode)
+ example: https://www.okta.com/saml2/service-provider/exampleid
+ baseUrl:
+ type: string
+ description: The base URL of the target Okta org (for `SAML_2_0` sign-on mode)
+ creationState:
+ type: string
+ description: Used to track and manage the state of the app's creation or the provisioning process between two Okta orgs
+ preferUsernameOverEmail:
type: boolean
- url:
+ description: Indicates that you don't want to use an email address as the username
+ token:
type: string
- BouncesRemoveListError:
+ description: An API token from the target org that's used to secure the connection between the orgs
+ tokenEncrypted:
+ type: string
+ description: Encrypted token to enhance security
+ required:
+ - baseUrl
+ OrgAerialConsent:
type: object
properties:
- emailAddress:
- type: string
- reason:
+ accountId:
+ description: The unique ID of the Aerial account
type: string
- BouncesRemoveListObj:
+ required:
+ - accountId
+ OrgAerialConsentDetails:
type: object
properties:
- emailAddresses:
- type: array
- items:
- type: string
- BouncesRemoveListResult:
+ accountId:
+ description: The unique ID of the Aerial account
+ type: string
+ grantedBy:
+ type: string
+ description: Principal ID of the user who granted the permission
+ example: 00u23ej02I2RLFxS5406
+ grantedDate:
+ type: string
+ description: Date when grant was created
+ example: '2024-07-24T16:01:13.000Z'
+ _links:
+ $ref: '#/components/schemas/LinksAerialConsentGranted'
+ required:
+ - accountId
+ OrgAerialConsentRevoked:
type: object
properties:
- errors:
- type: array
- items:
- $ref: '#/components/schemas/BouncesRemoveListError'
- Brand:
+ _links:
+ $ref: '#/components/schemas/LinksAerialConsentRevoked'
+ OrgAerialGrantNotFound:
type: object
properties:
- agreeToCustomPrivacyPolicy:
- type: boolean
- customPrivacyPolicyUrl:
+ accountId:
+ description: The unique ID of the Aerial account
type: string
- defaultApp:
- type: object
- properties:
- appInstanceId:
- type: string
- appLinkName:
- type: string
- displayLanguage:
- $ref: '#/components/schemas/Language'
- id:
- readOnly: true
+ grantedBy:
type: string
- optOutOfUserCommunications:
- type: boolean
- removePoweredByOkta:
- type: boolean
+ description: Principal ID of the user who granted the permission
+ example: 00u23ej02I2RLFxS5406
+ grantedDate:
+ type: string
+ description: Date when grant was created
+ example: '2024-07-24T16:01:13.000Z'
_links:
- additionalProperties:
- type: object
- readOnly: true
- type: object
- BrowserPluginApplication:
- allOf:
- - $ref: '#/components/schemas/Application'
- - type: object
- properties:
- credentials:
- $ref: '#/components/schemas/SchemeApplicationCredentials'
- name:
- type: string
- settings:
- $ref: '#/components/schemas/SwaApplicationSettings'
- CAPTCHAInstance:
- title: CAPTCHAInstance
+ $ref: '#/components/schemas/LinksAerialConsentGranted'
+ OrgCAPTCHASettings:
+ title: OrgCAPTCHASettings
description: ''
type: object
properties:
- id:
- type: string
- readOnly: true
- name:
- type: string
- secretKey:
- type: string
- writeOnly: true
- siteKey:
+ captchaId:
+ description: The unique key of the associated CAPTCHA instance
type: string
- type:
- $ref: '#/components/schemas/CAPTCHAType'
- _link:
+ enabledPages:
+ description: An array of pages that have CAPTCHA enabled
+ type: array
+ items:
+ $ref: '#/components/schemas/enabledPagesType'
+ _links:
type: object
+ description: Link relations for the CAPTCHA settings object
properties:
self:
$ref: '#/components/schemas/HrefObject'
readOnly: true
- CAPTCHAType:
+ OrgContactType:
+ description: Type of contact
type: string
x-okta-known-values:
- - HCAPTCHA
- - RECAPTCHA_V2
- CallUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/CallUserFactorProfile'
- CallUserFactorProfile:
- type: object
- properties:
- phoneExtension:
- type: string
- phoneNumber:
- type: string
- CapabilitiesCreateObject:
+ - BILLING
+ - TECHNICAL
+ OrgContactTypeObj:
+ anyOf:
+ - $ref: '#/components/schemas/orgBillingContactType'
+ - $ref: '#/components/schemas/orgTechnicalContactType'
type: object
properties:
- lifecycleCreate:
- $ref: '#/components/schemas/LifecycleCreateSettingObject'
- CapabilitiesObject:
+ contactType:
+ $ref: '#/components/schemas/OrgContactType'
+ discriminator:
+ propertyName: contactType
+ mapping:
+ BILLING: '#/components/schemas/orgBillingContactType'
+ TECHNICAL: '#/components/schemas/orgTechnicalContactType'
+ OrgContactUser:
type: object
properties:
- create:
- $ref: '#/components/schemas/CapabilitiesCreateObject'
- update:
- $ref: '#/components/schemas/CapabilitiesUpdateObject'
- CapabilitiesUpdateObject:
+ userId:
+ type: string
+ description: Contact user ID
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Contact Type User object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ user:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ OrgCreationAdmin:
+ description: |-
+ Profile and credential information for the first super admin user of the child org.
+ If you plan to configure and manage the org programmatically, create a system user with a dedicated email address and a strong password.
+ > **Note:** If you don't provide `credentials`, the super admin user is prompted to set up their credentials when they sign in to the org for the first time.
+ writeOnly: true
type: object
properties:
- lifecycleDeactivate:
- $ref: '#/components/schemas/LifecycleDeactivateSettingObject'
- password:
- $ref: '#/components/schemas/PasswordSettingObject'
+ credentials:
+ type: object
+ description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org.
+ properties:
+ password:
+ type: object
+ description: |-
+ Specifies a password for a user
+ > **Note:** For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation.
+ properties:
+ value:
+ type: string
+ writeOnly: true
+ description: Password value (which is validated by the password policy)
+ format: password
+ example: pa$$word
+ recovery_question:
+ $ref: '#/components/schemas/RecoveryQuestionCredential'
profile:
- $ref: '#/components/schemas/ProfileSettingObject'
- CatalogApplication:
+ type: object
+ description: |-
+ Specifies the profile attributes for the first super admin user. The minimal set of required attributes are `email`, `firstName`, `lastName`, and `login`.
+ See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) for additional profile attributes.
+ properties:
+ firstName:
+ type: string
+ description: Given name of the User (`givenName`)
+ minLength: 1
+ maxLength: 50
+ nullable: true
+ lastName:
+ type: string
+ description: The family name of the User (`familyName`)
+ minLength: 1
+ maxLength: 50
+ nullable: true
+ email:
+ type: string
+ description: The primary email address of the User. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
+ format: email
+ minLength: 5
+ maxLength: 100
+ login:
+ type: string
+ description: The unique identifier for the User (`username`)
+ maxLength: 100
+ additionalProperties: true
+ required:
+ - email
+ - login
+ - firstName
+ - lastName
+ required:
+ - profile
+ OrgOktaCommunicationSetting:
type: object
properties:
- category:
- type: string
- description:
- type: string
- displayName:
- type: string
- features:
- type: array
- items:
- type: string
- id:
- type: string
- readOnly: true
- lastUpdated:
- type: string
- format: date-time
+ optOutEmailUsers:
+ type: boolean
+ description: Indicates whether org users receive Okta communication emails
readOnly: true
- name:
- type: string
- signOnModes:
- type: array
- items:
- type: string
- status:
- $ref: '#/components/schemas/CatalogApplicationStatus'
- verificationStatus:
- type: string
- website:
- type: string
_links:
type: object
- additionalProperties:
- type: object
- properties: {}
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
readOnly: true
- CatalogApplicationStatus:
- type: string
- x-okta-known-values:
- - ACTIVE
- - INACTIVE
- ChangeEnum:
+ properties:
+ optIn:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to opt users in to communication emails
+ optOut:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to opt users out of communication emails
+ OrgOktaSupportSetting:
+ description: Status of Okta Support Settings
type: string
x-okta-known-values:
- - CHANGE
- - KEEP_EXISTING
- ChangePasswordRequest:
- type: object
- properties:
- newPassword:
- $ref: '#/components/schemas/PasswordCredential'
- oldPassword:
- $ref: '#/components/schemas/PasswordCredential'
- ChannelBinding:
+ - DISABLED
+ - ENABLED
+ OrgOktaSupportSettingsObj:
type: object
properties:
- required:
- $ref: '#/components/schemas/RequiredEnum'
- style:
+ expiration:
+ format: date-time
type: string
- ClientPolicyCondition:
- type: object
- properties:
- include:
- type: array
- items:
- type: string
- Compliance:
- type: object
- properties:
- fips:
- $ref: '#/components/schemas/FipsEnum'
- ContextPolicyRuleCondition:
- allOf:
- - $ref: '#/components/schemas/DevicePolicyRuleCondition'
- - type: object
+ description: Expiration of Okta Support
+ readOnly: true
+ nullable: true
+ support:
+ $ref: '#/components/schemas/OrgOktaSupportSetting'
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Okta Support Settings object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
properties:
- expression:
- type: string
- CreateSessionRequest:
- type: object
- properties:
- sessionToken:
- type: string
- CreateUserRequest:
+ extend:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to [extend Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/extendOktaSupport)
+ revoke:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to [revoke Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/revokeOktaSupport)
+ grant:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to [grant Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/grantOktaSupport)
+ OrgPreferences:
type: object
properties:
- credentials:
- $ref: '#/components/schemas/UserCredentials'
- groupIds:
- type: array
- items:
- type: string
- profile:
- $ref: '#/components/schemas/UserProfile'
- type:
- $ref: '#/components/schemas/UserType'
- required:
- - profile
- Csr:
+ showEndUserFooter:
+ type: boolean
+ description: Indicates if the footer is shown on the End-User Dashboard
+ readOnly: true
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ hideEndUserFooter:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to hide the footer in the End-User Dashboard
+ showEndUserFooter:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to show the footer on the End-User Dashboard
+ OrgSetting:
type: object
properties:
- created:
+ address1:
+ type: string
+ description: Primary address of the organization associated with the org
+ address2:
type: string
+ description: Secondary address of the organization associated with the org
+ city:
+ type: string
+ description: City of the organization associated with the org
+ companyName:
+ type: string
+ description: Name of org
+ country:
+ type: string
+ description: County of the organization associated with the org
+ created:
format: date-time
readOnly: true
- csr:
type: string
+ description: When org was created
+ endUserSupportHelpURL:
+ type: string
+ description: Support link of org
+ expiresAt:
+ format: date-time
readOnly: true
- id:
type: string
+ description: Expiration of org
+ id:
readOnly: true
- kty:
type: string
+ description: Org ID
+ lastUpdated:
+ format: date-time
readOnly: true
- CsrMetadata:
- type: object
- properties:
- subject:
- $ref: '#/components/schemas/CsrMetadataSubject'
- subjectAltNames:
- $ref: '#/components/schemas/CsrMetadataSubjectAltNames'
- CsrMetadataSubject:
- type: object
- properties:
- commonName:
type: string
- countryName:
+ description: When org was last updated
+ phoneNumber:
type: string
- localityName:
+ description: Phone number of the organization associated with the org
+ postalCode:
type: string
- organizationalUnitName:
+ description: Postal code of the organization associated with the org
+ state:
type: string
- organizationName:
+ description: State of the organization associated with the org
+ status:
+ readOnly: true
type: string
- stateOrProvinceName:
+ description: Status of org
+ enum:
+ - ACTIVE
+ - INACTIVE
+ subdomain:
+ readOnly: true
type: string
- CsrMetadataSubjectAltNames:
+ description: Subdomain of org
+ supportPhoneNumber:
+ type: string
+ description: Support help phone of the organization associated with the org
+ website:
+ type: string
+ description: Website of the organization associated with the org
+ _links:
+ $ref: '#/components/schemas/orgGeneralSettingLinks'
+ OtpProtocol:
+ description: The protocol used
+ type: string
+ x-okta-known-values:
+ - SYMANTEC
+ - TOTP
+ - YUBICO
+ OtpTotpAlgorithm:
+ description: HMAC algorithm
+ type: string
+ x-okta-known-values:
+ - HMacSHA1
+ - HMacSHA256
+ - HMacSHA512
+ OtpTotpEncoding:
+ description: The shared secret encoding
+ type: string
+ x-okta-known-values:
+ - base32
+ - base64
+ - hexadecimal
+ OtpTotpPassCodeLength:
+ description: Number of digits in an OTP value
+ minimum: 6
+ maximum: 10
+ multipleOf: 2
+ type: integer
+ OtpTotpTimeIntervalInSeconds:
+ description: Time interval for TOTP in seconds
+ type: integer
+ PageRoot:
type: object
properties:
- dnsNames:
- type: array
- items:
- type: string
- CustomHotpUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
+ _embedded:
+ type: object
properties:
- factorProfileId:
+ default:
+ $ref: '#/components/schemas/CustomizablePage'
+ customized:
+ $ref: '#/components/schemas/CustomizablePage'
+ customizedUrl:
type: string
- profile:
- $ref: '#/components/schemas/CustomHotpUserFactorProfile'
- CustomHotpUserFactorProfile:
+ format: uri
+ preview:
+ $ref: '#/components/schemas/CustomizablePage'
+ previewUrl:
+ type: string
+ format: uri
+ readOnly: true
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ default:
+ $ref: '#/components/schemas/HrefObject'
+ customized:
+ $ref: '#/components/schemas/HrefObject'
+ preview:
+ $ref: '#/components/schemas/HrefObject'
+ Parameters:
+ description: Attributes used for processing AD Group membership update
type: object
properties:
- sharedSecret:
+ action:
type: string
- CustomizablePage:
+ description: The update action to take
+ enum:
+ - ADD
+ - REMOVE
+ x-enumDescriptions:
+ ADD: Add to the membership of the group
+ REMOVE: Remove from the membership of the group
+ attribute:
+ type: string
+ description: The attribute that tracks group memberships in AD. This should be `member` for AD.
+ values:
+ type: array
+ description: List of user IDs whose group memberships to update
+ items:
+ type: string
+ description: ID of an existing user
+ PasswordCredential:
+ description: |-
+ Specifies a password for a user.
+
+ When a user has a valid password, imported hashed password, or password hook, and a response object contains
+ a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**).
+
+ For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation.
type: object
properties:
- pageContent:
+ hash:
+ $ref: '#/components/schemas/PasswordCredentialHash'
+ hook:
+ $ref: '#/components/schemas/PasswordCredentialHook'
+ value:
type: string
- required:
- - pageContent
- DNSRecord:
+ writeOnly: true
+ description: Specifies the password for a user. The password policy validates this password.
+ format: password
+ example: pa$$word
+ PasswordCredentialHash:
+ description: |-
+ Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly
+ from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import.
+ A hashed password may be specified in a password object when creating or updating a user, but not for other operations.
+ See the **Create user with imported hashed password** section in the [Users API](https://developer.okta.com/docs/reference/api/users/#create-user-with-imported-hashed-password) description. When updating a user with a hashed password, the usermust be in the `STAGED` status.
type: object
properties:
- expiration:
+ algorithm:
+ $ref: '#/components/schemas/PasswordCredentialHashAlgorithm'
+ digestAlgorithm:
+ $ref: '#/components/schemas/DigestAlgorithm'
+ iterationCount:
+ type: integer
+ description: The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm.
+ keySize:
+ type: integer
+ description: Size of the derived key in bytes. Only required for PBKDF2 algorithm.
+ salt:
+ description: |-
+ Only required for salted hashes. For BCRYPT, this specifies Radix-64 as the encoded salt used to generate the hash,
+ which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to
+ generate the hash.
type: string
- fqdn:
+ saltOrder:
type: string
- recordType:
- $ref: '#/components/schemas/DNSRecordType'
- values:
- type: array
- items:
- type: string
- DNSRecordType:
+ description: Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms.
+ value:
+ description: |-
+ For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual base64-encoded hash of the password (and salt, if used).
+ This is the Base64-encoded `value` of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either pre-fixing or post-fixing
+ the `salt` to the `password`, depending on the `saltOrder`. If a `salt` was not used in the `source` system, then this should just be
+ the Base64-encoded `value` of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64 encoded hashed password.
+ type: string
+ workFactor:
+ type: integer
+ description: Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm.
+ minimum: 1
+ maximum: 20
+ PasswordCredentialHashAlgorithm:
+ description: The algorithm used to generate the hash using the password (and salt, when applicable).
type: string
x-okta-known-values:
- - CNAME
- - TXT
- DeviceAccessPolicyRuleCondition:
- allOf:
- - $ref: '#/components/schemas/DevicePolicyRuleCondition'
- - type: object
- properties:
- managed:
- type: boolean
- registered:
- type: boolean
- DeviceAssurance:
- title: DeviceAssurance
+ - BCRYPT
+ - MD5
+ - PBKDF2
+ - SHA-1
+ - SHA-256
+ - SHA-512
+ PasswordCredentialHook:
+ description: Specify a [password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) to trigger verification of the user's password the first time the user signs in. This allows an existing password to be imported into Okta directly from some other store.
type: object
properties:
- createdBy:
- type: string
- readOnly: true
- createdDate:
- type: string
- readOnly: true
- diskEncryptionType:
- type: object
- properties:
- include:
- type: array
- items:
- $ref: '#/components/schemas/DiskEncryptionType'
- id:
+ type:
type: string
- readOnly: true
- jailbreak:
+ description: The type of password inline hook. Currently, must be set to default.
+ PasswordDictionary:
+ description: Weak password dictionary lookup settings
+ type: object
+ properties:
+ common:
+ $ref: '#/components/schemas/PasswordDictionaryCommon'
+ PasswordDictionaryCommon:
+ description: Lookup settings for commonly used passwords
+ type: object
+ properties:
+ exclude:
type: boolean
- lastUpdatedBy:
+ description: Indicates whether to check passwords against the common password dictionary
+ default: false
+ PasswordExpirationPolicyRuleCondition:
+ type: object
+ properties:
+ number:
+ type: integer
+ unit:
type: string
- readOnly: true
- lastUpdatedDate:
+ PasswordImportRequest:
+ type: object
+ properties:
+ data:
+ $ref: '#/components/schemas/PasswordImportRequestData'
+ eventType:
type: string
- readOnly: true
- name:
+ description: The type of inline hook. The password import inline hook type is `com.okta.user.credential.password.import`.
+ source:
+ description: The ID and URL of the password import inline hook
type: string
- description: Display name of the Device Assurance Policy
- osVersion:
- $ref: '#/components/schemas/VersionObject'
- platform:
- $ref: '#/components/schemas/Platform'
- screenLockType:
+ PasswordImportRequestData:
+ type: object
+ properties:
+ action:
type: object
+ description: This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take.
properties:
- include:
- type: array
- items:
- $ref: '#/components/schemas/ScreenLockType'
- secureHardwarePresent:
- type: boolean
- _links:
+ credential:
+ description: The status of the user credential, either `UNVERIFIED` or `VERIFIED`
+ default: UNVERIFIED
+ type: string
+ context:
type: object
properties:
- self:
- $ref: '#/components/schemas/HrefObject'
- readOnly: true
- DevicePolicyMDMFramework:
- type: string
- x-okta-known-values:
- - AFW
- - NATIVE
- - SAFE
- DevicePolicyPlatformType:
- type: string
- x-okta-known-values:
- - ANDROID
- - IOS
- - OSX
- - WINDOWS
- DevicePolicyRuleCondition:
- type: object
- properties:
- migrated:
- type: boolean
- platform:
- $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform'
- rooted:
- type: boolean
- trustLevel:
- $ref: '#/components/schemas/DevicePolicyTrustLevel'
- DevicePolicyRuleConditionPlatform:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ credential:
+ type: object
+ properties:
+ username:
+ description: The `username` that the user supplied when attempting to sign in to Okta.
+ type: string
+ password:
+ description: The `password` that the user supplied when attempting to sign in to Okta.
+ type: string
+ PasswordImportRequestExecute:
+ description: Password import inline hook request
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/PasswordImportRequest'
+ PasswordImportResponse:
+ description: Password import inline hook response
type: object
properties:
- supportedMDMFrameworks:
+ commands:
+ description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the password import inline hook, you typically only return one `commands` object with one array element in it.
type: array
items:
- $ref: '#/components/schemas/DevicePolicyMDMFramework'
- types:
+ type: object
+ properties:
+ type:
+ description: The location where you specify the command. For the password import inline hook, there's only one command, `com.okta.action.update`.
+ value:
+ description: |-
+ The parameter value of the command.
+ * To indicate that the supplied credentials are valid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "VERIFIED"}`.
+ * To indicate that the supplied credentials are invalid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "UNVERIFIED"}`.
+ Alternatively, you can send an empty response (`204`). By default, the `data.action.credential` is always set to `UNVERIFIED`.
+ type: object
+ properties:
+ credential:
+ type: string
+ enum:
+ - UNVERIFIED
+ - VERIFIED
+ PasswordPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ $ref: '#/components/schemas/PasswordPolicyConditions'
+ settings:
+ $ref: '#/components/schemas/PasswordPolicySettings'
+ PasswordPolicyAuthenticationProviderCondition:
+ type: object
+ properties:
+ include:
type: array
items:
- $ref: '#/components/schemas/DevicePolicyPlatformType'
- DevicePolicyTrustLevel:
+ type: string
+ provider:
+ $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderType'
+ PasswordPolicyAuthenticationProviderType:
type: string
x-okta-known-values:
+ - ACTIVE_DIRECTORY
- ANY
- - TRUSTED
- DiskEncryptionType:
- type: string
- x-okta-known-values:
- - ALL_INTERNAL_VOLUMES
- - FULL
- - USER
- Domain:
+ - LDAP
+ - OKTA
+ PasswordPolicyConditions:
+ allOf:
+ - type: object
+ properties:
+ authProvider:
+ $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition'
+ people:
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ groups:
+ type: object
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ PasswordPolicyDelegationSettings:
type: object
properties:
- certificateSourceType:
- $ref: '#/components/schemas/DomainCertificateSourceType'
- dnsRecords:
- type: array
- items:
- $ref: '#/components/schemas/DNSRecord'
- domain:
- type: string
- id:
- type: string
- publicCertificate:
- $ref: '#/components/schemas/DomainCertificateMetadata'
- validationStatus:
- $ref: '#/components/schemas/DomainValidationStatus'
- DomainCertificate:
+ options:
+ $ref: '#/components/schemas/PasswordPolicyDelegationSettingsOptions'
+ PasswordPolicyDelegationSettingsOptions:
type: object
properties:
- certificate:
- type: string
- certificateChain:
- type: string
- privateKey:
- type: string
- type:
- $ref: '#/components/schemas/DomainCertificateType'
- DomainCertificateMetadata:
+ skipUnlock:
+ type: boolean
+ description: Indicates if, when performing an unlock operation on an Active Directory sourced User who is locked out of Okta, the system should also attempt to unlock the User's Windows account
+ default: false
+ PasswordPolicyPasswordSettings:
type: object
properties:
- expiration:
- type: string
- fingerprint:
- type: string
- subject:
- type: string
- DomainCertificateSourceType:
- type: string
- x-okta-known-values:
- - MANUAL
- - OKTA_MANAGED
- DomainCertificateType:
- type: string
- x-okta-known-values:
- - PEM
- DomainLinks:
+ age:
+ $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge'
+ complexity:
+ $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity'
+ lockout:
+ $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout'
+ PasswordPolicyPasswordSettingsAge:
+ description: Age settings
type: object
properties:
- certificate:
- type: object
- properties: {}
- self:
- type: object
- properties: {}
- verify:
- type: object
- properties: {}
- DomainListResponse:
+ expireWarnDays:
+ type: integer
+ description: 'Specifies the number of days prior to password expiration when a User is warned to reset their password: `0` indicates no warning'
+ default: 0
+ historyCount:
+ type: integer
+ description: 'Specifies the number of distinct passwords that a User must create before they can reuse a previous password: `0` indicates none'
+ default: 0
+ maxAgeDays:
+ type: integer
+ description: 'Specifies how long (in days) a password remains valid before it expires: `0` indicates no limit'
+ default: 0
+ minAgeMinutes:
+ type: integer
+ description: 'Specifies the minimum time interval (in minutes) between password changes: `0` indicates no limit'
+ default: 0
+ PasswordPolicyPasswordSettingsComplexity:
+ description: Complexity settings
type: object
properties:
- domains:
+ dictionary:
+ $ref: '#/components/schemas/PasswordDictionary'
+ excludeAttributes:
type: array
+ description: 'The User profile attributes whose values must be excluded from the password: currently only supports `firstName` and `lastName`'
+ default: []
items:
- $ref: '#/components/schemas/DomainResponse'
- DomainResponse:
+ type: string
+ excludeUsername:
+ type: boolean
+ description: Indicates if the Username must be excluded from the password
+ default: true
+ minLength:
+ type: integer
+ description: Minimum password length
+ default: 8
+ minLowerCase:
+ type: integer
+ description: 'Indicates if a password must contain at least one lower case letter: `0` indicates no, `1` indicates yes'
+ default: 1
+ minNumber:
+ type: integer
+ description: 'Indicates if a password must contain at least one number: `0` indicates no, `1` indicates yes'
+ default: 1
+ minSymbol:
+ type: integer
+ description: 'Indicates if a password must contain at least one symbol (For example: !@#$%^&*): `0` indicates no, `1` indicates yes'
+ default: 1
+ minUpperCase:
+ type: integer
+ description: 'Indicates if a password must contain at least one upper case letter: `0` indicates no, `1` indicates yes'
+ default: 1
+ PasswordPolicyPasswordSettingsLockout:
+ description: Lockout settings
type: object
properties:
- certificateSourceType:
- $ref: '#/components/schemas/DomainCertificateSourceType'
- dnsRecords:
+ autoUnlockMinutes:
+ type: integer
+ description: 'Specifies the time interval (in minutes) a locked account remains locked before it is automatically unlocked: `0` indicates no limit'
+ default: 0
+ maxAttempts:
+ type: integer
+ description: 'Specifies the number of times Users can attempt to sign in to their accounts with an invalid password before their accounts are locked: `0` indicates no limit'
+ default: 10
+ showLockoutFailures:
+ type: boolean
+ description: Indicates if the User should be informed when their account is locked
+ default: false
+ userLockoutNotificationChannels:
type: array
+ description: How the user is notified when their account becomes locked. The only acceptable values are `[]` and `['EMAIL']`.
+ default: []
items:
- $ref: '#/components/schemas/DNSRecord'
- domain:
- type: string
- id:
- type: string
- publicCertificate:
- $ref: '#/components/schemas/DomainCertificateMetadata'
- validationStatus:
- $ref: '#/components/schemas/DomainValidationStatus'
- _links:
- $ref: '#/components/schemas/DomainLinks'
- DomainValidationStatus:
- type: string
- x-okta-known-values:
- - COMPLETED
- - IN_PROGRESS
- - NOT_STARTED
- - VERIFIED
- Duration:
+ type: string
+ PasswordPolicyRecoveryEmail:
type: object
properties:
- number:
+ properties:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties'
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ PasswordPolicyRecoveryEmailProperties:
+ type: object
+ properties:
+ recoveryToken:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken'
+ PasswordPolicyRecoveryEmailRecoveryToken:
+ type: object
+ properties:
+ tokenLifetimeMinutes:
+ description: Lifetime (in minutes) of the recovery token
type: integer
- unit:
- type: string
- EmailContent:
+ default: 10080
+ PasswordPolicyRecoveryFactorSettings:
type: object
properties:
- body:
- type: string
- description: The email's HTML body. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
- subject:
- type: string
- description: The email's subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
- required:
- - subject
- - body
- EmailCustomization:
- allOf:
- - $ref: '#/components/schemas/EmailContent'
- - type: object
- properties:
- created:
- type: string
- format: date-time
- readOnly: true
- description: The UTC time at which this email customization was created.
- id:
- type: string
- readOnly: true
- description: A unique identifier for this email customization.
- isDefault:
- type: boolean
- description: Whether this is the default customization for the email template. Each customized email template must have exactly one default customization. Defaults to `true` for the first customization and `false` thereafter.
- language:
- $ref: '#/components/schemas/Language'
- lastUpdated:
- type: string
- format: date-time
- readOnly: true
- description: The UTC time at which this email customization was last updated.
- _links:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObject'
- template:
- $ref: '#/components/schemas/HrefObject'
- preview:
- $ref: '#/components/schemas/HrefObject'
- test:
- $ref: '#/components/schemas/HrefObject'
- readOnly: true
- description: Links to resources related to this email customization.
- required:
- - language
- EmailDefaultContent:
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ PasswordPolicyRecoveryFactors:
+ description: Settings for the Factors that can be used for recovery
+ type: object
+ properties:
+ okta_call:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings'
+ okta_email:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryEmail'
+ okta_sms:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings'
+ recovery_question:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion'
+ PasswordPolicyRecoveryQuestion:
+ type: object
+ properties:
+ properties:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties'
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ PasswordPolicyRecoveryQuestionComplexity:
+ type: object
+ properties:
+ minLength:
+ description: Minimum length of the password recovery question answer
+ type: integer
+ readOnly: true
+ default: 4
+ PasswordPolicyRecoveryQuestionProperties:
+ type: object
+ properties:
+ complexity:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity'
+ PasswordPolicyRecoverySettings:
+ type: object
+ properties:
+ factors:
+ $ref: '#/components/schemas/PasswordPolicyRecoveryFactors'
+ PasswordPolicyRule:
allOf:
- - $ref: '#/components/schemas/EmailContent'
+ - $ref: '#/components/schemas/PolicyRule'
- type: object
properties:
- _links:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObject'
- template:
- $ref: '#/components/schemas/HrefObject'
- preview:
- $ref: '#/components/schemas/HrefObject'
- test:
- $ref: '#/components/schemas/HrefObject'
- readOnly: true
- description: Links to resources related to this email template's default content.
- EmailDomain:
+ actions:
+ $ref: '#/components/schemas/PasswordPolicyRuleActions'
+ conditions:
+ $ref: '#/components/schemas/PasswordPolicyRuleConditions'
+ PasswordPolicyRuleAction:
+ type: object
+ properties:
+ access:
+ $ref: '#/components/schemas/PolicyAccess'
+ PasswordPolicyRuleActions:
allOf:
- - $ref: '#/components/schemas/BaseEmailDomain'
+ - $ref: '#/components/schemas/PolicyRuleActions'
+ - type: object
+ properties:
+ passwordChange:
+ $ref: '#/components/schemas/PasswordPolicyRuleAction'
+ selfServicePasswordReset:
+ $ref: '#/components/schemas/SelfServicePasswordResetAction'
+ selfServiceUnlock:
+ $ref: '#/components/schemas/PasswordPolicyRuleAction'
+ PasswordPolicyRuleConditions:
type: object
properties:
- domain:
- type: string
- required:
- - domain
- EmailDomainListResponse:
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ PasswordPolicySettings:
type: object
properties:
- email-domains:
- type: array
- items:
- $ref: '#/components/schemas/EmailDomainResponse'
- EmailDomainResponse:
- allOf:
- - $ref: '#/components/schemas/BaseEmailDomain'
+ delegation:
+ $ref: '#/components/schemas/PasswordPolicyDelegationSettings'
+ password:
+ $ref: '#/components/schemas/PasswordPolicyPasswordSettings'
+ recovery:
+ $ref: '#/components/schemas/PasswordPolicyRecoverySettings'
+ PasswordProtectionWarningTrigger:
+ description: Indicates whether the Password Protection Warning feature is enabled
+ example: PHISHING_REUSE
+ type: string
+ x-enumDescriptions:
+ PASSWORD_PROTECTION_OFF: Password protection warning is off
+ PASSWORD_REUSE: Password protection warning is triggered by password reuse
+ PHISHING_REUSE: Password protection warning is triggered by password reuse on a phishing page
+ x-okta-known-values:
+ - PASSWORD_PROTECTION_OFF
+ - PASSWORD_REUSE
+ - PHISHING_REUSE
+ PasswordSettingObject:
+ description: Determines whether Okta creates and pushes a password in the app for each assigned user
type: object
properties:
- dnsValidationRecords:
- type: array
- items:
- $ref: '#/components/schemas/DNSRecord'
- domain:
- type: string
- id:
- type: string
- validationStatus:
- $ref: '#/components/schemas/EmailDomainStatus'
- EmailDomainStatus:
+ change:
+ $ref: '#/components/schemas/ChangeEnum'
+ seed:
+ $ref: '#/components/schemas/SeedEnum'
+ status:
+ allOf:
+ - $ref: '#/components/schemas/EnabledStatus'
+ - default: DISABLED
+ - example: ENABLED
+ PatchAction:
+ description: The operation (PATCH action)
type: string
+ x-enumDescriptions:
+ remove: Removes the attribute in `path`
+ replace: Replaces the attribute in content `path` with the content in `value`
x-okta-known-values:
- - DELETED
- - ERROR
- - NOT_STARTED
- - POLLING
- - VERIFIED
- EmailPreview:
+ - remove
+ - replace
+ PerClientRateLimitMode:
+ type: string
+ x-okta-known-values:
+ - DISABLE
+ - ENFORCE
+ - PREVIEW
+ PerClientRateLimitSettings:
+ title: PerClientRateLimitSettings
+ description: ''
type: object
properties:
- body:
+ defaultMode:
+ $ref: '#/components/schemas/PerClientRateLimitMode'
+ description: The default PerClientRateLimitMode that applies to any use case in the absence of a more specific override
+ useCaseModeOverrides:
+ description: A map of Per-Client Rate Limit Use Case to the applicable PerClientRateLimitMode. Overrides the `defaultMode` property for the specified use cases.
+ type: object
+ properties:
+ LOGIN_PAGE:
+ $ref: '#/components/schemas/PerClientRateLimitMode'
+ OAUTH2_AUTHORIZE:
+ $ref: '#/components/schemas/PerClientRateLimitMode'
+ OIE_APP_INTENT:
+ $ref: '#/components/schemas/PerClientRateLimitMode'
+ required:
+ - defaultMode
+ Permission:
+ type: object
+ properties:
+ conditions:
+ $ref: '#/components/schemas/PermissionConditions'
+ created:
type: string
+ format: date-time
+ description: Timestamp when the role was created
readOnly: true
- description: The email's HTML body.
- subject:
+ label:
type: string
+ description: The permission type
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the role was last updated
readOnly: true
- description: The email's subject.
_links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ role:
+ $ref: '#/components/schemas/HrefObject'
+ PermissionConditions:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ description: Conditions for further restricting a permission
+ nullable: true
+ type: object
+ properties:
+ exclude:
type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObject'
- contentSource:
- $ref: '#/components/schemas/HrefObject'
- template:
- $ref: '#/components/schemas/HrefObject'
- test:
- $ref: '#/components/schemas/HrefObject'
- defaultContent:
- $ref: '#/components/schemas/HrefObject'
- readOnly: true
- description: Links to resources related to this email preview.
- EmailSettings:
+ description: Exclude attributes with specific values for the permission
+ additionalProperties:
+ type: object
+ properties: {}
+ nullable: true
+ include:
+ type: object
+ description: Include attributes with specific values for the permission
+ additionalProperties:
+ type: object
+ properties: {}
+ nullable: true
+ Permissions:
type: object
properties:
- recipients:
- type: string
- enum:
- - ALL_USERS
- - ADMINS_ONLY
- - NO_USERS
- required:
- - recipients
- EmailTemplate:
+ permissions:
+ type: array
+ items:
+ $ref: '#/components/schemas/Permission'
+ PersonalAppsBlockList:
+ description: Defines a list of email domains with a subset of the properties for each domain
type: object
properties:
- name:
+ domains:
+ type: array
+ description: List of blocked email domains
+ PinRequest:
+ description: Pin Request
+ type: object
+ properties:
+ authenticatorEnrollmentId:
+ description: ID for a WebAuthn Preregistration Factor in Okta
type: string
- readOnly: true
- description: The name of this email template.
- _embedded:
- type: object
- properties:
- settings:
- $ref: '#/components/schemas/EmailSettings'
- customizationCount:
- type: integer
- readOnly: true
- _links:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObject'
- settings:
- $ref: '#/components/schemas/HrefObject'
- defaultContent:
- $ref: '#/components/schemas/HrefObject'
- customizations:
- $ref: '#/components/schemas/HrefObject'
- test:
- $ref: '#/components/schemas/HrefObject'
- readOnly: true
- description: Links to resources related to this email template.
- EmailTemplateTouchPointVariant:
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ PipelineType:
+ description: The authentication pipeline of the org
type: string
+ x-enumDescriptions:
+ idx: Identity Engine
+ v1: Classic Engine
x-okta-known-values:
- - FULL_THEME
- - OKTA_DEFAULT
- EmailUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/EmailUserFactorProfile'
- EmailUserFactorProfile:
+ - idx
+ - v1
+ Platform:
+ type: string
+ x-okta-known-values:
+ - ANDROID
+ - CHROMEOS
+ - IOS
+ - MACOS
+ - WINDOWS
+ PlatformConditionEvaluatorPlatform:
type: object
properties:
- email:
+ os:
+ $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem'
+ type:
+ $ref: '#/components/schemas/PolicyPlatformType'
+ PlatformConditionEvaluatorPlatformOperatingSystem:
+ type: object
+ properties:
+ expression:
type: string
- EnabledStatus:
- type: string
- x-okta-known-values:
- - DISABLED
- - ENABLED
- EndUserDashboardTouchPointVariant:
+ type:
+ $ref: '#/components/schemas/PolicyPlatformOperatingSystemType'
+ version:
+ $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion'
+ PlatformConditionEvaluatorPlatformOperatingSystemVersion:
+ type: object
+ properties:
+ matchType:
+ $ref: '#/components/schemas/PlatformConditionOperatingSystemVersionMatchType'
+ value:
+ type: string
+ PlatformConditionOperatingSystemVersionMatchType:
type: string
x-okta-known-values:
- - FULL_THEME
- - LOGO_ON_FULL_WHITE_BACKGROUND
- - OKTA_DEFAULT
- - WHITE_LOGO_BACKGROUND
- Error:
- title: Error
+ - EXPRESSION
+ - SEMVER
+ PlatformPolicyRuleCondition:
type: object
properties:
- errorCauses:
+ exclude:
type: array
items:
- type: object
- properties:
- errorSummary:
- type: string
- errorCode:
- type: string
- description: An Okta code for this type of error
- errorId:
- type: string
- description: A unique identifier for this error. This can be used by Okta Support to help with troubleshooting.
- errorLink:
- type: string
- description: An Okta code for this type of error
- errorSummary:
- type: string
- description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error.
- ErrorPageTouchPointVariant:
+ $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform'
+ include:
+ type: array
+ items:
+ $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform'
+ PlayProtectVerdict:
+ description: Indicates if Google Play Protect is enabled on the device and whether it has found known malware
type: string
+ x-enumDescriptions:
+ LOW: Play Protect is turned on and didn't find any app issues on the device
+ MEDIUM: Play Protect is turned on and either hasn't performed a scan yet or has found potentially harmful apps installed on the device
+ HIGH: Play Protect is turned on and has either found dangerous apps installed on the device or its verdict wasn't evaluated. That is, the device isn't trustworthy enough.
x-okta-known-values:
- - BACKGROUND_IMAGE
- - BACKGROUND_SECONDARY_COLOR
- - OKTA_DEFAULT
- EventHook:
+ - HIGH
+ - LOW
+ - MEDIUM
+ Policy:
type: object
properties:
- channel:
- $ref: '#/components/schemas/EventHookChannel'
created:
+ description: Timestamp when the Policy was created
type: string
format: date-time
readOnly: true
- createdBy:
+ default: Assigned
+ description:
+ description: Description of the Policy
type: string
- events:
- $ref: '#/components/schemas/EventSubscriptions'
+ default: null
id:
+ description: Identifier of the Policy
type: string
readOnly: true
+ default: Assigned
lastUpdated:
+ description: Timestamp when the Policy was last modified
type: string
format: date-time
readOnly: true
+ default: Assigned
name:
+ description: Name of the Policy
type: string
+ priority:
+ description: Specifies the order in which this Policy is evaluated in relation to the other policies
+ type: integer
+ default: Last / Lowest Priority, for example `1`
status:
$ref: '#/components/schemas/LifecycleStatus'
- verificationStatus:
- $ref: '#/components/schemas/EventHookVerificationStatus'
- _links:
+ system:
+ description: Specifies whether Okta created the Policy
+ type: boolean
+ default: false
+ type:
+ $ref: '#/components/schemas/PolicyType'
+ _embedded:
type: object
additionalProperties:
type: object
properties: {}
readOnly: true
- EventHookChannel:
+ _links:
+ $ref: '#/components/schemas/PolicyLinks'
+ required:
+ - name
+ - type
+ discriminator:
+ propertyName: type
+ mapping:
+ ACCESS_POLICY: '#/components/schemas/AccessPolicy'
+ IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy'
+ MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy'
+ OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy'
+ PASSWORD: '#/components/schemas/PasswordPolicy'
+ PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy'
+ POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy'
+ ENTITY_RISK: '#/components/schemas/EntityRiskPolicy'
+ PolicyAccess:
+ type: string
+ x-okta-known-values:
+ - ALLOW
+ - DENY
+ PolicyAccountLink:
+ description: Specifies the behavior for linking an IdP User to an existing Okta User
type: object
properties:
- config:
- $ref: '#/components/schemas/EventHookChannelConfig'
- type:
- $ref: '#/components/schemas/EventHookChannelType'
- version:
- type: string
- EventHookChannelConfig:
+ action:
+ $ref: '#/components/schemas/PolicyAccountLinkAction'
+ filter:
+ $ref: '#/components/schemas/PolicyAccountLinkFilter'
+ PolicyAccountLinkAction:
+ description: Specifies the account linking action for an IdP User
+ type: string
+ x-enumDescriptions:
+ AUTO: The IdP User is automatically linked to an Okta User when the transformed IdP User matches an existing Okta User according to [subject match rules](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request).
+ DISABLED: Okta never attempts to link the IdP User to an existing Okta User, but may still attempt to provision a new Okta User according to the [provisioning action type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request).
+ x-okta-known-values:
+ - AUTO
+ - DISABLED
+ PolicyAccountLinkFilter:
+ description: Specifies Group memberships to restrict which Users are available for account linking by an IdP
type: object
properties:
- authScheme:
- $ref: '#/components/schemas/EventHookChannelConfigAuthScheme'
- headers:
+ groups:
+ $ref: '#/components/schemas/PolicyAccountLinkFilterGroups'
+ PolicyAccountLinkFilterGroups:
+ description: Group memberships used to determine link candidates
+ type: object
+ properties:
+ include:
type: array
+ description: Specifies the allowlist of Group identifiers to match against. Group memberships are restricted to type `OKTA_GROUP`.
items:
- $ref: '#/components/schemas/EventHookChannelConfigHeader'
- uri:
+ type: string
+ example: 00gjg5lzfBpn62wuF0g3
+ PolicyContext:
+ type: object
+ properties:
+ device:
+ type: object
+ properties:
+ platform:
+ type: string
+ description: The platform of the device, for example, IOS.
+ registered:
+ type: boolean
+ description: If the device is registered
+ managed:
+ type: boolean
+ description: If the device is managed
+ assuranceId:
+ type: string
+ description: The device assurance policy ID for the simulation
+ groups:
+ type: object
+ description: An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both.
+ properties:
+ ids:
+ type: array
+ items:
+ type: string
+ uniqueItems: true
+ required:
+ - ids
+ ip:
type: string
- EventHookChannelConfigAuthScheme:
+ description: The network rule condition, zone, or IP address
+ risk:
+ type: object
+ description: The risk rule condition level
+ properties:
+ level:
+ type: string
+ enum:
+ - LOW
+ - MEDIUM
+ - HIGH
+ user:
+ type: object
+ description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both.
+ properties:
+ id:
+ type: string
+ description: The unique ID number for the user.
+ required:
+ - id
+ zones:
+ type: object
+ description: The zone ID under the network rule condition.
+ properties:
+ ids:
+ type: array
+ items:
+ type: string
+ required:
+ - user
+ - groups
+ PolicyLinks:
type: object
properties:
- key:
+ activate:
+ $ref: '#/components/schemas/HrefObjectActivateLink'
+ deactivate:
+ $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ mappings:
+ $ref: '#/components/schemas/HrefObjectMappingsLink'
+ rules:
+ $ref: '#/components/schemas/HrefObjectRulesLink'
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ readOnly: true
+ PolicyMapping:
+ type: object
+ properties:
+ id:
type: string
- type:
- $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType'
- value:
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ application:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the mapped application
+ policy:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the mapped policy
+ PolicyMappingRequest:
+ type: object
+ properties:
+ resourceId:
type: string
- EventHookChannelConfigAuthSchemeType:
+ resourceType:
+ $ref: '#/components/schemas/PolicyMappingResourceType'
+ PolicyMappingResourceType:
type: string
x-okta-known-values:
- - HEADER
- EventHookChannelConfigHeader:
+ - APP
+ PolicyNetworkCondition:
type: object
properties:
- key:
- type: string
- value:
- type: string
- EventHookChannelType:
+ connection:
+ $ref: '#/components/schemas/PolicyNetworkConnection'
+ exclude:
+ type: array
+ description: The zones to exclude. Required only if connection data type is `ZONE`
+ items:
+ type: string
+ include:
+ type: array
+ description: The zones to include. Required only if connection data type is `ZONE`
+ items:
+ type: string
+ PolicyNetworkConnection:
+ description: Network selection mode
type: string
x-okta-known-values:
- - HTTP
- EventHookVerificationStatus:
+ - ANYWHERE
+ - ZONE
+ PolicyPeopleCondition:
+ description: Identifies Users and Groups that are used together
+ type: object
+ properties:
+ groups:
+ $ref: '#/components/schemas/GroupCondition'
+ users:
+ $ref: '#/components/schemas/UserCondition'
+ required:
+ - groups
+ - users
+ PolicyPlatformOperatingSystemType:
type: string
x-okta-known-values:
- - UNVERIFIED
- - VERIFIED
- EventSubscriptionType:
+ - ANDROID
+ - ANY
+ - IOS
+ - OSX
+ - OTHER
+ - WINDOWS
+ PolicyPlatformType:
type: string
x-okta-known-values:
- - EVENT_TYPE
- - FLOW_EVENT
- EventSubscriptions:
+ - ANY
+ - DESKTOP
+ - MOBILE
+ - OTHER
+ PolicyRule:
type: object
properties:
- items:
- type: array
- items:
- type: string
+ created:
+ type: string
+ description: Timestamp when the rule was created
+ format: date-time
+ readOnly: true
+ nullable: true
+ id:
+ type: string
+ description: Identifier for the rule
+ lastUpdated:
+ type: string
+ description: Timestamp when the rule was last modified
+ format: date-time
+ readOnly: true
+ nullable: true
+ name:
+ type: string
+ description: Name of the rule
+ priority:
+ type: integer
+ description: Priority of the rule
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ system:
+ type: boolean
+ description: Specifies whether Okta created the Policy Rule (`system=true`). You can't delete Policy Rules that have `system` set to `true`.
+ default: false
type:
- $ref: '#/components/schemas/EventSubscriptionType'
+ $ref: '#/components/schemas/PolicyRuleType'
+ _links:
+ $ref: '#/components/schemas/PolicyLinks'
discriminator:
propertyName: type
- FCMConfiguration:
+ mapping:
+ ACCESS_POLICY: '#/components/schemas/AccessPolicyRule'
+ PASSWORD: '#/components/schemas/PasswordPolicyRule'
+ PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule'
+ RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule'
+ SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule'
+ IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule'
+ POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule'
+ ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule'
+ MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule'
+ PolicyRuleActions:
+ type: object
+ PolicyRuleActionsEnroll:
+ type: object
properties:
- fileName:
- type: string
- description: (Optional) File name for Admin Console display
- projectId:
- type: string
- description: Project ID of FCM configuration
- readOnly: true
- serviceAccountJson:
- type: object
- description: JSON containing the private service account key and service account details. See [Creating and managing service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for more information on creating service account keys in JSON.
- writeOnly: true
- FCMPushProvider:
- allOf:
- - $ref: '#/components/schemas/PushProvider'
- - type: object
- properties:
- configuration:
- $ref: '#/components/schemas/FCMConfiguration'
- FactorProvider:
+ self:
+ $ref: '#/components/schemas/PolicyRuleActionsEnrollSelf'
+ PolicyRuleActionsEnrollSelf:
type: string
x-okta-known-values:
- - CUSTOM
- - DUO
- - FIDO
- - GOOGLE
- - OKTA
- - RSA
- - SYMANTEC
- - YUBICO
- FactorResultType:
+ - CHALLENGE
+ - LOGIN
+ - NEVER
+ PolicyRuleAuthContextCondition:
+ type: object
+ properties:
+ authType:
+ $ref: '#/components/schemas/PolicyRuleAuthContextType'
+ PolicyRuleAuthContextType:
type: string
x-okta-known-values:
- - CANCELLED
- - CHALLENGE
- - ERROR
- - FAILED
- - PASSCODE_REPLAYED
- - REJECTED
- - SUCCESS
- - TIMEOUT
- - TIME_WINDOW_EXCEEDED
- - WAITING
- FactorStatus:
+ - ANY
+ - LDAP_INTERFACE
+ - RADIUS
+ PolicyRuleConditions:
+ type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition'
+ apps:
+ $ref: '#/components/schemas/AppInstancePolicyRuleCondition'
+ authContext:
+ $ref: '#/components/schemas/PolicyRuleAuthContextCondition'
+ authProvider:
+ $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition'
+ beforeScheduledAction:
+ $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition'
+ clients:
+ $ref: '#/components/schemas/ClientPolicyCondition'
+ context:
+ $ref: '#/components/schemas/ContextPolicyRuleCondition'
+ device:
+ $ref: '#/components/schemas/DevicePolicyRuleCondition'
+ grantTypes:
+ $ref: '#/components/schemas/GrantTypePolicyRuleCondition'
+ groups:
+ $ref: '#/components/schemas/GroupPolicyRuleCondition'
+ identityProvider:
+ $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition'
+ mdmEnrollment:
+ $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition'
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ platform:
+ $ref: '#/components/schemas/PlatformPolicyRuleCondition'
+ risk:
+ $ref: '#/components/schemas/RiskPolicyRuleCondition'
+ riskScore:
+ $ref: '#/components/schemas/RiskScorePolicyRuleCondition'
+ scopes:
+ $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition'
+ userIdentifier:
+ $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition'
+ users:
+ $ref: '#/components/schemas/UserPolicyRuleCondition'
+ userStatus:
+ $ref: '#/components/schemas/UserStatusPolicyRuleCondition'
+ PolicyRuleType:
+ description: Rule type
type: string
x-okta-known-values:
- - ACTIVE
- - DISABLED
- - ENROLLED
- - EXPIRED
- - INACTIVE
- - NOT_SETUP
- - PENDING_ACTIVATION
- FactorType:
+ - ACCESS_POLICY
+ - ENTITY_RISK
+ - IDP_DISCOVERY
+ - MFA_ENROLL
+ - PASSWORD
+ - POST_AUTH_SESSION
+ - PROFILE_ENROLLMENT
+ - RESOURCE_ACCESS
+ - SIGN_ON
+ PolicyRuleVerificationMethodType:
+ description: Verification method type
type: string
x-okta-known-values:
- - call
- - email
- - hotp
- - push
- - question
- - sms
- - token
- - token:hardware
- - token:hotp
- - token:software:totp
- - u2f
- - web
- - webauthn
- Feature:
+ - ASSURANCE
+ - AUTH_METHOD_CHAIN
+ PolicySubject:
+ description: Specifies the behavior for establishing, validating, and matching a username for an IdP User
type: object
properties:
- description:
- type: string
- id:
+ filter:
type: string
- readOnly: true
- name:
+ description: |-
+ Optional [regular expression pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) used to filter untrusted IdP usernames.
+ * As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any User, including partners or directory Users in your Okta org.
+ * For example, the filter pattern `(\S+@example\.com)` allows only Users that have an `@example.com` username suffix. It rejects assertions that have any other suffix such as `@corp.example.com` or `@partner.com`.
+ * Only `SAML2` and `OIDC` IdP providers support the `filter` property.
+ maxLength: 1024
+ example: (\S+@example\.com)
+ matchAttribute:
type: string
- stage:
- $ref: '#/components/schemas/FeatureStage'
- status:
- $ref: '#/components/schemas/EnabledStatus'
- type:
- $ref: '#/components/schemas/FeatureType'
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- FeatureStage:
- type: object
- properties:
- state:
- $ref: '#/components/schemas/FeatureStageState'
- value:
- $ref: '#/components/schemas/FeatureStageValue'
- FeatureStageState:
- type: string
- x-okta-known-values:
- - CLOSED
- - OPEN
- FeatureStageValue:
+ description: |-
+ Okta User profile attribute for matching a transformed IdP username. Only for matchType `CUSTOM_ATTRIBUTE`.
+ The `matchAttribute` must be a valid Okta User profile attribute of one of the following types:
+ * String (with no format or 'email' format only)
+ * Integer
+ * Number
+ example: login
+ matchType:
+ $ref: '#/components/schemas/PolicySubjectMatchType'
+ userNameTemplate:
+ $ref: '#/components/schemas/PolicyUserNameTemplate'
+ PolicySubjectMatchType:
+ description: Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username
type: string
x-okta-known-values:
- - BETA
- - EA
- FeatureType:
+ - CUSTOM_ATTRIBUTE
+ - EMAIL
+ - USERNAME
+ - USERNAME_OR_EMAIL
+ PolicyType:
+ description: |-
+ All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page.
+ Creating or replacing a policy with the `IDP_DISCOVERY` type isn't supported. The following policy types are available with
+ Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`.
type: string
x-okta-known-values:
- - self-service
- FipsEnum:
+ - ACCESS_POLICY
+ - ENTITY_RISK
+ - IDP_DISCOVERY
+ - MFA_ENROLL
+ - OKTA_SIGN_ON
+ - PASSWORD
+ - POST_AUTH_SESSION
+ - PROFILE_ENROLLMENT
+ - RESOURCE_ACCESS
+ PolicyTypeSimulation:
type: string
x-okta-known-values:
- - OPTIONAL
- - REQUIRED
- ForgotPasswordResponse:
+ - ACCESS_POLICY
+ - MFA_ENROLL
+ - OKTA_SIGN_ON
+ - PROFILE_ENROLLMENT
+ PolicyUserNameTemplate:
+ description: |-
+ [Okta Expression Language (EL) expression](https://developer.okta.com/docs/reference/okta-expression-language/) to generate or transform a unique username for the IdP User.
+ * IdP User profile attributes can be referenced with the `idpuser` prefix such as `idpuser.subjectNameId`.
+ * You must define an IdP User profile attribute before it can be referenced in an Okta EL expression. To define an IdP User attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP User profile to update the IdP instance with an expression that references the IdP User profile attribute that you just created.
type: object
properties:
- resetPasswordUrl:
+ template:
type: string
- readOnly: true
- GrantOrTokenStatus:
+ minLength: 9
+ maxLength: 1024
+ example: idpuser.subjectNameId
+ PolicyUserStatus:
type: string
x-okta-known-values:
+ - ACTIVATING
- ACTIVE
- - REVOKED
- GrantTypePolicyRuleCondition:
- type: object
- properties:
- include:
- type: array
- items:
- type: string
- Group:
+ - DELETED
+ - DELETING
+ - EXPIRED_PASSWORD
+ - INACTIVE
+ - PENDING
+ - SUSPENDED
+ PossessionConstraint:
+ allOf:
+ - $ref: '#/components/schemas/AccessPolicyConstraint'
+ - type: object
+ properties:
+ deviceBound:
+ type: string
+ description: Indicates if device-bound Factors are required. This property is only set for `POSSESSION` constraints.
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ hardwareProtection:
+ type: string
+ description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints.
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ phishingResistant:
+ type: string
+ description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints.
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ userPresence:
+ type: string
+ description: Indicates if the user needs to approve an Okta Verify prompt or provide biometrics (meets NIST AAL2 requirements). This property is only set for `POSSESSION` constraints.
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: REQUIRED
+ userVerification:
+ type: string
+ description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ PostAuthKeepMeSignedInPrompt:
type: object
properties:
- created:
+ acceptButtonText:
type: string
- format: date-time
- readOnly: true
- id:
+ description: The label on the accept button when prompting for Stay signed in
+ rejectButtonText:
type: string
- readOnly: true
- lastMembershipUpdated:
+ description: The label on the reject button when prompting for Stay signed in
+ subtitle:
type: string
- format: date-time
- readOnly: true
- lastUpdated:
+ description: The subtitle on the Sign-In Widget when prompting for Stay signed in
+ title:
type: string
- format: date-time
- readOnly: true
- objectClass:
- type: array
- readOnly: true
- items:
- type: string
- profile:
- $ref: '#/components/schemas/GroupProfile'
- type:
- $ref: '#/components/schemas/GroupType'
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- GroupCondition:
+ description: The title on the Sign-In Widget when prompting for Stay signed in
+ PostAuthSessionFailureActionsObject:
type: object
properties:
- exclude:
- type: array
- items:
- type: string
- include:
- type: array
- items:
- type: string
- GroupPolicyRuleCondition:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ - TERMINATE_SESSION
+ discriminator:
+ propertyName: action
+ mapping:
+ RUN_WORKFLOW: '#/components/schemas/PostAuthSessionPolicyRuleRunWorkflow'
+ TERMINATE_SESSION: '#/components/schemas/PostAuthSessionPolicyRuleTerminateSession'
+ PostAuthSessionPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported for this policy type.
+ default: null
+ nullable: true
+ PostAuthSessionPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ type: object
+ description: The action to take in response to a failure of the reevaluated global session policy or authentication polices.
+ properties:
+ postAuthSession:
+ type: object
+ description: This object contains a `failureActions` array that defines the specific action to take when post auth session evaluation detects a failure.
+ properties:
+ failureActions:
+ type: array
+ description: An array of objects that define the action. It can be empty or contain two `action` value pairs.
+ items:
+ $ref: '#/components/schemas/PostAuthSessionFailureActionsObject'
+ conditions:
+ type: object
+ properties:
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ PostAuthSessionPolicyRuleRunWorkflow:
type: object
properties:
- exclude:
- type: array
- items:
- type: string
- include:
- type: array
- items:
- type: string
- GroupProfile:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ workflow:
+ type: object
+ description: This action runs a workflow
+ properties:
+ id:
+ type: integer
+ description: The `id` of the workflow that runs.
+ PostAuthSessionPolicyRuleTerminateSession:
type: object
properties:
- description:
+ action:
type: string
- name:
+ description: The action to take when post auth session evaluation detects a failure.
+ enum:
+ - TERMINATE_SESSION
+ PreRegistrationInlineHook:
+ type: object
+ properties:
+ inlineHookId:
type: string
- x-okta-extensible: true
- GroupRule:
+ PrincipalRateLimitEntity:
+ title: PrincipalRateLimitEntity
+ description: ''
type: object
properties:
- actions:
- $ref: '#/components/schemas/GroupRuleAction'
- conditions:
- $ref: '#/components/schemas/GroupRuleConditions'
- created:
+ createdBy:
+ type: string
+ readOnly: true
+ createdDate:
type: string
format: date-time
readOnly: true
+ defaultConcurrencyPercentage:
+ type: integer
+ readOnly: true
+ defaultPercentage:
+ type: integer
+ readOnly: true
id:
type: string
readOnly: true
- lastUpdated:
+ lastUpdate:
type: string
format: date-time
readOnly: true
- name:
- type: string
- status:
- $ref: '#/components/schemas/GroupRuleStatus'
- type:
+ lastUpdatedBy:
type: string
- GroupRuleAction:
- type: object
- properties:
- assignUserToGroups:
- $ref: '#/components/schemas/GroupRuleGroupAssignment'
- GroupRuleConditions:
- type: object
- properties:
- expression:
- $ref: '#/components/schemas/GroupRuleExpression'
- people:
- $ref: '#/components/schemas/GroupRulePeopleCondition'
- GroupRuleExpression:
- type: object
- properties:
- type:
+ readOnly: true
+ orgId:
type: string
- value:
+ readOnly: true
+ principalId:
type: string
- GroupRuleGroupAssignment:
- type: object
- properties:
- groupIds:
- type: array
- items:
- type: string
- GroupRuleGroupCondition:
- type: object
- properties:
- exclude:
- type: array
- items:
- type: string
- include:
- type: array
- items:
- type: string
- GroupRulePeopleCondition:
- type: object
- properties:
- groups:
- $ref: '#/components/schemas/GroupRuleGroupCondition'
- users:
- $ref: '#/components/schemas/GroupRuleUserCondition'
- GroupRuleStatus:
+ principalType:
+ $ref: '#/components/schemas/PrincipalType'
+ required:
+ - principalId
+ - principalType
+ PrincipalType:
type: string
x-okta-known-values:
- - ACTIVE
- - INACTIVE
- - INVALID
- GroupRuleUserCondition:
- type: object
- properties:
- exclude:
- type: array
- items:
- type: string
- include:
- type: array
- items:
- type: string
- GroupSchema:
+ - SSWS_TOKEN
+ PrivilegedAccount:
type: object
properties:
- $schema:
- readOnly: true
- type: string
+ accountType:
+ $ref: '#/components/schemas/PrivilegedAccountType'
created:
- readOnly: true
type: string
- definitions:
- $ref: '#/components/schemas/GroupSchemaDefinitions'
+ format: date-time
+ description: Timestamp when the Privileged Account was created
+ readOnly: true
description:
+ description: The description of the Privileged Account
+ format: regex
+ maxLength: 255
+ minLength: 0
type: string
+ example: This is for accessing AWS Prod-5
id:
+ description: The UUID of the Privileged Account
+ format: regex
+ pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$
readOnly: true
type: string
+ example: a747a818-a4c4-4446-8a87-704216495a08
lastUpdated:
- readOnly: true
- type: string
- name:
- readOnly: true
type: string
- properties:
- $ref: '#/components/schemas/UserSchemaProperties'
- title:
- type: string
- type:
- readOnly: true
- type: string
- _links:
- additionalProperties:
- type: object
+ format: date-time
+ description: Timestamp when the Privileged Account was last updated
readOnly: true
- type: object
- x-okta-allow-null-property-value-for-updates: true
- GroupSchemaAttribute:
- type: object
- properties:
- description:
+ name:
+ description: The human-readable name for the Privileged Account
+ format: regex
+ maxLength: 50
+ minLength: 1
+ pattern: ^[\w\-_. ]+$
type: string
- enum:
+ example: AWS Prod-5 account
+ ownerGroupIds:
+ description: A list of IDs of the Okta groups that own the Privileged Account
+ type: array
items:
type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ description: A list of IDs of the Okta users that own the Privileged Account
type: array
- externalName:
+ items:
+ type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00u11s48P9zGW8yqm0g5
+ status:
+ $ref: '#/components/schemas/PrivilegedAccountStatus'
+ statusDetail:
+ $ref: '#/components/schemas/PrivilegedAccountStatusDetail'
+ required:
+ - name
+ - accountType
+ discriminator:
+ propertyName: accountType
+ mapping:
+ APP_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsAppAccount'
+ OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccount'
+ PrivilegedAccountCredentials:
+ description: Credentials for a Privileged Account
+ type: object
+ properties:
+ password:
type: string
- externalNamespace:
+ writeOnly: true
+ description: The password associated with the Privileged Account
+ format: password
+ username:
type: string
- items:
- $ref: '#/components/schemas/UserSchemaAttributeItems'
- master:
- $ref: '#/components/schemas/UserSchemaAttributeMaster'
- maxLength:
- type: integer
- minLength:
- type: integer
- mutability:
+ description: The username associated with the Privileged Account
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ required:
+ - username
+ PrivilegedAccountDetailsAppAccount:
+ description: Details for a SaaS Application Account, which will be managed as a Privileged Account
+ allOf:
+ - $ref: '#/components/schemas/PrivilegedAccount'
+ - type: object
+ properties:
+ details:
+ $ref: '#/components/schemas/PrivilegedAccountDetailsAppAccountSub'
+ required:
+ - details
+ PrivilegedAccountDetailsAppAccountSub:
+ description: Details for a SaaS Application Account, which will be managed as a Privileged Account
+ type: object
+ properties:
+ appGlobalName:
+ description: The name of the SaaS Application in the Okta Integration Network catalog
type: string
- oneOf:
- items:
- $ref: '#/components/schemas/UserSchemaAttributeEnum'
- type: array
- permissions:
- items:
- $ref: '#/components/schemas/UserSchemaAttributePermission'
- type: array
- required:
- type: boolean
- scope:
- $ref: '#/components/schemas/UserSchemaAttributeScope'
- title:
+ example: Salesforce
+ appInstanceName:
+ description: The instance name of the SaaS Application
type: string
- type:
- $ref: '#/components/schemas/UserSchemaAttributeType'
- union:
- $ref: '#/components/schemas/UserSchemaAttributeUnion'
- unique:
+ example: Salesforce Prod
+ credentials:
+ $ref: '#/components/schemas/PrivilegedAccountCredentials'
+ oktaApplicationId:
+ description: The Okta app instance ID of the SaaS Application
type: string
- GroupSchemaBase:
+ example: aln1aqcs055ZRoizW0g8
+ required:
+ - oktaApplicationId
+ - credentials
+ PrivilegedAccountDetailsOktaUserAccount:
+ description: Details for managing an Okta Universal Directory Account as a Privileged Account
+ allOf:
+ - $ref: '#/components/schemas/PrivilegedAccount'
+ - type: object
+ properties:
+ details:
+ $ref: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccountSub'
+ required:
+ - details
+ PrivilegedAccountDetailsOktaUserAccountSub:
+ description: Details for managing an Okta Universal Directory Account as a Privileged Account
type: object
properties:
- id:
- readOnly: true
+ credentials:
+ $ref: '#/components/schemas/PrivilegedAccountCredentials'
+ email:
+ description: The email address for the Okta Universal Directory Account
type: string
- properties:
- $ref: '#/components/schemas/GroupSchemaBaseProperties'
- required:
- items:
- type: string
- type: array
- type:
+ example: foo@bar.com
+ minLength: 5
+ maxLength: 100
+ oktaUserId:
+ description: An optional Okta user ID. If supplied, converts the matching Okta Universal Directory Account to a Privileged Account and updates the account with the provided details.
type: string
- GroupSchemaBaseProperties:
+ example: 00u11s48P9zGW8yqm0g5
+ required:
+ - email
+ - credentials
+ PrivilegedAccountForUpdate:
type: object
properties:
description:
- $ref: '#/components/schemas/GroupSchemaAttribute'
+ description: The description of the Privileged Account
+ format: regex
+ maxLength: 255
+ minLength: 0
+ type: string
+ example: This is for accessing AWS Prod-5
+ email:
+ description: The email address for the Okta Universal Directory Account
+ type: string
+ example: foo@bar.com
+ minLength: 5
+ maxLength: 100
name:
- $ref: '#/components/schemas/GroupSchemaAttribute'
- GroupSchemaCustom:
- type: object
- properties:
- id:
- readOnly: true
+ description: The human-readable name for the Privileged Account
+ format: regex
+ maxLength: 50
+ minLength: 1
+ pattern: ^[\w\-_. ]+$
type: string
- properties:
- additionalProperties:
- $ref: '#/components/schemas/GroupSchemaAttribute'
- type: object
- required:
+ example: AWS Prod-5 account
+ ownerGroupIds:
+ description: A list of IDs of the Okta groups who own the Privileged Account
+ type: array
items:
type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ description: A list of IDs of the Okta users who own the Privileged Account
type: array
- type:
+ items:
+ type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00u11s48P9zGW8yqm0g5
+ username:
type: string
- GroupSchemaDefinitions:
- type: object
- properties:
- base:
- $ref: '#/components/schemas/GroupSchemaBase'
- custom:
- $ref: '#/components/schemas/GroupSchemaCustom'
- GroupType:
+ description: The username associated with the Privileged Account
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ PrivilegedAccountStatus:
+ description: Describes the current status of a Privileged Account
type: string
- x-okta-known-values:
- - APP_GROUP
- - BUILT_IN
- - OKTA_GROUP
- HardwareUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/HardwareUserFactorProfile'
- HardwareUserFactorProfile:
- type: object
- properties:
- credentialId:
- type: string
- HostedPage:
- type: object
- properties:
- type:
- $ref: '#/components/schemas/HostedPageType'
- url:
- type: string
- required:
- - type
- HostedPageType:
+ x-enumDescriptions:
+ NO_ISSUES: The Account is ready for use in Okta Privileged Access
+ UNSECURED: The Account needs to be assigned to a Resource Group and a Project in Okta Privileged Access
+ INFO: An action involving the Account is currently in progress in Okta Privileged Access
+ ALERT: The Account requires attention from an Administrator
+ ERROR: An error is preventing the Account from being used in Okta Privileged Access
+ x-okta-known-values:
+ - ALERT
+ - ERROR
+ - INFO
+ - NO_ISSUES
+ - UNSECURED
+ PrivilegedAccountStatusDetail:
+ description: Describes the detailed status of a Privileged Account
type: string
+ x-enumDescriptions:
+ PENDING: The Account is in the process of being created
+ CREATION_FAILED: The Account could not be created
+ STAGED: The Account is in the Okta Privileged Access resource assignment area
+ ROTATING: The Account is assigned to a Project in Okta Privileged Access. Credentials are currently being synced using Okta Lifecycle Management.
+ ROTATED: The Account is assigned to a Project in Okta Privileged Access. Password rotations are fulfilled by Okta Lifecycle Management.
+ ROTATION_FAILED: The Account is assigned to a Project in Okta Privileged Access. An error occurred while using Okta Lifecycle Management to rotate the password.
+ VAULTED: The Account is assigned to a Project in Okta Privileged Access. A manually managed password is assigned to the Account.
+ MISSING_PASSWORD: The Account is assigned to a Project in Okta Privileged Access. A password is not assigned to the Account.
x-okta-known-values:
- - EXTERNALLY_HOSTED
- - OKTA_DEFAULT
- HrefObject:
- title: hrefObject
- description: Used for links
- type: object
- properties:
- hints:
- type: object
- properties:
- allow:
- type: array
- items:
- $ref: '#/components/schemas/HttpMethod'
- href:
- type: string
- HttpMethod:
+ - CREATION_FAILED
+ - MISSING_PASSWORD
+ - PENDING
+ - ROTATED
+ - ROTATING
+ - ROTATION_FAILED
+ - STAGED
+ - VAULTED
+ PrivilegedAccountType:
+ description: The type of Privileged Account
type: string
+ x-enumDescriptions:
+ APP_ACCOUNT: SaaS Application Account
+ OKTA_USER_ACCOUNT: Okta Universal Directory Account
x-okta-known-values:
- - DELETE
- - GET
- - POST
- - PUT
- IdentityProvider:
+ - APP_ACCOUNT
+ - OKTA_USER_ACCOUNT
+ PrivilegedResource:
+ default:
+ resourceType: OKTA_USER_ACCOUNT
type: object
properties:
created:
type: string
+ description: Timestamp when the object was created
format: date-time
readOnly: true
- nullable: true
+ example: '2024-06-10T11:11:01.000Z'
+ credentialSyncInfo:
+ $ref: '#/components/schemas/CredentialSyncInfo'
+ readOnly: true
+ example:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-10T11:13:01.000Z'
+ syncState: NOT_SYNCED
+ errorCode: UNKNOWN_ERROR
+ errorReason: Unknown error
id:
type: string
+ description: ID of the privileged resource
readOnly: true
- issuerMode:
- $ref: '#/components/schemas/IssuerMode'
+ example: opa100xTfFs4MasRf0g4
lastUpdated:
type: string
+ description: Timestamp when the object was last updated
format: date-time
readOnly: true
- name:
- type: string
- policy:
- $ref: '#/components/schemas/IdentityProviderPolicy'
- protocol:
- $ref: '#/components/schemas/Protocol'
+ example: '2024-06-10T11:13:01.000Z'
+ resourceType:
+ $ref: '#/components/schemas/PrivilegedResourceType'
+ example: APP_ACCOUNT
status:
- $ref: '#/components/schemas/LifecycleStatus'
- type:
- $ref: '#/components/schemas/IdentityProviderType'
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- IdentityProviderApplicationUser:
+ $ref: '#/components/schemas/PrivilegedResourceStatus'
+ example: ACTIVE
+ discriminator:
+ propertyName: resourceType
+ mapping:
+ APP_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountApp'
+ OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountOkta'
+ PrivilegedResourceAccountApp:
+ allOf:
+ - type: object
+ properties:
+ containerDetails:
+ $ref: '#/components/schemas/AppAccountContainerDetails'
+ credentials:
+ $ref: '#/components/schemas/PrivilegedResourceCredentials'
+ - $ref: '#/components/schemas/PrivilegedResource'
+ required:
+ - containerId
+ PrivilegedResourceAccountOkta:
+ allOf:
+ - type: object
+ properties:
+ resourceId:
+ type: string
+ description: The user ID associated with the Okta privileged resource
+ example: 00u100xTfFs4MasRf0g4
+ credentials:
+ $ref: '#/components/schemas/PrivilegedResourceCredentials'
+ profile:
+ $ref: '#/components/schemas/profile'
+ example:
+ email: testuser@example.com
+ - $ref: '#/components/schemas/PrivilegedResource'
+ PrivilegedResourceCredentials:
+ description: Credentials for the privileged account
type: object
properties:
- created:
- type: string
- externalId:
- type: string
- id:
+ password:
type: string
- readOnly: true
- lastUpdated:
+ description: The password associated with the privileged resource
+ format: password
+ writeOnly: true
+ example: xf1bs9am2
+ userName:
type: string
- profile:
- type: object
- additionalProperties:
- type: object
- properties: {}
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- IdentityProviderCredentials:
- type: object
- properties:
- client:
- $ref: '#/components/schemas/IdentityProviderCredentialsClient'
- signing:
- $ref: '#/components/schemas/IdentityProviderCredentialsSigning'
- trust:
- $ref: '#/components/schemas/IdentityProviderCredentialsTrust'
- IdentityProviderCredentialsClient:
+ description: The username associated with the privileged resource
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ required:
+ - userName
+ PrivilegedResourceStatus:
+ description: Current status of the privileged resource
+ type: string
+ x-enumDescriptions:
+ CREATED: The privileged resource is created but not yet managed by OPA
+ ACTIVE: The privileged resource is currently managed by OPA
+ INACTIVE: The privileged resource is `INACTIVE` and not currently managed by OPA
+ readOnly: true
+ x-okta-known-values:
+ - ACTIVE
+ - CREATED
+ - CREATION_FAILED
+ - INACTIVE
+ - PENDING
+ PrivilegedResourceType:
+ description: The type of the resource
+ type: string
+ x-okta-known-values:
+ - APP_ACCOUNT
+ - OKTA_USER_ACCOUNT
+ PrivilegedResourceUpdateRequest:
+ description: Update request for a privileged resource
type: object
properties:
- client_id:
- type: string
- client_secret:
+ profile:
+ $ref: '#/components/schemas/profile'
+ example:
+ email: testuser@example.com
+ userName:
type: string
- IdentityProviderCredentialsSigning:
+ description: The username associated with the privileged resource
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ ProfileEnrollmentPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported for this policy type
+ default: null
+ nullable: true
+ ProfileEnrollmentPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions'
+ conditions:
+ type: string
+ description: Policy Rule conditions aren't supported for this policy type
+ default: null
+ nullable: true
+ ProfileEnrollmentPolicyRuleAction:
type: object
properties:
- kid:
+ access:
type: string
- IdentityProviderCredentialsTrust:
- type: object
- properties:
- audience:
+ enum:
+ - ALLOW
+ - DENY
+ description: '**Note:** The Profile Enrollment Action object can''t be modified to set the `access` property to `DENY` after the policy is created.'
+ activationRequirements:
+ $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement'
+ allowedIdentifiers:
+ items:
+ type: string
+ type: array
+ description: A list of attributes to identify an end user. Can be used across Okta sign-in, unlock, and recovery flows.
+ default:
+ - login
+ enrollAuthenticatorTypes:
+ items:
+ type: string
+ type: array
+ description: Additional authenticator fields that can be used on the first page of user registration. Valid values only includes `'password'`.
+ preRegistrationInlineHooks:
+ items:
+ $ref: '#/components/schemas/PreRegistrationInlineHook'
+ type: array
+ description: (Optional) The `id` of at most one registration inline hook
+ profileAttributes:
+ items:
+ $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute'
+ type: array
+ description: A list of attributes to prompt the user during registration or progressive profiling. Where defined on the User schema, these attributes are persisted in the User profile. Non-schema attributes can also be added, which aren't persisted to the User's profile, but are included in requests to the registration inline hook. A maximum of 10 Profile properties is supported.
+ progressiveProfilingAction:
type: string
- issuer:
+ enum:
+ - ENABLED
+ - DISABLED
+ description: Progressive profile enrollment helps evaluate the profile enrollment policy at every user login. Users can be prompted to provide input for newly required attributes.
+ targetGroupIds:
+ items:
+ type: string
+ type: array
+ description: (Optional, max 1 entry) The `id` of a Group that this User should be added to
+ uiSchemaId:
type: string
- kid:
+ description: Value created by the backend. If present, all policy updates must include this attribute/value.
+ unknownUserAction:
type: string
- revocation:
- $ref: '#/components/schemas/IdentityProviderCredentialsTrustRevocation'
- revocationCacheLifetime:
- type: integer
- IdentityProviderCredentialsTrustRevocation:
- type: string
- x-okta-known-values:
- - CRL
- - DELTA_CRL
- - OCSP
- IdentityProviderPolicy:
+ enum:
+ - DENY
+ - REGISTER
+ description: Which action should be taken if this User is new
+ ProfileEnrollmentPolicyRuleActions:
allOf:
- - $ref: '#/components/schemas/Policy'
+ - $ref: '#/components/schemas/PolicyRuleActions'
- type: object
properties:
- accountLink:
- $ref: '#/components/schemas/PolicyAccountLink'
- conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
- maxClockSkew:
- type: integer
- provisioning:
- $ref: '#/components/schemas/Provisioning'
- subject:
- $ref: '#/components/schemas/PolicySubject'
- IdentityProviderPolicyProvider:
- type: string
- x-okta-known-values:
- - ANY
- - OKTA
- - SPECIFIC_IDP
- IdentityProviderPolicyRuleCondition:
+ profileEnrollment:
+ $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction'
+ ProfileEnrollmentPolicyRuleActivationRequirement:
+ description: Contains a single Boolean property that indicates whether `emailVerification` should occur (`true`) or not (`false`, default)
type: object
properties:
- idpIds:
- type: array
- items:
- type: string
- provider:
- $ref: '#/components/schemas/IdentityProviderPolicyProvider'
- IdentityProviderType:
- type: string
- x-okta-known-values:
- - AgentlessDSSO
- - FACEBOOK
- - GOOGLE
- - IWA
- - LINKEDIN
- - MICROSOFT
- - OIDC
- - OKTA
- - SAML2
- - X509
- IdpPolicyRuleAction:
+ emailVerification:
+ type: boolean
+ ProfileEnrollmentPolicyRuleProfileAttribute:
type: object
properties:
- providers:
- items:
- $ref: '#/components/schemas/IdpPolicyRuleActionProvider'
- type: array
- IdpPolicyRuleActionProvider:
+ label:
+ type: string
+ description: A display-friendly label for this property
+ name:
+ type: string
+ description: The name of a User Profile property. Can be an existing property.
+ required:
+ type: boolean
+ description: (Optional, default `FALSE`) Indicates if this property is required for enrollment
+ default: false
+ ProfileMapping:
+ description: |-
+ The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04).
+
+ > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must either be Okta->App or App->Okta.
type: object
properties:
id:
- readOnly: true
type: string
- type:
+ description: Unique identifier for a profile mapping
+ readOnly: true
+ properties:
+ type: object
+ additionalProperties:
+ $ref: '#/components/schemas/ProfileMappingProperty'
+ readOnly: false
+ source:
+ $ref: '#/components/schemas/ProfileMappingSource'
+ target:
+ $ref: '#/components/schemas/ProfileMappingTarget'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ ProfileMappingProperty:
+ description: A target property, in string form, that maps to a valid [JSON Schema Draft](https://tools.ietf.org/html/draft-zyp-json-schema-04) document.
+ type: object
+ properties:
+ expression:
+ description: Combination or single source properties that are mapped to the target property
type: string
- IframeEmbedScopeAllowedApps:
+ pushStatus:
+ $ref: '#/components/schemas/ProfileMappingPropertyPushStatus'
+ ProfileMappingPropertyPushStatus:
+ description: |-
+ Indicates whether to update target properties for user create and update or just for user create.
+
+ Having a pushStatus of `PUSH` causes properties in the target to be updated on create and update. Having a pushStatus of `DONT_PUSH` causes properties in the target to be updated only on create.
type: string
x-okta-known-values:
- - OKTA_ENDUSER
- ImageUploadResponse:
+ - DONT_PUSH
+ - PUSH
+ ProfileMappingRequest:
+ description: The updated request body properties
type: object
properties:
- url:
- readOnly: true
- type: string
- InactivityPolicyRuleCondition:
+ properties:
+ type: object
+ additionalProperties:
+ $ref: '#/components/schemas/ProfileMappingProperty'
+ required:
+ - properties
+ - additionalProperties
+ - expression
+ - pushStatus
+ ProfileMappingSource:
+ description: |-
+ The parameter is the source of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. The data type can be an app instance or an Okta object.
+
+ > **Note:** If the source is Okta and the UserTypes feature isn't enabled, then the source `_links` only has a link to the schema.
type: object
properties:
- number:
- type: integer
- unit:
+ id:
type: string
- InlineHook:
- type: object
- properties:
- channel:
- $ref: '#/components/schemas/InlineHookChannel'
- created:
+ description: Unique identifier for the application instance or userType
+ readOnly: true
+ name:
type: string
- format: date-time
+ description: Variable name of the application instance or name of the referenced UserType
readOnly: true
- id:
+ type:
type: string
+ description: Type of user referenced in the mapping
readOnly: true
- lastUpdated:
+ _links:
+ $ref: '#/components/schemas/SourceLinks'
+ ProfileMappingTarget:
+ description: |-
+ The parameter is the target of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. The data type can be an app instance or an Okta object.
+
+ > **Note:** If the target is Okta and the UserTypes feature isn't enabled, then the target `_links` only has a link to the schema.
+ type: object
+ properties:
+ id:
type: string
- format: date-time
+ description: Unique identifier for the application instance or UserType
readOnly: true
name:
type: string
- status:
- $ref: '#/components/schemas/InlineHookStatus'
+ description: Variable name of the application instance or name of the referenced userType
+ readOnly: true
type:
- $ref: '#/components/schemas/InlineHookType'
- version:
type: string
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
+ description: Type of user referenced in the mapping
readOnly: true
- InlineHookChannel:
+ _links:
+ $ref: '#/components/schemas/SourceLinks'
+ ProfileSettingObject:
+ description: |
+ This setting determines whether a user in the app gets updated when they're updated in Okta.
+
+ If enabled, Okta updates a user's attributes in the app when the app is assigned.
+ Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the app.
type: object
properties:
- config:
- $ref: '#/components/schemas/InlineHookChannelConfig'
+ status:
+ allOf:
+ - $ref: '#/components/schemas/EnabledStatus'
+ - example: DISABLED
+ - default: DISABLED
+ ProtocolAlgorithmRequestScope:
+ description: Specifies whether to digitally sign authorization requests to the IdP
+ example: REQUEST
+ type: string
+ x-okta-known-values:
+ - NONE
+ - REQUEST
+ ProtocolAlgorithmResponseScope:
+ description: Specifies whether to verify responses from the IdP
+ example: ANY
+ type: string
+ x-okta-known-values:
+ - ANY
+ - RESPONSE
+ - TOKEN
+ ProtocolCredentialsKeyId:
+ description: IdP Key Credential reference to the Okta X.509 signature certificate
+ example: your-key-id
+ type: string
+ ProtocolEndpointBinding:
+ type: string
+ x-okta-known-values:
+ - HTTP-POST
+ - HTTP-REDIRECT
+ ProtocolMtls:
+ title: Mutual TLS Protocol
+ description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4)
+ type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/MtlsCredentials'
+ endpoints:
+ $ref: '#/components/schemas/MtlsEndpoints'
type:
- $ref: '#/components/schemas/InlineHookChannelType'
- version:
type: string
- InlineHookChannelConfig:
+ description: Mutual TLS
+ enum:
+ - MTLS
+ ProtocolOAuth:
+ title: OAuth 2.0 Protocol
+ description: Protocol settings for authentication using the [OAuth 2.0 Authorization Code flow](https://tools.ietf.org/html/rfc6749#section-4.1)
type: object
properties:
- authScheme:
- $ref: '#/components/schemas/InlineHookChannelConfigAuthScheme'
- headers:
+ credentials:
+ $ref: '#/components/schemas/OAuthCredentials'
+ endpoints:
+ $ref: '#/components/schemas/OAuthEndpoints'
+ scopes:
type: array
+ description: |-
+ IdP-defined permission bundles to request delegated access from the User
+ > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider.
items:
- $ref: '#/components/schemas/InlineHookChannelConfigHeaders'
- method:
- type: string
- uri:
+ type: string
+ example: public_profile
+ type:
type: string
- InlineHookChannelConfigAuthScheme:
+ description: OAuth 2.0 Authorization Code flow
+ enum:
+ - OAUTH2
+ ProtocolOidc:
+ title: OpenID Connect Protocol
+ description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
type: object
properties:
- key:
- type: string
+ algorithms:
+ $ref: '#/components/schemas/OidcAlgorithms'
+ credentials:
+ $ref: '#/components/schemas/OAuthCredentials'
+ endpoints:
+ $ref: '#/components/schemas/OAuthEndpoints'
+ scopes:
+ type: array
+ description: |-
+ OpenID Connect and IdP-defined permission bundles to request delegated access from the User
+ > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider.
+ items:
+ type: string
+ example: openid
type:
type: string
- value:
- type: string
- InlineHookChannelConfigHeaders:
+ description: OpenID Connect Authorization Code flow
+ enum:
+ - OIDC
+ ProtocolSaml:
+ title: SAML 2.0 Protocol
+ description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
type: object
properties:
- key:
- type: string
- value:
+ algorithms:
+ $ref: '#/components/schemas/SamlAlgorithms'
+ credentials:
+ $ref: '#/components/schemas/SamlCredentials'
+ endpoints:
+ $ref: '#/components/schemas/SamlEndpoints'
+ relayState:
+ $ref: '#/components/schemas/SamlRelayState'
+ settings:
+ $ref: '#/components/schemas/SamlSettings'
+ type:
type: string
- InlineHookChannelType:
+ description: SAML 2.0 protocol
+ enum:
+ - SAML2
+ ProviderType:
type: string
x-okta-known-values:
- - HTTP
- InlineHookPayload:
- type: object
- x-okta-extensible: true
- InlineHookResponse:
- type: object
- properties:
- commands:
- type: array
- items:
- $ref: '#/components/schemas/InlineHookResponseCommands'
- InlineHookResponseCommandValue:
+ - APNS
+ - FCM
+ Provisioning:
+ description: Specifies the behavior for just-in-time (JIT) provisioning of an IdP User as a new Okta User and their Group memberships
type: object
properties:
- op:
- type: string
- path:
- type: string
- value:
- type: string
- InlineHookResponseCommands:
+ action:
+ $ref: '#/components/schemas/ProvisioningAction'
+ conditions:
+ $ref: '#/components/schemas/ProvisioningConditions'
+ groups:
+ $ref: '#/components/schemas/ProvisioningGroups'
+ profileMaster:
+ type: boolean
+ description: Determines if the IdP should act as a source of truth for User profile attributes
+ ProvisioningAction:
+ description: |-
+ Specifies the User provisioning action during authentication when an IdP User isn't linked to an existing Okta User.
+ * To successfully provision a new Okta User, you must enable just-in-time (JIT) provisioning in your org security settings.
+ * If the target username isn't unique or the resulting Okta User profile is missing a required profile attribute, JIT provisioning may fail.
+ * New Okta Users are provisioned with either a `FEDERATION` or `SOCIAL` authentication provider depending on the IdP type.
+ type: string
+ x-enumDescriptions:
+ AUTO: The IdP User profile is transformed through defined universal directory profile mappings to an Okta User profile and automatically provisioned as an Okta User.
+ DISABLED: Okta rejects the authentication request and skips provisioning of a new Okta User if the IdP User isn't linked to an existing Okta User.
+ x-okta-known-values:
+ - AUTO
+ - DISABLED
+ ProvisioningConditions:
+ description: Conditional behaviors for an IdP User during authentication
type: object
properties:
- type:
- type: string
- value:
- type: array
- items:
- $ref: '#/components/schemas/InlineHookResponseCommandValue'
- InlineHookStatus:
+ deprovisioned:
+ $ref: '#/components/schemas/ProvisioningDeprovisionedCondition'
+ suspended:
+ $ref: '#/components/schemas/ProvisioningSuspendedCondition'
+ ProvisioningConnectionAuthScheme:
+ description: Defines the method of authentication
type: string
+ x-enumDescriptions:
+ TOKEN: A token is used to authenticate with the app.
+ OAUTH2: OAuth 2.0 is used to authenticate with the app.
+ UNKNOWN: The authentication scheme used by the app isn't supported, or the app doesn't support provisioning.
x-okta-known-values:
- - ACTIVE
- - INACTIVE
- InlineHookType:
+ - OAUTH2
+ - TOKEN
+ - UNKNOWN
+ ProvisioningConnectionOauthAuthScheme:
+ description: OAuth 2.0 is used to authenticate with the app.
type: string
x-okta-known-values:
- - com.okta.import.transform
- - com.okta.oauth2.tokens.transform
- - com.okta.saml.tokens.transform
- - com.okta.user.credential.password.import
- - com.okta.user.pre-registration
- IssuerMode:
+ - OAUTH2
+ ProvisioningConnectionOauthRequest:
+ title: OAuth 2.0-based connection
+ allOf:
+ - $ref: '#/components/schemas/ProvisioningConnectionRequest'
+ - description: OAuth 2.0-based Provisioning Connection request
+ properties:
+ profile:
+ $ref: '#/components/schemas/ProvisioningConnectionOauthRequestProfile'
+ required:
+ - profile
+ ProvisioningConnectionOauthRequestProfile:
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme'
+ clientId:
+ type: string
+ description: Only used for the Okta Org2Org (`okta_org2org`) app. The unique client identifier for the OAuth 2.0 service app from the target org.
+ settings:
+ $ref: '#/components/schemas/Office365ProvisioningSettings'
+ required:
+ - authScheme
+ ProvisioningConnectionProfileOauth:
+ description: |
+ The app provisioning connection profile used to configure the method of authentication and the credentials.
+ Currently, token-based and OAuth 2.0-based authentication are supported.
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme'
+ clientId:
+ type: string
+ required:
+ - authScheme
+ ProvisioningConnectionRequest:
+ type: object
+ ProvisioningConnectionRequestAuthScheme:
type: string
x-okta-known-values:
- - CUSTOM_URL
- - DYNAMIC
- - ORG_URL
- JsonWebKey:
+ - OAUTH2
+ - TOKEN
+ ProvisioningConnectionResponse:
type: object
properties:
- alg:
- type: string
- created:
- type: string
- format: date-time
- e:
- type: string
- expiresAt:
- type: string
- format: date-time
- key_ops:
- type: array
- items:
- type: string
- kid:
- type: string
- kty:
- type: string
- lastUpdated:
- type: string
- format: date-time
- 'n':
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme'
+ baseUrl:
type: string
+ description: Base URL
+ profile:
+ $ref: '#/components/schemas/ProvisioningConnectionResponseProfile'
status:
- type: string
- use:
- type: string
- x5c:
- type: array
- items:
- type: string
- x5t:
- type: string
- x5t#S256:
- type: string
- x5u:
- type: string
+ $ref: '#/components/schemas/ProvisioningConnectionStatus'
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- JwkUse:
- type: object
+ $ref: '#/components/schemas/LinksSelfLifecycleAndAuthorize'
+ required:
+ - profile
+ - status
+ ProvisioningConnectionResponseProfile:
properties:
- use:
- $ref: '#/components/schemas/JwkUseType'
- JwkUseType:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionAuthScheme'
+ required:
+ - authScheme
+ ProvisioningConnectionStatus:
+ description: Provisioning Connection status
+ default: DISABLED
type: string
+ x-enumDescriptions:
+ DISABLED: The Provisioning Connection is disabled.
+ ENABLED: The Provisioning Connection is enabled.
+ UNKNOWN: Provisioning isn't supported by the app, or the authentication method is unknown.
x-okta-known-values:
- - sig
- KnowledgeConstraint:
- allOf:
- - $ref: '#/components/schemas/AccessPolicyConstraint'
- Language:
- description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646).
+ - DISABLED
+ - ENABLED
+ - UNKNOWN
+ ProvisioningConnectionTokenAuthScheme:
+ description: A token is used to authenticate with the app. This property is only returned for the `TOKEN` authentication scheme.
type: string
- LifecycleCreateSettingObject:
- type: object
- properties:
- status:
- $ref: '#/components/schemas/EnabledStatus'
- LifecycleDeactivateSettingObject:
- type: object
- properties:
- status:
- $ref: '#/components/schemas/EnabledStatus'
- LifecycleExpirationPolicyRuleCondition:
- type: object
+ x-okta-known-values:
+ - TOKEN
+ ProvisioningConnectionTokenRequest:
+ title: Token-based connection
+ allOf:
+ - $ref: '#/components/schemas/ProvisioningConnectionRequest'
+ - description: Token-based Provisioning Connection request
+ properties:
+ baseUrl:
+ type: string
+ description: Only used for the Zscaler 2.0 (`zscalerbyz`) app. The base URL for the Zscaler 2.0 target app, which also contains the Zscaler ID.
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ profile:
+ $ref: '#/components/schemas/ProvisioningConnectionTokenRequestProfile'
+ required:
+ - profile
+ ProvisioningConnectionTokenRequestProfile:
properties:
- lifecycleStatus:
- type: string
- number:
- type: integer
- unit:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme'
+ token:
type: string
- LifecycleStatus:
+ description: Token used to authenticate with the app
+ required:
+ - authScheme
+ ProvisioningDeprovisionedAction:
+ description: Specifies the action during authentication when an IdP User is linked to a previously deprovisioned Okta User
type: string
+ x-enumDescriptions:
+ NONE: Take no action. If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, authentication fails.
+ REACTIVATE: If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, reactivate the matching User in Okta and allow the authentication attempt to proceed.
x-okta-known-values:
- - ACTIVE
- - INACTIVE
- LinkedObject:
+ - NONE
+ - REACTIVATE
+ ProvisioningDeprovisionedCondition:
+ description: Behavior for a previously deprovisioned IdP User during authentication. Not supported with OIDC IdPs.
type: object
properties:
- associated:
- $ref: '#/components/schemas/LinkedObjectDetails'
- primary:
- $ref: '#/components/schemas/LinkedObjectDetails'
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- LinkedObjectDetails:
+ action:
+ $ref: '#/components/schemas/ProvisioningDeprovisionedAction'
+ ProvisioningGroups:
+ description: Provisioning settings for a User's Group memberships
type: object
properties:
- description:
- type: string
- name:
- type: string
- title:
+ action:
+ $ref: '#/components/schemas/ProvisioningGroupsAction'
+ assignments:
+ type: array
+ description: List of `OKTA_GROUP` Group identifiers to add an IdP User as a member with the `ASSIGN` action
+ items:
+ type: string
+ example: 00gak46y5hydV6NdM0g4
+ filter:
+ type: array
+ description: Allowlist of `OKTA_GROUP` Group identifiers for the `APPEND` or `SYNC` provisioning action
+ items:
+ type: string
+ example: 00gak46y5hydV6NdM0g4
+ sourceAttributeName:
type: string
- type:
- $ref: '#/components/schemas/LinkedObjectDetailsType'
- LinkedObjectDetailsType:
+ description: IdP User profile attribute name (case-insensitive) for an array value that contains Group memberships
+ maxLength: 1024
+ example: Groups
+ ProvisioningGroupsAction:
+ description: |-
+ Provisioning action for the IdP User's Group memberships
+
+ | Enum | Description | Existing OKTA_GROUP Memberships | Existing APP_GROUP Memberships | Existing BUILT_IN Memberships |
+ | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------ | ----------------------------- |
+ | `APPEND` | Adds a User to any Group defined by the IdP as a value of the `sourceAttributeName` array that matches the name of the allow listed Group defined in the `filter` | Unchanged | Unchanged | Unchanged |
+ | `ASSIGN` | Assigns a User to Groups defined in the `assignments` array | Unchanged | Unchanged | Unchanged |
+ | `NONE` | Skips processing of Group memberships | Unchanged | Unchanged | Unchanged |
+ | `SYNC` | Group memberships are sourced by the IdP as a value of the `sourceAttributeName` array that matches the name of the Group defined in the `filter` | Removed if not defined by the IdP in `sourceAttributeName` and matching name of the Group in `filter` | Unchanged | Unchanged |
+
+ > **Note:** Group provisioning action is processed independently from profile sourcing. You can sync Group memberships through SAML with profile sourcing disabled.
type: string
x-okta-known-values:
- - USER
- LocationGranularity:
+ - APPEND
+ - ASSIGN
+ - NONE
+ - SYNC
+ ProvisioningSuspendedAction:
+ description: Specifies the action during authentication when an IdP User is linked to a previously suspended Okta User
type: string
+ x-enumDescriptions:
+ NONE: Take no action. If an IdP User that matches a previously suspended Okta User attempts to authenticate, authentication fails.
+ UNSUSPEND: If an IdP User that matches a previously suspended Okta User attempts to authenticate, unsuspend the matching User in Okta and allow the authentication attempt to proceed.
x-okta-known-values:
- - CITY
- - COUNTRY
- - LAT_LONG
- - SUBDIVISION
- LogActor:
+ - NONE
+ - UNSUSPEND
+ ProvisioningSuspendedCondition:
+ description: Behavior for a previously suspended IdP User during authentication. Not supported with OIDC IdPs.
+ type: object
+ properties:
+ action:
+ $ref: '#/components/schemas/ProvisioningSuspendedAction'
+ PushMethodKeyProtection:
+ description: Indicates whether you must use a hardware key store
+ type: string
+ x-okta-known-values:
+ - ANY
+ - HARDWARE
+ PushProvider:
+ title: PushProvider
type: object
properties:
- alternateId:
- type: string
- readOnly: true
- detail:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- displayName:
- type: string
- readOnly: true
id:
type: string
readOnly: true
- type:
+ description: Unique key for the Push Provider
+ lastUpdatedDate:
type: string
readOnly: true
- LogAuthenticationContext:
+ description: Timestamp when the Push Provider was last modified
+ name:
+ type: string
+ description: Display name of the push provider
+ providerType:
+ $ref: '#/components/schemas/ProviderType'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ discriminator:
+ propertyName: providerType
+ mapping:
+ APNS: '#/components/schemas/APNSPushProvider'
+ FCM: '#/components/schemas/FCMPushProvider'
+ RateLimitAdminNotifications:
+ title: RateLimitAdminNotifications
+ description: ''
type: object
properties:
- authenticationProvider:
- $ref: '#/components/schemas/LogAuthenticationProvider'
- authenticationStep:
+ notificationsEnabled:
+ type: boolean
+ required:
+ - notificationsEnabled
+ RateLimitWarningThresholdRequest:
+ title: RateLimitWarningThreshold
+ description: ''
+ type: object
+ properties:
+ warningThreshold:
+ description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs.
+ type: integer
+ minimum: 30
+ maximum: 90
+ required:
+ - warningThreshold
+ RateLimitWarningThresholdResponse:
+ title: RateLimitWarningThreshold
+ description: ''
+ type: object
+ properties:
+ warningThreshold:
+ description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs.
type: integer
+ minimum: 30
+ maximum: 90
+ Realm:
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the Realm was created
readOnly: true
- credentialProvider:
- $ref: '#/components/schemas/LogCredentialProvider'
- credentialType:
- $ref: '#/components/schemas/LogCredentialType'
- externalSessionId:
+ id:
type: string
+ description: Unique key for the Realm
readOnly: true
- interface:
+ isDefault:
+ type: boolean
+ description: Conveys whether the Realm is the default
+ readOnly: true
+ lastUpdated:
type: string
+ format: date-time
+ description: Timestamp when the Realm was last updated
readOnly: true
- issuer:
- $ref: '#/components/schemas/LogIssuer'
- LogAuthenticationProvider:
- type: string
- x-okta-known-values:
- - ACTIVE_DIRECTORY
- - FACTOR_PROVIDER
- - FEDERATION
- - LDAP
- - OKTA_AUTHENTICATION_PROVIDER
- - SOCIAL
- LogClient:
+ profile:
+ $ref: '#/components/schemas/RealmProfile'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ RealmAssignment:
type: object
properties:
- device:
+ actions:
+ $ref: '#/components/schemas/Actions'
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ created:
type: string
+ format: date-time
readOnly: true
- geographicalContext:
- $ref: '#/components/schemas/LogGeographicalContext'
id:
type: string
readOnly: true
- ipAddress:
- type: string
+ isDefault:
+ type: boolean
readOnly: true
- userAgent:
- $ref: '#/components/schemas/LogUserAgent'
- zone:
+ lastUpdated:
type: string
+ format: date-time
readOnly: true
- LogCredentialProvider:
+ name:
+ type: string
+ priority:
+ type: integer
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ RealmProfile:
+ type: object
+ properties:
+ name:
+ type: string
+ description: Name of a Realm
+ realmType:
+ type: string
+ description: Used to store partner users. This must be set to Partner to access Okta's external partner portal.
+ enum:
+ - PARTNER
+ - DEFAULT
+ x-enumDescriptions:
+ PARTNER: Realm with external partner portal
+ DEFAULT: Default
+ required:
+ - name
+ RecoveryQuestionCredential:
+ description: |-
+ Specifies a secret question and answer that's validated (case insensitive) when a user forgets their
+ password or unlocks their account. The answer property is write-only.
+ type: object
+ properties:
+ answer:
+ type: string
+ description: The answer to the recovery question
+ minimum: 1
+ maximum: 100
+ writeOnly: true
+ example: se7en
+ question:
+ type: string
+ description: The recovery question
+ minimum: 1
+ maximum: 100
+ example: what is your favourite movie?
+ RefreshToken:
+ description: The refresh token
+ type: object
+ properties:
+ jti:
+ description: The refresh token ID
+ type: string
+ RegistrationInlineHook:
+ allOf:
+ - $ref: '#/components/schemas/InlineHook'
+ - type: object
+ RegistrationInlineHookCommand:
+ type: object
+ properties:
+ type:
+ type: string
+ enum:
+ - com.okta.user.profile.update
+ - com.okta.action.update
+ - com.okta.user.progressive.profile.update
+ RegistrationInlineHookPPData:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/RegistrationInlineHookRequest'
+ - type: object
+ properties:
+ data:
+ type: object
+ properties:
+ context:
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ user:
+ type: object
+ properties:
+ passwordChanged:
+ type: string
+ format: date-time
+ description: The last time the user's password was updated
+ _links:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled.
+ type: object
+ properties:
+ groups:
+ description: URL to retrieve the individual user's group memberships
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ factors:
+ description: URL to retrieve individual user's factor enrollments
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ profile:
+ additionalProperties: true
+ type: object
+ description: The user to update's current attributes
+ id:
+ type: string
+ action:
+ description: The default action the system takes. Set to `ALLOW`. `DENY` is never sent to your external service
+ type: string
+ userProfileUpdate:
+ additionalProperties: true
+ type: object
+ description: Name-value pairs for each new attribute supplied by the user in the Progressive Profile form
+ RegistrationInlineHookRequest:
+ description: Registration inline hook request
+ type: object
+ properties:
+ eventType:
+ type: string
+ description: The type of inline hook. The registration inline hook type is `com.okta.user.pre-registration`.
+ requestType:
+ $ref: '#/components/schemas/RegistrationInlineHookRequestType'
+ discriminator:
+ propertyName: requestType
+ mapping:
+ self.service.registration: '#/components/schemas/RegistrationInlineHookSSRData'
+ progressive.profile: '#/components/schemas/RegistrationInlineHookPPData'
+ RegistrationInlineHookRequestType:
+ description: The type of registration hook. Use either `self.service.registration` or `progressive.profile`.
type: string
x-okta-known-values:
- - DUO
- - GOOGLE
- - OKTA_AUTHENTICATION_PROVIDER
- - OKTA_CREDENTIAL_PROVIDER
- - RSA
- - SYMANTEC
- - YUBIKEY
- LogCredentialType:
+ - progressive.profile
+ - self.service.registration
+ RegistrationInlineHookResponse:
+ description: Registration inline hook response
+ type: object
+ properties:
+ commands:
+ type: array
+ RegistrationInlineHookSSRData:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/RegistrationInlineHookRequest'
+ - type: object
+ properties:
+ data:
+ type: object
+ properties:
+ context:
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ action:
+ description: The default action the system will take. Will be `ALLOW`. `DENY` will never be sent to your external service.
+ type: string
+ userProfile:
+ additionalProperties: true
+ type: object
+ description: The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form.
+ RegistrationResponse:
+ type: object
+ properties:
+ commands:
+ description: |-
+ The `commands` object lets you invoke commands to modify or add values to the attributes in the Okta user profile that are created for this user. The object also lets you control whether or not the registration attempt is allowed to proceed.
+
+ This object is an array, allowing you to send multiple commands in your response. Each array element requires a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you wish to execute, and `value` is where you supply parameters for that command.
+
+ The registration inline hook supports these three commands:
+ * `com.okta.user.profile.update`: Change attribute values in the user's Okta user profile. For SSR only. Invalid if used with a Progressive Profile response.
+ * `com.okta.action.update`: Allow or deny the user's registration.
+ * `com.okta.user.progressive.profile.update`: Change attribute values in the user's Okta Progressive Profile.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ description: |-
+ The location where you specify the command. To set attributes in the user's Okta profile, supply a `type` property set to `com.okta.user.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Okta user profile attributes you want to set. The attributes must already exist in your user profile schema.
+
+ To explicitly allow or deny registration to the user, supply a type property set to `com.okta.action.update`, together with a value property set to `{"registration": "ALLOW"}` or `{"registration": "DENY"}`. The default is to allow registration.
+
+ In Okta Identity Engine, to set attributes in the user's profile, supply a `type` property set to `com.okta.user.progressive.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Progressive Enrollment attributes that you want to set. See [Registration inline hook - Send response](https://developer.okta.com/docs/guides/registration-inline-hook/nodejs/main/#send-response).
+
+ Commands are applied in the order that they appear in the array. Within a single `com.okta.user.profile.update` or `com.okta.user.progressive.profile.update command`, attributes are updated in the order that they appear in the `value` object.
+
+ You can never use a command to update the user's password, but you are allowed to set the values of attributes other than password that are designated sensitive in your Okta user schema. However, the values of those sensitive attributes, if included as fields in the Profile Enrollment form, aren't included in the `data.userProfile` object sent to your external service by Okta. See [data.userProfile](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook!path=0/data/userProfile&t=request).
+ type: string
+ value:
+ additionalProperties: true
+ description: |-
+ The `value` object is the parameter to pass to the command.
+
+ For `com.okta.user.profile.update` commands, `value` should be an object containing one or more name-value pairs for the attributes you wish to update.
+
+ For `com.okta.action.update` commands, the value should be an object containing the attribute `action` set to a value of either `ALLOW` or `DENY`, indicating whether the registration should be permitted or not.
+
+ Registrations are allowed by default, so setting a value of `ALLOW` for the action field is valid but superfluous.
+ type: object
+ Error:
+ description: |-
+ For the registration inline hook, the `error` object provides a way of displaying an error message to the end user who is trying to register or update their profile.
+
+ * If you're using the Okta Sign-In Widget for Profile Enrollment, only the `errorSummary` messages of the `errorCauses` objects that your external service returns appear as inline errors, given the following:
+ * You don't customize the error handling behavior of the widget.
+ * The `location` of `errorSummary` in the `errorCauses` object specifies the request object's user profile attribute.
+ * If you don't return a value for the `errorCauses` object, and deny the user's registration attempt through the `commands` object in your response to Okta, one of the following generic messages appears to the end user:
+ * "Registration cannot be completed at this time." (SSR)
+ * "We found some errors. Please review the form and make corrections." (Progressive Enrollment)
+ * If you don't return an `error` object at all and the registration is denied, the following generic message appears to the end user:
+ * "Registration denied." (SSR)
+ * "Profile update denied." (Progressive Enrollment)
+
+ >**Note:** If you include an error object in your response, no commands are executed and the registration fails. This holds true even if the top-level `errorSummary` and the `errorCauses` objects are omitted.
+ type: object
+ properties:
+ errorSummary:
+ type: string
+ description: Human-readable summary of one or more errors
+ errorCauses:
+ type: array
+ items:
+ type: object
+ properties:
+ errorSummary:
+ type: string
+ description: Human-readable summary of the error.
+ reason:
+ type: string
+ description: A brief, enum-like string that indicates the nature of the error. For example, `UNIQUE_CONSTRAINT` for a property uniqueness violation.
+ locationType:
+ type: string
+ description: Where in the request the error was found (`body`, `header`, `url`, or `query`).
+ location:
+ description: The valid JSON path to the location of the error. For example, if there was an error in the user's `login` field, the `location` might be `data.userProfile.login`.
+ type: string
+ domain:
+ type: string
+ description: Indicates the source of the error. If the error was in the user's profile, for example, you might use `end-user`. If the error occurred in the external service, you might use `external-service`.
+ ReleaseChannel:
+ description: Release channel for auto-update
type: string
x-okta-known-values:
- - ASSERTION
- - EMAIL
- - IWA
- - JWT
- - OAuth 2.0
- - OTP
- - PASSWORD
- - SMS
- LogDebugContext:
+ - BETA
+ - EA
+ - GA
+ - TEST
+ RequiredEnum:
+ type: string
+ x-okta-known-values:
+ - ALWAYS
+ - HIGH_RISK_ONLY
+ - NEVER
+ ResendUserFactor:
type: object
properties:
- debugData:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- LogEvent:
+ factorType:
+ description: Type of the Factor
+ type: string
+ enum:
+ - call
+ - email
+ - sms
+ discriminator:
+ propertyName: factorType
+ mapping:
+ call: '#/components/schemas/UserFactorCall'
+ email: '#/components/schemas/UserFactorEmail'
+ sms: '#/components/schemas/UserFactorSMS'
+ ResetPasswordToken:
type: object
properties:
- actor:
- $ref: '#/components/schemas/LogActor'
- authenticationContext:
- $ref: '#/components/schemas/LogAuthenticationContext'
- client:
- $ref: '#/components/schemas/LogClient'
- debugContext:
- $ref: '#/components/schemas/LogDebugContext'
- displayMessage:
- type: string
- readOnly: true
- eventType:
- type: string
- readOnly: true
- legacyEventType:
- type: string
- readOnly: true
- outcome:
- $ref: '#/components/schemas/LogOutcome'
- published:
- type: string
- format: date-time
- readOnly: true
- request:
- $ref: '#/components/schemas/LogRequest'
- securityContext:
- $ref: '#/components/schemas/LogSecurityContext'
- severity:
- $ref: '#/components/schemas/LogSeverity'
- target:
- type: array
- readOnly: true
- items:
- $ref: '#/components/schemas/LogTarget'
- transaction:
- $ref: '#/components/schemas/LogTransaction'
- uuid:
- type: string
- readOnly: true
- version:
+ resetPasswordUrl:
type: string
readOnly: true
- LogGeographicalContext:
+ example: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO
+ ResourceSelectorCreateRequestSchema:
type: object
properties:
- city:
+ description:
type: string
- readOnly: true
- country:
+ description: Description of the Resource Selector
+ filter:
type: string
- readOnly: true
- geolocation:
- $ref: '#/components/schemas/LogGeolocation'
- postalCode:
+ description: SCIM filter of the Resource Selector
+ name:
type: string
- readOnly: true
- state:
+ description: Name of the Resource Selector
+ schema:
type: string
- readOnly: true
- LogGeolocation:
+ description: Schema of the Resource Selector
+ ResourceSelectorPatchRequestSchema:
type: object
properties:
- lat:
- type: number
- format: double
- readOnly: true
- lon:
- type: number
- format: double
- readOnly: true
- LogIpAddress:
- type: object
- properties:
- geographicalContext:
- $ref: '#/components/schemas/LogGeographicalContext'
- ip:
+ description:
type: string
- readOnly: true
- source:
+ description: Description of the Resource Selector
+ filter:
type: string
- readOnly: true
- version:
+ description: SCIM filter of the Resource Selector
+ name:
type: string
- readOnly: true
- LogIssuer:
+ description: Name of the Resource Selector
+ ResourceSelectorResponseSchema:
type: object
properties:
+ description:
+ type: string
+ description: Description of the Resource Selector
id:
type: string
- readOnly: true
- type:
+ description: Unique key for the Resource Selector
+ name:
type: string
- readOnly: true
- LogOutcome:
+ description: Name of the Resource Selector
+ orn:
+ type: string
+ description: An Okta resource name
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ resources:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSelectorResponseWithoutSelfLinkSchema:
type: object
properties:
- reason:
+ description:
type: string
- readOnly: true
- result:
+ description: Description of the Resource Selector
+ id:
type: string
- readOnly: true
- LogRequest:
+ description: Unique key for the Resource Selector
+ name:
+ type: string
+ description: Name of the Resource Selector
+ orn:
+ type: string
+ description: An Okta resource name
+ _links:
+ allOf:
+ - properties:
+ resources:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSelectorsSchema:
type: object
properties:
- ipChain:
+ resourceSelectors:
type: array
- readOnly: true
items:
- $ref: '#/components/schemas/LogIpAddress'
- LogSecurityContext:
- type: object
- properties:
- asNumber:
- type: integer
- readOnly: true
- asOrg:
- type: string
- readOnly: true
- domain:
- type: string
- readOnly: true
- isp:
- type: string
- readOnly: true
- isProxy:
- type: boolean
- readOnly: true
- LogSeverity:
- type: string
- x-okta-known-values:
- - DEBUG
- - ERROR
- - INFO
- - WARN
- LogTarget:
+ $ref: '#/components/schemas/ResourceSelectorResponseWithoutSelfLinkSchema'
+ _links:
+ $ref: '#/components/schemas/LinksNext'
+ ResourceSet:
type: object
properties:
- alternateId:
+ created:
type: string
+ format: date-time
+ description: Timestamp when the role was created
readOnly: true
- detailEntry:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- displayName:
+ description:
type: string
- readOnly: true
+ description: Description of the Resource Set
id:
type: string
+ description: Unique ID for the Resource Set object
readOnly: true
- type:
+ label:
+ type: string
+ description: Unique label for the Resource Set
+ lastUpdated:
type: string
+ format: date-time
+ description: Timestamp when the role was last updated
readOnly: true
- LogTransaction:
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ resources:
+ $ref: '#/components/schemas/HrefObject'
+ bindings:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSetBindingAddMembersRequest:
type: object
properties:
- detail:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- id:
- type: string
- readOnly: true
- type:
+ additions:
+ type: array
+ items:
+ type: string
+ ResourceSetBindingCreateRequest:
+ type: object
+ properties:
+ members:
+ type: array
+ items:
+ type: string
+ role:
type: string
- readOnly: true
- LogUserAgent:
+ description: Unique key for the role
+ ResourceSetBindingMember:
type: object
properties:
- browser:
+ created:
type: string
+ format: date-time
+ description: Timestamp when the role was created
readOnly: true
- os:
+ id:
type: string
+ description: Unique key for the role
readOnly: true
- rawUserAgent:
+ lastUpdated:
type: string
+ format: date-time
+ description: Timestamp when the role was last updated
readOnly: true
- MDMEnrollmentPolicyEnrollment:
- type: string
- x-okta-known-values:
- - ANY_OR_NONE
- - OMM
- MDMEnrollmentPolicyRuleCondition:
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ ResourceSetBindingMembers:
type: object
properties:
- blockNonSafeAndroid:
- type: boolean
- enrollment:
- $ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment'
- MultifactorEnrollmentPolicy:
- allOf:
- - $ref: '#/components/schemas/Policy'
- - type: object
- properties:
- conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
- settings:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicySettings'
- MultifactorEnrollmentPolicyAuthenticatorSettings:
+ members:
+ type: array
+ items:
+ $ref: '#/components/schemas/ResourceSetBindingMember'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksNext'
+ - properties:
+ binding:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSetBindingResponse:
type: object
properties:
- enroll:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorStatus'
- key:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorType'
- MultifactorEnrollmentPolicyAuthenticatorStatus:
- type: string
- x-okta-known-values:
- - NOT_ALLOWED
- - OPTIONAL
- - REQUIRED
- MultifactorEnrollmentPolicyAuthenticatorType:
- type: string
- x-okta-known-values:
- - custom_app
- - custom_otp
- - duo
- - external_idp
- - google_otp
- - okta_email
- - okta_password
- - okta_verify
- - onprem_mfa
- - phone_number
- - rsa_token
- - security_question
- - symantec_vip
- - webauthn
- - yubikey_token
- MultifactorEnrollmentPolicySettings:
+ id:
+ type: string
+ description: '`id` of the role'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ bindings:
+ $ref: '#/components/schemas/HrefObject'
+ resource-set:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSetBindingRole:
type: object
properties:
- authenticators:
- items:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorSettings'
- type: array
- type:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicySettingsType'
- MultifactorEnrollmentPolicySettingsType:
- type: string
- x-okta-known-values:
- - AUTHENTICATORS
- NetworkZone:
+ id:
+ type: string
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ members:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSetBindings:
type: object
properties:
- asns:
+ roles:
type: array
items:
- type: string
+ $ref: '#/components/schemas/ResourceSetBindingRole'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ bindings:
+ $ref: '#/components/schemas/HrefObject'
+ resource-set:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSetResource:
+ type: object
+ properties:
created:
type: string
format: date-time
+ description: Timestamp when the Resource Set Resource object was created
readOnly: true
- gateways:
- type: array
- items:
- $ref: '#/components/schemas/NetworkZoneAddress'
id:
type: string
+ description: Unique ID of the Resource Set Resource object
readOnly: true
lastUpdated:
type: string
format: date-time
+ description: Timestamp when this object was last updated
readOnly: true
- locations:
+ orn:
+ type: string
+ description: The Okta Resource Name (ORN) of the resource
+ _links:
+ description: Related discoverable resources
+ readOnly: true
+ properties:
+ self:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The REST API URL of the related resource
+ resource:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to this Resource Set Resource object (self)
+ groups:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: If applicable, the REST API URL of the related Groups resource
+ users:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: If applicable, the REST API URL of the related Users resource
+ ResourceSetResourcePatchRequest:
+ type: object
+ properties:
+ additions:
type: array
+ description: A list of resources to add to the Resource Set
items:
- $ref: '#/components/schemas/NetworkZoneLocation'
- name:
+ type: string
+ description: Resource in ORN or REST API URL format
+ ResourceSetResourcePostRequest:
+ type: object
+ properties:
+ resourceOrnOrUrl:
type: string
- proxies:
+ description: Resource in ORN or REST API URL format
+ required:
+ - resourceOrnOrUrl
+ - conditions
+ ResourceSetResourcePutRequest:
+ type: object
+ ResourceSetResources:
+ type: object
+ properties:
+ resources:
type: array
items:
- $ref: '#/components/schemas/NetworkZoneAddress'
- proxyType:
- type: string
- status:
- $ref: '#/components/schemas/NetworkZoneStatus'
- system:
- type: boolean
- type:
- $ref: '#/components/schemas/NetworkZoneType'
- usage:
- $ref: '#/components/schemas/NetworkZoneUsage'
+ $ref: '#/components/schemas/ResourceSetResource'
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- NetworkZoneAddress:
+ allOf:
+ - $ref: '#/components/schemas/LinksNext'
+ - properties:
+ resource-set:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSets:
type: object
properties:
- type:
- $ref: '#/components/schemas/NetworkZoneAddressType'
- value:
- type: string
- NetworkZoneAddressType:
- type: string
- x-okta-known-values:
- - CIDR
- - RANGE
- NetworkZoneLocation:
+ resource-sets:
+ type: array
+ items:
+ $ref: '#/components/schemas/ResourceSet'
+ _links:
+ $ref: '#/components/schemas/LinksNext'
+ ResponseLinks:
+ description: Link objects
type: object
properties:
- country:
- type: string
- region:
- type: string
- NetworkZoneStatus:
- type: string
- x-okta-known-values:
- - ACTIVE
- - INACTIVE
- NetworkZoneType:
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ ResponseMode:
type: string
+ x-enumDescriptions:
+ fragment: Parameters are encoded in the URL fragment added to the `redirect_uri` when redirecting back to the client.
+ query: Parameters are encoded in the query string added to the `redirect_uri` when redirecting back to the client.
+ form_post: Parameters are encoded as HTML form values (`application/x-www-form-urlencoded` format) and are transmitted through the HTTP POST method to the client.
+ okta_post_message: |-
+ Uses [HTML5 Web Messaging](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) (for example, `window.postMessage()`) instead of the redirect for the authorization response from the `/authorize` endpoint.
+
+ `okta_post_message` is an adaptation of the [Web Message Response Mode](https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00#section-4.1).
+ This value provides a secure way for a single-page application to perform a sign-in flow in a pop-up window or an iFrame and receive the ID token, access token, and/or authorization code back in the parent page without leaving the context of that page. The data object for the `postMessage` call is in the next section.
x-okta-known-values:
- - DYNAMIC
- - IP
- NetworkZoneUsage:
+ - form_post
+ - fragment
+ - okta_post_message
+ - query
+ ResponseType:
type: string
x-okta-known-values:
- - BLOCKLIST
- - POLICY
- NotificationType:
+ - code
+ - id_token
+ - none
+ - token
+ ResponseTypesSupported:
type: string
x-okta-known-values:
- - AD_AGENT
- - APP_IMPORT
- - CONNECTOR_AGENT
- - IWA_AGENT
- - LDAP_AGENT
- - OKTA_ANNOUNCEMENT
- - OKTA_ISSUE
- - OKTA_UPDATE
- - RATELIMIT_NOTIFICATION
- - REPORT_SUSPICIOUS_ACTIVITY
- - USER_DEPROVISION
- - USER_LOCKED_OUT
- OAuth2Actor:
+ - code
+ - code id_token
+ - code id_token token
+ - code token
+ - id_token
+ - id_token token
+ - token
+ RevokeRefreshTokenHrefObject:
type: object
properties:
- id:
- type: string
- readOnly: true
- type:
+ href:
type: string
- OAuth2Claim:
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ RiscIdentifierChangedEvent:
+ description: The subject's identifier has changed, which is either an email address or a phone number change
type: object
properties:
- alwaysIncludeInToken:
- type: boolean
- claimType:
- $ref: '#/components/schemas/OAuth2ClaimType'
- conditions:
- $ref: '#/components/schemas/OAuth2ClaimConditions'
- group_filter_type:
- $ref: '#/components/schemas/OAuth2ClaimGroupFilterType'
- id:
- type: string
- readOnly: true
- name:
- type: string
- status:
- $ref: '#/components/schemas/LifecycleStatus'
- system:
- type: boolean
- value:
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ new-value:
type: string
- valueType:
- $ref: '#/components/schemas/OAuth2ClaimValueType'
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- OAuth2ClaimConditions:
+ description: The new identifier value
+ example: new.email@okta.example.com
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ RiskDetectionTypesPolicyRuleCondition:
+ description: An object that references detected risk events. This object can have an `include` parameter or an `exclude` parameter, but not both.
type: object
properties:
- scopes:
+ exclude:
type: array
+ description: An array of detected risk events to exclude in the entity policy rule
items:
- type: string
- OAuth2ClaimGroupFilterType:
- type: string
- x-okta-known-values:
- - CONTAINS
- - EQUALS
- - REGEX
- - STARTS_WITH
- OAuth2ClaimType:
- type: string
- x-okta-known-values:
- - IDENTITY
- - RESOURCE
- OAuth2ClaimValueType:
- type: string
- x-okta-known-values:
- - EXPRESSION
- - GROUPS
- - SYSTEM
- OAuth2Client:
+ $ref: '#/components/schemas/DetectedRiskEvents'
+ include:
+ type: array
+ description: An array of detected risk events to include in the entity policy rule
+ items:
+ $ref: '#/components/schemas/DetectedRiskEvents'
+ required:
+ - exclude
+ - include
+ RiskEvent:
type: object
properties:
- client_id:
+ expiresAt:
type: string
- readOnly: true
- client_name:
+ format: date-time
+ description: 'Timestamp at which the event expires (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`). If this optional field is not included, Okta automatically expires the event 24 hours after the event is consumed.'
+ subjects:
+ type: array
+ description: List of Risk Event Subjects
+ items:
+ $ref: '#/components/schemas/RiskEventSubject'
+ timestamp:
type: string
- readOnly: true
- client_uri:
+ format: date-time
+ description: 'Timestamp of when the event is produced (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`)'
+ required:
+ - subjects
+ RiskEventSubject:
+ type: object
+ properties:
+ ip:
type: string
- readOnly: true
- logo_uri:
+ description: The risk event subject IP address (either an IPv4 or IPv6 address)
+ message:
type: string
- readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- OAuth2RefreshToken:
+ description: Additional reasons for the risk level of the IP
+ maxLength: 512
+ pattern: ^[a-zA-Z0-9 .\-_]*$
+ riskLevel:
+ $ref: '#/components/schemas/RiskEventSubjectRiskLevel'
+ required:
+ - ip
+ - riskLevel
+ RiskEventSubjectRiskLevel:
+ description: The risk level associated with the IP
+ type: string
+ x-okta-known-values:
+ - HIGH
+ - LOW
+ - MEDIUM
+ RiskPolicyRuleCondition:
+ type: object
+ properties:
+ behaviors:
+ uniqueItems: true
+ type: array
+ items:
+ type: string
+ RiskProvider:
type: object
properties:
+ action:
+ $ref: '#/components/schemas/RiskProviderAction'
clientId:
type: string
+ description: The ID of the [OAuth service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) that is used to send risk events to Okta
+ example: 00cjkjjkkgjkdkjdkkljjsd
created:
type: string
format: date-time
+ description: Timestamp when the Risk Provider object was created
readOnly: true
- createdBy:
- $ref: '#/components/schemas/OAuth2Actor'
- expiresAt:
- type: string
- format: date-time
- readOnly: true
+ example: '2021-01-05 22:18:30'
id:
type: string
+ description: The ID of the Risk Provider object
readOnly: true
- issuer:
- type: string
+ example: 00rp12r4skkjkjgsn
lastUpdated:
type: string
format: date-time
+ description: Timestamp when the Risk Provider object was last updated
readOnly: true
- scopes:
- type: array
- items:
- type: string
- status:
- $ref: '#/components/schemas/GrantOrTokenStatus'
- userId:
- type: string
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- OAuth2Scope:
- type: object
- properties:
- consent:
- $ref: '#/components/schemas/OAuth2ScopeConsentType'
- default:
- type: boolean
- description:
- type: string
- displayName:
- type: string
- id:
- type: string
- readOnly: true
- metadataPublish:
- $ref: '#/components/schemas/OAuth2ScopeMetadataPublish'
- name:
- type: string
- system:
- type: boolean
- OAuth2ScopeConsentGrant:
+ example: '2021-01-05 22:18:30'
+ name:
+ type: string
+ description: Name of the risk provider
+ maxLength: 50
+ example: Risk-Partner-X
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - name
+ - clientId
+ - action
+ - id
+ - _links
+ RiskProviderAction:
+ description: Action taken by Okta during authentication attempts based on the risk events sent by this provider
+ default: log_only
+ type: string
+ x-enumDescriptions:
+ log_only: Include risk event information in the System Log
+ none: No action
+ enforce_and_log: Use risk event information to evaluate risks during authentication attempts and include risk event information in the System Log
+ x-okta-known-values:
+ - enforce_and_log
+ - log_only
+ - none
+ RiskScorePolicyRuleCondition:
+ description: Specifies a particular level of risk to match on
type: object
properties:
- clientId:
+ level:
type: string
+ description: The level to match
+ enum:
+ - ANY
+ - LOW
+ - MEDIUM
+ - HIGH
+ required:
+ - level
+ Role:
+ type: object
+ properties:
+ assignmentType:
+ $ref: '#/components/schemas/RoleAssignmentType'
created:
type: string
format: date-time
readOnly: true
- createdBy:
- $ref: '#/components/schemas/OAuth2Actor'
+ description:
+ type: string
id:
type: string
readOnly: true
- issuer:
+ label:
type: string
+ readOnly: true
lastUpdated:
type: string
format: date-time
readOnly: true
- scopeId:
- type: string
- source:
- $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource'
status:
- $ref: '#/components/schemas/GrantOrTokenStatus'
- userId:
- type: string
+ $ref: '#/components/schemas/LifecycleStatus'
+ type:
+ $ref: '#/components/schemas/RoleType'
_embedded:
type: object
additionalProperties:
@@ -18225,2278 +62256,4573 @@ components:
properties: {}
readOnly: true
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
+ $ref: '#/components/schemas/LinksSelf'
+ RoleAssignedUser:
+ type: object
+ properties:
+ id:
+ type: string
readOnly: true
- OAuth2ScopeConsentGrantSource:
- type: string
- x-okta-known-values:
- - ADMIN
- - END_USER
- OAuth2ScopeConsentType:
- type: string
- x-okta-known-values:
- - ADMIN
- - IMPLICIT
- - REQUIRED
- OAuth2ScopeMetadataPublish:
+ description: The ID of the User
+ orn:
+ type: string
+ readOnly: true
+ description: ORN representing the assignee
+ _links:
+ $ref: '#/components/schemas/LinksSelfAndRoles'
+ RoleAssignedUsers:
+ type: object
+ properties:
+ value:
+ type: array
+ items:
+ $ref: '#/components/schemas/RoleAssignedUser'
+ _links:
+ $ref: '#/components/schemas/LinksNextForRoleAssignments'
+ RoleAssignmentType:
+ description: Role assignment type
type: string
+ x-enumDescriptions:
+ USER: The Role is assigned to a User
+ GROUP: The Role is assigned to a Group
+ CLIENT: The Role is assigned to a Client Application
x-okta-known-values:
- - ALL_CLIENTS
- - NO_CLIENTS
- OAuth2ScopesMediationPolicyRuleCondition:
+ - CLIENT
+ - GROUP
+ - USER
+ RoleGovernance:
+ description: List of all User Role Governance Sources
type: object
properties:
- include:
+ grants:
type: array
items:
- type: string
- OAuth2Token:
+ $ref: '#/components/schemas/RoleGovernanceSource'
+ _links:
+ $ref: '#/components/schemas/LinksGovernanceSources'
+ RoleGovernanceResource:
+ description: The resource of a grant
type: object
properties:
- clientId:
- type: string
- created:
+ label:
type: string
- format: date-time
- readOnly: true
- expiresAt:
+ description: The resource name
+ resource:
type: string
- format: date-time
- readOnly: true
- id:
+ description: The resources id
+ RoleGovernanceResources:
+ description: The resources of a grant
+ type: object
+ properties:
+ resources:
+ type: array
+ items:
+ $ref: '#/components/schemas/RoleGovernanceResource'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ RoleGovernanceSource:
+ description: User Role Governance Source
+ type: object
+ properties:
+ bundleId:
type: string
readOnly: true
- issuer:
- type: string
- lastUpdated:
+ description: '`id` of the entitlement bundle'
+ expirationDate:
type: string
format: date-time
readOnly: true
- scopes:
- type: array
- items:
- type: string
- status:
- $ref: '#/components/schemas/GrantOrTokenStatus'
- userId:
+ description: The expiration date of the entitlement bundle
+ grantId:
type: string
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
readOnly: true
+ description: '`id` of the grant'
+ type:
+ $ref: '#/components/schemas/GovernanceSourceType'
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- OAuthApplicationCredentials:
- allOf:
- - $ref: '#/components/schemas/ApplicationCredentials'
- - type: object
- properties:
- oauthClient:
- $ref: '#/components/schemas/ApplicationCredentialsOAuthClient'
- OAuthEndpointAuthenticationMethod:
+ allOf:
+ - $ref: '#/components/schemas/LinksGovernanceResources'
+ - $ref: '#/components/schemas/LinksSelf'
+ required:
+ - type
+ - grantId
+ - resources
+ RolePermissionType:
+ description: Permission type
type: string
x-okta-known-values:
- - client_secret_basic
- - client_secret_jwt
- - client_secret_post
- - none
- - private_key_jwt
- OAuthGrantType:
+ - okta.apps.assignment.manage
+ - okta.apps.manage
+ - okta.apps.manageFirstPartyApps
+ - okta.apps.read
+ - okta.authzServers.manage
+ - okta.authzServers.read
+ - okta.customizations.manage
+ - okta.customizations.read
+ - okta.devices.lifecycle.activate
+ - okta.devices.lifecycle.deactivate
+ - okta.devices.lifecycle.delete
+ - okta.devices.lifecycle.manage
+ - okta.devices.lifecycle.suspend
+ - okta.devices.lifecycle.unsuspend
+ - okta.devices.manage
+ - okta.devices.read
+ - okta.governance.accessCertifications.manage
+ - okta.governance.accessRequests.manage
+ - okta.groups.appAssignment.manage
+ - okta.groups.create
+ - okta.groups.manage
+ - okta.groups.members.manage
+ - okta.groups.read
+ - okta.identityProviders.manage
+ - okta.identityProviders.read
+ - okta.profilesources.import.run
+ - okta.support.cases.manage
+ - okta.users.appAssignment.manage
+ - okta.users.create
+ - okta.users.credentials.expirePassword
+ - okta.users.credentials.manage
+ - okta.users.credentials.resetFactors
+ - okta.users.credentials.resetPassword
+ - okta.users.groupMembership.manage
+ - okta.users.lifecycle.activate
+ - okta.users.lifecycle.clearSessions
+ - okta.users.lifecycle.deactivate
+ - okta.users.lifecycle.delete
+ - okta.users.lifecycle.manage
+ - okta.users.lifecycle.suspend
+ - okta.users.lifecycle.unlock
+ - okta.users.lifecycle.unsuspend
+ - okta.users.manage
+ - okta.users.read
+ - okta.users.userprofile.manage
+ RoleType:
+ description: Standard role type
type: string
+ x-enumDescriptions:
+ API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator
+ API_ADMIN: Access Management Administrator
+ APP_ADMIN: Application Administrator
+ CUSTOM: Custom label specified by the client
+ GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator
+ HELP_DESK_ADMIN: Help Desk Administrator
+ MOBILE_ADMIN: Mobile Administrator
+ ORG_ADMIN: Organizational Administrator
+ READ_ONLY_ADMIN: Read-Only Administrator
+ REPORT_ADMIN: Report Administrator
+ SUPER_ADMIN: Super Administrator
+ USER_ADMIN: Group Administrator
+ ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined Resource Sets)
+ ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined Resource Sets)
x-okta-known-values:
- - authorization_code
- - client_credentials
- - implicit
- - interaction_code
+ - ACCESS_CERTIFICATIONS_ADMIN
+ - ACCESS_REQUESTS_ADMIN
+ - API_ACCESS_MANAGEMENT_ADMIN
+ - API_ADMIN
+ - APP_ADMIN
+ - CUSTOM
+ - GROUP_MEMBERSHIP_ADMIN
+ - HELP_DESK_ADMIN
+ - MOBILE_ADMIN
+ - ORG_ADMIN
+ - READ_ONLY_ADMIN
+ - REPORT_ADMIN
+ - SUPER_ADMIN
+ - USER_ADMIN
+ RotatePasswordRequest:
+ description: Rotate password request for the privileged account
+ type: object
+ properties:
+ password:
+ type: string
+ description: The password associated with the privileged resource
+ format: password
+ writeOnly: true
+ example: xf1bs9am2
+ secretVersionId:
+ type: string
+ description: The version ID of the password secret from the OPA vault
+ minLength: 1
+ maxLength: 36
+ example: 9f8400-e29b-41d4-a716-926655440034
+ required:
- password
- - refresh_token
- OAuthResponseType:
- type: string
- x-okta-known-values:
- - code
- - id_token
- - token
- OktaSignOnPolicy:
- allOf:
- - $ref: '#/components/schemas/Policy'
- - type: object
- properties:
- conditions:
- $ref: '#/components/schemas/OktaSignOnPolicyConditions'
- OktaSignOnPolicyConditions:
- allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- - type: object
- properties:
- people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
- OktaSignOnPolicyFactorPromptMode:
- type: string
- x-okta-known-values:
- - ALWAYS
- - DEVICE
- - SESSION
- OktaSignOnPolicyRule:
- allOf:
- - $ref: '#/components/schemas/PolicyRule'
- - type: object
- properties:
- actions:
- $ref: '#/components/schemas/OktaSignOnPolicyRuleActions'
- conditions:
- $ref: '#/components/schemas/OktaSignOnPolicyRuleConditions'
- OktaSignOnPolicyRuleActions:
- allOf:
- - $ref: '#/components/schemas/PolicyRuleActions'
- - type: object
- properties:
- signon:
- $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions'
- OktaSignOnPolicyRuleConditions:
- allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- - type: object
- properties:
- authContext:
- $ref: '#/components/schemas/PolicyRuleAuthContextCondition'
- network:
- $ref: '#/components/schemas/PolicyNetworkCondition'
- people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
- OktaSignOnPolicyRuleSignonActions:
+ - secretVersionId
+ SAMLHookResponse:
type: object
properties:
- access:
- $ref: '#/components/schemas/PolicyAccess'
- factorLifetime:
- type: integer
- factorPromptMode:
- $ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode'
- rememberDeviceByDefault:
- type: boolean
- default: false
- requireFactor:
- type: boolean
- default: false
- session:
- $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions'
- OktaSignOnPolicyRuleSignonSessionActions:
+ commands:
+ description: |-
+ The `commands` object is where you tell Okta to add additional claims to the assertion or to modify the existing assertion statements.
+
+ `commands` is an array, allowing you to send multiple commands. In each array element, include a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command.
+ In the case of the SAML assertion inline hook, the `value` property is itself a nested object, in which you specify a particular operation, a path to act on, and a value.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ description: One of the supported commands `com.okta.assertion.patch`
+ value:
+ type: array
+ items:
+ type: object
+ properties:
+ op:
+ type: string
+ description: |-
+ The name of one of the supported ops:
+ `add`: Add a new claim to the assertion
+ `replace`: Modify any element of the assertion
+ > **Note:** If a response to the SAML assertion inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta process flow continues with the original SAML assertion returned.
+ path:
+ type: string
+ description: Location, within the assertion, to apply the operation
+ value:
+ oneOf:
+ - type: string
+ - type: integer
+ - type: object
+ description: |-
+ The value of the claim that you add or replace, and can also include other attributes. If adding to a claim, add another `value` attribute residing within an array called `attributeValues`.
+
+ See the following examples:
+
+ #### Simple value (integer or string)
+
+ `"value": 300` or `"value": "replacementString"`
+
+ #### Attribute value (object)
+
+ ` "value": {
+ "authContextClassRef": "replacementValue"
+ }`
+
+ #### AttributeValues array value (object)
+
+ ` "value": {
+ "attributes": {
+ "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+ },
+ "attributeValues": [
+ {"attributes": {
+ "xsi:type": "xs:string"
+ },
+ "value": "4321"}
+ ]
+ }`
+ error:
+ description: |-
+ An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log.
+ The string supplied in the `errorSummary` property is recorded in the System Log event.
+ > **Note:** If the error object doesn't include the defined `errorSummary` property, the following common default message
+ is returned to the end user: `The callback service returned an error`.
+
+ > **Note:** If a response to a SAML inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta SAML inline hook process continues, and the user is created.
+ type: object
+ properties:
+ errorSummary:
+ description: A human-readable summary of the error
+ type: string
+ SAMLPayLoad:
type: object
properties:
- maxSessionIdleMinutes:
- type: integer
- maxSessionLifetimeMinutes:
- type: integer
- usePersistentCookie:
- type: boolean
- default: false
- OpenIdConnectApplication:
+ data:
+ type: object
+ properties:
+ context:
+ allOf:
+ - $ref: '#/components/schemas/BaseContext'
+ - type: object
+ properties:
+ protocol:
+ description: Details of the assertion protocol being used
+ type: object
+ properties:
+ type:
+ description: The type of authentication protocol being used for the assertion
+ type: string
+ example: SAML2.0
+ issuer:
+ type: object
+ properties:
+ id:
+ description: The unique identifier of the issuer that provided the SAML assertion
+ type: string
+ example: 0oath92zlO60urQOP0g3
+ name:
+ description: The name of the issuer that provided the SAML assertion
+ type: string
+ example: SAML 2.0 App
+ uri:
+ description: The base URI of the SAML endpoint that's used to assert the authorization
+ type: string
+ example: http://www.okta.com/exkth8lMzFm0HZOTU0g3
+ assertion:
+ description: Details of the SAML assertion that was generated
+ type: object
+ properties:
+ subject:
+ description: Provides a JSON representation of the `` element of the SAML assertion
+ type: object
+ properties:
+ nameId:
+ description: The unique identifier of the user
+ type: string
+ example: user@example.com
+ nameFormat:
+ description: Indicates how to interpret the attribute name
+ type: string
+ example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ confirmation:
+ type: object
+ properties:
+ method:
+ description: Used to indicate how the authorization server confirmed the SAML assertion
+ type: string
+ example: urn:oasis:names:tc:SAML:2.0:cm:bearer
+ data:
+ type: object
+ properties:
+ recipient:
+ description: The token endpoint URL of the authorization server
+ type: string
+ example: http://www.example.com:7070/saml/sso
+ authentication:
+ description: Provides a JSON representation of the `` element of the SAML assertion
+ type: object
+ properties:
+ sessionIndex:
+ description: The unique identifier describing the assertion statement
+ type: string
+ example: id1553800523546.312669168
+ authnContext:
+ description: Details of the authentication methods used for the SAML assertion
+ type: object
+ properties:
+ authnContextClassRef:
+ description: Describes the identity provider's supported authentication context classes
+ type: string
+ example: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ conditions:
+ description: Provides a JSON representation of the `` element of the SAML assertion
+ type: object
+ properties:
+ audienceRestriction:
+ description: Describes which service providers the assertion is valid for
+ type: array
+ items:
+ type: string
+ example:
+ - urn:example:sp
+ claims:
+ description: Provides a JSON representation of the `` element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's **SAML Settings**.
+ type: object
+ additionalProperties:
+ type: object
+ properties:
+ attributes:
+ type: object
+ properties:
+ NameFormat:
+ type: string
+ description: Indicates how to interpret the attribute name
+ attributeValues:
+ type: array
+ items:
+ type: object
+ properties:
+ attributes:
+ type: object
+ properties:
+ xsi:type:
+ type: string
+ description: Used to derive the type of the attribute
+ value:
+ type: string
+ description: The actual value of the attribute
+ lifetime:
+ description: Specifies the expiration time, in seconds, of the SAML assertion
+ type: object
+ properties:
+ expiration:
+ description: The expiration time in seconds
+ type: integer
+ example: 300
+ SAMLPayloadExecute:
+ description: SAML assertion inline hook request
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/SAMLPayLoad'
+ SafeBrowsingProtectionLevel:
+ description: Represents the current value of the Safe Browsing protection level
+ example: ENHANCED_PROTECTION
+ type: string
+ x-enumDescriptions:
+ NO_SAFE_BROWSING: Safe Browsing is never active
+ STANDARD_PROTECTION: Safe Browsing is active in the standard mode
+ ENHANCED_PROTECTION: Safe Browsing is active in the enhanced mode
+ x-okta-known-values:
+ - ENHANCED_PROTECTION
+ - NO_SAFE_BROWSING
+ - STANDARD_PROTECTION
+ SalesforceApplication:
+ title: Salesforce
+ x-tags:
+ - Application
x-okta-defined-as:
- name: oidc_client
+ name: salesforce
+ example:
+ name: salesforce
+ label: Sample Salesforce App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ instanceType: SANDBOX
+ integrationType: STANDARD
+ description: |
+ Schema for the Salesforce app (key name: `salesforce`)
+
+ To create a Salesforce app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Salesforce app only supports `BROWSER_PLUGIN`, `BOOKMARK`, and `SAML_2_0` sign-on modes.
allOf:
- - $ref: '#/components/schemas/Application'
+ - $ref: '#/components/schemas/OINApplication'
- type: object
- properties:
- credentials:
- $ref: '#/components/schemas/OAuthApplicationCredentials'
+ - required:
+ - name
+ - label
+ - settings
+ properties:
name:
type: string
- default: oidc_client
+ enum:
+ - salesforce
+ example: salesforce
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - BOOKMARK
+ - SAML_2_0
+ example: BROWSER_PLUGIN
settings:
- $ref: '#/components/schemas/OpenIdConnectApplicationSettings'
- OpenIdConnectApplicationConsentMethod:
- type: string
- x-okta-known-values:
- - REQUIRED
- - TRUSTED
- OpenIdConnectApplicationIdpInitiatedLogin:
- type: object
- properties:
- default_scope:
- type: array
- items:
- type: string
- mode:
- type: string
- OpenIdConnectApplicationIssuerMode:
- type: string
- x-okta-known-values:
- - CUSTOM_URL
- - DYNAMIC
- - ORG_URL
- OpenIdConnectApplicationSettings:
+ $ref: '#/components/schemas/SalesforceApplicationSettings'
+ SalesforceApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
- type: object
+ - required:
+ - app
properties:
- oauthClient:
- $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClient'
- OpenIdConnectApplicationSettingsClient:
+ app:
+ $ref: '#/components/schemas/SalesforceApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ SalesforceApplicationSettingsApplication:
+ description: Salesforce app instance properties
type: object
properties:
- application_type:
- $ref: '#/components/schemas/OpenIdConnectApplicationType'
- client_uri:
+ instanceType:
type: string
- consent_method:
- $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod'
- grant_types:
- type: array
- items:
- $ref: '#/components/schemas/OAuthGrantType'
- idp_initiated_login:
- $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin'
- initiate_login_uri:
+ description: Salesforce instance that you want to connect to
+ enum:
+ - SANDBOX
+ - PRODUCTION
+ - GOVERNMENT
+ integrationType:
type: string
- issuer_mode:
- $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode'
- jwks:
- $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys'
- logo_uri:
+ description: Salesforce integration type
+ enum:
+ - STANDARD
+ - PORTAL
+ - COMMUNITY
+ loginUrl:
type: string
- policy_uri:
+ description: The Login URL specified in your Salesforce Single Sign-On settings
+ logoutUrl:
type: string
- post_logout_redirect_uris:
- type: array
- items:
- type: string
- redirect_uris:
+ description: Salesforce Logout URL
+ required:
+ - integrationType
+ - instanceType
+ Saml:
+ description: SAML configuration details
+ type: object
+ properties:
+ acs:
type: array
+ minItems: 1
+ description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null `index` value. You can use the org-level variables you defined in the `config` array in the URL. For example: `https://${org.subdomain}.example.com/saml/login`'
items:
- type: string
- refresh_token:
- $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken'
- response_types:
+ type: object
+ properties:
+ index:
+ type: number
+ minimum: 0
+ maximum: 65535
+ description: Index of ACS URL. You can't reuse the same index in the ACS URL array.
+ example: 0
+ url:
+ type: string
+ format: uri
+ maxLength: 1024
+ description: Assertion Consumer Service (ACS) URL
+ example: https://${org.subdomain}.example.com/saml/login
+ claims:
type: array
+ description: Attribute statements to appear in the Okta SAML assertion
items:
- $ref: '#/components/schemas/OAuthResponseType'
- tos_uri:
+ type: object
+ properties:
+ name:
+ type: string
+ description: The attribute name
+ example: Address
+ values:
+ type: array
+ description: The Okta values inserted in the attribute statement
+ items:
+ type: string
+ example: ${user.homeAddress}
+ doc:
type: string
- wildcard_redirect:
+ format: uri
+ description: The URL to your customer-facing instructions for configuring your SAML integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines).
+ example: https://example.com/strawberry/help/samlSetup
+ entityId:
type: string
- OpenIdConnectApplicationSettingsClientKeys:
- type: object
- properties:
- keys:
+ description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL.
+ example: https://${org.subdomain}.example.com
+ groups:
type: array
+ description: Defines the group attribute names for the SAML assertion statement. Okta inserts the list of Okta user groups into the attribute names in the statement.
items:
- $ref: '#/components/schemas/JsonWebKey'
- OpenIdConnectApplicationSettingsRefreshToken:
- type: object
- properties:
- leeway:
- type: integer
- rotation_type:
- $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType'
- OpenIdConnectApplicationType:
- type: string
- x-okta-known-values:
- - browser
- - native
- - service
- - web
- OpenIdConnectRefreshTokenRotationType:
- type: string
- x-okta-known-values:
- - ROTATE
- - STATIC
- OperationalStatus:
- description: Operational status of a given agent
- type: string
- x-okta-known-values:
- - DEGRADED
- - DISRUPTED
- - INACTIVE
- - OPERATIONAL
- OrgContactType:
- type: string
- x-okta-known-values:
- - BILLING
- - TECHNICAL
- OrgContactTypeObj:
- type: object
- properties:
- contactType:
- $ref: '#/components/schemas/OrgContactType'
- _links:
- additionalProperties:
- type: object
- OrgContactUser:
+ type: string
+ description: A group attribute name in your SAML app
+ example: groups
+ required:
+ - acs
+ - entityId
+ - doc
+ Saml11Application:
+ allOf:
+ - $ref: '#/components/schemas/Application'
+ - type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/ApplicationCredentials'
+ name:
+ type: string
+ description: The key name for the SAML 1.1 app definition. You can't create a custom SAML 1.1 app integration instance. Only existing OIN SAML 1.1 app integrations are supported.
+ settings:
+ $ref: '#/components/schemas/Saml11ApplicationSettings'
+ required:
+ - name
+ Saml11ApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ app:
+ type: object
+ additionalProperties: true
+ signOn:
+ $ref: '#/components/schemas/Saml11ApplicationSettingsSignOn'
+ Saml11ApplicationSettingsSignOn:
+ title: SAML 1.1 settings
+ description: SAML 1.1 sign-on mode attributes
type: object
properties:
- userId:
+ audienceOverride:
type: string
- _links:
- additionalProperties:
- type: object
- readOnly: true
- type: object
- OrgOktaCommunicationSetting:
+ description: The intended audience of the SAML assertion. This is usually the Entity ID of your application.
+ defaultRelayState:
+ type: string
+ description: The URL of the resource to direct users after they successfully sign in to the SP using SAML. See the SP documentation to check if you need to specify a RelayState. In most instances, you can leave this field blank.
+ recipientOverride:
+ type: string
+ description: The location where the application can present the SAML assertion. This is usually the Single Sign-On (SSO) URL.
+ ssoAcsUrlOverride:
+ type: string
+ description: Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests.
+ SamlAcsEndpoint:
+ description: Okta's `SPSSODescriptor` endpoint where the IdP sends a `` message
type: object
properties:
- optOutEmailUsers:
- type: boolean
- readOnly: true
- _links:
- additionalProperties:
- type: object
- OrgOktaSupportSetting:
- type: string
- x-okta-known-values:
- - DISABLED
- - ENABLED
- OrgOktaSupportSettingsObj:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ type:
+ $ref: '#/components/schemas/SamlEndpointType'
+ SamlAlgorithms:
+ description: Settings for signing and verifying SAML messages
type: object
properties:
- expiration:
- format: date-time
- type: string
- readOnly: true
- support:
- $ref: '#/components/schemas/OrgOktaSupportSetting'
- _links:
- additionalProperties:
- type: object
- OrgPreferences:
+ request:
+ $ref: '#/components/schemas/SamlRequestAlgorithm'
+ response:
+ $ref: '#/components/schemas/SamlResponseAlgorithm'
+ SamlApplication:
+ allOf:
+ - $ref: '#/components/schemas/Application'
+ - type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/ApplicationCredentials'
+ name:
+ type: string
+ description: A unique key is generated for the custom app instance when you use SAML_2_0 `signOnMode`.
+ readOnly: true
+ settings:
+ $ref: '#/components/schemas/SamlApplicationSettings'
+ SamlApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ signOn:
+ $ref: '#/components/schemas/SamlApplicationSettingsSignOn'
+ SamlApplicationSettingsSignOn:
+ description: |-
+ SAML 2.0 sign-on attributes.
+ > **Note:** Set either `destinationOverride` or `ssoAcsUrl` to configure any other SAML 2.0 attributes in this section.
type: object
properties:
- showEndUserFooter:
+ acsEndpoints:
+ type: array
+ description: An array of ACS endpoints. You can configure a maximum of 100 endpoints.
+ items:
+ $ref: '#/components/schemas/AcsEndpoint'
+ allowMultipleAcsEndpoints:
+ description: Determines whether the app allows you to configure multiple ACS URIs
type: boolean
- readOnly: true
- _links:
- additionalProperties:
- type: object
- OrgSetting:
- type: object
- properties:
- address1:
- type: string
- address2:
+ assertionSigned:
+ type: boolean
+ description: Determines whether the SAML assertion is digitally signed
+ attributeStatements:
+ type: array
+ description: |
+ A list of custom attribute statements for the app's SAML assertion. See [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html).
+
+ There are two types of attribute statements:
+ | Type | Description |
+ | ---- | ----------- |
+ | EXPRESSION | Generic attribute statement that can be dynamic and supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) |
+ | GROUP | Group attribute statement |
+ items:
+ $ref: '#/components/schemas/SamlAttributeStatement'
+ audience:
type: string
- city:
+ description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP.
+ audienceOverride:
type: string
- companyName:
+ description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ authnContextClassRef:
type: string
- country:
+ description: Identifies the SAML authentication context class for the assertion's authentication statement
+ enum:
+ - urn:federation:authentication:windows
+ - oasis:names:tc:SAML:2.0:ac:classes:Kerberos
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:X509
+ x-enumDescriptions:
+ urn:federation:authentication:windows: Integrated Windows Authentication
+ oasis:names:tc:SAML:2.0:ac:classes:Kerberos: Kerberos
+ urn:oasis:names:tc:SAML:2.0:ac:classes:Password: Password
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport: PasswordProtectedTransport
+ urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient: TLS Client
+ urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified: Unspecified
+ urn:oasis:names:tc:SAML:2.0:ac:classes:X509: X509 Certificate
+ configuredAttributeStatements:
+ type: array
+ description: |
+ The list of dynamic attribute statements for the SAML assertion inherited from app metadata (apps from the OIN) during app creation.
+
+ There are two types of attribute statements: `EXPRESSION` and `GROUP`.
+ items:
+ $ref: '#/components/schemas/SamlAttributeStatement'
+ defaultRelayState:
type: string
- created:
- format: date-time
- readOnly: true
+ description: Identifies a specific application resource in an IdP-initiated SSO scenario
+ destination:
type: string
- endUserSupportHelpURL:
+ description: Identifies the location inside the SAML assertion where the SAML response should be sent
+ destinationOverride:
type: string
- expiresAt:
- format: date-time
- readOnly: true
+ description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ digestAlgorithm:
type: string
- id:
- readOnly: true
+ description: Determines the digest algorithm used to digitally sign the SAML assertion and response
+ enum:
+ - SHA1
+ - SHA256
+ honorForceAuthn:
+ type: boolean
+ description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true`
+ idpIssuer:
type: string
- lastUpdated:
- format: date-time
- readOnly: true
+ description: SAML Issuer ID
+ inlineHooks:
+ description: Associates the app with SAML inline hooks. See [the SAML assertion inline hook reference](https://developer.okta.com/docs/reference/saml-hook/).
+ items:
+ $ref: '#/components/schemas/SignOnInlineHook'
+ type: array
+ participateSlo:
+ $ref: '#/components/schemas/SloParticipate'
+ recipient:
+ description: The location where the app may present the SAML assertion
type: string
- phoneNumber:
+ recipientOverride:
type: string
- postalCode:
+ description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ requestCompressed:
+ type: boolean
+ description: Determines whether the SAML request is expected to be compressed
+ responseSigned:
+ type: boolean
+ description: |-
+ Determines whether the SAML authentication response message is digitally signed by the IdP
+ > **Note:** Either (or both) `responseSigned` or `assertionSigned` must be `TRUE`.
+ samlAssertionLifetimeSeconds:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: integer
+ description: Determines the SAML app session lifetimes with Okta
+ example: 3600
+ signatureAlgorithm:
type: string
- state:
+ description: Determines the signing algorithm used to digitally sign the SAML assertion and response
+ enum:
+ - RSA_SHA1
+ - RSA_SHA256
+ slo:
+ $ref: '#/components/schemas/SingleLogout'
+ spCertificate:
+ $ref: '#/components/schemas/SamlSpCertificate'
+ spIssuer:
type: string
- status:
- readOnly: true
+ description: The issuer ID for the Service Provider. This property appears when SLO is enabled.
+ ssoAcsUrl:
type: string
- subdomain:
- readOnly: true
+ description: Single Sign-On Assertion Consumer Service (ACS) URL
+ ssoAcsUrlOverride:
type: string
- supportPhoneNumber:
+ description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ subjectNameIdFormat:
type: string
- website:
+ description: 'Identifies the SAML processing rules. Supported values:'
+ enum:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+ x-enumDescriptions:
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Email Address
+ urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Persistent
+ urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Transient
+ urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: Unspecified
+ urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName: x509SubjectName
+ subjectNameIdTemplate:
type: string
- _links:
- additionalProperties:
- type: object
- PasswordCredential:
+ description: Template for app user's username when a user is assigned to the app
+ required:
+ - allowMultipleAcsEndpoints
+ - assertionSigned
+ - audience
+ - authnContextClassRef
+ - destination
+ - digestAlgorithm
+ - honorForceAuthn
+ - idpIssuer
+ - recipient
+ - requestCompressed
+ - responseSigned
+ - signatureAlgorithm
+ - ssoAcsUrl
+ - subjectNameIdFormat
+ - subjectNameIdTemplate
+ SamlAttributeStatement:
+ anyOf:
+ - $ref: '#/components/schemas/SamlAttributeStatementExpression'
+ - $ref: '#/components/schemas/SamlAttributeStatementGroup'
type: object
properties:
- hash:
- $ref: '#/components/schemas/PasswordCredentialHash'
- hook:
- $ref: '#/components/schemas/PasswordCredentialHook'
- value:
+ type:
type: string
- format: password
- PasswordCredentialHash:
+ description: The type of attribute statements object
+ enum:
+ - EXPRESSION
+ - GROUP
+ discriminator:
+ propertyName: type
+ mapping:
+ EXPRESSION: '#/components/schemas/SamlAttributeStatementExpression'
+ GROUP: '#/components/schemas/SamlAttributeStatementGroup'
+ SamlAttributeStatementExpression:
+ description: Generic `EXPRESSION` attribute statements
type: object
properties:
- algorithm:
- $ref: '#/components/schemas/PasswordCredentialHashAlgorithm'
- salt:
+ name:
type: string
- saltOrder:
+ description: The name of the attribute in your app. The attribute name must be unique across all user and group attribute statements.
+ example: attributeOne
+ namespace:
type: string
- value:
+ description: 'The name format of the attribute. Supported values:'
+ enum:
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ x-enumDescriptions:
+ urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic
+ urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference
+ urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified
+ example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ type:
type: string
- workFactor:
- type: integer
- PasswordCredentialHashAlgorithm:
- type: string
- x-okta-known-values:
- - BCRYPT
- - MD5
- - SHA-1
- - SHA-256
- - SHA-512
- PasswordCredentialHook:
+ description: The type of attribute statements object
+ example: EXPRESSION
+ values:
+ type: array
+ description: The attribute values (supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/))
+ items:
+ type: string
+ example: ValueOne
+ SamlAttributeStatementGroup:
+ description: '`GROUP` attribute statements'
type: object
properties:
+ filterType:
+ type: string
+ description: The operation to filter groups based on `filterValue`
+ enum:
+ - STARTS_WITH
+ - EQUALS
+ - CONTAINS
+ - REGEX
+ filterValue:
+ type: string
+ description: Filter the groups based on a specific value.
+ example: Team
+ name:
+ type: string
+ description: The name of the group attribute in your app. The attribute name must be unique across all user and group attribute statements.
+ namespace:
+ type: string
+ description: 'The name format of the group attribute. Supported values:'
+ enum:
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ x-enumDescriptions:
+ urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic
+ urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference
+ urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified
+ example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
type:
type: string
- PasswordDictionary:
- type: object
- properties:
- common:
- $ref: '#/components/schemas/PasswordDictionaryCommon'
- PasswordDictionaryCommon:
+ description: The type of attribute statements object
+ example: GROUP
+ SamlCredentials:
+ description: Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP
type: object
properties:
- exclude:
- type: boolean
- default: false
- PasswordExpirationPolicyRuleCondition:
+ signing:
+ $ref: '#/components/schemas/SamlSigningCredentials'
+ trust:
+ $ref: '#/components/schemas/SamlTrustCredentials'
+ SamlEndpointType:
+ description: Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata
+ default: INSTANCE
+ type: string
+ x-okta-known-values:
+ - INSTANCE
+ - ORG
+ SamlEndpoints:
+ description: SAML 2.0 HTTP binding settings for IdP and SP (Okta)
type: object
properties:
- number:
- type: integer
- unit:
- type: string
- PasswordPolicy:
- allOf:
- - $ref: '#/components/schemas/Policy'
- - type: object
- properties:
- conditions:
- $ref: '#/components/schemas/PasswordPolicyConditions'
- settings:
- $ref: '#/components/schemas/PasswordPolicySettings'
- PasswordPolicyAuthenticationProviderCondition:
+ acs:
+ $ref: '#/components/schemas/SamlAcsEndpoint'
+ sso:
+ $ref: '#/components/schemas/SamlSsoEndpoint'
+ SamlNameIdFormat:
+ description: SAML 2.0 Name Identifier formats
+ default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ type: string
+ x-okta-known-values:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ SamlRelayState:
+ description: Relay state settings for IdP
type: object
properties:
- include:
- type: array
- items:
- type: string
- provider:
- $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderType'
- PasswordPolicyAuthenticationProviderType:
+ format:
+ $ref: '#/components/schemas/SamlRelayStateFormat'
+ SamlRelayStateFormat:
+ description: The format used to generate the `relayState` in the SAML request. The `FROM_URL` format is used if this value is null.
type: string
x-okta-known-values:
- - ACTIVE_DIRECTORY
- - ANY
- - LDAP
- - OKTA
- PasswordPolicyConditions:
- allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- - type: object
- properties:
- authProvider:
- $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition'
- people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
- PasswordPolicyDelegationSettings:
+ - FROM_URL
+ - OPAQUE
+ SamlRequestAlgorithm:
+ description: Algorithm settings used to secure an `` message
type: object
properties:
- options:
- $ref: '#/components/schemas/PasswordPolicyDelegationSettingsOptions'
- PasswordPolicyDelegationSettingsOptions:
+ signature:
+ $ref: '#/components/schemas/SamlRequestSignatureAlgorithm'
+ SamlRequestSignatureAlgorithm:
+ description: |-
+ XML digital Signature Algorithm settings for signing `` messages sent to the IdP
+ > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`).
type: object
properties:
- skipUnlock:
- type: boolean
- PasswordPolicyPasswordSettings:
+ algorithm:
+ $ref: '#/components/schemas/SamlSigningAlgorithm'
+ scope:
+ $ref: '#/components/schemas/ProtocolAlgorithmRequestScope'
+ SamlResponseAlgorithm:
+ description: Algorithm settings for verifying `` messages and `` elements from the IdP
type: object
properties:
- age:
- $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge'
- complexity:
- $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity'
- lockout:
- $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout'
- PasswordPolicyPasswordSettingsAge:
+ signature:
+ $ref: '#/components/schemas/SamlResponseSignatureAlgorithm'
+ SamlResponseSignatureAlgorithm:
+ description: XML digital Signature Algorithm settings for verifying `` messages and `` elements from the IdP
type: object
properties:
- expireWarnDays:
- type: integer
- historyCount:
- type: integer
- maxAgeDays:
- type: integer
- minAgeMinutes:
- type: integer
- PasswordPolicyPasswordSettingsComplexity:
+ algorithm:
+ $ref: '#/components/schemas/SamlSigningAlgorithm'
+ scope:
+ $ref: '#/components/schemas/ProtocolAlgorithmResponseScope'
+ SamlSettings:
+ description: Advanced settings for the SAML 2.0 protocol
type: object
properties:
- dictionary:
- $ref: '#/components/schemas/PasswordDictionary'
- excludeAttributes:
- type: array
- items:
- type: string
- excludeUsername:
+ honorPersistentNameId:
type: boolean
+ description: Determines if the IdP should persist account linking when the incoming assertion NameID format is `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
default: true
- minLength:
- type: integer
- minLowerCase:
- type: integer
- minNumber:
- type: integer
- minSymbol:
- type: integer
- minUpperCase:
- type: integer
- PasswordPolicyPasswordSettingsLockout:
+ nameFormat:
+ $ref: '#/components/schemas/SamlNameIdFormat'
+ SamlSigningAlgorithm:
+ example: SHA-256
+ type: string
+ x-okta-known-values:
+ - SHA-1
+ - SHA-256
+ SamlSigningCredentials:
+ description: Key used for signing requests to the IdP
type: object
properties:
- autoUnlockMinutes:
- type: integer
- maxAttempts:
- type: integer
- showLockoutFailures:
- type: boolean
- userLockoutNotificationChannels:
+ kid:
+ $ref: '#/components/schemas/ProtocolCredentialsKeyId'
+ SamlSpCertificate:
+ description: The certificate that Okta uses to validate Single Logout (SLO) requests and responses
+ type: object
+ properties:
+ x5c:
type: array
+ description: A list that contains exactly one x509 encoded certificate
items:
type: string
- PasswordPolicyRecoveryEmail:
- type: object
- properties:
- properties:
- $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties'
- status:
- $ref: '#/components/schemas/LifecycleStatus'
- PasswordPolicyRecoveryEmailProperties:
- type: object
- properties:
- recoveryToken:
- $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken'
- PasswordPolicyRecoveryEmailRecoveryToken:
- type: object
- properties:
- tokenLifetimeMinutes:
- type: integer
- PasswordPolicyRecoveryFactorSettings:
- type: object
- properties:
- status:
- $ref: '#/components/schemas/LifecycleStatus'
- PasswordPolicyRecoveryFactors:
+ SamlSsoEndpoint:
+ description: IdP's `SingleSignOnService` endpoint where Okta sends an `` message
type: object
properties:
- okta_call:
- $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings'
- okta_email:
- $ref: '#/components/schemas/PasswordPolicyRecoveryEmail'
- okta_sms:
- $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings'
- recovery_question:
- $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion'
- PasswordPolicyRecoveryQuestion:
- type: object
- properties:
- properties:
- $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties'
- status:
- $ref: '#/components/schemas/LifecycleStatus'
- PasswordPolicyRecoveryQuestionComplexity:
- type: object
- properties:
- minLength:
- type: integer
- readOnly: true
- PasswordPolicyRecoveryQuestionProperties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ destination:
+ type: string
+ description: |-
+ URI reference that indicates the address to which the `` message is sent.
+ The `destination` property is required if request signatures are specified. See [SAML 2.0 Request Algorithm object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request).
+ maxLength: 512
+ example: https://idp.example.com/saml2/sso
+ url:
+ type: string
+ description: |-
+ URL of the binding-specific endpoint to send an `` message to the IdP.
+ The value of `url` defaults to the same value as the `sso` endpoint if omitted during creation of a new IdP instance.
+ The `url` should be the same value as the `Location` attribute for a published binding in the IdP's SAML Metadata `IDPSSODescriptor`.
+ maxLength: 1014
+ example: https://idp.example.com/saml2/sso
+ SamlTrustCredentials:
+ description: Federation Trust Credentials for verifying assertions from the IdP
type: object
- properties:
- complexity:
- $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity'
- PasswordPolicyRecoverySettings:
+ properties:
+ audience:
+ type: string
+ description: URI that identifies the target Okta IdP instance (SP) for an ``
+ maxLength: 1024
+ example: https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL
+ issuer:
+ type: string
+ description: URI that identifies the issuer (IdP) of a `` message `` element
+ maxLength: 1024
+ example: urn:example:idp
+ kid:
+ $ref: '#/components/schemas/ProtocolCredentialsKeyId'
+ ScheduledUserLifecycleAction:
type: object
properties:
- factors:
- $ref: '#/components/schemas/PasswordPolicyRecoveryFactors'
- PasswordPolicyRule:
+ status:
+ $ref: '#/components/schemas/PolicyUserStatus'
+ SchemeApplicationCredentials:
allOf:
- - $ref: '#/components/schemas/PolicyRule'
+ - $ref: '#/components/schemas/ApplicationCredentials'
- type: object
properties:
- actions:
- $ref: '#/components/schemas/PasswordPolicyRuleActions'
- conditions:
- $ref: '#/components/schemas/PasswordPolicyRuleConditions'
- PasswordPolicyRuleAction:
+ password:
+ $ref: '#/components/schemas/PasswordCredential'
+ revealPassword:
+ type: boolean
+ description: Allow users to securely see their password
+ scheme:
+ $ref: '#/components/schemas/ApplicationCredentialsScheme'
+ signing:
+ $ref: '#/components/schemas/ApplicationCredentialsSigning'
+ userName:
+ type: string
+ description: Shared username for the app
+ minLength: 1
+ maxLength: 100
+ Scope:
+ type: string
+ ScopeResourceHrefObject:
type: object
properties:
- access:
- $ref: '#/components/schemas/PolicyAccess'
- PasswordPolicyRuleActions:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X
+ title:
+ type: string
+ description: Link name
+ example: My phone
+ ScreenLockComplexity:
+ description: |
+ Indicates whether a device has a screen lock set, and the type or complexity of the screen lock
+
+ **Note:** This option requires a `screenLockType.include` value.
+ type: string
+ x-enumDescriptions:
+ LOW: A pattern or PIN is set
+ MEDIUM: A complex PIN, or alphabetic or alphanumeric screen lock with at least 4 digits is set
+ HIGH: A complex 8-digit PIN, or 6-character alphabetic or alphanumeric screen lock is set
+ x-okta-known-values:
+ - HIGH
+ - LOW
+ - MEDIUM
+ ScreenLockType:
+ type: string
+ x-okta-known-values:
+ - BIOMETRIC
+ - NONE
+ - PASSCODE
+ SecurePasswordStoreApplication:
+ x-okta-defined-as:
+ name: template_sps
allOf:
- - $ref: '#/components/schemas/PolicyRuleActions'
+ - $ref: '#/components/schemas/Application'
- type: object
properties:
- passwordChange:
- $ref: '#/components/schemas/PasswordPolicyRuleAction'
- selfServicePasswordReset:
- $ref: '#/components/schemas/PasswordPolicyRuleAction'
- selfServiceUnlock:
- $ref: '#/components/schemas/PasswordPolicyRuleAction'
- PasswordPolicyRuleConditions:
+ credentials:
+ $ref: '#/components/schemas/SchemeApplicationCredentials'
+ name:
+ type: string
+ description: '`template_sps` is the key name for a SWA app instance that uses HTTP POST and doesn''t require a browser plugin'
+ enum:
+ - template_sps
+ settings:
+ $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings'
+ required:
+ - name
+ - settings
+ SecurePasswordStoreApplicationSettings:
allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
+ - $ref: '#/components/schemas/ApplicationSettings'
- type: object
properties:
- network:
- $ref: '#/components/schemas/PolicyNetworkCondition'
- people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
- PasswordPolicySettings:
+ app:
+ $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication'
+ SecurePasswordStoreApplicationSettingsApplication:
type: object
properties:
- delegation:
- $ref: '#/components/schemas/PasswordPolicyDelegationSettings'
- password:
- $ref: '#/components/schemas/PasswordPolicyPasswordSettings'
- recovery:
- $ref: '#/components/schemas/PasswordPolicyRecoverySettings'
- PasswordSettingObject:
+ optionalField1:
+ type: string
+ description: Name of the optional parameter in the sign-in form
+ optionalField1Value:
+ type: string
+ description: Name of the optional value in the sign-in form
+ optionalField2:
+ type: string
+ description: Name of the optional parameter in the sign-in form
+ optionalField2Value:
+ type: string
+ description: Name of the optional value in the sign-in form
+ optionalField3:
+ type: string
+ description: Name of the optional parameter in the sign-in form
+ optionalField3Value:
+ type: string
+ description: Name of the optional value in the sign-in form
+ passwordField:
+ type: string
+ description: CSS selector for the **Password** field in the sign-in form
+ url:
+ type: string
+ description: The URL of the sign-in page for this app
+ usernameField:
+ type: string
+ description: CSS selector for the **Username** field in the sign-in form
+ required:
+ - passwordField
+ - url
+ - usernameField
+ SecurityEvent:
type: object
properties:
- change:
- $ref: '#/components/schemas/ChangeEnum'
- seed:
- $ref: '#/components/schemas/SeedEnum'
- status:
- $ref: '#/components/schemas/EnabledStatus'
- Platform:
- type: string
- x-okta-known-values:
- - ANDROID
- - IOS
- - MACOS
- - WINDOWS
- PlatformConditionEvaluatorPlatform:
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ SecurityEventReason:
type: object
properties:
- os:
- $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem'
- type:
- $ref: '#/components/schemas/PolicyPlatformType'
- PlatformConditionEvaluatorPlatformOperatingSystem:
+ en:
+ type: string
+ description: The event reason in English
+ example: Event message example
+ required:
+ - en
+ SecurityEventSubject:
+ description: The event subjects
+ properties:
+ device:
+ type: object
+ description: The device involved with the event
+ tenant:
+ type: object
+ description: The tenant involved with the event
+ user:
+ type: object
+ description: The user involved with the event
+ SecurityEventTokenError:
+ title: Security Event Token Error
+ description: Error object thrown when parsing the Security Event Token
type: object
properties:
- expression:
+ description:
type: string
- type:
- $ref: '#/components/schemas/PolicyPlatformOperatingSystemType'
- version:
- $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion'
- PlatformConditionEvaluatorPlatformOperatingSystemVersion:
+ description: |
+ Describes the error
+ > **Note:** SET claim fields with underscores (snake case) are presented in camelcase. For example, `previous_status` appears as `previousStatus`.
+ example: 'Failed claim validation in security event token. ''events.mediationDeviceComplianceChangeEvent.previousStatus'': The field cannot be left blank'
+ err:
+ type: string
+ description: A code that describes the category of the error
+ example: invalid_request
+ enum:
+ - authentication_failed
+ - invalid_audience
+ - invalid_issuer
+ - invalid_key
+ - invalid_request
+ SecurityEventTokenRequestJwtBody:
+ title: Security Event Token JWT body payload
+ x-tags:
+ - SSFSecurityEventToken
+ description: JSON Web Token body payload for a Security Event Token
type: object
properties:
- matchType:
- $ref: '#/components/schemas/PlatformConditionOperatingSystemVersionMatchType'
- value:
+ aud:
type: string
- PlatformConditionOperatingSystemVersionMatchType:
- type: string
- x-okta-known-values:
- - EXPRESSION
- - SEMVER
- PlatformPolicyRuleCondition:
+ description: Audience
+ example: https://receiverexample.okta.com/
+ events:
+ $ref: '#/components/schemas/SecurityEventTokenRequestJwtEvents'
+ iat:
+ type: integer
+ format: int64
+ description: Token issue time (UNIX timestamp)
+ example: 1702448550
+ iss:
+ type: string
+ description: Token issuer
+ example: https://transmitter.example.com
+ jti:
+ type: string
+ description: Token ID
+ example: 24c63fb56f ... a9fa24
+ required:
+ - iss
+ - aud
+ - jti
+ - iat
+ - events
+ SecurityEventTokenRequestJwtEvents:
+ description: A non-empty collection of events
type: object
properties:
- exclude:
- type: array
- items:
- $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform'
- include:
- type: array
- items:
- $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform'
- Policy:
+ https://schemas.okta.com/secevent/okta/event-type/device-risk-change:
+ $ref: '#/components/schemas/OktaDeviceRiskChangeEvent'
+ https://schemas.okta.com/secevent/okta/event-type/ip-change:
+ $ref: '#/components/schemas/OktaIpChangeEvent'
+ https://schemas.okta.com/secevent/okta/event-type/user-risk-change:
+ $ref: '#/components/schemas/OktaUserRiskChangeEvent'
+ https://schemas.openid.net/secevent/caep/event-type/device-compliance-change:
+ $ref: '#/components/schemas/CaepDeviceComplianceChangeEvent'
+ https://schemas.openid.net/secevent/caep/event-type/session-revoked:
+ $ref: '#/components/schemas/CaepSessionRevokedEvent'
+ https://schemas.openid.net/secevent/risc/event-type/identifier-changed:
+ $ref: '#/components/schemas/RiscIdentifierChangedEvent'
+ SecurityEventTokenRequestJwtHeader:
+ title: Security Event Token JWT header
+ x-tags:
+ - SSFSecurityEventToken
+ description: JSON Web Token header for a Security Event Token
type: object
properties:
- created:
+ alg:
type: string
- format: date-time
- readOnly: true
- description:
+ description: Algorithm used to sign or encrypt the JWT
+ example: RS256
+ kid:
type: string
- id:
+ description: Key ID used to sign or encrypt the JWT
+ typ:
type: string
- readOnly: true
- lastUpdated:
+ description: The type of content being signed or encrypted
+ example: secevent+jwt
+ required:
+ - kid
+ - typ
+ - alg
+ SecurityEventsProviderRequest:
+ title: Security Events Provider Request
+ description: The request schema for creating or updating a Security Events Provider. The `settings` must match one of the schemas.
+ type: object
+ properties:
+ name:
+ description: The name of the Security Events Provider instance
+ type: string
+ maxLength: 100
+ example: Target SSF Provider
+ settings:
+ type: object
+ description: Information about the Security Events Provider for signal ingestion
+ oneOf:
+ - $ref: '#/components/schemas/SecurityEventsProviderSettingsSSFCompliant'
+ - $ref: '#/components/schemas/SecurityEventsProviderSettingsNonSSFCompliant'
+ type:
+ description: The application type of the Security Events Provider
+ maxLength: 255
+ type: string
+ example: okta
+ required:
+ - name
+ - settings
+ - type
+ SecurityEventsProviderResponse:
+ title: Security Events Provider Response
+ description: The Security Events Provider response
+ type: object
+ properties:
+ id:
+ description: The unique identifier of this instance
type: string
- format: date-time
readOnly: true
+ example: sse1qg25RpusjUP6m0g5
name:
+ description: The name of the Security Events Provider instance
type: string
- priority:
- type: integer
+ maxLength: 100
+ example: Target SSF Provider
+ settings:
+ description: Information about the Security Events Provider for signal ingestion
+ $ref: '#/components/schemas/SecurityEventsProviderSettingsResponse'
status:
- $ref: '#/components/schemas/LifecycleStatus'
- system:
- type: boolean
- type:
- $ref: '#/components/schemas/PolicyType'
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
+ description: Indicates whether the Security Events Provider is active or not
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
readOnly: true
+ type:
+ description: The application type of the Security Events Provider
+ maxLength: 255
+ type: string
+ example: okta
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- discriminator:
- propertyName: type
- mapping:
- ACCESS_POLICY: '#/components/schemas/AccessPolicy'
- IDP_DISCOVERY: '#/components/schemas/IdentityProviderPolicy'
- MFA_ENROLL: '#/components/schemas/MultifactorEnrollmentPolicy'
- OAUTH_AUTHORIZATION_POLICY: '#/components/schemas/AuthorizationServerPolicy'
- OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy'
- PASSWORD: '#/components/schemas/PasswordPolicy'
- PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy'
- PolicyAccess:
- type: string
- x-okta-known-values:
- - ALLOW
- - DENY
- PolicyAccountLink:
- type: object
- properties:
- action:
- $ref: '#/components/schemas/PolicyAccountLinkAction'
- filter:
- $ref: '#/components/schemas/PolicyAccountLinkFilter'
- PolicyAccountLinkAction:
- type: string
- x-okta-known-values:
- - AUTO
- - DISABLED
- PolicyAccountLinkFilter:
+ $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ SecurityEventsProviderSettingsNonSSFCompliant:
+ title: Provider with issuer and JWKS settings
+ description: Security Events Provider with issuer and JWKS settings for signal ingestion
type: object
properties:
- groups:
- $ref: '#/components/schemas/PolicyAccountLinkFilterGroups'
- PolicyAccountLinkFilterGroups:
+ issuer:
+ type: string
+ description: Issuer URL
+ maxLength: 700
+ example: example.okta.com
+ jwks_url:
+ type: string
+ format: url
+ description: The public URL where the JWKS public key is uploaded
+ maxLength: 1000
+ example: https://example.okta.com/oauth2/v1/keys
+ required:
+ - jwks_url
+ - issuer
+ SecurityEventsProviderSettingsResponse:
+ title: Security Events Provider settings
+ description: Security Events Provider settings
type: object
properties:
- include:
- type: array
- items:
- type: string
- PolicyNetworkCondition:
+ issuer:
+ type: string
+ description: Issuer URL
+ maxLength: 700
+ example: example.okta.com
+ jwks_url:
+ type: string
+ format: url
+ description: The public URL where the JWKS public key is uploaded
+ maxLength: 1000
+ example: https://example.okta.com/oauth2/v1/keys
+ well_known_url:
+ type: string
+ format: url
+ description: The well-known URL of the Security Events Provider (the SSF transmitter)
+ nullable: true
+ maxLength: 1000
+ example: https://example.okta.com/.well-known/ssf-configuration
+ SecurityEventsProviderSettingsSSFCompliant:
+ title: Provider with well-known URL setting
+ description: Security Events Provider with well-known URL setting
type: object
properties:
- connection:
- $ref: '#/components/schemas/PolicyNetworkConnection'
- exclude:
- type: array
- items:
- type: string
- include:
- type: array
- items:
- type: string
- PolicyNetworkConnection:
+ well_known_url:
+ type: string
+ format: url
+ description: The published well-known URL of the Security Events Provider (the SSF transmitter)
+ maxLength: 1000
+ example: https://example.okta.com/.well-known/ssf-configuration
+ required:
+ - well_known_url
+ SeedEnum:
+ description: Determines whether the generated password is the user's Okta password or a randomly generated password
+ default: RANDOM
+ example: OKTA
type: string
x-okta-known-values:
- - ANYWHERE
- - ZONE
- PolicyPeopleCondition:
+ - OKTA
+ - RANDOM
+ SelfServicePasswordResetAction:
+ description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset
type: object
properties:
- groups:
- $ref: '#/components/schemas/GroupCondition'
- users:
- $ref: '#/components/schemas/UserCondition'
- PolicyPlatformOperatingSystemType:
- type: string
- x-okta-known-values:
- - ANDROID
- - ANY
- - IOS
- - OSX
- - OTHER
- - WINDOWS
- PolicyPlatformType:
- type: string
- x-okta-known-values:
- - ANY
- - DESKTOP
- - MOBILE
- - OTHER
- PolicyRule:
+ access:
+ $ref: '#/components/schemas/PolicyAccess'
+ requirement:
+ $ref: '#/components/schemas/SsprRequirement'
+ type:
+ type: string
+ description: The type of rule action
+ enum:
+ - selfServicePasswordReset
+ Session:
type: object
properties:
- created:
+ amr:
+ type: array
+ readOnly: true
+ description: Authentication method reference
+ items:
+ $ref: '#/components/schemas/SessionAuthenticationMethod'
+ createdAt:
+ type: string
+ format: date-time
+ readOnly: true
+ expiresAt:
type: string
format: date-time
readOnly: true
+ description: A timestamp when the Session expires
id:
type: string
- lastUpdated:
+ readOnly: true
+ description: A unique key for the Session
+ idp:
+ $ref: '#/components/schemas/SessionIdentityProvider'
+ lastFactorVerification:
type: string
format: date-time
readOnly: true
- name:
+ description: A timestamp when the user last performed multifactor authentication
+ lastPasswordVerification:
type: string
- priority:
- type: integer
+ format: date-time
+ readOnly: true
+ description: A timestamp when the user last performed the primary or step-up authentication with a password
+ login:
+ type: string
+ readOnly: true
+ description: A unique identifier for the user (username)
status:
- $ref: '#/components/schemas/LifecycleStatus'
- system:
- type: boolean
- default: false
- type:
- $ref: '#/components/schemas/PolicyRuleType'
- discriminator:
- propertyName: type
- mapping:
- ACCESS_POLICY: '#/components/schemas/AccessPolicyRule'
- PASSWORD: '#/components/schemas/PasswordPolicyRule'
- PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule'
- RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule'
- SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule'
- PolicyRuleActions:
- type: object
- properties:
- enroll:
- $ref: '#/components/schemas/PolicyRuleActionsEnroll'
- idp:
- $ref: '#/components/schemas/IdpPolicyRuleAction'
- passwordChange:
- $ref: '#/components/schemas/PasswordPolicyRuleAction'
- selfServicePasswordReset:
- $ref: '#/components/schemas/PasswordPolicyRuleAction'
- selfServiceUnlock:
- $ref: '#/components/schemas/PasswordPolicyRuleAction'
- signon:
- $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions'
- PolicyRuleActionsEnroll:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/PolicyRuleActionsEnrollSelf'
- PolicyRuleActionsEnrollSelf:
+ $ref: '#/components/schemas/SessionStatus'
+ description: Current Session status
+ userId:
+ type: string
+ readOnly: true
+ description: A unique key for the user
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ SessionAuthenticationMethod:
type: string
+ x-enumDescriptions:
+ pwd: Password authentication. **Inline hook value:** `PASSWORD` **Example:** Standard password-based sign-in
+ swk: Proof-of-possession (PoP) of a software key. **Inline hook value:** `POP_SOFTWARE_KEY` **Example:** Okta Verify with Push
+ hwk: Proof-of-possession (PoP) of a hardware key. **Inline hook value:** `POP_HARDWARE_KEY` **Example:** Yubikey factor
+ opt: One-time password. **Inline hook value:** `ONE_TIME_PASSWORD`. **Example:** Okta Verify, Google Authenticator
+ sms: SMS text message to the user at a registered number. **Inline hook value:** `SMS_MESSAGE`. **Example:** SMS factor
+ tel: Telephone call to the user at a registered number. **Inline hook value:** `TELEPHONE_CALL`. **Example:** Phone call factor
+ geo: Use of geo-location information. **Inline hook value:** `GEOLOCATION`. **Example:** IP Trust and Network Zone policy conditions
+ fpt: Fingerprint biometric authentication. **Inline hook value:** `BIO_FINGERPRINT`. **Example:** Okta Verify with Touch ID
+ kba: Knowledge-based authentication. **Inline hook value:** `KNOWLEDGE_BASED_AUTHENTICATION`. **Example:** Security Question factor
+ mfa: Multifactor authentication. **Inline hook value:** `MULTIFACTOR_AUTHENTICATION`. **Example:** This value is present whenever any MFA factor verification is performed.
+ mca: Multiple-channel authentication. **Inline hook value:** `MULTIPLE_CHANNEL_AUTHENTICATION`. **Example:** Authentication requires communication over more than one channel, such as Internet and mobile network
+ sc: Smart card authentication. **Inline hook value:** `SMART_CARD. **Example:** User authenticated using a smart card, such as a Personal Identity Verification (PIV) card or Common Access Card (CAC)
x-okta-known-values:
- - CHALLENGE
- - LOGIN
- - NEVER
- PolicyRuleAuthContextCondition:
+ - fpt
+ - geo
+ - hwk
+ - kba
+ - mca
+ - mfa
+ - otp
+ - pwd
+ - sc
+ - sms
+ - swk
+ - tel
+ SessionIdentityProvider:
type: object
properties:
- authType:
- $ref: '#/components/schemas/PolicyRuleAuthContextType'
- PolicyRuleAuthContextType:
+ id:
+ type: string
+ readOnly: true
+ description: Identity Provider ID. If the `type` is `OKTA`, then the `id` is the org ID.
+ type:
+ $ref: '#/components/schemas/SessionIdentityProviderType'
+ SessionIdentityProviderType:
type: string
x-okta-known-values:
- - ANY
- - RADIUS
- PolicyRuleConditions:
- type: object
- properties:
- app:
- $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition'
- apps:
- $ref: '#/components/schemas/AppInstancePolicyRuleCondition'
- authContext:
- $ref: '#/components/schemas/PolicyRuleAuthContextCondition'
- authProvider:
- $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition'
- beforeScheduledAction:
- $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition'
- clients:
- $ref: '#/components/schemas/ClientPolicyCondition'
- context:
- $ref: '#/components/schemas/ContextPolicyRuleCondition'
- device:
- $ref: '#/components/schemas/DevicePolicyRuleCondition'
- grantTypes:
- $ref: '#/components/schemas/GrantTypePolicyRuleCondition'
- groups:
- $ref: '#/components/schemas/GroupPolicyRuleCondition'
- identityProvider:
- $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition'
- mdmEnrollment:
- $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition'
- network:
- $ref: '#/components/schemas/PolicyNetworkCondition'
- people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
- platform:
- $ref: '#/components/schemas/PlatformPolicyRuleCondition'
- risk:
- $ref: '#/components/schemas/RiskPolicyRuleCondition'
- riskScore:
- $ref: '#/components/schemas/RiskScorePolicyRuleCondition'
- scopes:
- $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition'
- userIdentifier:
- $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition'
- users:
- $ref: '#/components/schemas/UserPolicyRuleCondition'
- userStatus:
- $ref: '#/components/schemas/UserStatusPolicyRuleCondition'
- PolicyRuleType:
+ - ACTIVE_DIRECTORY
+ - FEDERATION
+ - LDAP
+ - OKTA
+ - SOCIAL
+ SessionStatus:
type: string
+ x-enumDescriptions:
+ ACTIVE: The Session is established and fully validated.
+ MFA_REQUIRED: The Session is established, but requires second factor verification.
+ MFA_ENROLL: The Session is established, but the user needs to enroll a second factor.
x-okta-known-values:
- - ACCESS_POLICY
- - IDP_DISCOVERY
+ - ACTIVE
- MFA_ENROLL
- - PASSWORD
- - PROFILE_ENROLLMENT
- - RESOURCE_ACCESS
- - SIGN_ON
- PolicySubject:
- type: object
- properties:
- filter:
- type: string
- format:
- type: array
- items:
- type: string
- matchAttribute:
- type: string
- matchType:
- $ref: '#/components/schemas/PolicySubjectMatchType'
- userNameTemplate:
- $ref: '#/components/schemas/PolicyUserNameTemplate'
- PolicySubjectMatchType:
+ - MFA_REQUIRED
+ ShowSignInWithOV:
+ description: Controls whether to show the Sign in with Okta Verify button on the Sign-In Widget
+ type: string
+ x-okta-known-values:
+ - ALWAYS
+ - NEVER
+ SignInPage:
+ allOf:
+ - $ref: '#/components/schemas/CustomizablePage'
+ - type: object
+ properties:
+ contentSecurityPolicySetting:
+ $ref: '#/components/schemas/ContentSecurityPolicySetting'
+ widgetCustomizations:
+ type: object
+ properties:
+ signInLabel:
+ type: string
+ description: The label for the sign in widget
+ usernameLabel:
+ type: string
+ description: The label for the username field
+ usernameInfoTip:
+ type: string
+ description: The label for the username information tip
+ passwordLabel:
+ type: string
+ description: The label for the password field
+ passwordInfoTip:
+ type: string
+ description: The label for the password information tip
+ showPasswordVisibilityToggle:
+ type: boolean
+ description: Allows users to see their passwords as they type
+ showUserIdentifier:
+ type: boolean
+ description: Allows the user's identifier to appear on authentication and enrollment pages
+ forgotPasswordLabel:
+ type: string
+ description: The label for the forgot password page
+ forgotPasswordUrl:
+ type: string
+ description: The forgot password URL
+ unlockAccountLabel:
+ type: string
+ description: The label for the unlock account link
+ unlockAccountUrl:
+ type: string
+ description: The unlock account URL
+ helpLabel:
+ type: string
+ description: The label for the help link
+ helpUrl:
+ type: string
+ description: The help link URL
+ customLink1Label:
+ type: string
+ description: The label for the first custom link
+ customLink1Url:
+ type: string
+ description: The URL for the first custom link
+ customLink2Label:
+ type: string
+ description: The label for the second custom link
+ customLink2Url:
+ type: string
+ description: The URL for the second custom link
+ authenticatorPageCustomLinkLabel:
+ type: string
+ description: The label for the authenticator page custom link
+ authenticatorPageCustomLinkUrl:
+ type: string
+ description: The URL for the authenticator page custom link
+ classicRecoveryFlowEmailOrUsernameLabel:
+ type: string
+ description: The label for the username field in the classic recovery flow
+ widgetGeneration:
+ $ref: '#/components/schemas/WidgetGeneration'
+ widgetVersion:
+ $ref: '#/components/schemas/Version'
+ SignInPageTouchPointVariant:
+ description: |
+ Variant for the Okta sign-in page. You can publish a theme for sign-in page with different combinations of assets. Variants are preset combinations of those assets.
+ > **Note:** For a non-`OKTA_DEFAULT` variant, `primaryColorHex` is used for button background color and `primaryColorContrastHex` is used to optimize the opacity for button text.
type: string
+ x-enumDescriptions:
+ BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme
+ BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the Okta sign-in page.
+ OKTA_DEFAULT: Uses the Okta logo and favicon with no background image. Uses the Okta colors on the Okta sign-in page.
x-okta-known-values:
- - CUSTOM_ATTRIBUTE
- - EMAIL
- - USERNAME
- - USERNAME_OR_EMAIL
- PolicyType:
+ - BACKGROUND_IMAGE
+ - BACKGROUND_SECONDARY_COLOR
+ - OKTA_DEFAULT
+ SignOnInlineHook:
+ properties:
+ id:
+ type: string
+ readOnly: false
+ SigningAlgorithm:
type: string
x-okta-known-values:
- - ACCESS_POLICY
- - IDP_DISCOVERY
- - MFA_ENROLL
- - OAUTH_AUTHORIZATION_POLICY
- - OKTA_SIGN_ON
- - PASSWORD
- - PROFILE_ENROLLMENT
- PolicyUserNameTemplate:
+ - ES256
+ - ES384
+ - ES512
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ SimulatePolicyBody:
+ description: The request body required for a simulate policy operation
type: object
properties:
- template:
+ appInstance:
type: string
- PolicyUserStatus:
- type: string
- x-okta-known-values:
- - ACTIVATING
- - ACTIVE
- - DELETED
- - DELETING
- - EXPIRED_PASSWORD
- - INACTIVE
- - PENDING
- - SUSPENDED
- PossessionConstraint:
- allOf:
- - $ref: '#/components/schemas/AccessPolicyConstraint'
- - type: object
+ description: The application instance ID for a simulate operation
+ policyContext:
+ $ref: '#/components/schemas/PolicyContext'
+ policyTypes:
+ type: array
+ description: Supported policy types for a simulate operation. The default value, `null`, returns all types.
+ items:
+ $ref: '#/components/schemas/PolicyTypeSimulation'
+ required:
+ - appInstance
+ SimulatePolicyEvaluations:
+ type: object
+ properties:
+ evaluated:
+ type: object
+ description: A list of evaluated but not matched policies and rules
properties:
- deviceBound:
- type: string
- hardwareProtection:
- type: string
- phishingResistant:
- type: string
- userPresence:
- type: string
- PreRegistrationInlineHook:
+ policies:
+ $ref: '#/components/schemas/SimulateResultPolicies'
+ policyType:
+ type: array
+ description: The policy type of the simulate operation
+ items:
+ $ref: '#/components/schemas/PolicyTypeSimulation'
+ result:
+ $ref: '#/components/schemas/SimulatePolicyResult'
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ undefined:
+ type: object
+ description: A list of undefined but not matched policies and rules
+ properties:
+ policies:
+ $ref: '#/components/schemas/SimulateResultPolicies'
+ SimulatePolicyResponse:
+ description: The response body returned for a simulate policy operation. An array of `evaluations`.
+ items:
+ $ref: '#/components/schemas/SimulatePolicyEvaluations'
+ type: array
+ SimulatePolicyResult:
+ description: The result of the policy evaluation
type: object
properties:
- inlineHookId:
- type: string
- PrincipalRateLimitEntity:
- title: PrincipalRateLimitEntity
- description: ''
+ policies:
+ $ref: '#/components/schemas/SimulateResultPolicies'
+ SimulateResultConditions:
type: object
properties:
- createdBy:
- type: string
- readOnly: true
- createdDate:
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ type:
type: string
- format: date-time
- readOnly: true
- defaultConcurrencyPercentage:
- type: integer
- readOnly: true
- defaultPercentage:
- type: integer
- readOnly: true
+ description: The type of condition
+ SimulateResultPolicies:
+ items:
+ $ref: '#/components/schemas/SimulateResultPoliciesItems'
+ type: array
+ SimulateResultPoliciesItems:
+ type: object
+ properties:
+ conditions:
+ type: array
+ description: List of all conditions involved for this policy evaluation
+ items:
+ $ref: '#/components/schemas/SimulateResultConditions'
id:
type: string
- readOnly: true
- lastUpdate:
- type: string
- format: date-time
- readOnly: true
- lastUpdatedBy:
+ description: ID of the specified policy type
+ name:
type: string
- readOnly: true
- orgId:
+ description: Policy name
+ rules:
+ type: array
+ items:
+ $ref: '#/components/schemas/SimulateResultRules'
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ SimulateResultRules:
+ type: object
+ properties:
+ conditions:
+ type: array
+ description: List of all conditions involved for this rule evaluation
+ items:
+ $ref: '#/components/schemas/SimulateResultConditions'
+ id:
type: string
- readOnly: true
- principalId:
+ description: The unique ID number of the policy rule
+ name:
type: string
- principalType:
- $ref: '#/components/schemas/PrincipalType'
- required:
- - principalId
- - principalType
- PrincipalType:
+ description: The name of the policy rule
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ SimulateResultStatus:
+ description: The result of this entity evaluation
type: string
x-okta-known-values:
- - SSWS_TOKEN
- ProfileEnrollmentPolicy:
+ - MATCH
+ - NOT_MATCH
+ - UNDEFINED
+ SingleLogout:
+ description: Determines if the app supports Single Logout (SLO)
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ description: Whether the application supports SLO
+ issuer:
+ type: string
+ description: The issuer of the Service Provider that generates the SLO request
+ logoutUrl:
+ type: string
+ description: The location where the logout response is sent
+ SlackApplication:
+ title: Slack
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: slack
+ example:
+ name: slack
+ label: Sample Slack App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ domain: my-company-domain
+ description: |
+ Schema for the Slack app (key name: `slack`)
+
+ To create a Slack app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Slack app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes.
allOf:
- - $ref: '#/components/schemas/Policy'
+ - $ref: '#/components/schemas/OINApplication'
- type: object
+ - required:
+ - name
+ - label
+ - settings
properties:
- conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
- ProfileEnrollmentPolicyRule:
+ name:
+ type: string
+ enum:
+ - slack
+ example: slack
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_2_0
+ settings:
+ $ref: '#/components/schemas/SlackApplicationSettings'
+ SlackApplicationSettings:
allOf:
- - $ref: '#/components/schemas/PolicyRule'
+ - $ref: '#/components/schemas/ApplicationSettings'
- type: object
+ - required:
+ - app
properties:
- actions:
- $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions'
- conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
- ProfileEnrollmentPolicyRuleAction:
+ app:
+ $ref: '#/components/schemas/SlackApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ SlackApplicationSettingsApplication:
+ description: Slack app instance properties
type: object
properties:
- access:
+ domain:
type: string
- activationRequirements:
- $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement'
- preRegistrationInlineHooks:
- items:
- $ref: '#/components/schemas/PreRegistrationInlineHook'
- type: array
- profileAttributes:
- items:
- $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute'
- type: array
- targetGroupIds:
- items:
- type: string
- type: array
- unknownUserAction:
+ description: The Slack app domain name
+ userEmailValue:
type: string
- ProfileEnrollmentPolicyRuleActions:
- allOf:
- - $ref: '#/components/schemas/PolicyRuleActions'
- - type: object
- properties:
- profileEnrollment:
- $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction'
- ProfileEnrollmentPolicyRuleActivationRequirement:
- type: object
- properties:
- emailVerification:
- type: boolean
- ProfileEnrollmentPolicyRuleProfileAttribute:
+ description: The `User.Email` attribute value
+ required:
+ - domain
+ SloParticipate:
+ description: Determines if the app participates in Single Logout (SLO)
type: object
properties:
- label:
+ bindingType:
type: string
- name:
+ description: Request binding type
+ enum:
+ - POST
+ - REDIRECT
+ enabled:
+ type: boolean
+ description: Indicates whether the app is allowed to participate in front-channel SLO
+ logoutRequestUrl:
type: string
- required:
+ description: URL where Okta sends the logout request
+ sessionIndexRequired:
type: boolean
- ProfileMapping:
+ description: Determines whether Okta sends the `SessionIndex` elements in the logout request
+ SmsTemplate:
type: object
properties:
- id:
+ created:
type: string
+ format: date-time
readOnly: true
- properties:
- type: object
- additionalProperties:
- $ref: '#/components/schemas/ProfileMappingProperty'
+ id:
+ type: string
readOnly: true
- source:
- $ref: '#/components/schemas/ProfileMappingSource'
- target:
- $ref: '#/components/schemas/ProfileMappingSource'
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
+ lastUpdated:
+ type: string
+ format: date-time
readOnly: true
- ProfileMappingProperty:
- type: object
- properties:
- expression:
+ name:
type: string
- pushStatus:
- $ref: '#/components/schemas/ProfileMappingPropertyPushStatus'
- ProfileMappingPropertyPushStatus:
+ description: Human-readable name of the Template
+ maxLength: 50
+ minLength: 1
+ template:
+ type: string
+ description: Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/)
+ maxLength: 161
+ minLength: 1
+ translations:
+ $ref: '#/components/schemas/SmsTemplateTranslations'
+ type:
+ $ref: '#/components/schemas/SmsTemplateType'
+ SmsTemplateTranslations:
+ description: |
+ - Template translations are optionally provided when you want to localize the SMS messages. Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template.
+ - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters.
+ type: object
+ x-okta-extensible: true
+ SmsTemplateType:
+ description: Type of the Template
+ maxLength: 50
+ minLength: 1
type: string
x-okta-known-values:
- - DONT_PUSH
- - PUSH
- ProfileMappingSource:
+ - SMS_VERIFY_CODE
+ SocialAuthToken:
+ description: The Social Authentication Token object provides the tokens and associated metadata provided by social providers during social authentication.
type: object
properties:
+ expiresAt:
+ $ref: '#/components/schemas/ExpiresAt'
id:
type: string
+ description: Unique identifier for the token
readOnly: true
- name:
+ example: NXp9GaX1eOA-XVF_H9fn2Q
+ scopes:
+ type: array
+ description: The scopes that the token is good for
+ readOnly: true
+ items:
+ type: string
+ example:
+ - openid
+ - foo
+ token:
type: string
+ description: The raw token
readOnly: true
- type:
+ example: JBTWGV22G4ZGKV3N
+ tokenAuthScheme:
type: string
readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
+ description: The token authentication scheme as defined by the social provider
+ example: Bearer
+ tokenType:
+ type: string
readOnly: true
- ProfileSettingObject:
+ description: The type of token defined by the [OAuth Token Exchange Spec](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#section-3)
+ example: urn:ietf:params:oauth:token-type:access_token
+ SourceLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The associated schema
+ SplunkEdition:
+ description: Edition of the Splunk Cloud instance
+ example: aws
+ type: string
+ x-okta-known-values:
+ - aws
+ - aws_govcloud
+ - gcp
+ SplunkHost:
+ description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`'
+ minLength: 17
+ maxLength: 116
+ example: acme.splunkcloud.com
+ type: string
+ SplunkToken:
+ description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned.
+ example: 11111111-1111-2222-2222-222222222222
+ writeOnly: true
+ type: string
+ pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$
+ Sso:
+ description: 'Supported SSO protocol configurations. You must configure at least one protocol: `oidc` or `saml`'
type: object
properties:
- status:
- $ref: '#/components/schemas/EnabledStatus'
- Protocol:
+ oidc:
+ $ref: '#/components/schemas/Oidc'
+ saml:
+ $ref: '#/components/schemas/Saml'
+ SsprPrimaryRequirement:
+ description: Defines the authenticators permitted for the initial authentication step of password recovery
type: object
properties:
- algorithms:
- $ref: '#/components/schemas/ProtocolAlgorithms'
- credentials:
- $ref: '#/components/schemas/IdentityProviderCredentials'
- endpoints:
- $ref: '#/components/schemas/ProtocolEndpoints'
- issuer:
- $ref: '#/components/schemas/ProtocolEndpoint'
- relayState:
- $ref: '#/components/schemas/ProtocolRelayState'
- scopes:
+ methodConstraints:
+ description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint.
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodConstraint'
+ methods:
type: array
+ description: Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator.
items:
type: string
- settings:
- $ref: '#/components/schemas/ProtocolSettings'
- type:
- $ref: '#/components/schemas/ProtocolType'
- ProtocolAlgorithmType:
- type: object
- properties:
- signature:
- $ref: '#/components/schemas/ProtocolAlgorithmTypeSignature'
- ProtocolAlgorithmTypeSignature:
+ enum:
+ - push
+ - sms
+ - voice
+ - email
+ - otp
+ SsprRequirement:
+ description: Describes the initial and secondary authenticator requirements a user needs to reset their password
type: object
properties:
- algorithm:
+ accessControl:
+ description: Determines which authentication requirements a user needs to perform self-service operations. `AUTH_POLICY` defers conditions and authentication requirements to the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). `LEGACY` refers to the requirements described by this rule.
type: string
- scope:
- $ref: '#/components/schemas/ProtocolAlgorithmTypeSignatureScope'
- ProtocolAlgorithmTypeSignatureScope:
- type: string
- x-okta-known-values:
- - ANY
- - NONE
- - REQUEST
- - RESPONSE
- - TOKEN
- ProtocolAlgorithms:
+ enum:
+ - AUTH_POLICY
+ - LEGACY
+ primary:
+ $ref: '#/components/schemas/SsprPrimaryRequirement'
+ stepUp:
+ $ref: '#/components/schemas/SsprStepUpRequirement'
+ SsprStepUpRequirement:
+ description: |-
+ Defines the secondary authenticators needed for password reset if `required` is true. The following are three valid configurations:
+ * `required`=false
+ * `required`=true with no methods to use any SSO authenticator
+ * `required`=true with `security_question` as the method
type: object
properties:
- request:
- $ref: '#/components/schemas/ProtocolAlgorithmType'
- response:
- $ref: '#/components/schemas/ProtocolAlgorithmType'
- ProtocolEndpoint:
+ methods:
+ description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication.
+ type: array
+ items:
+ type: string
+ enum:
+ - security_question
+ required:
+ type: boolean
+ StandardRole:
+ title: Standard Role Assignment
type: object
properties:
- binding:
- $ref: '#/components/schemas/ProtocolEndpointBinding'
- destination:
+ assignmentType:
+ $ref: '#/components/schemas/RoleAssignmentType'
+ created:
type: string
- type:
- $ref: '#/components/schemas/ProtocolEndpointType'
- url:
+ description: Timestamp when the object was created
+ format: date-time
+ readOnly: true
+ id:
type: string
- ProtocolEndpointBinding:
- type: string
- x-okta-known-values:
- - HTTP-POST
- - HTTP-REDIRECT
- ProtocolEndpointType:
- type: string
- x-okta-known-values:
- - INSTANCE
- - ORG
- ProtocolEndpoints:
+ description: Role Assignment ID
+ readOnly: true
+ label:
+ type: string
+ description: Label for the Role Assignment
+ readOnly: true
+ lastUpdated:
+ type: string
+ description: Timestamp when the object was last updated
+ format: date-time
+ readOnly: true
+ status:
+ allOf:
+ - $ref: '#/components/schemas/LifecycleStatus'
+ - description: Status of the Role Assignment
+ type:
+ $ref: '#/components/schemas/RoleType'
+ _embedded:
+ type: object
+ description: Optional embedded resources for the Role Assignment
+ properties:
+ targets:
+ type: object
+ description: Targets configured for the Role Assignment
+ properties:
+ groups:
+ type: array
+ description: Group targets
+ items:
+ $ref: '#/components/schemas/Group'
+ catalog:
+ description: App targets
+ properties:
+ apps:
+ type: array
+ items:
+ $ref: '#/components/schemas/CatalogApplication'
+ _links:
+ $ref: '#/components/schemas/LinksAssignee'
+ StandardRoleAssignmentSchema:
+ title: Standard Role
type: object
properties:
- acs:
- $ref: '#/components/schemas/ProtocolEndpoint'
- authorization:
- $ref: '#/components/schemas/ProtocolEndpoint'
- jwks:
- $ref: '#/components/schemas/ProtocolEndpoint'
- metadata:
- $ref: '#/components/schemas/ProtocolEndpoint'
- slo:
- $ref: '#/components/schemas/ProtocolEndpoint'
- sso:
- $ref: '#/components/schemas/ProtocolEndpoint'
- token:
- $ref: '#/components/schemas/ProtocolEndpoint'
- userInfo:
- $ref: '#/components/schemas/ProtocolEndpoint'
- ProtocolRelayState:
+ type:
+ type: string
+ description: Specify the standard or IAM-based role type. See [standard roles](/openapi/okta-management/guides/roles/#standard-roles).
+ StreamConfiguration:
+ title: Stream Configuration
type: object
properties:
+ aud:
+ oneOf:
+ - type: string
+ format: uri
+ example: https://example.com
+ - type: array
+ items:
+ type: string
+ format: uri
+ example: https://example.com
+ description: |-
+ The audience used in the SET. This value is set as `aud` in the claim.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example: https://example.com
+ delivery:
+ $ref: '#/components/schemas/StreamConfigurationDelivery'
+ events_delivered:
+ type: array
+ items:
+ type: string
+ format: uri
+ description: |-
+ The events (mapped by the array of event type URIs) that the transmitter actually delivers to the SSF Stream.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_requested:
+ type: array
+ maxItems: 50
+ items:
+ type: string
+ format: uri
+ maxLength: 256
+ description: The events (mapped by the array of event type URIs) that the receiver wants to receive
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_supported:
+ type: array
+ items:
+ type: string
+ format: uri
+ description: |-
+ An array of event type URIs that the transmitter supports.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
format:
- $ref: '#/components/schemas/ProtocolRelayStateFormat'
- ProtocolRelayStateFormat:
- type: string
- x-okta-known-values:
- - FROM_URL
- - OPAQUE
- ProtocolSettings:
+ type: string
+ description: The Subject Identifier format expected for any SET transmitted.
+ enum:
+ - iss_sub
+ iss:
+ type: string
+ description: |-
+ The issuer used in Security Event Tokens (SETs). This value is set as `iss` in the claim.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example: https://{yourOktaDomain}
+ min_verification_interval:
+ type: integer
+ nullable: true
+ example: 60
+ description: |-
+ The minimum amount of time, in seconds, between two verification requests.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ stream_id:
+ type: string
+ description: The ID of the SSF Stream configuration
+ example: esc1k235GIIztAuGK0g5
+ required:
+ - events_requested
+ - delivery
+ StreamConfigurationCreateRequest:
+ title: Stream Configuration Create Request
type: object
properties:
- nameFormat:
+ delivery:
+ $ref: '#/components/schemas/StreamConfigurationDelivery'
+ events_requested:
+ type: array
+ maxItems: 50
+ items:
+ type: string
+ format: uri
+ maxLength: 256
+ description: The events (mapped by the array of event type URIs) that the receiver wants to receive
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ format:
type: string
- ProtocolType:
- type: string
- x-okta-known-values:
- - MTLS
- - OAUTH2
- - OIDC
- - SAML2
- ProviderType:
- type: string
- x-okta-known-values:
- - APNS
- - FCM
- Provisioning:
+ description: The Subject Identifier format expected for any SET transmitted.
+ enum:
+ - iss_sub
+ required:
+ - events_requested
+ - delivery
+ StreamConfigurationDelivery:
+ title: Stream Configuration Delivery
+ description: Contains information about the intended SET delivery method by the receiver
type: object
properties:
- action:
- $ref: '#/components/schemas/ProvisioningAction'
- conditions:
- $ref: '#/components/schemas/ProvisioningConditions'
- groups:
- $ref: '#/components/schemas/ProvisioningGroups'
- profileMaster:
- type: boolean
- ProvisioningAction:
+ authorization_header:
+ type: string
+ description: The HTTP Authorization header that is included for each HTTP POST request
+ example: '{authorizationHeaderValue}'
+ nullable: true
+ maxLength: 8192
+ endpoint_url:
+ type: string
+ format: uri
+ description: The target endpoint URL where the transmitter delivers the SET using HTTP POST requests
+ example: https://example.com/
+ maxLength: 2048
+ method:
+ type: string
+ description: The delivery method that the transmitter uses for delivering a SET
+ enum:
+ - https://schemas.openid.net/secevent/risc/delivery-method/push
+ - urn:ietf:rfc:8935
+ required:
+ - method
+ - endpoint_url
+ SubjectType:
type: string
x-okta-known-values:
- - AUTO
- - CALLOUT
- - DISABLED
- ProvisioningConditions:
+ - pairwise
+ - public
+ SubmissionRequest:
+ allOf:
+ - $ref: '#/components/schemas/SubmissionResponse'
+ required:
+ - name
+ - description
+ - logo
+ SubmissionResponse:
type: object
properties:
- deprovisioned:
- $ref: '#/components/schemas/ProvisioningDeprovisionedCondition'
- suspended:
- $ref: '#/components/schemas/ProvisioningSuspendedCondition'
- ProvisioningConnection:
+ config:
+ type: array
+ description: 'List of org-level variables for the customer per-tenant configuration. For example, a `subdomain` variable can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`'
+ items:
+ type: object
+ properties:
+ label:
+ type: string
+ description: Display name of the variable in the Admin Console
+ example: Subdomain
+ name:
+ type: string
+ maxLength: 1024
+ minLength: 1
+ description: Name of the variable
+ example: subdomain
+ description:
+ type: string
+ maxLength: 1024
+ minLength: 1
+ description: A general description of your application and the benefits provided to your customers
+ example: Your one source for in-season strawberry deals. Okta's Strawberry Central integration allow users to securely access those sweet deals.
+ id:
+ type: string
+ description: OIN Integration ID
+ readOnly: true
+ example: acme_submissionapp_1
+ lastPublished:
+ type: string
+ description: Timestamp when the OIN Integration was last published
+ readOnly: true
+ example: '2023-08-24T14:15:22.000Z'
+ lastUpdated:
+ type: string
+ description: Timestamp when the OIN Integration instance was last updated
+ readOnly: true
+ example: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy:
+ type: string
+ description: ID of the user who made the last update
+ readOnly: true
+ example: 00ub0oNGTSWTBKOLGLNR
+ logo:
+ type: string
+ format: uri
+ description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. You must first [Upload an OIN Integration logo](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/uploadSubmissionLogo) to obtain the logo URL before you can specify this value.
+ example: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ name:
+ type: string
+ maxLength: 64
+ minLength: 1
+ description: The app integration name. This is the main title used for your integration in the OIN catalog.
+ example: Strawberry Central
+ sso:
+ $ref: '#/components/schemas/Sso'
+ status:
+ type: string
+ description: Status of the OIN Integration submission
+ readOnly: true
+ example: New
+ Subscription:
type: object
properties:
- authScheme:
- $ref: '#/components/schemas/ProvisioningConnectionAuthScheme'
+ channels:
+ description: |-
+ An array of sources send notifications to users.
+ > **Note**: Currently, Okta only allows `email` channels.
+ items:
+ type: string
+ type: array
+ notificationType:
+ $ref: '#/components/schemas/NotificationType'
status:
- $ref: '#/components/schemas/ProvisioningConnectionStatus'
+ $ref: '#/components/schemas/SubscriptionStatus'
_links:
- additionalProperties:
- type: object
- readOnly: true
type: object
- ProvisioningConnectionAuthScheme:
+ description: Discoverable resources related to the subscription
+ properties:
+ self:
+ $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ SubscriptionStatus:
+ description: The status of the subscription
type: string
x-okta-known-values:
- - TOKEN
- - UNKNOWN
- ProvisioningConnectionProfile:
+ - subscribed
+ - unsubscribed
+ SupportedMethods:
+ description: The supported methods of an Authenticator
type: object
properties:
- authScheme:
- $ref: '#/components/schemas/ProvisioningConnectionAuthScheme'
- token:
+ settings:
+ type: object
+ properties:
+ keyProtection:
+ $ref: '#/components/schemas/PushMethodKeyProtection'
+ algorithms:
+ description: The encryption algorithm for this authenticator method
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodAlgorithm'
+ transactionTypes:
+ type: array
+ description: The transaction type for this authenticator method
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodTransactionType'
+ status:
+ description: The status of the authenticator method
+ $ref: '#/components/schemas/LifecycleStatus'
+ type:
type: string
- ProvisioningConnectionRequest:
+ description: The type of authenticator method
+ enum:
+ - push
+ SwaApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/SwaApplicationSettingsApplication'
+ SwaApplicationSettingsApplication:
type: object
properties:
- profile:
- $ref: '#/components/schemas/ProvisioningConnectionProfile'
- ProvisioningConnectionStatus:
- type: string
- x-okta-known-values:
- - DISABLED
- - ENABLED
- - UNKNOWN
- ProvisioningDeprovisionedAction:
- type: string
- x-okta-known-values:
- - NONE
- - REACTIVATE
- ProvisioningDeprovisionedCondition:
+ buttonField:
+ type: string
+ description: CSS selector for the **Sign-In** button in the sign-in form (for SWA apps with the `template_swa` app name definition)
+ buttonSelector:
+ type: string
+ description: CSS selector for the **Sign-In** button in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition)
+ extraFieldSelector:
+ type: string
+ description: Enter the CSS selector for the extra field (for three-field SWA apps with the `template_swa3field` app name definition).
+ extraFieldValue:
+ type: string
+ description: Enter the value for the extra field in the form (for three-field SWA apps with the `template_swa3field` app name definition).
+ loginUrlRegex:
+ type: string
+ description: A regular expression that further restricts targetURL to the specified regular expression
+ passwordField:
+ type: string
+ description: CSS selector for the **Password** field in the sign-in form (for SWA apps with the `template_swa` app name definition)
+ passwordSelector:
+ type: string
+ description: CSS selector for the **Password** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition)
+ targetURL:
+ type: string
+ description: The URL of the sign-in page for this app (for three-field SWA apps with the `template_swa3field` app name definition)
+ url:
+ type: string
+ description: The URL of the sign-in page for this app (for SWA apps with the `template_swa` app name definition)
+ usernameField:
+ type: string
+ description: CSS selector for the **Username** field in the sign-in form (for SWA apps with the `template_swa` app name definition)
+ userNameSelector:
+ type: string
+ description: CSS selector for the **Username** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition)
+ required:
+ - buttonField
+ - passwordField
+ - usernameField
+ - url
+ TelephonyRequest:
type: object
properties:
- action:
- $ref: '#/components/schemas/ProvisioningDeprovisionedAction'
- ProvisioningGroups:
+ data:
+ $ref: '#/components/schemas/TelephonyRequestData'
+ eventType:
+ type: string
+ description: The type of inline hook. The Telephony inline hook type is `com.okta.telephony.provider`.
+ requestType:
+ type: string
+ description: The type of inline hook request. For example, `com.okta.user.telephony.pre-enrollment`.
+ source:
+ description: The ID and URL of the Telephony inline hook
+ type: string
+ TelephonyRequestData:
type: object
properties:
- action:
- $ref: '#/components/schemas/ProvisioningGroupsAction'
- assignments:
- type: array
- items:
- type: string
- filter:
- type: array
- items:
- type: string
- sourceAttributeName:
- type: string
- ProvisioningGroupsAction:
- type: string
- x-okta-known-values:
- - APPEND
- - ASSIGN
- - NONE
- - SYNC
- ProvisioningSuspendedAction:
- type: string
- x-okta-known-values:
- - NONE
- - UNSUSPEND
- ProvisioningSuspendedCondition:
+ context:
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ messageProfile:
+ type: object
+ description: Message profile specifies information about the telephony (sms/voice) message to be sent to the Okta user
+ properties:
+ msgTemplate:
+ description: Default or Okta org configured sms or voice message template
+ type: string
+ phoneNumber:
+ description: The Okta's user's phone number
+ type: string
+ otpExpires:
+ description: The time when OTP expires
+ type: string
+ deliveryChannel:
+ description: The channel for OTP delivery - SMS or voice
+ type: string
+ otpCode:
+ description: The OTP code requested by the Okta user
+ type: string
+ locale:
+ description: The locale associated with the Okta user
+ type: string
+ userProfile:
+ type: object
+ description: User profile specifies information about the Okta user
+ properties:
+ firstName:
+ description: The user's first name
+ type: string
+ lastName:
+ description: The user's last name
+ type: string
+ login:
+ description: The user's Okta login
+ type: string
+ userId:
+ description: The user's Okta user ID
+ type: string
+ TelephonyRequestExecute:
+ description: Telephony inline hook request body
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/TelephonyRequest'
+ TelephonyResponse:
+ description: Telephony inline hook response
type: object
properties:
- action:
- $ref: '#/components/schemas/ProvisioningSuspendedAction'
- PushProvider:
- title: PushProvider
+ commands:
+ description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the Telephony inline hook, you typically only return one `commands` object with one array element in it.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ description: The location where you specify the command. For the Telephony inline hook, there's only one command, `com.okta.telephony.action`.
+ type: string
+ value:
+ description: The status of the telephony operation along with optional additional information about the provider, transaction ID and any other transaction metadata.
+ type: array
+ items:
+ type: object
+ properties:
+ status:
+ type: string
+ description: Status of telephony callout
+ enum:
+ - SUCCESSFUL
+ - PENDING
+ - FAILED
+ x-enumDescriptions:
+ SUCCESSFUL: External web service was able to deliver the OTP to the Requester.
+ PENDING: External web service wasn't able to confirm delivery of the OTP to the Requester.
+ FAILED: External web service was unable to deliver the OTP to the Requester.
+ provider:
+ type: string
+ description: Telephony provider for sms/voice
+ transactionId:
+ type: string
+ description: Transaction ID for sms/voice
+ transactionMetadata:
+ type: string
+ description: Any relevant metadata for the telephony transaction
+ TempPassword:
type: object
properties:
- id:
- type: string
- readOnly: true
- lastUpdatedDate:
+ tempPassword:
type: string
readOnly: true
- name:
+ TestInfo:
+ description: Integration Testing Information
+ type: object
+ properties:
+ escalationSupportContact:
type: string
- description: Display name of the push provider
- providerType:
- $ref: '#/components/schemas/ProviderType'
- _links:
+ maxLength: 255
+ description: An email for Okta to contact your company about your integration. This email isn't shared with customers.
+ example: strawberry.support@example.com
+ oidcTestConfiguration:
type: object
+ description: OIDC test details
properties:
- self:
- $ref: '#/components/schemas/HrefObject'
- readOnly: true
- discriminator:
- propertyName: providerType
- mapping:
- APNS: '#/components/schemas/APNSPushProvider'
- FCM: '#/components/schemas/FCMPushProvider'
- PushUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
+ idp:
+ type: boolean
+ description: Read only.
Indicates if your integration supports IdP-initiated sign-in flows. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) is specified, this property is set to `true`. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) isn't set for the integration submission, this property is set to `false`
+ readOnly: true
+ sp:
+ type: boolean
+ description: Read only.
Indicates if your integration supports SP-initiated sign-in flows and is always set to `true` for OIDC SSO
+ readOnly: true
+ jit:
+ type: boolean
+ description: Indicates if your integration supports Just-In-Time (JIT) provisioning
+ spInitiateUrl:
+ type: string
+ format: uri
+ maxLength: 512
+ description: URL for SP-initiated sign-in flows (required if `sp = true`)
+ example: https://test.example.com/strawberry/oidc/sp-init
+ required:
+ - spInitiateUrl
+ samlTestConfiguration:
+ type: object
+ description: SAML test details
properties:
- expiresAt:
+ idp:
+ type: boolean
+ description: Indicates if your integration supports IdP-initiated sign-in
+ sp:
+ type: boolean
+ description: Indicates if your integration supports SP-initiated sign-in
+ jit:
+ type: boolean
+ description: Indicates if your integration supports Just-In-Time (JIT) provisioning
+ spInitiateUrl:
type: string
- format: date-time
- factorResult:
- $ref: '#/components/schemas/FactorResultType'
- profile:
- $ref: '#/components/schemas/PushUserFactorProfile'
- PushUserFactorProfile:
+ format: uri
+ maxLength: 512
+ description: URL for SP-initiated sign-in flows (required if `sp = true`)
+ example: https://test.example.com/strawberry/saml/sp-init
+ spInitiateDescription:
+ type: string
+ maxLength: 2048
+ description: Instructions on how to sign in to your app using the SP-initiated flow (required if `sp = true`)
+ example: Go to your app URL from a browser and enter your username
+ required:
+ - spInitiateUrl
+ testAccount:
+ type: object
+ description: An account on a test instance of your app with admin privileges. A test admin account is required by Okta for integration testing. During OIN QA testing, an Okta analyst uses this admin account to configure your app for the various test case flows.
+ properties:
+ url:
+ type: string
+ format: uri
+ maxLength: 512
+ description: The sign-in URL to a test instance of your app
+ example: https://example.com/strawberry/login
+ username:
+ type: string
+ maxLength: 255
+ description: The username for your app admin account
+ example: test@example.com
+ password:
+ type: string
+ maxLength: 255
+ description: The password for your app admin account
+ example: sUperP@ssw0rd
+ instructions:
+ type: string
+ maxLength: 2048
+ description: Additional instructions to test the app integration, including instructions for obtaining test accounts
+ example: Go to your app URL from a browser and enter your credentials
+ required:
+ - url
+ - username
+ - password
+ required:
+ - escalationSupportContact
+ ThemeResponse:
type: object
properties:
- credentialId:
+ backgroundImage:
+ readOnly: true
type: string
- deviceToken:
+ emailTemplateTouchPointVariant:
+ $ref: '#/components/schemas/EmailTemplateTouchPointVariant'
+ endUserDashboardTouchPointVariant:
+ $ref: '#/components/schemas/EndUserDashboardTouchPointVariant'
+ errorPageTouchPointVariant:
+ $ref: '#/components/schemas/ErrorPageTouchPointVariant'
+ favicon:
+ readOnly: true
type: string
- deviceType:
+ id:
+ readOnly: true
type: string
- name:
+ loadingPageTouchPointVariant:
+ $ref: '#/components/schemas/LoadingPageTouchPointVariant'
+ logo:
+ readOnly: true
type: string
- platform:
+ primaryColorContrastHex:
type: string
- version:
+ description: Primary color contrast hex code
+ primaryColorHex:
type: string
- RecoveryQuestionCredential:
+ description: Primary color hex code
+ secondaryColorContrastHex:
+ type: string
+ description: Secondary color contrast hex code
+ secondaryColorHex:
+ type: string
+ description: Secondary color hex code
+ signInPageTouchPointVariant:
+ $ref: '#/components/schemas/SignInPageTouchPointVariant'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ ThirdPartyAdminSetting:
+ description: The third-party admin setting
type: object
properties:
- answer:
+ thirdPartyAdmin:
+ type: boolean
+ description: Indicates if third-party admin is enabled
+ example: false
+ ThreatInsightConfiguration:
+ type: object
+ properties:
+ action:
type: string
- question:
+ description: Specifies how Okta responds to authentication requests from suspicious IP addresses
+ enum:
+ - none
+ - audit
+ - block
+ x-enumDescriptions:
+ none: Indicates that ThreatInsight is disabled
+ audit: Indicates that Okta logs suspicious requests to the System Log
+ block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests
+ example: none
+ created:
type: string
- ReleaseChannel:
- description: Release channel for auto-update
- type: string
- x-okta-known-values:
- - BETA
- - EA
- - GA
- - TEST
- RequiredEnum:
+ format: date-time
+ description: Timestamp when the ThreatInsight Configuration object was created
+ example: '2020-08-05T22:18:30.629Z'
+ readOnly: true
+ excludeZones:
+ type: array
+ description: |-
+ Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs.
+ IPs in the excluded network zones aren't logged or blocked.
+ This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked.
+ items:
+ type: string
+ example: []
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the ThreatInsight Configuration object was last updated
+ readOnly: true
+ example: '2020-09-08T20:53:20.882Z'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - action
+ TimeDuration:
+ description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
type: string
- x-okta-known-values:
- - ALWAYS
- - HIGH_RISK_ONLY
- - NEVER
- ResetPasswordToken:
+ pattern: ^P(?:$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?:\d)(\d+H)?(\d+M)?(\d+S)?)?$
+ TokenAuthorizationServerPolicyRuleAction:
type: object
properties:
- resetPasswordUrl:
- type: string
- readOnly: true
- ResponseLinks:
+ accessTokenLifetimeMinutes:
+ type: integer
+ description: Lifetime of the access token in minutes. The minimum is five minutes. The maximum is one day.
+ inlineHook:
+ $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook'
+ refreshTokenLifetimeMinutes:
+ type: integer
+ description: Lifetime of the refresh token is the minimum access token lifetime.
+ refreshTokenWindowMinutes:
+ type: integer
+ description: Timeframe when the refresh token is valid. The minimum is 10 minutes. The maximum is five years (2,628,000 minutes).
+ TokenAuthorizationServerPolicyRuleActionInlineHook:
type: object
- RiskPolicyRuleCondition:
+ properties:
+ id:
+ type: string
+ readOnly: false
+ TokenDeliveryMode:
+ type: string
+ x-okta-known-values:
+ - poll
+ TokenHookResponse:
+ description: |-
+ For the token inline hook, the `commands` and `error` objects that you can return in the JSON payload of your response are defined in the following sections.
+ > **Note:** The size of your response payload must be less than 256 KB.
type: object
properties:
- behaviors:
- uniqueItems: true
+ commands:
+ description: |-
+ You can use the `commands` object to provide commands to Okta. It's where you can tell Okta to add more claims to the token.
+ The `commands` object is an array, allowing you to send multiple commands. In each array element, there needs to be a `type` property and `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command.
+ In the case of the token hook type, the `value` property is itself a nested object in which you specify a particular operation, a path to act on, and a value.
type: array
items:
- type: string
- RiskScorePolicyRuleCondition:
+ type: object
+ properties:
+ type:
+ description: |-
+ One of the supported commands:
+ `com.okta.identity.patch`: Modify an ID token
+ `com.okta.access.patch`: Modify an access token
+ > **Note:** The `commands` array should only contain commands that can be applied to the requested tokens. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`.
+ type: string
+ value:
+ description: The `value` object is where you specify the operation to perform. It's an array, which allows you to request more than one operation.
+ type: array
+ items:
+ type: object
+ properties:
+ op:
+ description: |-
+ The name of one of the supported ops: `add`: Add a claim. `replace`: Modify an existing claim and update the token lifetime. `remove`: Remove an existing claim.
+ #### `op: add` notes
+
+
+ Add a claim
+
+ Add a claim
+
+ **Existing JSON**
+
+ ```
+ {
+ "employeeId": "00u12345678"
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.assertion.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/extPatientId",
+ "value": "1234"
+ }
+ ]
+ },
+ {
+ "type": "com.okta.assertion.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/external_guid",
+ "value": "F0384685-F87D-474B-848D-2058AC5655A7"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "employeeId": "00u12345678",
+ "extPatientId": 1234,
+ "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7"
+ }
+ ```
+
+ > **Note:** If you use the `add` operation and include an existing claim in your response with a different value, that value is replaced. Use the `replace` operation instead. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See `op: replace` notes.
+
+
+
+ Add new members to existing JSON objects
+
+ If you have a JSON object in a claim called `employee_profile`, and you want to add the `department_id` member to the claim, the existing JSON is updated by specifying the claim in the path, followed by the name of the object member.
+
+ **Existing JSON**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id": "1234",
+ "name": "Anna"
+ }
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/employee_profile/department_id",
+ "value": "4947"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id": "1234",
+ "name": "Anna",
+ "department_id": "4947"
+ }
+ }
+ ```
+
+ > **Note:** If you attempt to add a member within a JSON object that doesn't exist or using an invalid operation, the entire PATCH fails and errors are logged in the token hooks events.
+
+
+
+ Add new elements to existing arrays
+
+ Append an element to an array by specifying the name of the array, followed by the index where you want to insert the element in the path. Alternatively, you can specify the array name followed by a hyphen (-) in the path to append an element at the end of the array. For example, you have an array that contains the user's preferred airports, and you want to add a new airport to the array. The existing target JSON object is updated by specifying the claim in the path, followed by the index of where to insert the claim.
+
+ **Existing JSON**
+
+ ```
+ {
+ "preferred_airports":[
+ "sjc",
+ "sfo",
+ "oak"
+ ]
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/preferred_airports/3",
+ "value": "lax"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "preferred_airports":[
+ "sjc",
+ "sfo",
+ "oak",
+ "lax"
+ ]
+ }
+ ```
+
+ > **Note:** If you attempt to add an element within an array that doesn't exist or specify an invalid index, the entire PATCH fails and errors are logged in the token hooks events.
+
+
+ #### `op: replace` notes
+
+
+ Modify an existing claim
+
+ You can modify (`replace`) existing custom claims or OIDC standard profile claims, such as `birthdate` and `locale`. You can't, however, modify any system-specific claims, such as `iss` or `ver`. Also, you can't modify a claim that isn't currently part of the token in the request payload. Attempting to modify a system-specific claim or using an invalid operation results in the entire PATCH failing and errors logged in the token hooks events.
+
+ See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify.
+
+ > **Note:** Although the `aud` and `sub` claims are listed as reserved claims, you can modify those claims in access tokens. You can't modify these claims in ID tokens.
+
+ See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "employeeId": "00u12345678",
+ "extPatientId": 1234,
+ "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7"
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/claims/extPatientId",
+ "value": "12345"
+ },
+ {
+ "op": "replace",
+ "path": "/claims/external_guid",
+ "value": "D1495796-G98E-585C-959E-1269CD6766B8"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON***
+
+ ```
+ {
+ "employeeId": "00u12345678",
+ "extPatientId": 12345,
+ "external_guid": "D1495796-G98E-585C-959E-1269CD6766B8"
+ }
+ ```
+
+
+
+
+ Modify members within existing JSON objects and arrays
+
+ Use the `replace` operation to modify members within JSON objects and elements within arrays. For example, you have a JSON object in a claim called `employee_profile`, and you want to update the email address of the employee. The existing target JSON object is updated by specifying the claim in the path, followed by the name of the object member that you want to modify.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ "email":"anna.v@company.com"
+ }
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/claims/employee_profile/email",
+ "value": "anna@company.com"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ "email":"anna@company.com"
+ }
+ }
+ ```
+
+ > **Note:** If you attempt to modify a member within a JSON object that doesn't exist or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events.
+
+ Similarly, you can replace elements in an array by specifying the array name and the valid index of the element that you want to replace in the path.
+
+
+
+ Modify token lifetimes
+ You can modify how long the access and ID tokens are valid by specifying the `lifetime` in seconds. The `lifetime` value must be a minimum of five minutes (300 seconds) and a maximum of 24 hours (86,400 seconds).
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/token/lifetime/expiration",
+ "value": 36000
+ }
+ ]
+ },
+ {
+ "type": "com.okta.access.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/token/lifetime/expiration",
+ "value": 36000
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+
+
+ #### `op: remove` notes
+
+
+ Remove a claim
+
+ You can remove existing custom claims or OIDC standard profile claims, such as `birthdate` or `locale`. You can't, however, remove any system-specific claims, such as `iss` or `ver`. You also can't remove a claim that isn't currently part of the token in the request payload. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events.
+
+ See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify.
+
+ See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify.
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/birthdate",
+ "value": null
+ }
+ ]
+ },
+ {
+ "type": "com.okta.access.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/external_guid"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ > **Note:** The `value` property for the `remove` operation isn't required. If you provide it in the response, it should be set to `null`. Providing any other value fails the entire PATCH response.
+
+
+
+
+ Remove members from existing arrays
+
+ Use the `remove` operation to remove members from existing arrays. For example, you have an array that contains the user's preferred airports, and you want to remove an airport from the array. The existing target JSON object is updated by specifying the array name followed by the index of the element that you want to remove. You don't need to specify a value for the remove operation, but you can specify `null` as the value if you want.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "preferred_airports": [
+ "sjc",
+ "lax",
+ "sfo",
+ "oak"
+ ]
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/preferred_airports/1"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "preferred_airports": [
+ "sjc",
+ "sfo",
+ "oak"
+ ]
+ }
+ ```
+
+
+
+
+ Remove members from existing JSON objects
+
+ Use the `remove` operation to remove members from existing JSON objects. Do this by specifying the JSON object in the path, followed by the claim member that you would like to remove. For example, you have an `employee_profile` claim, and you want to remove `email` from it.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ "email":"anna.v@company.com"
+ }
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/employee_profile/email"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ }
+ }
+ ```
+
+
+ type: string
+ path:
+ description: Location within the token to apply the operation, specified as a slash-delimited path. When you add, replace, or remove a claim, this path always begins with `/claims/` and is followed by the name of the new claim that you're adding. When you replace a token lifetime, the path should always be `/token/lifetime/expiration`.
+ type: string
+ value:
+ description: Value to set the claim to.
+ oneOf:
+ - type: string
+ - type: integer
+ - type: object
+ error:
+ description: When an error object is returned, it causes Okta to return an OAuth 2.0 error to the requester of the token. In the error response, the value of `error` is `server_error`, and the value of `error_description` is the string that you supplied in the `errorSummary` property of the `error` object that you returned.
+ type: object
+ properties:
+ errorSummary:
+ description: 'Human-readable summary of the error. If the error object doesn''t include the `errorSummary` property defined, the following common default message is returned to the end user: `The callback service returned an error`.'
+ type: string
+ TokenPayLoad:
type: object
properties:
- level:
+ data:
+ type: object
+ properties:
+ context:
+ allOf:
+ - $ref: '#/components/schemas/BaseContext'
+ - type: object
+ properties:
+ protocol:
+ description: Details of the authentication protocol
+ type: object
+ properties:
+ type:
+ description: The type of authentication protocol used
+ type: string
+ example: OAUTH2.0
+ request:
+ $ref: '#/components/schemas/TokenProtocolRequest'
+ OriginalGrant:
+ description: Information about the original token request used to get the refresh token being used, when in a refresh token request
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/TokenProtocolRequest'
+ refresh_token:
+ $ref: '#/components/schemas/RefreshToken'
+ issuer:
+ description: The authorization server's issuer identifier
+ type: object
+ properties:
+ uri:
+ description: The authorization server's issuer identifier
+ type: string
+ format: uri
+ client:
+ description: The client making the token request
+ type: object
+ properties:
+ id:
+ description: The unique identifier of the client
+ type: string
+ name:
+ description: The name of the client
+ type: string
+ type:
+ description: The type of client
+ type: string
+ example: PUBLIC
+ policy:
+ description: The authorization server policy used to mint the token
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the policy
+ type: string
+ example: 00p4ktaq2ryOYtsHC0g7
+ rule:
+ description: The authorization server policy rule used to mint the token
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the policy rule
+ type: string
+ example: 0pr4ktb7elD3ZvrMy0g7
+ identity:
+ allOf:
+ - description: Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains
+ - $ref: '#/components/schemas/BaseToken'
+ access:
+ allOf:
+ - description: Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains
+ - $ref: '#/components/schemas/BaseToken'
+ - type: object
+ properties:
+ scopes:
+ description: The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#scopes).
+ type: object
+ refresh_token:
+ $ref: '#/components/schemas/RefreshToken'
+ TokenProtocolRequest:
+ description: Details of the token request
+ type: object
+ properties:
+ client_id:
+ description: The ID of the client associated with the token
type: string
- Role:
+ grant_type:
+ $ref: '#/components/schemas/GrantType'
+ redirect_uri:
+ description: Specifies the callback location where the authorization was sent
+ type: string
+ format: uri
+ response_mode:
+ description: The authorization response mode
+ type: string
+ enum:
+ - form_post
+ - fragment
+ - okta_post_message
+ - query
+ response_type:
+ description: The authorization response type
+ type: string
+ enum:
+ - code
+ - id_token
+ - token
+ - none
+ scope:
+ description: The scopes requested
+ type: string
+ state:
+ type: string
+ TokenRequest:
+ description: Token inline hook request
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/TokenPayLoad'
+ TokenResourcesHrefObject:
type: object
properties:
- assignmentType:
- $ref: '#/components/schemas/RoleAssignmentType'
- created:
+ href:
type: string
- format: date-time
- readOnly: true
- description:
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens
+ TokenResponse:
+ type: object
+ properties:
+ access_token:
type: string
- id:
+ description: An access token.
+ device_secret:
type: string
- readOnly: true
- label:
+ description: An opaque device secret. This is returned if the `device_sso` scope is granted.
+ expires_in:
+ type: integer
+ description: The expiration time of the access token in seconds.
+ id_token:
type: string
- readOnly: true
- lastUpdated:
+ description: An ID token. This is returned if the `openid` scope is granted.
+ issued_token_type:
+ $ref: '#/components/schemas/TokenType'
+ refresh_token:
+ type: string
+ description: An opaque refresh token. This is returned if the `offline_access` scope is granted.
+ scope:
type: string
- format: date-time
- readOnly: true
- status:
- $ref: '#/components/schemas/LifecycleStatus'
- type:
- $ref: '#/components/schemas/RoleType'
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- RoleAssignmentType:
+ description: The scopes contained in the access token.
+ token_type:
+ $ref: '#/components/schemas/TokenResponseTokenType'
+ TokenResponseTokenType:
+ description: The token type in a `/token` response. The value is generally `Bearer` except for a few instances of token exchange.
type: string
x-okta-known-values:
- - GROUP
- - USER
- RoleType:
+ - Bearer
+ - N_A
+ TokenType:
+ description: The type of token for token exchange.
type: string
x-okta-known-values:
- - API_ACCESS_MANAGEMENT_ADMIN
- - APP_ADMIN
- - GROUP_MEMBERSHIP_ADMIN
- - HELP_DESK_ADMIN
- - MOBILE_ADMIN
- - ORG_ADMIN
- - READ_ONLY_ADMIN
- - REPORT_ADMIN
- - SUPER_ADMIN
- - USER_ADMIN
- SamlApplication:
+ - urn:ietf:params:oauth:token-type:access_token
+ - urn:ietf:params:oauth:token-type:id_token
+ - urn:ietf:params:oauth:token-type:jwt
+ - urn:ietf:params:oauth:token-type:refresh_token
+ - urn:ietf:params:oauth:token-type:saml1
+ - urn:ietf:params:oauth:token-type:saml2
+ - urn:okta:oauth:token-type:web_sso_token
+ - urn:x-oath:params:oauth:token-type:device-secret
+ TrendMicroApexOneServiceApplication:
+ title: Trend Micro Apex One Service
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: trendmicroapexoneservice
+ example:
+ name: trendmicroapexoneservice
+ label: Sample Trend Micro Apex One as a Service App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ baseURL: https://acme.trendmicro.com
+ description: |
+ Schema for Trend Micro Apex One as a Service app (key name: `trendmicroapexoneservice`)
+
+ To create a Trend Micro Apex One as a Service app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Trend Micro Apex One as a Service app only supports `SAML_2_0` sign-on mode.
allOf:
- - $ref: '#/components/schemas/Application'
+ - $ref: '#/components/schemas/OINApplication'
- type: object
+ - required:
+ - name
+ - label
+ - settings
properties:
- credentials:
- $ref: '#/components/schemas/ApplicationCredentials'
name:
type: string
+ enum:
+ - trendmicroapexoneservice
+ example: trendmicroapexoneservice
+ signOnMode:
+ enum:
+ - SAML_2_0
settings:
- $ref: '#/components/schemas/SamlApplicationSettings'
- SamlApplicationSettings:
+ $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettings'
+ TrendMicroApexOneServiceApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
- type: object
+ - required:
+ - app
properties:
app:
- $ref: '#/components/schemas/SamlApplicationSettingsApplication'
+ $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettingsApplication'
signOn:
- $ref: '#/components/schemas/SamlApplicationSettingsSignOn'
- SamlApplicationSettingsApplication:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ TrendMicroApexOneServiceApplicationSettingsApplication:
+ description: Trend Micro Apex One as a Service app instance properties
type: object
properties:
- acsUrl:
- type: string
- audRestriction:
- type: string
- baseUrl:
+ baseURL:
type: string
- SamlApplicationSettingsSignOn:
+ description: Base Trend Micro Apex One Service URL
+ required:
+ - baseURL
+ TrustedOrigin:
type: object
properties:
- acsEndpoints:
- type: array
- items:
- $ref: '#/components/schemas/AcsEndpoint'
- allowMultipleAcsEndpoints:
- type: boolean
- assertionSigned:
- type: boolean
- attributeStatements:
- type: array
- items:
- $ref: '#/components/schemas/SamlAttributeStatement'
- audience:
- type: string
- audienceOverride:
- type: string
- authnContextClassRef:
- type: string
- defaultRelayState:
+ created:
+ description: Timestamp when the Trusted Origin was created
type: string
- destination:
+ format: date-time
+ readOnly: true
+ createdBy:
+ description: The ID of the user who created the Trusted Origin
type: string
- destinationOverride:
+ id:
+ description: Unique identifier for the Trusted Origin
type: string
- digestAlgorithm:
+ readOnly: true
+ lastUpdated:
+ description: Timestamp when the Trusted Origin was last updated
type: string
- honorForceAuthn:
- type: boolean
- idpIssuer:
+ format: date-time
+ readOnly: true
+ lastUpdatedBy:
+ description: The ID of the user who last updated the Trusted Origin
type: string
- inlineHooks:
- items:
- $ref: '#/components/schemas/SignOnInlineHook'
+ name:
+ $ref: '#/components/schemas/TrustedOriginName'
+ origin:
+ $ref: '#/components/schemas/TrustedOriginOrigin'
+ scopes:
+ $ref: '#/components/schemas/TrustedOriginScopes'
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ _links:
+ $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ TrustedOriginName:
+ maximum: 255
+ description: Unique name for the Trusted Origin
+ type: string
+ TrustedOriginOrigin:
+ maximum: 255
+ description: Unique origin URL for the Trusted Origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor.
+ type: string
+ TrustedOriginScope:
+ type: object
+ properties:
+ allowedOktaApps:
type: array
- recipient:
- type: string
- recipientOverride:
- type: string
- requestCompressed:
- type: boolean
- responseSigned:
- type: boolean
- signatureAlgorithm:
+ description: The allowed Okta apps for the Trusted Origin scope
+ items:
+ $ref: '#/components/schemas/IframeEmbedScopeAllowedApps'
+ type:
+ $ref: '#/components/schemas/TrustedOriginScopeType'
+ TrustedOriginScopeType:
+ description: |
+ The scope type. Supported values: When you use `IFRAME_EMBED` as the scope type, leave the allowedOktaApps property
+ empty to allow iFrame embedding of only Okta sign-in pages. Include `OKTA_ENDUSER` as a value for the allowedOktaApps
+ property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard.
+ type: string
+ x-okta-known-values:
+ - CORS
+ - IFRAME_EMBED
+ - REDIRECT
+ TrustedOriginScopes:
+ maximum: 3
+ description: Array of Scope types that this Trusted Origin is used for
+ items:
+ $ref: '#/components/schemas/TrustedOriginScope'
+ type: array
+ TrustedOriginWrite:
+ type: object
+ properties:
+ name:
+ $ref: '#/components/schemas/TrustedOriginName'
+ origin:
+ $ref: '#/components/schemas/TrustedOriginOrigin'
+ scopes:
+ $ref: '#/components/schemas/TrustedOriginScopes'
+ UIElement:
+ description: Specifies the configuration of an input field on an enrollment form
+ type: object
+ properties:
+ label:
type: string
- slo:
- $ref: '#/components/schemas/SingleLogout'
- spCertificate:
- $ref: '#/components/schemas/SpCertificate'
- spIssuer:
+ description: Label name for the UI element
+ options:
+ type: object
+ description: UI Schema element options object
+ properties:
+ format:
+ type: string
+ description: Specifies how the input appears
+ enum:
+ - text
+ - radio
+ - select
+ - checkbox
+ - radio_yes_no
+ - radio_true_false
+ x-enumDescriptions:
+ text: The default format for the majority of property types
+ radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint.
+ select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint.
+ checkbox: Displays input as a checkbox. This option is only available for Boolean data types.
+ radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types.
+ radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types.
+ scope:
type: string
- ssoAcsUrl:
+ description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`.
+ type:
type: string
- ssoAcsUrlOverride:
+ description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`.
+ UISchemaObject:
+ description: Properties of the UI schema
+ type: object
+ properties:
+ buttonLabel:
type: string
- subjectNameIdFormat:
+ description: Specifies the button label for the `Submit` button at the bottom of the enrollment form
+ default: Submit
+ elements:
+ $ref: '#/components/schemas/UIElement'
+ label:
type: string
- subjectNameIdTemplate:
+ description: Specifies the label at the top of the enrollment form under the logo
+ default: Sign in
+ type:
type: string
- SamlAttributeStatement:
+ description: Specifies the type of layout
+ UISchemasResponseObject:
type: object
properties:
- filterType:
- type: string
- filterValue:
- type: string
- name:
+ created:
type: string
- namespace:
+ format: date-time
+ description: Timestamp when the UI Schema was created (ISO-86001)
+ readOnly: true
+ id:
type: string
- type:
+ description: Unique identifier for the UI Schema
+ readOnly: true
+ lastUpdated:
type: string
- values:
- type: array
- items:
- type: string
- ScheduledUserLifecycleAction:
+ format: date-time
+ description: Timestamp when the UI Schema was last modified (ISO-86001)
+ readOnly: true
+ uiSchema:
+ $ref: '#/components/schemas/UISchemaObject'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - id
+ - uiSchema
+ - created
+ - lastUpdated
+ - _links
+ UpdateDomain:
type: object
properties:
- status:
- $ref: '#/components/schemas/PolicyUserStatus'
- SchemeApplicationCredentials:
- allOf:
- - $ref: '#/components/schemas/ApplicationCredentials'
- - type: object
- properties:
- password:
- $ref: '#/components/schemas/PasswordCredential'
- revealPassword:
- type: boolean
- scheme:
- $ref: '#/components/schemas/ApplicationCredentialsScheme'
- signing:
- $ref: '#/components/schemas/ApplicationCredentialsSigning'
- userName:
- type: string
- ScreenLockType:
- type: string
- x-okta-known-values:
- - BIOMETRIC
- - PASSCODE
- SecurePasswordStoreApplication:
- x-okta-defined-as:
- name: template_sps
- allOf:
- - $ref: '#/components/schemas/Application'
- - type: object
- properties:
- credentials:
- $ref: '#/components/schemas/SchemeApplicationCredentials'
- name:
- type: string
- default: template_sps
- settings:
- $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings'
- SecurePasswordStoreApplicationSettings:
+ brandId:
+ description: The `id` of the brand used to replace the existing brand.
+ type: string
+ example: bndul904tTZ6kWVhP0g3
+ required:
+ - brandId
+ UpdateEmailDomain:
allOf:
- - $ref: '#/components/schemas/ApplicationSettings'
- - type: object
- properties:
- app:
- $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication'
- SecurePasswordStoreApplicationSettingsApplication:
+ - $ref: '#/components/schemas/BaseEmailDomain'
+ UpdateIamRoleRequest:
type: object
properties:
- optionalField1:
- type: string
- optionalField1Value:
- type: string
- optionalField2:
+ description:
type: string
- optionalField2Value:
+ description: Description of the role
+ label:
type: string
- optionalField3:
+ description: Unique label for the role
+ required:
+ - label
+ - description
+ UpdateRealmAssignmentRequest:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/Actions'
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ name:
type: string
- optionalField3Value:
+ priority:
+ type: integer
+ UpdateRealmRequest:
+ type: object
+ properties:
+ profile:
+ $ref: '#/components/schemas/RealmProfile'
+ UpdateThemeRequest:
+ type: object
+ properties:
+ emailTemplateTouchPointVariant:
+ $ref: '#/components/schemas/EmailTemplateTouchPointVariant'
+ endUserDashboardTouchPointVariant:
+ $ref: '#/components/schemas/EndUserDashboardTouchPointVariant'
+ errorPageTouchPointVariant:
+ $ref: '#/components/schemas/ErrorPageTouchPointVariant'
+ loadingPageTouchPointVariant:
+ $ref: '#/components/schemas/LoadingPageTouchPointVariant'
+ primaryColorContrastHex:
type: string
- passwordField:
+ description: Primary color contrast hex code
+ default: null
+ primaryColorHex:
type: string
- url:
+ description: Primary color hex code
+ default: null
+ secondaryColorContrastHex:
type: string
- usernameField:
+ description: Secondary color contrast hex code
+ default: null
+ secondaryColorHex:
type: string
- SecurityQuestion:
+ description: Secondary color hex code
+ default: null
+ signInPageTouchPointVariant:
+ $ref: '#/components/schemas/SignInPageTouchPointVariant'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - primaryColorHex
+ - secondaryColorHex
+ - signInPageTouchPointVariant
+ - endUserDashboardTouchPointVariant
+ - errorPageTouchPointVariant
+ - emailTemplateTouchPointVariant
+ UpdateUISchema:
+ description: The updated request body properties
type: object
properties:
- answer:
- type: string
- question:
- type: string
- questionText:
- type: string
- SecurityQuestionUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/SecurityQuestionUserFactorProfile'
- SecurityQuestionUserFactorProfile:
+ uiSchema:
+ $ref: '#/components/schemas/UISchemaObject'
+ UpdateUserRequest:
type: object
properties:
- answer:
- type: string
- question:
- type: string
- questionText:
- type: string
- SeedEnum:
- type: string
- x-okta-known-values:
- - OKTA
- - RANDOM
- Session:
+ credentials:
+ $ref: '#/components/schemas/UserCredentials'
+ profile:
+ $ref: '#/components/schemas/UserProfile'
+ realmId:
+ type: string
+ description:
The ID of the realm in which the user is residing
+ example: guo1bfiNtSnZYILxO0g4
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ User:
type: object
properties:
- amr:
- type: array
- readOnly: true
- items:
- $ref: '#/components/schemas/SessionAuthenticationMethod'
- createdAt:
+ activated:
type: string
+ description: The timestamp when the user status transitioned to `ACTIVE`
format: date-time
readOnly: true
- expiresAt:
+ nullable: true
+ created:
type: string
+ description: The timestamp when the user was created
format: date-time
readOnly: true
+ credentials:
+ $ref: '#/components/schemas/UserCredentials'
id:
type: string
+ description: The unique key for the user
readOnly: true
- idp:
- $ref: '#/components/schemas/SessionIdentityProvider'
- lastFactorVerification:
+ lastLogin:
type: string
+ description: The timestamp of the last login
format: date-time
readOnly: true
- lastPasswordVerification:
+ nullable: true
+ lastUpdated:
type: string
+ description: The timestamp when the user was last updated
format: date-time
readOnly: true
- login:
+ passwordChanged:
type: string
+ description: The timestamp when the user's password was last updated
+ format: date-time
+ readOnly: true
+ nullable: true
+ profile:
+ $ref: '#/components/schemas/UserProfile'
+ realmId:
+ type: string
+ description:
The ID of the realm in which the user is residing
+ example: guo1bfiNtSnZYILxO0g4
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
readOnly: true
status:
- $ref: '#/components/schemas/SessionStatus'
- userId:
+ $ref: '#/components/schemas/UserStatus'
+ statusChanged:
type: string
+ description: The timestamp when the status of the user last changed
+ format: date-time
readOnly: true
- _links:
+ nullable: true
+ transitioningToStatus:
+ type: string
+ description: The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning.
+ readOnly: true
+ nullable: true
+ enum:
+ - ACTIVE
+ - DEPROVISIONED
+ - PROVISIONED
+ type:
+ type: object
+ description: |-
+ The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType).
+
+ Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update).
+ properties:
+ id:
+ type: string
+ description: The ID of the user type
+ _embedded:
type: object
+ description: Embedded resources related to the user using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
additionalProperties:
type: object
properties: {}
readOnly: true
- SessionAuthenticationMethod:
- type: string
- x-okta-known-values:
- - fpt
- - geo
- - hwk
- - kba
- - mca
- - mfa
- - otp
- - pwd
- - sc
- - sms
- - swk
- - tel
- SessionIdentityProvider:
+ _links:
+ description: |-
+ Specifies link relations (see [Web Linking](https://datatracker.ietf.org/doc/html/rfc8288) available for the current status of a user.
+ The links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The links object is read-only.
+
+ For an individual user result, the links object contains a full set of link relations available for that user as determined by your policies.
+ For a collection of users, the links object contains only the `self` link. Operations that return a collection of users include List users and List group Members.
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ self:
+ description: URL to the individual user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ activate:
+ description: URL to activate the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ resetPassword:
+ description: URL to reset the user's password
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ resetFactors:
+ description: URL to reset the user's factors
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ expirePassword:
+ description: URL to expire the user's password
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ forgotPassword:
+ description: URL to initiate a forgot password operation
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ changeRecoveryQuestion:
+ description: URL to change the user's recovery question
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ description: URL to deactivate a user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ reactivate:
+ description: URL to reactivate the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ changePassword:
+ description: URL to change the user's password
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ schema:
+ description: URL to the user's profile schema
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ suspend:
+ description: URL to suspend the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ unsuspend:
+ description: URL to unsuspend the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ unlock:
+ description: URL to unlock the locked-out user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ type:
+ description: URL to the user type
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - readOnly: true
+ UserActivationToken:
type: object
properties:
- id:
+ activationToken:
type: string
readOnly: true
- type:
- $ref: '#/components/schemas/SessionIdentityProviderType'
- SessionIdentityProviderType:
- type: string
- x-okta-known-values:
- - ACTIVE_DIRECTORY
- - FEDERATION
- - LDAP
- - OKTA
- - SOCIAL
- SessionStatus:
- type: string
- x-okta-known-values:
- - ACTIVE
- - MFA_ENROLL
- - MFA_REQUIRED
- SignInPage:
- allOf:
- - $ref: '#/components/schemas/CustomizablePage'
- - type: object
- properties:
- type:
- $ref: '#/components/schemas/HostedPageType'
- url:
- type: string
- widgetCustomizations:
- type: object
- properties:
- signInLabel:
- type: string
- usernameLabel:
- type: string
- usernameInfoTip:
- type: string
- passwordLabel:
- type: string
- passwordInfoTip:
- type: string
- showPasswordVisibilityToggle:
- type: boolean
- showUserIdentifier:
- type: boolean
- forgotPasswordLabel:
- type: string
- forgotPasswordUrl:
- type: string
- unlockAccountLabel:
- type: string
- unlockAccountUrl:
- type: string
- helpLabel:
- type: string
- helpUrl:
- type: string
- customLink1Label:
- type: string
- customLink1Url:
- type: string
- customLink2Label:
- type: string
- customLink2Url:
- type: string
- authenticatorPageCustomLinkLabel:
- type: string
- authenticatorPageCustomLinkUrl:
- type: string
- classicRecoveryFlowEmailOrUsernameLabel:
- type: string
- widgetVersion:
- $ref: '#/components/schemas/Version'
- required:
- - type
- SignInPageTouchPointVariant:
- type: string
- x-okta-known-values:
- - BACKGROUND_IMAGE
- - BACKGROUND_SECONDARY_COLOR
- - OKTA_DEFAULT
- SignOnInlineHook:
- properties:
- id:
+ example: XE6wE17zmphl3KqAPFxO
+ description: |-
+ Token received as part of an activation user request. If a password was set before the user was activated, then user must sign in with their password or the `activationToken` and not the activation link. More information about using the `activationToken`
+ to login can be found in the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token).
+ activationUrl:
type: string
- readOnly: false
- SingleLogout:
+ readOnly: true
+ example: https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO
+ description: If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.
+ UserBlock:
+ description: Describes how the account is blocked from access. If `appliesTo` is `ANY_DEVICES`, then the account is blocked for all devices. If `appliesTo` is `UNKNOWN_DEVICES`, then the account is only blocked for unknown devices.
type: object
properties:
- enabled:
- type: boolean
- issuer:
+ appliesTo:
type: string
- logoutUrl:
+ readOnly: true
+ description: The devices that the block applies to
+ enum:
+ - ANY_DEVICES
+ - UNKNOWN_DEVICES
+ x-enumDescriptions:
+ ANY_DEVICES: The account is blocked for all devices
+ UNKNOWN_DEVICES: The account is only blocked for unknown devices
+ type:
type: string
- SmsTemplate:
+ readOnly: true
+ description: Type of access block
+ enum:
+ - DEVICE_BASED
+ UserCondition:
+ description: Specifies a set of Users to be included or excluded
+ type: object
+ properties:
+ exclude:
+ description: Users to be excluded
+ type: array
+ items:
+ type: string
+ include:
+ description: Users to be included
+ type: array
+ items:
+ type: string
+ required:
+ - exclude
+ - include
+ UserCredentials:
+ description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org.
+ type: object
+ properties:
+ password:
+ $ref: '#/components/schemas/PasswordCredential'
+ provider:
+ $ref: '#/components/schemas/AuthenticationProvider'
+ recovery_question:
+ $ref: '#/components/schemas/RecoveryQuestionCredential'
+ UserFactor:
type: object
properties:
created:
+ description: Timestamp when the Factor was enrolled
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
+ factorType:
+ $ref: '#/components/schemas/UserFactorType'
id:
+ description: ID of the Factor
type: string
+ example: caf8m6jbcvUH8mAep1d7
readOnly: true
lastUpdated:
+ description: Timestamp when the Factor was last updated
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
- name:
+ profile:
+ type: object
+ description: Specific attributes related to the Factor
+ provider:
+ $ref: '#/components/schemas/UserFactorProvider'
+ status:
+ $ref: '#/components/schemas/UserFactorStatus'
+ vendorName:
+ description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings.
type: string
- template:
+ example: OKTA
+ readOnly: true
+ _embedded:
+ type: object
+ additionalProperties:
+ type: object
+ properties: {}
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/UserFactorLinks'
+ discriminator:
+ propertyName: factorType
+ mapping:
+ call: '#/components/schemas/UserFactorCall'
+ email: '#/components/schemas/UserFactorEmail'
+ push: '#/components/schemas/UserFactorPush'
+ question: '#/components/schemas/UserFactorSecurityQuestion'
+ sms: '#/components/schemas/UserFactorSMS'
+ token: '#/components/schemas/UserFactorToken'
+ token:hardware: '#/components/schemas/UserFactorTokenHardware'
+ token:hotp: '#/components/schemas/UserFactorTokenHOTP'
+ token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP'
+ u2f: '#/components/schemas/UserFactorU2F'
+ web: '#/components/schemas/UserFactorWeb'
+ webauthn: '#/components/schemas/UserFactorWebAuthn'
+ hotp: '#/components/schemas/UserFactorTokenHOTP'
+ UserFactorActivatePush:
+ description: Activation requests have a short lifetime and expire if the activation isn't completed before the indicated timestamp. If the activation expires, use the returned `activate` link to restart the process.
+ type: object
+ properties:
+ expiresAt:
+ description: Timestamp when the Factor verification attempt expires
type: string
- translations:
- $ref: '#/components/schemas/SmsTemplateTranslations'
- type:
- $ref: '#/components/schemas/SmsTemplateType'
- SmsTemplateTranslations:
+ format: date-time
+ example: '2022-08-25T00:31:00.000Z'
+ readOnly: true
+ factorResult:
+ $ref: '#/components/schemas/UserFactorActivatePushResult'
+ readOnly: true
+ UserFactorActivatePushResult:
+ description: Result of a Factor activation
+ type: string
+ x-okta-known-values:
+ - CANCELLED
+ - ERROR
+ - TIMEOUT
+ - WAITING
+ UserFactorActivateRequest:
+ oneOf:
+ - title: call
+ description: Attempts to activate a `call` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: email
+ description: Attempts to activate an `email` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: push
+ type: object
+ nullable: true
+ description: |-
+ Sends an asynchronous push notification to the device for approval by the user. You must poll the transaction to determine the state of the activation. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus).
+
+ No request body is required for `push` Factors.
+
+ Activations have a short lifetime of several minutes and return a `TIMEOUT` if not completed before the timestamp specified in the `expiresAt` param. Use the published activate link to restart the activation process if the activation expires.
+ - title: sms
+ description: Attempts to activate an `sms` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token:software:totp
+ description: Attempts to activate a `token:software:totp` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: u2f
+ description: Activates a `u2f` Factor with the specified client and registration information from the U2F token
+ properties:
+ clientData:
+ type: string
+ description: Base64-encoded client data from the U2F token
+ example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ
+ registrationData:
+ type: string
+ description: Base64-encoded registration data from the U2F token
+ example: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew
+ - title: webauthn
+ description: Activates a `webauthn` Factor with the specified attestation and registration information from the WebAuthn authenticator
+ properties:
+ attestation:
+ type: string
+ description: Base64-encoded attestation from the WebAuthn authenticator
+ example: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ==
+ clientData:
+ type: string
+ description: Base64-encoded client data from the WebAuthn authenticator
+ example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0
type: object
- x-okta-extensible: true
- SmsTemplateType:
- type: string
- x-okta-known-values:
- - SMS_VERIFY_CODE
- SmsUserFactor:
+ UserFactorActivateResponse:
+ type: object
+ properties:
+ factorType:
+ description: Type of the Factor
+ type: string
+ enum:
+ - call
+ - email
+ - sms
+ - push
+ - token:software:totp
+ - u2f
+ - webauthn
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUser'
+ - $ref: '#/components/schemas/LinksVerify'
+ discriminator:
+ propertyName: factorType
+ mapping:
+ call: '#/components/schemas/UserFactorCall'
+ email: '#/components/schemas/UserFactorEmail'
+ sms: '#/components/schemas/UserFactorSMS'
+ push: '#/components/schemas/UserFactorPush'
+ token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP'
+ u2f: '#/components/schemas/UserFactorU2F'
+ webauthn: '#/components/schemas/UserFactorWebAuthn'
+ UserFactorCall:
+ title: call
allOf:
- $ref: '#/components/schemas/UserFactor'
- type: object
properties:
+ factorType:
+ example: call
profile:
- $ref: '#/components/schemas/SmsUserFactorProfile'
- SmsUserFactorProfile:
+ $ref: '#/components/schemas/UserFactorCallProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorCallProfile:
type: object
properties:
+ phoneExtension:
+ description: Extension of the associated `phoneNumber`
+ type: string
+ example: 1234
+ nullable: true
+ maxLength: 15
phoneNumber:
+ description: Phone number of the Factor. Format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/).
+ example: '+15554151337'
type: string
- SocialAuthToken:
+ pattern: ^\+[1-9]\d{1,14}$
+ maxLength: 15
+ UserFactorEmail:
+ title: email
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: email
+ profile:
+ $ref: '#/components/schemas/UserFactorEmailProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorEmailProfile:
type: object
properties:
- expiresAt:
- type: string
- format: date-time
- readOnly: true
- id:
- type: string
- readOnly: true
- scopes:
- type: array
- items:
- type: string
- token:
- type: string
- tokenAuthScheme:
- type: string
- tokenType:
+ email:
+ description: Email address of the user. This must be either the primary or secondary email address associated with the Okta user account.
+ maxLength: 100
+ example: z.cool@example.com
type: string
- SpCertificate:
- type: object
- properties:
- x5c:
- type: array
- items:
- type: string
- Subscription:
- type: object
- properties:
- channels:
- items:
- type: string
- type: array
- notificationType:
- $ref: '#/components/schemas/NotificationType'
- status:
- $ref: '#/components/schemas/SubscriptionStatus'
- _links:
- additionalProperties:
- type: object
- readOnly: true
- type: object
- SubscriptionStatus:
+ UserFactorLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksActivate'
+ - $ref: '#/components/schemas/LinksCancel'
+ - $ref: '#/components/schemas/LinksDeactivate'
+ - $ref: '#/components/schemas/LinksEnroll'
+ - $ref: '#/components/schemas/LinksFactor'
+ - $ref: '#/components/schemas/LinksPoll'
+ - $ref: '#/components/schemas/LinksQrcode'
+ - $ref: '#/components/schemas/LinksQuestions'
+ - $ref: '#/components/schemas/LinksResend'
+ - $ref: '#/components/schemas/LinksSend'
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUser'
+ - $ref: '#/components/schemas/LinksVerify'
+ readOnly: true
+ UserFactorPassCode:
+ description: OTP for the current time window
+ example: 1234567890
+ type: string
+ UserFactorProvider:
+ description: Provider for the Factor
type: string
x-okta-known-values:
- - subscribed
- - unsubscribed
- SwaApplicationSettings:
+ - CUSTOM
+ - DUO
+ - FIDO
+ - GOOGLE
+ - OKTA
+ - RSA
+ - SYMANTEC
+ - YUBICO
+ UserFactorPush:
+ title: push
allOf:
- - $ref: '#/components/schemas/ApplicationSettings'
+ - $ref: '#/components/schemas/UserFactor'
- type: object
properties:
- app:
- $ref: '#/components/schemas/SwaApplicationSettingsApplication'
- SwaApplicationSettingsApplication:
+ profile:
+ $ref: '#/components/schemas/UserFactorPushProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorPushProfile:
type: object
properties:
- buttonField:
- type: string
- buttonSelector:
- type: string
- checkbox:
- type: string
- extraFieldSelector:
- type: string
- extraFieldValue:
- type: string
- loginUrlRegex:
- type: string
- passwordField:
- type: string
- passwordSelector:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
type: string
- redirectUrl:
+ deviceToken:
+ description: Token used to identify the device
+ example: fwf7ku6bsiSCieh6y1d7
type: string
- targetURL:
+ deviceType:
+ description: Type of device
+ example: SmartPhone_IPhone
type: string
- url:
+ name:
+ description: Name of the device
+ example: My Phone
type: string
- usernameField:
+ platform:
+ description: OS version of the associated device
+ example: IOS
type: string
- userNameSelector:
+ version:
+ description: Installed version of Okta Verify
+ example: '9.0'
type: string
- TempPassword:
+ UserFactorPushTransaction:
type: object
properties:
- tempPassword:
+ factorResult:
+ description: Result of the verification transaction
type: string
- readOnly: true
- Theme:
+ enum:
+ - WAITING
+ - SUCCESS
+ - REJECTED
+ - TIMEOUT
+ discriminator:
+ propertyName: factorResult
+ mapping:
+ WAITING: '#/components/schemas/UserFactorPushTransactionWaiting'
+ SUCCESS: '#/components/schemas/UserFactorPushTransaction'
+ REJECTED: '#/components/schemas/UserFactorPushTransactionRejected'
+ TIMEOUT: '#/components/schemas/UserFactorPushTransactionTimeout'
+ UserFactorPushTransactionRejected:
+ allOf:
+ - $ref: '#/components/schemas/UserFactorPushTransaction'
+ - type: object
+ properties:
+ profile:
+ type: object
+ properties:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksVerify'
+ - type: object
+ properties:
+ factor:
+ $ref: '#/components/schemas/UserFactor'
+ UserFactorPushTransactionSuccess:
+ $ref: '#/components/schemas/UserFactorPushTransaction'
+ UserFactorPushTransactionTimeout:
+ allOf:
+ - $ref: '#/components/schemas/UserFactorPushTransaction'
+ - type: object
+ properties:
+ profile:
+ type: object
+ properties:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksVerify'
+ - type: object
+ properties:
+ factor:
+ $ref: '#/components/schemas/UserFactor'
+ UserFactorPushTransactionWaiting:
+ allOf:
+ - $ref: '#/components/schemas/UserFactorPushTransaction'
+ - type: object
+ properties:
+ profile:
+ type: object
+ properties:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksPoll'
+ - $ref: '#/components/schemas/LinksCancel'
+ UserFactorResultType:
+ description: Result of a Factor verification attempt
+ type: string
+ readOnly: true
+ x-okta-known-values:
+ - CANCELLED
+ - CHALLENGE
+ - ERROR
+ - FAILED
+ - PASSCODE_REPLAYED
+ - REJECTED
+ - SUCCESS
+ - TIMEOUT
+ - TIME_WINDOW_EXCEEDED
+ - WAITING
+ UserFactorSMS:
+ title: sms
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: sms
+ profile:
+ $ref: '#/components/schemas/UserFactorSMSProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorSMSProfile:
type: object
properties:
- backgroundImage:
- readOnly: true
- type: string
- emailTemplateTouchPointVariant:
- $ref: '#/components/schemas/EmailTemplateTouchPointVariant'
- endUserDashboardTouchPointVariant:
- $ref: '#/components/schemas/EndUserDashboardTouchPointVariant'
- errorPageTouchPointVariant:
- $ref: '#/components/schemas/ErrorPageTouchPointVariant'
- primaryColorContrastHex:
- type: string
- primaryColorHex:
- type: string
- secondaryColorContrastHex:
- type: string
- secondaryColorHex:
+ phoneNumber:
+ description: Phone number of the Factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/).
+ example: '+15554151337'
type: string
- signInPageTouchPointVariant:
- $ref: '#/components/schemas/SignInPageTouchPointVariant'
- _links:
- additionalProperties:
- type: object
- readOnly: true
- type: object
- ThemeResponse:
+ pattern: ^\+[1-9]\d{1,14}$
+ maxLength: 15
+ UserFactorSecurityQuestion:
+ title: question
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: question
+ profile:
+ $ref: '#/components/schemas/UserFactorSecurityQuestionProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorSecurityQuestionProfile:
type: object
properties:
- backgroundImage:
- readOnly: true
- type: string
- emailTemplateTouchPointVariant:
- $ref: '#/components/schemas/EmailTemplateTouchPointVariant'
- endUserDashboardTouchPointVariant:
- $ref: '#/components/schemas/EndUserDashboardTouchPointVariant'
- errorPageTouchPointVariant:
- $ref: '#/components/schemas/ErrorPageTouchPointVariant'
- favicon:
- readOnly: true
- type: string
- id:
- readOnly: true
- type: string
- logo:
- readOnly: true
- type: string
- primaryColorContrastHex:
- type: string
- primaryColorHex:
- type: string
- secondaryColorContrastHex:
- type: string
- secondaryColorHex:
+ answer:
+ description: Answer to the question
+ minLength: 4
type: string
- signInPageTouchPointVariant:
- $ref: '#/components/schemas/SignInPageTouchPointVariant'
- _links:
- additionalProperties:
- type: object
- readOnly: true
- type: object
- ThreatInsightConfiguration:
- type: object
- properties:
- action:
+ writeOnly: true
+ question:
+ description: Unique key for the question
+ example: disliked_food
+ enum:
+ - disliked_food
+ - name_of_first_plush_toy
+ - first_award
+ - favorite_security_question
+ - favorite_toy
+ - first_computer_game
+ - favorite_movie_quote
+ - first_sports_team_mascot
+ - first_music_purchase
+ - favorite_art_piece
+ - grandmother_favorite_desert
+ - first_thing_cooked
+ - childhood_dream_job
+ - first_kiss_location
+ - place_where_significant_other_was_met
+ - favorite_vacation_location
+ - new_years_two_thousand
+ - favorite_speaker_actor
+ - favorite_book_movie_character
+ - favorite_sports_player
type: string
- created:
+ questionText:
+ description: Human-readable text that's displayed to the user
+ example: What is the food you least liked as a child?
type: string
- format: date-time
readOnly: true
- excludeZones:
- type: array
- items:
- type: string
- lastUpdated:
+ UserFactorSignatureData:
+ description: Base64-encoded signature data from the WebAuthn authenticator
+ type: string
+ UserFactorStatus:
+ example: ACTIVE
+ description: Status of the Factor
+ type: string
+ readOnly: true
+ x-okta-known-values:
+ - ACTIVE
+ - DISABLED
+ - ENROLLED
+ - EXPIRED
+ - INACTIVE
+ - NOT_SETUP
+ - PENDING_ACTIVATION
+ UserFactorSupported:
+ type: object
+ properties:
+ enrollment:
type: string
- format: date-time
+ description: Indicates if the Factor is required for the specified user
+ example: OPTIONAL
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ factorType:
+ $ref: '#/components/schemas/UserFactorType'
+ provider:
+ $ref: '#/components/schemas/UserFactorProvider'
+ status:
+ $ref: '#/components/schemas/UserFactorStatus'
+ vendorName:
+ description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings.
+ type: string
+ example: OKTA
readOnly: true
- _links:
+ _embedded:
type: object
+ description: Embedded resources related to the Factor
additionalProperties:
type: object
properties: {}
readOnly: true
- TimeDuration:
- description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
- type: string
- pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$
- TokenAuthorizationServerPolicyRuleAction:
- type: object
- properties:
- accessTokenLifetimeMinutes:
- type: integer
- inlineHook:
- $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook'
- refreshTokenLifetimeMinutes:
- type: integer
- refreshTokenWindowMinutes:
- type: integer
- TokenAuthorizationServerPolicyRuleActionInlineHook:
+ _links:
+ $ref: '#/components/schemas/UserFactorLinks'
+ UserFactorToken:
+ title: token
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: token
+ profile:
+ $ref: '#/components/schemas/UserFactorTokenProfile'
+ provider:
+ enum:
+ - RSA
+ - SYMANTEC
+ verify:
+ oneOf:
+ - $ref: '#/components/schemas/UserFactorTokenVerifyRSA'
+ - $ref: '#/components/schemas/UserFactorTokenVerifySymantec'
+ UserFactorTokenFactorVerificationObject:
type: object
properties:
- id:
+ nextPassCode:
+ description: OTP for the next time window
type: string
- readOnly: false
- TokenUserFactor:
+ example: 678195
+ passCode:
+ description: OTP for the current time window
+ type: string
+ example: 875498
+ UserFactorTokenHOTP:
+ title: token:hotp
allOf:
- $ref: '#/components/schemas/UserFactor'
- type: object
properties:
+ factorProfileId:
+ description: ID of an existing Custom TOTP Factor profile. To create this, see [Custom TOTP Factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp).
+ type: string
+ factorType:
+ example: token:hotp
profile:
- $ref: '#/components/schemas/TokenUserFactorProfile'
- TokenUserFactorProfile:
+ $ref: '#/components/schemas/UserFactorTokenHOTPProfile'
+ provider:
+ enum:
+ - CUSTOM
+ UserFactorTokenHOTPProfile:
type: object
properties:
- credentialId:
+ sharedSecret:
+ description: Unique secret key used to generate the OTP
type: string
- TotpUserFactor:
+ example: 484f97be3213b117e3a20438e291540a
+ UserFactorTokenHardware:
+ title: token:hardware
allOf:
- $ref: '#/components/schemas/UserFactor'
- type: object
properties:
+ factorType:
+ example: token:hardware
profile:
- $ref: '#/components/schemas/TotpUserFactorProfile'
- TotpUserFactorProfile:
+ $ref: '#/components/schemas/UserFactorTokenProfile'
+ provider:
+ enum:
+ - YUBICO
+ verify:
+ type: object
+ properties:
+ passCode:
+ description: OTP for the current time window
+ type: string
+ example: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji
+ UserFactorTokenProfile:
type: object
properties:
credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
type: string
- TrustedOrigin:
+ UserFactorTokenSoftwareTOTP:
+ title: token:software:totp
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: token:software:totp
+ profile:
+ $ref: '#/components/schemas/UserFactorTokenProfile'
+ provider:
+ enum:
+ - OKTA
+ - GOOGLE
+ UserFactorTokenVerifyRSA:
+ title: RSA SecurID
type: object
properties:
- created:
- type: string
- format: date-time
- readOnly: true
- createdBy:
- type: string
- id:
- type: string
- readOnly: true
- lastUpdated:
- type: string
- format: date-time
- readOnly: true
- lastUpdatedBy:
- type: string
- name:
- type: string
- origin:
- type: string
- scopes:
- type: array
- items:
- $ref: '#/components/schemas/TrustedOriginScope'
- status:
+ passCode:
+ description: OTP for the current time window
type: string
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- TrustedOriginScope:
+ example: 5275875498
+ UserFactorTokenVerifySymantec:
+ title: Symantec VIP
type: object
properties:
- allowedOktaApps:
- type: array
- items:
- $ref: '#/components/schemas/IframeEmbedScopeAllowedApps'
- type:
- $ref: '#/components/schemas/TrustedOriginScopeType'
- TrustedOriginScopeType:
+ nextPassCode:
+ description: OTP for the next time window
+ type: integer
+ example: 3956685498
+ passCode:
+ description: OTP for the current time window
+ type: string
+ example: 5275875498
+ UserFactorType:
+ description: Type of Factor
type: string
x-okta-known-values:
- - CORS
- - IFRAME_EMBED
- - REDIRECT
- U2fUserFactor:
+ - call
+ - email
+ - push
+ - question
+ - signed_nonce
+ - sms
+ - token
+ - token:hardware
+ - token:hotp
+ - token:software:totp
+ - u2f
+ - web
+ - webauthn
+ UserFactorU2F:
+ title: u2f
allOf:
- $ref: '#/components/schemas/UserFactor'
- type: object
properties:
+ factorType:
+ example: u2f
profile:
- $ref: '#/components/schemas/U2fUserFactorProfile'
- U2fUserFactorProfile:
+ $ref: '#/components/schemas/UserFactorU2FProfile'
+ provider:
+ enum:
+ - FIDO
+ UserFactorU2FProfile:
type: object
properties:
credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
type: string
- UpdateEmailDomain:
- allOf:
- - $ref: '#/components/schemas/BaseEmailDomain'
- UpdateUserRequest:
- type: object
- properties:
- credentials:
- $ref: '#/components/schemas/UserCredentials'
- profile:
- $ref: '#/components/schemas/UserProfile'
- User:
+ UserFactorVerifyRequest:
+ oneOf:
+ - title: call
+ description: Verifies an OTP sent by a `call` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone.
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: sms
+ description: Verifies an OTP sent by an `sms` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone.
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: push
+ type: object
+ nullable: true
+ description: Sends an asynchronous push notification to the device for approval by the user. You must poll the transaction to determine the state of the verification. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus).
+ - title: email
+ description: Verifies an OTP sent by an `email` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone.
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: question
+ description: Verifies an answer to a `question` Factor
+ properties:
+ answer:
+ description: Answer to the question
+ minLength: 4
+ type: string
+ writeOnly: true
+ - title: token:software:totp
+ description: Verifies an OTP for a `token:software:totp` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token:hotp
+ description: Verifies an OTP for a `token:hotp` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token:hardware
+ description: Verifies an OTP for a `token:hardware` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token
+ description: Verifies an OTP for a `token` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: u2f
+ description: Verifies a `u2f` Factor challenge by posting a signed assertion using the challenge `nonce`
+ properties:
+ clientData:
+ type: string
+ description: Base64-encoded client data from the U2F token
+ example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ
+ signatureData:
+ description: Base64-encoded signature data from the U2F token
+ - title: webauthn
+ description: Verifies a `webauthn` Factor challenge by posting a signed assertion using the challenge `nonce`
+ properties:
+ authenticatorData:
+ description: Base64-encoded authenticator data from the WebAuthn authenticator
+ type: string
+ clientData:
+ type: string
+ description: Base64-encoded client data from the WebAuthn authenticator
+ example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0
+ signatureData:
+ type: string
+ description: Base64-encoded signature data from the WebAuthn authenticator
+ UserFactorVerifyResponse:
type: object
properties:
- activated:
- type: string
- format: date-time
- readOnly: true
- nullable: true
- created:
- type: string
- format: date-time
- readOnly: true
- credentials:
- $ref: '#/components/schemas/UserCredentials'
- id:
- type: string
- readOnly: true
- lastLogin:
- type: string
- format: date-time
- readOnly: true
- nullable: true
- lastUpdated:
+ expiresAt:
+ description: Timestamp when the verification expires
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
- passwordChanged:
+ factorMessage:
+ description: Optional display message for Factor verification
type: string
- format: date-time
readOnly: true
nullable: true
- profile:
- $ref: '#/components/schemas/UserProfile'
- status:
- $ref: '#/components/schemas/UserStatus'
- statusChanged:
- type: string
- format: date-time
+ factorResult:
+ $ref: '#/components/schemas/UserFactorVerifyResult'
readOnly: true
- nullable: true
- transitioningToStatus:
- $ref: '#/components/schemas/UserStatus'
- type:
- $ref: '#/components/schemas/UserType'
_embedded:
type: object
additionalProperties:
@@ -20504,98 +66830,154 @@ components:
properties: {}
readOnly: true
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- UserActivationToken:
+ $ref: '#/components/schemas/UserFactorLinks'
+ UserFactorVerifyResult:
+ description: Result of a Factor verification
+ type: string
+ x-enumDescriptions:
+ CANCELED: User cancelled the verification
+ CHALLENGE: Okta issued a verification challenge
+ ERROR: Verification encountered an unexpected server error
+ EXPIRED: User didn't complete the verification within the allowed time window
+ FAILED: Verification failed
+ PASSCODE_REPLAYED: User previously verified the Factor within the same time window. Another verification is required during another time window.
+ REJECTED: User rejected the verification
+ SUCCESS: User completed the verification
+ TIMEOUT: Okta didn't complete the verification within the allowed time window
+ TIME_WINDOW_EXCEEDED: User completed the verification outside of the allowed time window. Another verification is required.
+ WAITING: Verification is in progress
+ x-okta-known-values:
+ - CHALLENGE
+ - ERROR
+ - EXPIRED
+ - FAILED
+ - PASSCODE_REPLAYED
+ - REJECTED
+ - SUCCESS
+ - TIMEOUT
+ - TIME_WINDOW_EXCEEDED
+ - WAITING
+ UserFactorWeb:
+ title: web
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: web
+ profile:
+ $ref: '#/components/schemas/UserFactorWebProfile'
+ provider:
+ enum:
+ - DUO
+ UserFactorWebAuthn:
+ title: webauthn
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: webauthn
+ profile:
+ $ref: '#/components/schemas/UserFactorWebAuthnProfile'
+ provider:
+ enum:
+ - FIDO
+ UserFactorWebAuthnProfile:
type: object
properties:
- activationToken:
+ authenticatorName:
+ description: Human-readable name of the authenticator
+ example: MacBook Touch ID
type: string
- readOnly: true
- activationUrl:
+ credentialId:
+ description: ID for the Factor credential
+ example: AHoOEhwvYiMv6SSwLp7KYRNttXtg_kYgQoQiEIWPFH_T3Ztp5Vj3bQ5H0LypIFR8ka8kfiCJ3I5qVpxrsd6JTMWKcE3xNh_U2QVF0Kwlan8Fiw
type: string
- readOnly: true
- UserCondition:
- type: object
- properties:
- exclude:
- type: array
- items:
- type: string
- include:
- type: array
- items:
- type: string
- UserCredentials:
+ UserFactorWebProfile:
type: object
properties:
- password:
- $ref: '#/components/schemas/PasswordCredential'
- provider:
- $ref: '#/components/schemas/AuthenticationProvider'
- recovery_question:
- $ref: '#/components/schemas/RecoveryQuestionCredential'
- UserFactor:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ UserFactorYubikeyOtpToken:
type: object
properties:
created:
+ description: Timestamp when the Token was created
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
- factorType:
- $ref: '#/components/schemas/FactorType'
id:
+ description: ID of the Token
type: string
+ example: ykkwcx13nrDq8g4oy0g3
readOnly: true
lastUpdated:
+ description: Timestamp when the Token was last updated
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
- provider:
- $ref: '#/components/schemas/FactorProvider'
- status:
- $ref: '#/components/schemas/FactorStatus'
- verify:
- $ref: '#/components/schemas/VerifyFactorRequest'
- _embedded:
+ lastVerified:
+ description: Timestamp when the Token was last verified
+ type: string
+ format: date-time
+ example: '2022-08-25T00:31:00.000Z'
+ readOnly: true
+ profile:
type: object
+ description: Specified profile information for token
additionalProperties:
type: object
properties: {}
- readOnly: true
- _links:
+ status:
+ description: Token status
+ type: string
+ enum:
+ - BLOCKED
+ - UNASSIGNED
+ - ACTIVE
+ - REVOKED
+ - DELETED
+ - INACTIVE
+ _embedded:
type: object
additionalProperties:
type: object
properties: {}
- readOnly: true
- discriminator:
- propertyName: factorType
- mapping:
- call: '#/components/schemas/CallUserFactor'
- email: '#/components/schemas/EmailUserFactor'
- push: '#/components/schemas/PushUserFactor'
- question: '#/components/schemas/SecurityQuestionUserFactor'
- sms: '#/components/schemas/SmsUserFactor'
- token: '#/components/schemas/TokenUserFactor'
- token:hardware: '#/components/schemas/HardwareUserFactor'
- token:hotp: '#/components/schemas/CustomHotpUserFactor'
- token:software:totp: '#/components/schemas/TotpUserFactor'
- u2f: '#/components/schemas/U2fUserFactor'
- web: '#/components/schemas/WebUserFactor'
- webauthn: '#/components/schemas/WebAuthnUserFactor'
- hotp: '#/components/schemas/CustomHotpUserFactor'
+ _links:
+ $ref: '#/components/schemas/UserFactorLinks'
+ UserGetSingleton:
+ allOf:
+ - $ref: '#/components/schemas/User'
+ - type: object
+ properties:
+ _embedded:
+ type: object
+ description: The embedded resources related to the object if the `expand` query parameter is specified
+ properties:
+ blocks:
+ type: array
+ description: A list of access block details for the user account
+ items:
+ $ref: '#/components/schemas/UserBlock'
UserIdentifierConditionEvaluatorPattern:
+ description: Used in the User Identifier Condition object. Specifies the details of the patterns to match against.
type: object
properties:
matchType:
$ref: '#/components/schemas/UserIdentifierMatchType'
value:
type: string
+ description: The regular expression or simple match string
+ required:
+ - matchType
+ - value
UserIdentifierMatchType:
+ description: The type of pattern. For regex, use `EXPRESSION`.
type: string
x-okta-known-values:
- CONTAINS
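Review bot: `UserFactorVerifyResult` documents `CANCELED` under `x-enumDescriptions` (`CANCELED: User cancelled the verification`) but the `x-okta-known-values` list immediately below omits it, so a generated client will treat a cancelled verification as an unrecognised result and may fall into whatever "unknown" branch it has instead of the cancel path. Either add `- CANCELED` to `x-okta-known-values` or drop the description, whichever matches what the service actually returns; the two lists should be kept in lockstep since one drives docs and the other drives client enums.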
@@ -20604,17 +66986,23 @@ components:
- STARTS_WITH
- SUFFIX
UserIdentifierPolicyRuleCondition:
+ description: Specifies a user identifier condition to match on
type: object
properties:
attribute:
type: string
+ description: The name of the profile attribute to match against. Only used when type is `ATTRIBUTE`.
patterns:
type: array
items:
$ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern'
type:
$ref: '#/components/schemas/UserIdentifierType'
+ required:
+ - patterns
+ - type
UserIdentifierType:
+ description: What to match against, either user ID or an attribute in the user's Okta profile.
type: string
x-okta-known-values:
- ATTRIBUTE
@@ -20624,6 +67012,164 @@ components:
properties:
externalId:
type: string
+ description: Unique IdP-specific identifier for a User
+ example: '121749775026145'
+ UserImportRequest:
+ type: object
+ properties:
+ data:
+ $ref: '#/components/schemas/UserImportRequestData'
+ eventType:
+ type: string
+ description: The type of inline hook. The user import inline hook type is `com.okta.import.transform`.
+ source:
+ description: The ID of the user import inline hook
+ type: string
+ UserImportRequestData:
+ type: object
+ properties:
+ action:
+ type: object
+ description: The object that specifies the default action Okta is set to take
+ properties:
+ result:
+ description: |-
+ The current default action that results when Okta imports a user. The two possible values are `CREATE_USER` and `LINK_USER`. You
+ can change the action that is taken by means of the commands object you return.
+ type: string
+ enum:
+ - CREATE_USER
+ - LINK_USER
+ x-enumDescriptions:
+ CREATE_USER: A new Okta user profile is created for the user
+ LINK_USER: The user is treated as a match for the existing Okta user identified by the value of `data.user.id`
+ appUser:
+ type: object
+ description: The app user profile being imported
+ properties:
+ profile:
+ type: object
+ description: |-
+ Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change
+ the values of attributes in the user's app profile by means of the `commands` object you return. If you change attributes in the app
+ profile, they then flow through to the Okta user profile, based on matching and mapping rules.
+ additionalProperties:
+ type: string
+ context:
+ type: object
+ properties:
+ conflicts:
+ description: An array of user profile attributes that are in conflict
+ type: array
+ items:
+ additionalProperties: true
+ type: string
+ application:
+ type: object
+ description: Details of the app from which the user is being imported
+ properties:
+ name:
+ type: string
+ description: The app name
+ id:
+ type: string
+ description: The app ID
+ label:
+ type: string
+ description: The user-defined display name for the app
+ status:
+ type: string
+ description: The status of the app
+ enum:
+ - ACTIVE
+ - INACTIVE
+ job:
+ type: object
+ description: The details of the running import job
+ properties:
+ id:
+ type: string
+ description: The ID number of the import job
+ type:
+ type: string
+ description: The type of import job
+ matches:
+ type: array
+ description: The list of Okta users currently matched to the app user based on import matching. There can be more than one match.
+ items:
+ additionalProperties: true
+ type: string
+ policy:
+ type: array
+ description: The list of any policies that apply to the import matching
+ items:
+ additionalProperties: true
+ type: string
+ user:
+ type: object
+ description: |-
+ Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching
+ rules and attribute mappings that were applied.
+ properties:
+ profile:
+ description: |-
+ The `data.user.profile` contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing
+ Okta user, a `data.user.id` object is included, containing the unique identifier of the Okta user profile.
+
+ You can change the values of the attributes by means of the `commands` object you return.
+ type: object
+ additionalProperties:
+ type: string
+ UserImportRequestExecute:
+ description: User import inline hook request
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/UserImportRequest'
+ UserImportResponse:
+ type: object
+ properties:
+ commands:
+ description: |-
+ The `commands` object is where you can provide commands to Okta. It is an array that allows you to send multiple commands.
+ Each array element needs to consist of a type-value pair.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ description: |-
+ The command types supported for the import inline hook.
+ When using the `com.okta.action.update` command to specify that the user should be treated as a match, you need to also provide a `com.okta.user.update` command that sets the ID of the Okta user.
+ type: string
+ enum:
+ - com.okta.appUser.profile.update
+ - com.okta.user.profile.update
+ - com.okta.action.update
+ - com.okta.user.update
+ x-enumDescriptions:
+ com.okta.appUser.profile.update: Change values of attributes in the user's app user profile
+ com.okta.user.profile.update: Change values of attributes in the user's Okta user profile
+ com.okta.action.update: Specify whether to create a new Okta user for the user being imported or treat them as a match of an existing Okta user
+ com.okta.user.update: Specify the existing Okta user that the imported user should be treated as a match of.
+ value:
+ description: |-
+ The `value` object is the parameter to pass to the command. In the case of the `com.okta.appUser.profile.update` and `com.okta.user.profile.update` commands,
+ the parameter should be a list of one or more profile attributes and the values you wish to set them to. In the case of the `com.okta.action.update` command,
+ the parameter should be a `result` property set to either `CREATE_USER` or `LINK_USER`.
+ type: object
+ additionalProperties:
+ type: string
+ error:
+ description: |-
+ An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log.
+ The string supplied in the `errorSummary` property is recorded in the System Log event.
+
+ >**Note:** If a response to an import inline hook request is not received from your external service within three seconds, a timeout occurs. In this scenario, the Okta import process continues and the user is created.
+ type: object
+ properties:
+ errorSummary:
+ description: A human-readable summary of the error
+ type: string
UserLifecycleAttributePolicyRuleCondition:
type: object
properties:
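Review bot: The `value` description on `UserImportResponse.commands` explains the payload for `com.okta.appUser.profile.update`, `com.okta.user.profile.update` and `com.okta.action.update` but says nothing about `com.okta.user.update`, which is the command that binds the imported app user to an existing Okta account — the one an integrator most needs to get right, since a wrong identifier links the import to someone else's user. Suggest adding a sentence describing the property that carries the existing Okta user's ID for that command, with the exact name confirmed against the service rather than guessed here. Separately, `conflicts`, `matches` and `policy` declare their items as `type: string` together with `additionalProperties: true`, which has no meaning on a string; given `matches` is described as a list of Okta users, `type: object` was presumably intended for at least that one.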
@@ -20631,21 +67177,31 @@ components:
type: string
matchingValue:
type: string
+ UserLockoutSettings:
+ type: object
+ properties:
+ preventBruteForceLockoutFromUnknownDevices:
+ type: boolean
+ description: Prevents brute-force lockout from unknown devices for the password authenticator.
+ default: false
UserNextLogin:
type: string
x-okta-known-values:
- changePassword
UserPolicyRuleCondition:
+ description: Specifies a set of Users to be included or excluded
type: object
properties:
exclude:
type: array
+ description: Users to be excluded
items:
type: string
inactivity:
$ref: '#/components/schemas/InactivityPolicyRuleCondition'
include:
type: array
+ description: Users to be included
items:
type: string
lifecycleExpiration:
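Review bot: The description of `preventBruteForceLockoutFromUnknownDevices` only restates the property name; someone tuning lockout policy needs to know what counts as an "unknown device", which lockout counter the flag affects, and what the `false` default means for users being password-sprayed from unfamiliar devices. Suggest expanding it along the lines of `When true, failed password attempts from devices Okta has not previously seen for this user do not count toward the account lockout threshold, so an attacker cannot lock out legitimate users; when false (default), all failed attempts count.` — the exact semantics should be confirmed against product behaviour rather than inferred from the name as I have done.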
@@ -20655,179 +67211,401 @@ components:
userLifecycleAttribute:
$ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition'
UserProfile:
- type: object
additionalProperties: true
+ description: |-
+ Specifies the default and custom profile properties for a user.
+
+ The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643).
+
+ The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications.
+
+ You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it.
+ You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions.
+
+ Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting.
+ type: object
properties:
city:
type: string
+ description: The city or locality of the user's address (`locality`)
maxLength: 128
nullable: true
costCenter:
type: string
+ description: Name of the cost center assigned to a user
+ nullable: true
countryCode:
+ description: The country name component of the user's address (`country`). For validation, see [ISO 3166-1 alpha 2 "short" code format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166).
type: string
maxLength: 2
nullable: true
department:
type: string
+ description: Name of the user's department
displayName:
type: string
+ description: Name of the user suitable for display to end users
+ nullable: true
division:
type: string
+ description: Name of the user's division
+ nullable: true
email:
type: string
+ description: The primary email address of the user. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
format: email
minLength: 5
maxLength: 100
employeeNumber:
+ description: The organization or company assigned unique identifier for the user
type: string
firstName:
type: string
+ description: Given name of the user (`givenName`)
minLength: 1
maxLength: 50
nullable: true
honorificPrefix:
type: string
+ description: Honorific prefix(es) of the user, or title in most Western languages
+ nullable: true
honorificSuffix:
type: string
+ description: Honorific suffix(es) of the user
+ nullable: true
lastName:
type: string
+ description: The family name of the user (`familyName`)
minLength: 1
maxLength: 50
nullable: true
locale:
- $ref: '#/components/schemas/Language'
+ type: string
+ description: |-
+ The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on.
+ A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example, en_US specifies the language English and country US. This value is `en_US` by default.
login:
type: string
- maxLength: 100
+ description: |-
+ The unique identifier for the user (`username`). For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation).
+
+ Every user within your Okta org must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future.
+
+ Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáà c.bröck@example.com.
+
+ Okta has a default ambiguous name resolution policy for usernames that include @-signs. (By default, usernames must be formatted as email addresses and thus always include @-signs. You can remove that restriction using either the Admin Console or the Schemas API (opens new window).) Users can sign in with their non-qualified short name (for example: isaac.brock with username isaac.brock@example.com) as long as the short name is still unique within the organization.
+ maxLength: 100
+ minLength: 5
manager:
type: string
+ description: The `displayName` of the user's manager
+ nullable: true
managerId:
type: string
+ description: The `id` of the user's manager
+ nullable: true
middleName:
type: string
+ description: The middle name of the user
+ nullable: true
mobilePhone:
type: string
+ description: The mobile phone number of the user
maxLength: 100
+ minLength: 0
nullable: true
nickName:
type: string
+ description: The casual way to address the user in real life
+ nullable: true
organization:
type: string
+ description: Name of the the user's organization
+ nullable: true
postalAddress:
type: string
+ description: Mailing address component of the user's address
maxLength: 4096
nullable: true
preferredLanguage:
type: string
+ description: The user's preferred written or spoken language. For validation, see [RFC 7231 Section 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5).
+ nullable: true
primaryPhone:
type: string
+ description: The primary phone number of the user such as a home number
maxLength: 100
+ minLength: 0
nullable: true
profileUrl:
type: string
+ description: The URL of the user's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808).
+ nullable: true
secondEmail:
type: string
format: email
+ description: The secondary email address of the user typically used for account recovery. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
minLength: 5
maxLength: 100
nullable: true
state:
type: string
+ description: The state or region component of the user's address (`region`)
maxLength: 128
nullable: true
streetAddress:
type: string
+ description: The full street address component of the user's address
maxLength: 1024
nullable: true
timezone:
type: string
+ description: The user's time zone
+ nullable: true
title:
type: string
+ description: The user's title, such as Vice President
+ nullable: true
userType:
type: string
+ description: The property used to describe the organization-to-user relationship, such as employee or contractor
+ nullable: true
zipCode:
type: string
+ description: The ZIP code or postal code component of the user's address (`postalCode`)
maxLength: 50
nullable: true
+ UserProvisioningApplicationFeature:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationFeature'
+ - type: object
+ - properties:
+ capabilities:
+ $ref: '#/components/schemas/CapabilitiesObject'
+ UserResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ title:
+ type: string
+ description: Link name
+ example: SAML Jackson
+ UserRiskGetResponse:
+ type: object
+ properties:
+ riskLevel:
+ $ref: '#/components/schemas/UserRiskLevelAll'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUserRef'
+ discriminator:
+ propertyName: riskLevel
+ mapping:
+ HIGH: '#/components/schemas/UserRiskLevelExists'
+ MEDIUM: '#/components/schemas/UserRiskLevelExists'
+ LOW: '#/components/schemas/UserRiskLevelExists'
+ NONE: '#/components/schemas/UserRiskLevelNone'
+ UserRiskLevelAll:
+ description: The risk level associated with the user
+ type: string
+ x-okta-known-values:
+ - HIGH
+ - LOW
+ - MEDIUM
+ - NONE
+ UserRiskLevelExists:
+ allOf:
+ - $ref: '#/components/schemas/UserRiskGetResponse'
+ - type: object
+ properties:
+ reason:
+ $ref: '#/components/schemas/UserRiskReason'
+ UserRiskLevelNone:
+ allOf:
+ - $ref: '#/components/schemas/UserRiskGetResponse'
+ UserRiskLevelPut:
+ description: The risk level associated with the user
+ type: string
+ x-okta-known-values:
+ - HIGH
+ - LOW
+ UserRiskPutResponse:
+ type: object
+ properties:
+ reason:
+ $ref: '#/components/schemas/UserRiskReason'
+ riskLevel:
+ $ref: '#/components/schemas/UserRiskLevelPut'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUserRef'
+ UserRiskReason:
+ description: Describes the risk level for the user
+ example: Admin override risk
+ type: string
+ UserRiskRequest:
+ type: object
+ properties:
+ riskLevel:
+ type: string
+ description: The risk level associated with the user
+ enum:
+ - HIGH
+ - LOW
UserSchema:
type: object
properties:
$schema:
type: string
readOnly: true
+ description: JSON Schema version identifier
created:
type: string
readOnly: true
+ description: Timestamp when the Schema was created
definitions:
- $ref: '#/components/schemas/UserSchemaDefinitions'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaDefinitions'
+ description: |-
+ User Profile subschemas
+
+ The Profile object for a User is defined by a composite Schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. Custom property names for the Profile object must be unique and can't conflict with a property name defined in the `#base` subschema.
id:
type: string
readOnly: true
+ description: URI of User Schema
lastUpdated:
type: string
readOnly: true
+ description: Timestamp when the Schema was last updated
name:
type: string
readOnly: true
+ description: Name of the Schema
properties:
- $ref: '#/components/schemas/UserSchemaProperties'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaProperties'
+ description: User Object Properties
title:
type: string
+ description: User-defined display name for the Schema
type:
type: string
readOnly: true
+ description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4)
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
+ $ref: '#/components/schemas/LinksSelf'
UserSchemaAttribute:
type: object
properties:
description:
type: string
+ description: Description of the property
enum:
type: array
+ nullable: true
+ description: |-
+ Enumerated value of the property.
+
+ The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements.
items:
- type: string
+ anyOf:
+ - type: string
+ - type: integer
externalName:
type: string
+ description: |-
+ Name of the property as it exists in an external application
+
+ **NOTE**: When you add a custom property, only Identity Provider app user schemas require `externalName` to be
+ included in the request body. If an existing custom Identity Provider app user schema property has an empty
+ `externalName`, requests aren't allowed to update other properties until the `externalName` is defined.
externalNamespace:
type: string
- items:
- $ref: '#/components/schemas/UserSchemaAttributeItems'
+ description: Namespace from the external application
+ format:
+ description: Identifies the type of data represented by the string
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeFormat'
master:
- $ref: '#/components/schemas/UserSchemaAttributeMaster'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMaster'
+ description: Identifies where the property is mastered
maxLength:
type: integer
+ description: Maximum character length of a string property
+ nullable: true
minLength:
type: integer
+ description: Minimum character length of a string property
+ nullable: true
mutability:
- type: string
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString'
+ description: Defines the mutability of the property
oneOf:
type: array
+ nullable: true
+ description: |-
+ Non-empty array of valid JSON schemas.
+
+ Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format:
+
+ ```
+ {
+ "const": "enumValue",
+ "title": "display name"
+ }
+ ```json
+
+ When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order.
+
+ ```
+ {"enum": ["S","M","L","XL"],
+ "oneOf": [
+ {"const": "S", "title": "Small"},
+ {"const": "M", "title": "Medium"},
+ {"const": "L", "title": "Large"},
+ {"const": "XL", "title": "Extra Large"}
+ ]
+ }
+ ```json
+
+ The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value.
items:
$ref: '#/components/schemas/UserSchemaAttributeEnum'
pattern:
type: string
+ description: For `string` property types, specifies the regular expression used to validate the property
permissions:
type: array
+ nullable: true
+ description: Access control permissions for the property
items:
$ref: '#/components/schemas/UserSchemaAttributePermission'
required:
type: boolean
+ nullable: true
+ description: Determines whether the property is required
scope:
$ref: '#/components/schemas/UserSchemaAttributeScope'
title:
type: string
+ minLength: 1
+ description: User-defined display name for the property
type:
- $ref: '#/components/schemas/UserSchemaAttributeType'
- union:
- $ref: '#/components/schemas/UserSchemaAttributeUnion'
+ description: Type of property
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeType'
unique:
- type: string
+ description: Determines whether property values must be unique
+ type: boolean
+ nullable: true
x-okta-allow-null-property-value-for-updates: true
UserSchemaAttributeEnum:
type: object
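Review bot: In the `oneOf` description of `UserSchemaAttribute` both Markdown fences are inverted: each example opens with a bare ``` and closes with ```json, so a renderer will treat the ```json as the start of a new code block and the prose that follows (the `When enum is used in conjunction with oneOf` sentence and the final paragraph) ends up rendered as code. Move the language tag to the opening fence, i.e. open with ```json and close with a bare ```. Also, `UserProvisioningApplicationFeature` splits `- type: object` and `- properties:` into two separate `allOf` subschemas; that validates but reads as an accident, and nesting `properties` under the `type: object` entry matches every other `allOf` in this hunk.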
@@ -20836,6 +67614,19 @@ components:
type: string
title:
type: string
+ UserSchemaAttributeFormat:
+ type: string
+ x-okta-known-values:
+ - country-code
+ - date-time
+ - email
+ - encrypted
+ - hashed
+ - language-code
+ - locale
+ - ref-id
+ - timezone
+ - uri
UserSchemaAttributeItems:
type: object
properties:
@@ -20850,6 +67641,7 @@ components:
type:
type: string
UserSchemaAttributeMaster:
+ nullable: true
type: object
properties:
priority:
@@ -20871,13 +67663,22 @@ components:
- OKTA
- OVERRIDE
- PROFILE_MASTER
+ UserSchemaAttributeMutabilityString:
+ type: string
+ x-okta-known-values:
+ - IMMUTABLE
+ - READ_ONLY
+ - READ_WRITE
+ - WRITE_ONLY
UserSchemaAttributePermission:
type: object
properties:
action:
type: string
+ description: Determines whether the principal can view or modify the property
principal:
type: string
+ description: Security principal
UserSchemaAttributeScope:
type: string
x-okta-known-values:
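Review bot: `UserSchemaAttributePermission.action` and `.principal` are bare `type: string` fields whose descriptions say they decide who can view or modify a profile attribute, yet unlike the neighbouring `UserSchemaAttributeMutabilityString` (which lists `IMMUTABLE`, `READ_ONLY`, `READ_WRITE`, `WRITE_ONLY`) they carry no `x-okta-known-values`. If the accepted actions and principals are a fixed set, listing them here lets generated clients validate access-control settings instead of passing arbitrary strings through; I have not inferred the set from this hunk, so the values should come from the service definition.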
@@ -20891,89 +67692,169 @@ components:
- integer
- number
- string
- UserSchemaAttributeUnion:
- type: string
- x-okta-known-values:
- - DISABLE
- - ENABLE
UserSchemaBase:
+ description: |-
+ All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. You can't modify these properties, except to update permissions, to change the nullability of `firstName` and `lastName`, or to specify a pattern for `login`. They can't be removed.
+
+ The base User Profile is based on the [System for Cross-domain Identity Management: Core Schema](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#section-4.1.1) and has the standard properties detailed below.
type: object
properties:
id:
type: string
+ description: The subschema name
+ readOnly: true
properties:
- $ref: '#/components/schemas/UserSchemaBaseProperties'
+ description: The `#base` object properties
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaBaseProperties'
required:
type: array
+ description: A collection indicating required property names
+ readOnly: true
items:
type: string
type:
type: string
+ description: The object type
+ readOnly: true
UserSchemaBaseProperties:
type: object
properties:
city:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: City or locality component of the User's address (`locality`)
costCenter:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of a cost center assigned to the User
countryCode:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Country name component of the User's address (`country`.) This property uses [ISO 3166-1 alpha 2 "short" code format](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166).
department:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User's department
displayName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User, suitable for display to end Users
division:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User's division
email:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Primary email address of the User. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
employeeNumber:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Organization or company assigned unique identifier for the User
firstName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Given name of the User (`givenName`)
honorificPrefix:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Honorific prefix(es) of the User or title in most Western languages
honorificSuffix:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Honorific suffix(es) of the User
lastName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Family name of the User (`familyName`)
locale:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: |-
+ User's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on.
+
+ A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example: `en_US` specifies the language English and country US. This value is `en_US` by default.
login:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: |-
+ Unique identifier for the User (`username`)
+
+ The login property is validated according to its pattern attribute, which is a string. By default, the attribute is null. When the attribute is null, the username is required to be formatted as an email address as defined by [RFC 6531 Section 3.3](http://tools.ietf.org/html/rfc6531#section-3.3). The pattern can be set through the API to one of the following forms. (The Admin Console provides access to the same forms.)
+ * A login pattern of `".+"` indicates that there is no restriction on usernames. Any non-empty, unique value is permitted, and the minimum length of five isn't enforced. In this case, usernames don't need to include the `@` character. If a name does include `@`, the portion ahead of the `@` can be used for logging in, provided it identifies a unique User within the org.
+ * A login pattern of the form `"[...]+"` indicates that usernames must only contain characters from the set given between the brackets. The enclosing brackets and final `+` are required for this form. Character ranges can be indicated using hyphens. To include the hyphen itself in the allowed set, the hyphen must appear first. Any characters in the set except the hyphen, a-z, A-Z, and 0-9 must be preceded by a backslash (`\`). For example, `"[a-z13579\.]+"` would restrict usernames to lowercase letters, odd digits, and periods, while `"[-a-zA-Z0-9]+"` would allow basic alphanumeric characters and hyphens.
manager:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: The `displayName` of the User's manager
managerId:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: The `id` of the User's manager
middleName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Middle name(s) of the User
mobilePhone:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Mobile phone number of the User
nickName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Casual way to address the User in real life
organization:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User's organization
postalAddress:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Mailing address component of the User's address
preferredLanguage:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: User's preferred written or spoken languages. This property is formatted according to [RFC 7231 Section 5.3.5](https://tools.ietf.org/html/rfc7231#section-5.3.5).
primaryPhone:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Primary phone number of the User, such as home number
profileUrl:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: URL of the User's online Profile (for example, a web page.) This property is formatted according to the [Relative Uniform Resource Locators specification](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166).
secondEmail:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Secondary email address of the User typically used for account recovery. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
state:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: State or region component of the User's address (`region`)
streetAddress:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Full street address component of the User's address
timezone:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: User's time zone. This property is formatted according to the [IANA Time Zone database format](https://tools.ietf.org/html/rfc6557).
title:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: User's title, such as "Vice President"
userType:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: |-
+ Used to describe the organization to the User relationship such as "Employee" or "Contractor".
+
+ **Note:** The `userType` field is an arbitrary string value and isn't related to the newer [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature.
zipCode:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: ZIP code or postal code component of the User's address (`postalCode`)
UserSchemaDefinitions:
type: object
properties:
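Review bot: The `profileUrl` description links "Relative Uniform Resource Locators specification" to `draft-ietf-scim-core-schema-22#ref-ISO3166`, which is the ISO 3166 country-code reference copied from the `countryCode` entry a few lines above and has nothing to do with URL syntax. The link should point at the URI reference the SCIM schema actually uses for `profileUrl` (likely RFC 3986, e.g. `https://tools.ietf.org/html/rfc3986` — confirm), so a reader checking what a valid value looks like is not sent to the wrong standard. The rest of the `UserSchemaBaseProperties` rewrite reads correctly.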
@@ -20999,22 +67880,35 @@ components:
$ref:
type: string
UserSchemaPublic:
+ description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom`
type: object
properties:
id:
type: string
+ description: The subschema name
+ readOnly: true
properties:
type: object
+ description: The `#custom` object properties
additionalProperties:
$ref: '#/components/schemas/UserSchemaAttribute'
required:
type: array
+ description: A collection indicating required property names
+ readOnly: true
items:
type: string
type:
type: string
+ description: The object type
+ readOnly: true
UserStatus:
+ description: |-
+ The current status of the user.
+
+ The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user.
type: string
+ readOnly: true
x-okta-known-values:
- ACTIVE
- DEPROVISIONED
@@ -21035,152 +67929,287 @@ components:
created:
type: string
format: date-time
+ description: A timestamp from when the User Type was created
readOnly: true
createdBy:
type: string
+ description: The user ID of the account that created the User Type
readOnly: true
default:
type: boolean
+ description: A boolean value to indicate if this is the default User Type
readOnly: true
description:
type: string
+ description: The human-readable description of the User Type
displayName:
type: string
+ description: The human-readable name of the User Type
id:
type: string
+ description: The unique key for the User Type
+ readOnly: true
lastUpdated:
type: string
format: date-time
+ description: A timestamp from when the User Type was most recently updated
readOnly: true
lastUpdatedBy:
type: string
+ description: The user ID of the most recent account to edit the User Type
readOnly: true
name:
type: string
+ description: The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can't be updated.
_links:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
+ $ref: '#/components/schemas/UserTypeLinks'
+ required:
+ - name
+ - displayName
UserTypeCondition:
+ description: Specifies which User Types to include and/or exclude
properties:
exclude:
items:
type: string
type: array
+ description: The User Types to exclude
include:
items:
type: string
type: array
+ description: The User Types to include
+ required:
+ - exclude
+ - include
+ UserTypeLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The associated schema
+ UserTypePostRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ description: The updated human-readable description of the User Type
+ displayName:
+ type: string
+ description: The updated human-readable display name for the User Type
+ UserTypePutRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ description: The human-readable description of the User Type
+ displayName:
+ type: string
+ description: The human-readable name of the User Type
+ name:
+ type: string
+ description: The name of the existing type
+ required:
+ - name
+ - displayName
+ - description
UserVerificationEnum:
+ description: User verification setting. Possible values `DISCOURAGED` (the authenticator isn't asked to perform user verification, but may do so at its discretion), `PREFERRED` (the client uses an authenticator capable of user verification if possible), or `REQUIRED`(the client uses only an authenticator capable of user verification)
type: string
x-okta-known-values:
+ - DISCOURAGED
- PREFERRED
- REQUIRED
+ UsersLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Application Users](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) resource
VerificationMethod:
+ description: |-
+ Describes the method for verifying the user. The supported method types are `ASSURANCE` and `AUTH_METHOD_CHAIN`.
+
+ The method type `AUTH_METHOD_CHAIN` is an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) (Self-Service) feature. You can
+ enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
type: object
properties:
- constraints:
- items:
- $ref: '#/components/schemas/AccessPolicyConstraints'
- type: array
- factorMode:
- type: string
- reauthenticateIn:
- type: string
type:
- type: string
- VerifyFactorRequest:
+ $ref: '#/components/schemas/PolicyRuleVerificationMethodType'
+ discriminator:
+ propertyName: type
+ mapping:
+ ASSURANCE: '#/components/schemas/AssuranceMethod'
+ AUTH_METHOD_CHAIN: '#/components/schemas/AuthenticationMethodChainMethod'
+ Version:
+ description: The version specified as a [Semantic Version](https://semver.org/).
+ type: string
+ pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
+ WebAuthnAttachment:
+ description: Method attachment
+ type: string
+ x-okta-known-values:
+ - ANY
+ - BUILT_IN
+ - ROAMING
+ WebAuthnCredRequest:
+ description: Credential request object for the initialized credential, along with the enrollment and key identifiers to associate with the credential
type: object
properties:
- activationToken:
- type: string
- answer:
+ authenticatorEnrollmentId:
+ description: ID for a WebAuthn Preregistration Factor in Okta
type: string
- attestation:
+ credRequestJwe:
+ description: Encrypted JWE of credential request for the fulfillment provider
type: string
- clientData:
- type: string
- nextPassCode:
- type: string
- passCode:
+ keyId:
+ description: ID for the Okta response key-pair used to encrypt and decrypt credential requests and responses
type: string
- registrationData:
+ WebAuthnCredResponse:
+ description: Credential response object for enrolled credential details, along with enrollment and key identifiers to associate the credential
+ type: object
+ properties:
+ authenticatorEnrollmentId:
+ description: ID for a WebAuthn Preregistration Factor in Okta
type: string
- stateToken:
+ credResponseJWE:
+ description: Encrypted JWE of credential response from the fulfillment provider
type: string
- VerifyUserFactorResponse:
+ WebAuthnPreregistrationFactor:
+ description: User Factor variant used for WebAuthn Preregistration Factors
type: object
properties:
- expiresAt:
+ created:
+ description: Timestamp indicating when the Factor was enrolled
type: string
format: date-time
readOnly: true
- factorResult:
- $ref: '#/components/schemas/VerifyUserFactorResult'
- factorResultMessage:
+ factorType:
+ $ref: '#/components/schemas/UserFactorType'
+ id:
+ description: ID of the Factor
type: string
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
readOnly: true
- _links:
- type: object
- additionalProperties:
- type: object
- properties: {}
+ lastUpdated:
+ description: Timestamp indicating when the Factor was last updated
+ type: string
+ format: date-time
readOnly: true
- VerifyUserFactorResult:
- type: string
- x-okta-known-values:
- - CHALLENGE
- - ERROR
- - EXPIRED
- - FAILED
- - PASSCODE_REPLAYED
- - REJECTED
- - SUCCESS
- - TIMEOUT
- - TIME_WINDOW_EXCEEDED
- - WAITING
- Version:
- description: The version specified as a [Semantic Version](https://semver.org/).
- type: string
- pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
- VersionObject:
+ profile:
+ type: object
+ description: Specific attributes related to the Factor
+ provider:
+ $ref: '#/components/schemas/UserFactorProvider'
+ status:
+ $ref: '#/components/schemas/UserFactorStatus'
+ vendorName:
+ description: Name of the Factor vendor. This is usually the same as the provider.
+ type: string
+ example: OKTA
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ WellKnownAppAuthenticatorConfiguration:
type: object
properties:
- minimum:
+ appAuthenticatorEnrollEndpoint:
type: string
- WebAuthnUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
+ description: The authenticator enrollment endpoint
+ authenticatorId:
+ type: string
+ description: The unique identifier of the app authenticator
+ createdDate:
+ type: string
+ description: Timestamp when the Authenticator was created
+ format: date-time
+ key:
+ $ref: '#/components/schemas/AuthenticatorKeyEnum'
+ lastUpdated:
+ type: string
+ description: Timestamp when the Authenticator was last modified
+ format: date-time
+ name:
+ type: string
+ description: The authenticator display name
+ orgId:
+ type: string
+ description: The `id` of the Okta Org
+ settings:
+ type: object
properties:
- profile:
- $ref: '#/components/schemas/WebAuthnUserFactorProfile'
- WebAuthnUserFactorProfile:
+ userVerification:
+ $ref: '#/components/schemas/CustomAppUserVerificationEnum'
+ supportedMethods:
+ type: array
+ items:
+ $ref: '#/components/schemas/SupportedMethods'
+ type:
+ type: string
+ description: The type of Authenticator
+ enum:
+ - app
+ WellKnownOrgMetadata:
type: object
properties:
- authenticatorName:
- type: string
- credentialId:
+ id:
type: string
- WebUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
+ description: The unique identifier of the Org
+ pipeline:
+ $ref: '#/components/schemas/PipelineType'
+ settings:
+ $ref: '#/components/schemas/WellKnownOrgMetadataSettings'
+ _links:
+ type: object
properties:
- profile:
- $ref: '#/components/schemas/WebUserFactorProfile'
- WebUserFactorProfile:
+ alternate:
+ $ref: '#/components/schemas/HrefObject'
+ organization:
+ $ref: '#/components/schemas/HrefObject'
+ WellKnownOrgMetadataSettings:
type: object
properties:
- credentialId:
+ analyticsCollectionEnabled:
+ type: boolean
+ bugReportingEnabled:
+ type: boolean
+ omEnabled:
+ type: boolean
+ description: Whether the legacy Okta Mobile application is enabled for the org
+ WellKnownSSFMetadata:
+ title: Shared Signals Framework Metadata
+ description: Metadata about Okta as a transmitter and relevant information for configuration.
+ type: object
+ properties:
+ configuration_endpoint:
+ type: string
+ format: uri
+ description: The URL of the SSF Stream configuration endpoint
+ example: https://{yourOktaDomain}/api/v1/ssf/stream
+ delivery_methods_supported:
+ type: array
+ items:
+ type: string
+ format: uri
+ description: An array of supported SET delivery methods
+ example:
+ - https://schemas.openid.net/secevent/risc/delivery-method/push
+ - urn:ietf:rfc:8935
+ issuer:
type: string
+ description: The issuer used in Security Event Tokens. This value is set as `iss` in the claim.
+ example: https://{yourOktaDomain}
+ jwks_uri:
+ type: string
+ description: The URL of the JSON Web Key Set (JWKS) that contains the signing keys for validating the signatures of Security Event Tokens (SETs)
+ format: uri
+ example: https://{yourOktaDomain}/oauth2/v1/keys
+ WidgetGeneration:
+ description: The generation of the Sign-in Widget
+ type: string
+ x-okta-known-values:
+ - G2
+ - G3
WsFederationApplication:
x-okta-defined-as:
name: template_wsfed
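Review bot: `VerificationMethod` now declares a `discriminator` on `type` with an `ASSURANCE`/`AUTH_METHOD_CHAIN` mapping, but `type` is not listed under `required`, so a payload that omits it is schema-valid yet cannot be dispatched to either mapped schema. The OpenAPI 3.0 composition rules expect the discriminator property to be required, and for a policy-rule verification method an undispatchable object is a silent failure to express which checks apply. Add `required:` / `  - type` to the `VerificationMethod` schema; the same check is worth applying to `AssuranceMethod` and `AuthenticationMethodChainMethod`, which are defined outside this hunk.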
@@ -21188,11 +68217,18 @@ components:
- $ref: '#/components/schemas/Application'
- type: object
properties:
+ credentials:
+ $ref: '#/components/schemas/ApplicationCredentials'
name:
type: string
- default: template_wsfed
+ description: '`template_wsfed` is the key name for a WS-Federated app instance with a SAML 2.0 token'
+ enum:
+ - template_wsfed
settings:
$ref: '#/components/schemas/WsFederationApplicationSettings'
+ required:
+ - name
+ - settings
WsFederationApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
@@ -21205,62 +68241,531 @@ components:
properties:
attributeStatements:
type: string
+ description: You can federate user attributes such as Okta profile fields, LDAP, Active Directory, and Workday values. The SP uses the federated WS-Fed attribute values accordingly.
audienceRestriction:
type: string
+ description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP.
authnContextClassRef:
type: string
+ description: Identifies the SAML authentication context class for the assertion's authentication statement
groupFilter:
type: string
+ description: A regular expression that filters for the User Groups you want included with the `groupName` attribute. If the matching User Group has a corresponding AD group, then the attribute statement includes the value of the attribute specified by `groupValueFormat`. If the matching User Group doesn't contain a corresponding AD group, then the `groupName` is used in the attribute statement.
groupName:
type: string
+ description: The group name to include in the WS-Fed response attribute statement. This property is used in conjunction with the `groupFilter` property. Groups that are filtered through the `groupFilter` expression are included with the `groupName` in the attribute statement. Any users that belong to the group you've filtered are included in the WS-Fed response attribute statement.
groupValueFormat:
type: string
+ description: Specifies the WS-Fed assertion attribute value for filtered groups. This attribute is only applied to Active Directory groups.
+ enum:
+ - windowsDomainQualifiedName
+ - samAccountName
+ - dn
nameIDFormat:
type: string
+ description: The username format that you send in the WS-Fed response
realm:
type: string
+ description: The uniform resource identifier (URI) of the WS-Fed app that's used to share resources securely within a domain. It's the identity that's sent to the Okta IdP when signing in. See [Realm name](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_Configure_Okta_Template_WS_Federation#Realm).
siteURL:
type: string
+ description: Launch URL for the web app
usernameAttribute:
type: string
+ description: Specifies additional username attribute statements to include in the WS-Fed assertion
+ enum:
+ - username
+ - upn
+ - upnAndUsername
+ - none
wReplyOverride:
type: boolean
+ description: Enables a web app to override the `wReplyURL` URL with a reply parameter.
wReplyURL:
type: string
- responses:
- ErrorApiValidationFailed400:
- description: Bad Request
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/Error'
- examples:
- API Validation Failed:
- $ref: '#/components/examples/ErrorApiValidationFailed'
- ErrorAccessDenied403:
- description: Forbidden
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/Error'
- examples:
- Access Denied:
- $ref: '#/components/examples/ErrorAccessDenied'
- ErrorResourceNotFound404:
- description: Not Found
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/Error'
- examples:
- Resource Not Found:
- $ref: '#/components/examples/ErrorResourceNotFound'
- ErrorTooManyRequests429:
- description: Too Many Requests
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/Error'
- examples:
- Resource Not Found:
- $ref: '#/components/examples/ErrorTooManyRequests'
+ description: The WS-Fed SP endpoint where your users sign in
+ example: http://test.acme.com/example-post-sign/
+ required:
+ - audienceRestriction
+ - groupValueFormat
+ - wReplyURL
+ - nameIDFormat
+ - authnContextClassRef
+ - siteURL
+ - usernameAttribute
+ X5c:
+ description: Base64-encoded X.509 certificate chain with DER encoding
+ items:
+ type: string
+ example: 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
+ type: array
+ ZoomUsApplication:
+ title: Zoom
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: zoomus
+ example:
+ name: zoomus
+ label: Sample Zoom App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ subDomain: my-zoom-subdomain
+ description: |
+ Schema for the Zoom app (key name: `zoomus`)
+
+ To create a Zoom app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Zoom app only supports `SAML_2_0` sign-on mode.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - zoomus
+ example: zoomus
+ signOnMode:
+ enum:
+ - SAML_2_0
+ settings:
+ $ref: '#/components/schemas/ZoomUsApplicationSettings'
+ ZoomUsApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/ZoomUsApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ ZoomUsApplicationSettingsApplication:
+ description: Zoom app instance properties
+ type: object
+ properties:
+ subDomain:
+ type: string
+ description: Your Zoom subdomain
+ required:
+ - subDomain
+ ZscalerbyzApplication:
+ title: Zscaler 2.0
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: zscalerbyz
+ example:
+ name: zscalerbyz
+ label: Sample Zscaler 2.0 App
+ signOnMode: SAML_2_0
+ description: |
+ Schema for the Zscaler 2.0 app (key name: `zscalerbyz`)
+
+ To create a Zscaler 2.0 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Zscaler 2.0 app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - zscalerbyz
+ example: zscalerbyz
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_2_0
+ settings:
+ $ref: '#/components/schemas/ZscalerbyzApplicationSettings'
+ ZscalerbyzApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/ZscalerbyzApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ ZscalerbyzApplicationSettingsApplication:
+ description: Zscaler app instance properties
+ type: object
+ properties:
+ siteDomain:
+ type: string
+ description: Your Zscaler domain
+ _embedded:
+ description: The Public Key Details are defined in the `_embedded` property of the Key object.
+ type: object
+ properties:
+ alg:
+ description: Algorithm used in the key
+ type: string
+ nullable: false
+ readOnly: true
+ e:
+ description: RSA key value (exponent) for key binding
+ type: string
+ nullable: false
+ readOnly: true
+ kid:
+ description: Unique identifier for the certificate
+ type: string
+ uniqueItems: true
+ nullable: false
+ readOnly: true
+ kty:
+ description: Cryptographic algorithm family for the certificate's keypair
+ type: string
+ nullable: false
+ readOnly: true
+ 'n':
+ description: RSA key value (modulus) for key binding
+ type: string
+ nullable: false
+ readOnly: true
+ use:
+ description: Acceptable use of the certificate
+ type: string
+ nullable: true
+ readOnly: true
+ appLink:
+ type: object
+ properties:
+ login:
+ $ref: '#/components/schemas/HrefObjectAppLink'
+ logo:
+ $ref: '#/components/schemas/HrefObjectLogoLink'
+ readOnly: true
+ createdProperty:
+ description: Timestamp when the object was created
+ format: date-time
+ example: '2017-03-28T01:11:10.000Z'
+ type: string
+ readOnly: true
+ enabledPagesType:
+ title: enabledPages
+ type: string
+ x-enumDescriptions:
+ SIGN_IN: User sign-in page
+ SSPR: Self-service Password Recovery page
+ SSR: Self-service Registration page
+ x-okta-known-values:
+ - SIGN_IN
+ - SSPR
+ - SSR
+ lastUpdatedProperty:
+ format: date-time
+ description: Timestamp when the object was last updated
+ type: string
+ readOnly: true
+ orgBillingContactType:
+ description: Org billing contact
+ type: object
+ properties:
+ contactType:
+ $ref: '#/components/schemas/OrgContactType'
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org billing Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ billing:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the org billing [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource
+ orgGeneralSettingLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ type: object
+ properties:
+ contacts:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Contacts](/openapi/okta-management/management/tag/OrgSettingContact/) resource
+ logo:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the org logo
+ oktaCommunication:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Communication Settings](/openapi/okta-management/management/tag/OrgSettingCommunication/) resource
+ oktaSupport:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Support Settings](/openapi/okta-management/management/tag/OrgSettingSupport/) resource
+ preferences:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Preferences](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/getOrgPreferences) resource
+ uploadLogo:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Upload Org Logo](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/uploadOrgLogo) resource
+ readOnly: true
+ orgTechnicalContactType:
+ description: Org technical contact
+ type: object
+ properties:
+ contactType:
+ $ref: '#/components/schemas/OrgContactType'
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org technical Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ technical:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the org technical [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource
+ postAPIServiceIntegrationInstance:
+ allOf:
+ - $ref: '#/components/schemas/APIServiceIntegrationInstance'
+ - type: object
+ properties:
+ clientSecret:
+ type: string
+ description: The client secret for the API Service Integration instance. This property is only returned in a POST response.
+ readOnly: true
+ postAPIServiceIntegrationInstanceRequest:
+ type: object
+ properties:
+ grantedScopes:
+ type: array
+ description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management).
+ items:
+ type: string
+ example:
+ - okta.logs.read
+ type:
+ type: string
+ description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`.
+ example: my_app_cie
+ required:
+ - type
+ - grantedScopes
+ profile:
+ description: Specific profile properties for the privileged account
+ additionalProperties:
+ type: object
+ properties: {}
+ type: object
+ readOnly: true
+ subject:
+ nullable: false
+ type: object
+ properties:
+ format:
+ type: string
+ description: The user identifier
+ nullable: false
+ writeOnly: true
+ enum:
+ - opaque
+ id:
+ type: string
+ description: ID of the user
+ writeOnly: true
+ nullable: false
+ userLink:
+ type: object
+ properties:
+ user:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ schemas-JsonWebKey:
+ description: A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta can use these keys to verify the signature of a JWT when provided for the `private_key_jwt` client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys.
+ type: object
+ properties:
+ alg:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ kid:
+ type: string
+ description: The unique identifier of the key
+ kty:
+ $ref: '#/components/schemas/JsonWebKeyType'
+ status:
+ $ref: '#/components/schemas/JsonWebKeyStatus'
+ use:
+ $ref: '#/components/schemas/JsonWebKeyUse'
+ discriminator:
+ propertyName: kty
+ mapping:
+ EC: '#/components/schemas/JsonWebKeyEC'
+ RSA: '#/components/schemas/JsonWebKeyRsa'
+ JsonWebKeyEC:
+ allOf:
+ - $ref: '#/components/schemas/schemas-JsonWebKey'
+ - type: object
+ properties:
+ x:
+ type: string
+ description: The public x coordinate for the elliptic curve point
+ 'y':
+ type: string
+ description: The public y coordinate for the elliptic curve point
+ JsonWebKeyRsa:
+ allOf:
+ - $ref: '#/components/schemas/schemas-JsonWebKey'
+ - type: object
+ properties:
+ e:
+ type: string
+ description: The key exponent of a RSA key
+ 'n':
+ type: string
+ description: The modulus of the RSA key
+ JsonWebKeyType:
+ description: The type of public key
+ type: string
+ x-okta-known-values:
+ - EC
+ - RSA
+ JsonWebKeyStatus:
+ description: The status of the public key
+ type: string
+ x-okta-known-values:
+ - ACTIVE
+ - INACTIVE
+ JsonWebKeyUse:
+ description: The intended use of the public key
+ type: string
+ x-okta-known-values:
+ - enc
+ - sig
+ securitySchemes:
+ apiToken:
+ description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`'
+ name: Authorization
+ type: apiKey
+ in: header
+ oauth2:
+ type: oauth2
+ description: 'Pass the access_token as the value of the Authorization header: `Authorization: Bearer {access_token}`'
+ flows:
+ authorizationCode:
+ authorizationUrl: /oauth2/v1/authorize
+ tokenUrl: /oauth2/v1/token
+ scopes:
+ okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization
+ okta.agentPools.read: Allows the app to read agent pools in your Okta organization
+ okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization
+ okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization
+ okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization
+ okta.appGrants.read: Allows the app to read grants in your Okta organization
+ okta.apps.manage: Allows the app to create and manage Apps in your Okta organization
+ okta.apps.read: Allows the app to read information about Apps in your Okta organization
+ okta.authenticators.manage: Allows the app to manage all authenticators. For example, enrollments or resets.
+ okta.authenticators.manage.self: Allows the app to manage a user's own authenticators. For example, enrollments or resets.
+ okta.authenticators.read: Allows the app to read org authenticators information
+ okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization
+ okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization
+ okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization
+ okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization
+ okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization
+ okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization
+ okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization
+ okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization
+ okta.deviceAssurance.manage: Allows the app to manage device assurances
+ okta.deviceAssurance.read: Allows the app to read device assurances
+ okta.deviceChecks.manage: Allows the app to manage device checks
+ okta.deviceChecks.read: Allows the app to read device checks
+ okta.devices.manage: Allows the app to manage device status transitions and delete a device
+ okta.devices.read: Allows the app to read the existing device's profile and search devices
+ okta.directories.groups.manage: Allows the app to manage AD/LDAP Groups for your Okta organization
+ okta.domains.manage: Allows the app to manage custom Domains for your Okta organization
+ okta.domains.read: Allows the app to read information about custom Domains for your Okta organization
+ okta.dr.manage: Allows the app to manage disaster recovery
+ okta.dr.read: Allows the app to read the disaster recovery status
+ okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization
+ okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization
+ okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization
+ okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization
+ okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization
+ okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization
+ okta.features.manage: Allows the app to create and manage Features in your Okta organization
+ okta.features.read: Allows the app to read information about Features in your Okta organization
+ okta.groups.manage: Allows the app to manage existing groups in your Okta organization
+ okta.groups.read: Allows the app to read information about groups and their members in your Okta organization
+ okta.identitySources.manage: Allows the custom identity sources to manage user entities in your Okta organization
+ okta.identitySources.read: Allows to read session information for custom identity sources in your Okta organization
+ okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization
+ okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization
+ okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization
+ okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization
+ okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization
+ okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization
+ okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization
+ okta.logStreams.read: Allows the app to read information about log streams in your Okta organization
+ okta.logs.read: Allows the app to read information about System Log entries in your Okta organization
+ okta.manifests.manage: Allows the app to manage OIN submissions in your Okta organization
+ okta.manifests.read: Allows the app to read OIN submissions in your Okta organization
+ okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization
+ okta.networkZones.read: Allows the app to read Network Zones in your Okta organization
+ okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization
+ okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization
+ okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization
+ okta.orgs.read: Allows the app to read organization-specific details about your Okta organization
+ okta.personal.adminSettings.manage: Allows the app to manage the personal admin settings for the signed-in user
+ okta.personal.adminSettings.read: Allows the app to read the personal admin settings for the signed-in user
+ okta.policies.manage: Allows the app to manage policies in your Okta organization
+ okta.policies.read: Allows the app to read information about policies in your Okta organization
+ okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization
+ okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization
+ okta.privilegedAccounts.manage: Allows the app to create and manage Privileged Accounts in your Okta organization
+ okta.privilegedAccounts.read: Allows the app to read Privileged Accounts in your Okta organization
+ okta.privilegedResources.manage: Allows the app to create privileged resources and manage their details
+ okta.privilegedResources.read: Allows the app to read the details of existing privileged resources
+ okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization
+ okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization
+ okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM
+ okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM
+ okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization
+ okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization
+ okta.realmAssignments.manage: Allows a user to manage realm assignments
+ okta.realmAssignments.read: Allows a user to read realm assignments
+ okta.realms.manage: Allows the app to create new realms and to manage their details
+ okta.realms.read: Allows the app to read the existing realms and their details
+ okta.resourceSelectors.manage: Allows the app to manage resource selectors in your Okta org
+ okta.resourceSelectors.read: Allows the app to read resource selectors in your Okta org
+ okta.riskEvents.manage: Allows the app to publish risk events to your Okta organization
+ okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization
+ okta.riskProviders.read: Allows the app to read all risk provider integrations in your Okta organization
+ okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
+ okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
+ okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization
+ okta.schemas.read: Allows the app to read information about Schemas in your Okta organization
+ okta.securityEventsProviders.manage: Allows the app to create and manage Security Events Providers in your Okta organization
+ okta.securityEventsProviders.read: Allows the app to read information about Security Events Providers in your Okta organization
+ okta.sessions.manage: Allows the app to manage all sessions in your Okta organization
+ okta.sessions.read: Allows the app to read all sessions in your Okta organization
+ okta.templates.manage: Allows the app to manage all custom templates in your Okta organization
+ okta.templates.read: Allows the app to read all custom templates in your Okta organization
+ okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization
+ okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization
+ okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization
+ okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization
+ okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization
+ okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization
+ okta.userRisk.manage: Allows the app to manage a user's risk in your Okta org
+ okta.userRisk.read: Allows the app to read a user's risk in your Okta org
+ okta.userTypes.manage: Allows the app to manage user types in your Okta org
+ okta.userTypes.read: Allows the app to read user types in your Okta org
+ okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information
+ okta.users.manage.self: Allows the app to manage the signed-in user's profile and credentials
+ okta.users.read: Allows the app to read the existing users' profiles and credentials
+ okta.users.read.self: Allows the app to read the signed-in user's profile and credentials
+ ssf.manage: Allows the app to create and manage Shared Signals Framework (SSF) in your Okta organization
+ ssf.read: Allows the app to read information about Shared Signals Framework (SSF) in your Okta organization
diff --git a/openapi3/management.yaml b/openapi3/management.yaml
index 752afcbd..fac07bd6 100644
--- a/openapi3/management.yaml
+++ b/openapi3/management.yaml
@@ -15,9 +15,6 @@ info:
url: logo.svg
backgroundColor: transparent
altText: Okta Developer
-externalDocs:
- description: Find more info here
- url: https://developer.okta.com/docs/reference/core-okta-api/#design-principles
servers:
- url: https://{yourOktaDomain}
variables:
@@ -42,36 +39,42 @@ tags:
description: The API Tokens API provides operations to manage SSWS API tokens for your organization.
- name: Application
x-displayName: Applications
- description: The Applications API provides operations to manage applications and/or assignments to users or groups for your organization.
+ description: |-
+ The Applications API provides operations to manage apps in your org.
+
+ To create a custom app integration instance, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) operation with the schema provided in the request payload.
+
+ To create an app instance from the Okta Integration Network (OIN), use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication)
+ operation with the corresponding OIN app schema in the request body.
- name: ApplicationConnections
x-displayName: Application Connections
description: |
The Application Connections API provides operations for configuring connections to an app.
- Currently, only the Okta Org2Org app provisioning connection is supported in this API.
- - name: ApplicationCredentials
- x-displayName: Application Credentials
- description: |
- Specifies credentials and scheme for the application's `signOnMode`
+ Okta supports token-based and OAuth 2.0-based provisioning connections for supported apps.
+ The following available provisioning connections are supported by the indicated apps:
- ### Application Key Credential
- The application Key Credential object defines a [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) for a signature or encryption credential for an application.
+ | Connection
| Description | Apps supported
|
+ | -------------------------------- | -------------- | ----------- |
+ | Token | The provisioning API connection is based on bearer token authentication. | - Okta Org2Org (`okta_org2org`)
- Zscaler 2.0 (`zscalerbyz`)
|
+ | OAuth 2.0 | The provisioning API connection is based on OAuth 2.0 authentication. | - Google Workspace (`google`)
- Microsoft Office 365 (`office365`)
- Okta Org2Org (`okta_org2org`)
- Slack (`slack`)
- Zoom (`zoomus`)
|
- > **Notes:**
- > * To update the app, you can provide just the Signing Credential object instead of the entire Application Credential object.
- > * Currently only the X.509 JWK format is supported for applications with the `SAML_2_0` sign-on mode.
+ > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team.
- name: ApplicationFeatures
x-displayName: Application Features
description: |
- The Feature object is used to configure feature settings for the application.
-
- The only feature this API currently supports is `USER_PROVISIONING` for the Org2Org application type.
- The `USER_PROVISIONING` feature is the same as the **To App** provisioning setting in the Admin Console.
- Enable this feature to:
- * Create Users
- * Update User Attributes
- * Deactivate Users
- * Sync Password
+ The Application Features API supports operations to configure app provisioning feature settings.
+
+ You must have app provisioning enabled to configure provisioning features. See [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication).
+
+ The following available provisioning features are supported by the indicated apps:
+
+ | Feature
| Description | Apps supported
|
+ | -------------------- | -------------- | ----------- |
+ | `USER_PROVISIONING` | Similar to the app **Provisioning** > **To App** setting in the Admin Console, user profiles are pushed from Okta to the third-party app. You can configure rules for creating users, deactivating users, and syncing passwords. | - Google Workspace (`google`)
- Microsoft Office 365 (`office365`)
- Okta Org2Org (`okta_org2org`)
- Slack (`slack`)
- Zoom (`zoomus`)
- Zscaler 2.0 (`zscalerbyz`)
|
+ | `INBOUND_PROVISIONING` | Similar to the app **Provisioning** > **To Okta** provisioning setting in the Admin Console, user profiles are imported from the third-party app into Okta. You can schedule user import and configure rules for user creation and matching. | - Google Workspace (`google`)
- Microsoft Office 365 (`office365`)
- Okta Org2Org (`okta_org2org`)
- Slack (`slack`)
- Zoom (`zoomus`)
|
+
+ > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team.
- name: ApplicationGrants
x-displayName: Application Grants
description: |
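Review bot: The "Apps supported" cells in the Markdown tables of the new ApplicationConnections and ApplicationFeatures descriptions hold a dash-separated list of apps, and a Markdown table row cannot span lines. If those `- App (\`id\`)` entries are separate lines inside the literal block scalar (`|`), every line after the first falls outside the table; if they are one long line, the dashes render as plain text rather than as a list. A renderer-safe form keeps each row on one line and separates cell items with `<br>`, e.g. `| Token | The provisioning API connection is based on bearer token authentication. | Okta Org2Org (\`okta_org2org\`)<br>Zscaler 2.0 (\`zscalerbyz\`) |`. The diff rendering here appears to have wrapped these lines, so confirm the actual line structure in the file before changing it.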
@@ -81,52 +84,117 @@ tags:
If the app doesn't have permission to grant consent for a particular Okta scope, token requests that contain the scope are denied.
- name: ApplicationGroups
x-displayName: Application Groups
- description: Groups assigned to an application
+ description: The Application Groups API provides a set of operations to manage group assignment for an app.
- name: ApplicationLogos
x-displayName: Application Logos
description: Provides a resource to manage the application instance logo
- name: ApplicationPolicies
x-displayName: Application Policies
- description: Provides a resource to manage authentication policies associated with an application
+ description: The Application Policies API provides a resource to manage authentication policies associated with an app.
- name: ApplicationSSO
x-displayName: Application SSO
description: Provides a Single Sign-On (SSO) resource for an application
+ - name: ApplicationSSOCredentialKey
+ x-displayName: Application Key Credentials
+ description: |
+ The Application Key Credentials API provides a set of operations to manage an app's key store credentials.
+ - name: ApplicationSSOCredentialOAuth2ClientAuth
+ x-displayName: Application Client Auth Credentials
+ description: |
+ The Application Client Authentication Credentials API provides a set of operations to manage credentials used for OAuth 2.0 client authentication as described in [Client authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/client-auth/).
- name: ApplicationTokens
x-displayName: Application Tokens
- description: Application OAuth 2.0 token operations
+ description: |
+ Resource to manage OAuth 2.0 tokens for an app
+ > **Note:** To configure refresh tokens for an app, see
+ > [grant_types](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/grant_types&t=request)
+ > and [refresh_token](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/refresh_token&t=request).
- name: ApplicationUsers
x-displayName: Application Users
- description: Application user operations
+ description: |
+ The Application Users API provides operations to manage app users and their assignments.
+ The object returned from assigning a user to an app is known as the Application User.
+
+ You can assign users to apps for:
+ * SSO only
+ * SSO and provisioning
- name: AttackProtection
x-displayName: Attack Protection
- description: The Attack Protection API provides operations to configure the User Lockout Settings in your org to prevent brute-force attacks.
+ description: The Attack Protection API provides operations to configure the User Lockout Settings and the Authenticator Settings in your org to protect against password abuse.
- name: Authenticator
x-displayName: Authenticators
description: |-
- The Authenticators Administration API provides operations to configure which Authenticators are available to end users for use when signing in to applications.
+ The Authenticators Administration API provides operations to configure which Authenticators are available to end users for use when they sign in to applications.
- End users are required to use one or more Authenticators depending on the security requirements of the authentication policy.
+ End users are required to use one or more Authenticators based on the security requirements of the authentication policy.
Okta Identity Engine currently supports Authenticators for the following factors:
**Knowledge-based:**
-
* Password
* Security Question
**Possession-based:**
-
- * Phone (SMS, Voice Call)
+ * Phone (SMS, voice call)
* Email
* WebAuthn
* Duo
- * Custom App
+ * Custom app
- name: AuthorizationServer
x-displayName: Authorization Servers
- description: Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them.
+ description: |-
+ Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them.
+
+ **Work with the Default Authorization Server**
+
+ Okta provides a pre-configured Custom Authorization Server with the name `default`. This Default Authorization Server includes a basic access policy and rule, which you can edit to control access. It allows you to specify `default` instead of the `authorizationServerId` in requests to it:
+
+ `https://${yourOktaDomain}/api/v1/authorizationServers/default`
+
+ vs
+
+ `https://${yourOktaDomain}/api/v1/authorizationServers/${authorizationServerId}` for other Custom Authorization Servers
+ - name: AuthorizationServerAssoc
+ x-displayName: Authorization Server Associated Servers
+ description: Associated authorization servers allow you to designate a trusted authorization server that you associate with another authorization server. This type of association provides a way to configure [token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/#trusted-servers) between other authorization servers under the same Okta tenant.
+ - name: AuthorizationServerClaims
+ x-displayName: Authorization Server Claims
+ description: Provides operations to manage custom token claims for the given `authServerId` and `claimId`
+ - name: AuthorizationServerClients
+ x-displayName: Authorization Server Clients
+ description: |-
+ These endpoints allow you to manage tokens issued by an authorization server for a particular client. For example, you can revoke every active refresh token for a specific client. You can also revoke specific tokens or manage tokens at the User level.
+
+ Read [Validate access tokens](https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/) and [Validate ID tokens](https://developer.okta.com/docs/guides/validate-id-tokens/main/) to understand more about how OAuth 2.0 tokens work.
+ - name: AuthorizationServerKeys
+ x-displayName: Authorization Server Keys
+ description: |-
+ Provides operations to manage [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) credentials for the given `authServerId`.
+
+ > **Note:** Looking for how to obtain the jwks_uri for your org or custom authorization server? See the [well-known OpenID metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOpenIDConfigurationCustomAS) and the [well-known OAuth 2.0 metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOAuthConfigurationCustomAS).
+ - name: AuthorizationServerPolicies
+ x-displayName: Authorization Server Policies
+ description: Provides operations to manage policies for the given `authServerId`.
+ - name: AuthorizationServerRules
+ x-displayName: Authorization Server Rules
+ description: Provides operations to manage policy rules for the given `authServerId`, `policyId`, and `ruleId`.
+ - name: AuthorizationServerScopes
+ x-displayName: Authorization Server Scopes
+ description: Provides operations to manage custom token scopes for the given `authServerId` and `scopeId`. See [scope properties](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scope-properties).
- name: Behavior
x-displayName: Behavior Rules
description: The Behavior Rules API provides operations to manage the behavior detection rules for your organization.
+ - name: Brands
+ x-displayName: Brands
+ description: |-
+ These endpoints allow you to manage Brands, and their metadata, in your orgs. With Brands, you can customize the following:
+ * [The Okta-hosted sign-in page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/)
+ * [The sign-out page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/)
+ * [Error pages](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/)
+ * [Email templates](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomTemplates/)
+ * [The Okta End-User Dashboard](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Themes/)
+
+ > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).
- name: CAPTCHA
x-displayName: CAPTCHAs
description: |-
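Review bot: The AuthorizationServer description writes the host placeholder as `${yourOktaDomain}` and the path parameter as `${authorizationServerId}`, while the server URL at the top of this file uses `{yourOktaDomain}` and OpenAPI path templates use `{authorizationServerId}`. Mixing the two forms in one spec is confusing for readers who copy the examples; I would use `https://{yourOktaDomain}/api/v1/authorizationServers/default` and `https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}`, or, if `${...}` is a deliberate documentation convention, apply it consistently. The same hunk also alternates between `|` and `|-` for multi-paragraph descriptions (ApplicationTokens and ApplicationUsers use `|`, Authenticator and AuthorizationServer use `|-`); picking one keeps trailing-newline handling uniform across tags.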
@@ -138,12 +206,45 @@ tags:
- name: CustomDomain
x-displayName: Custom Domains
description: The Custom Domains API provides operations to manage custom domains for your organization.
- - name: Customization
- x-displayName: Customizations
+ - name: CustomPages
+ x-displayName: Custom Pages
description: |-
- The Brands API allows you to customize the look and feel of pages and templates, such as the Okta-hosted sign-in page, error pages, email templates, and the Okta End-User Dashboard.
+ These endpoints allow you to customize the contents of various pages, including:
+ * The Okta-hosted sign-in page
+ * Error pages
+ * The sign-out page
+
+ > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).
+ - name: CustomTemplates
+ x-displayName: Custom Email Templates
+ description: |-
+ These endpoints allow you to programmatically manage email customizations.
+
+ Okta provides many customizable email templates. For example, the `UserActivation` email template allows users to activate their account. Use email customizations to override a template's default content. See the [list of email templates](https://developer.okta.com/docs/guides/custom-email/main/#use-customizable-email-templates).
+
+ Each template has default content that Okta translates to any one of the supported languages. The following settings determine the language for emails sent from Okta to a user, if the user hasn't selected a specific display language:
+ * The user's locale property value (if specified)
+ * The org's display language
+
+ See [Supported languages](https://developer.okta.com/docs/guides/custom-email/main/#supported-languages).
+
+ The following constraints apply to email customizations:
+ * If an email template has any customizations at all, exactly one of them must be the default (where `isDefault` is `true`). Okta uses the default customization when no other customization applies to the user's language settings.
+ * Each email template can have only one customization for each supported language.
+
+ ### Enable other locales
+
- Each new org contains Okta default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace the default assets and publish these assets directly to your pages and templates.
+ Use the [BCP 47 format](https://www.rfc-editor.org/info/bcp47) to enable more locales than Okta's 27 default languages.
+
+ Once you create a customization with the new locale, the locale appears in the Admin Console along with the default-supported locales.
+
+ Include `null` in the subject or body of the email customization. Okta replaces `null` with a default value based on the following order of priority:
+
+ - An existing default email customization, if one exists
+ - Okta-provided translated content for the specified language, if one exists
+ - Okta-provided translated content for the brand locale, if it's set
+ - Okta-provided content in English
- name: Device
x-displayName: Devices
description: |-
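Review bot: The CustomTemplates description mixes Markdown list markers: the locale and constraint lists use `*`, while the `null` fallback priority list at the end uses `-`. Using `*` throughout matches the rest of the tag descriptions in this file. The sentence `Include \`null\` in the subject or body of the email customization.` reads as an instruction rather than an option; `You can include \`null\` in the subject or body of the email customization.` states the intent more clearly. The hardcoded count in `more locales than Okta's 27 default languages` will drift as languages are added; pointing at the Supported languages link already present two paragraphs above avoids that.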
@@ -164,15 +265,27 @@ tags:
> **Note:** End users with a new enrollment in Okta Verify on an Okta Identity Engine org have a device record created in the device inventory by default.
See [Device Registration](https://help.okta.com/okta_help.htm?type=oie&id=csh-device-registration), [Login Using Okta Verify](https://help.okta.com/okta_help.htm?type=eu&id=ext-ov-user-overview).
+ - name: DeviceAccess
+ x-displayName: Device Access
+ description: The Device Access API provides operations to configure device access settings.
- name: DeviceAssurance
x-displayName: Device Assurance Policies
description: The Device Assurance Policies API provides operations to manage device assurance policies in your organization.
+ - name: DirectoriesIntegration
+ x-displayName: Directories Integration
+ description: |-
+ > **Note:** Your Okta org needs to have the AD bidirectional group management feature enabled. Contact your Okta account team to enable this feature.
+
+ The Directories Integration API provides operations to manage Active Directory objects in a connected on-premises directory through Okta.
+ - name: EmailCustomization
+ x-displayName: Email Customization
+ description: The Email Customization API provides operations to modify the email bounce list for your Okta org.
- name: EmailDomain
x-displayName: Email Domains
description: The Email Domains API provides operations to manage email domains for your organization.
- name: EmailServer
x-displayName: Email Servers
- description: The Okta Email Servers API provides operations to manage custom email SMTP servers for your organization.
+ description: The Email Servers API allows you to configure a custom external email provider to send email notifications. By default, notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. Adding a custom email provider gives you more control over your email delivery.
- name: EventHook
x-displayName: Event Hooks
description: |-
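Review bot: The description of the new `EmailCustomization` tag (`The Email Customization API provides operations to modify the email bounce list for your Okta org.`) reads narrower than its display name "Email Customization", and the long template-customization prose earlier in the file sits under a different tag, so a reader of the rendered reference cannot tell from this tag alone whether template customization lives here or elsewhere. If the bounce-list operation is the only one grouped under this tag, the description could say so and cross-reference the tag that owns the template customizations; if it is not, the description should be widened to the actual scope. I am inferring the tag's operation set from the descriptions only, so please confirm against the `tags:` values on the operations before changing the wording.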
@@ -181,21 +294,51 @@ tags:
For general information on event hooks and how to create and use them, see [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/). The following documentation is only for the management API, which provides a CRUD interface for registering event hooks.
For a step-by-step guide on implementing an example event hook, see the [Event hook](https://developer.okta.com/docs/guides/event-hook-implementation/) guide.
+
+ When you create an event hook, you need to specify which events you want to subscribe to. To see the list of event types currently eligible for use in event hooks, use the [Event Types](https://developer.okta.com/docs/reference/api/event-types/#catalog) catalog and search with the parameter `event-hook-eligible`.
- name: Feature
x-displayName: Features
description: |-
The Okta Features API provides operations to manage self-service Early Access (EA) and Beta features in your org.
> **Note:** Important background information for this API is available on the [Feature Lifecycle Management](https://developer.okta.com/docs/concepts/feature-lifecycle-management/) page.
+ - name: GovernanceBundle
+ x-displayName: IAM Governance Bundles
+ description: |-
+ These APIs allow you to manage governance bundles for the Admin Console, and manage roles and resources associated with the bundles.
+ For details on how governance bundles are supported from the Resource Management Access Platform (RAMP), see [Entitlement Management](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlement-mgt.htm).
- name: Group
x-displayName: Groups
- description: The Groups API provides operations to manage Okta Groups and their user members for your organization.
+ description: The Groups API provides operations to manage Okta Groups and their user members for your org.
+ - name: GroupOwner
+ x-displayName: Group Owners
+ description: |-
+ The Group Owners API provides operations to manage owners of Okta Groups for your organization.
+
+ > **Note**: This API is only available if you're subscribed to [Okta Identity Governance](https://www.okta.com/products/identity-governance/). Contact your Customer Success Manager or Account Executive for more information.
+ - name: GroupRule
+ x-displayName: Group Rules
+ description: The Group Rules API provides operations to manage rules for Okta Groups in your org.
- name: HookKey
x-displayName: Hook Keys
- description: The Hook Keys API provides operations to manage hook keys for your organization.
+ description: |-
+ The Okta Key Management API provides a CRUD interface for JSON Web Keys (JWK) used with other parts of the application, such as inline hooks. For information on how to create inline hooks, see [inline hooks](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/).
+
+ > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).
- name: IdentityProvider
x-displayName: Identity Providers
description: The Identity Providers API provides operations to manage federations with external Identity Providers (IdP). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (`OIDC`) protocol.
+ - name: IdentityProviderKeys
+ x-displayName: Identity Provider Keys
+ description: The Identity Provider Keys API provides operations to manage Key Credentials for Identity Providers.
+ - name: IdentityProviderSigningKeys
+ x-displayName: Identity Provider Signing Keys
+ description: |-
+ The Identity Provider Signing Keys API provides operations to manage signing Key Credentials and Certificate Signing Requests for Identity Providers.
+ > **Note:** Okta currently uses the same key for both request signing and the decryption of SAML assertions that the IdP encrypts. Changing your signing key also changes your decryption key.
+ - name: IdentityProviderUsers
+ x-displayName: Identity Provider Users
+ description: The Identity Provider Users API provides operations to manage Identity Provider Users.
- name: IdentitySource
x-displayName: Identity Sources
description: The Okta Identity Source API provides a mechanism to synchronize an HR source (the custom identity source) with Okta user profiles in an org.
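Review bot: The rewritten `HookKey` description opens with "The Okta Key Management API provides a CRUD interface for JSON Web Keys (JWK)", which does not match the tag's `x-displayName: Hook Keys`, so the rendered reference presents the same API under two names; `The Hook Keys API provides a CRUD interface for JSON Web Keys (JWK) used with other parts of the application, such as inline hooks.` would keep the text and the display name aligned. The SSWS note on the same tag links the text "Okta API authentication methods" to `https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/`, whereas the identical note added for `PushProvider` in the hunk ending at L49106 links the same text to `https://developer.okta.com/docs/reference/core-okta-api/#authentication`; one target should be chosen for both. The note about hook keys being used to authenticate inline hooks is a security-relevant detail worth keeping, since these keys are what lets an external endpoint trust that a hook call originates from Okta.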
@@ -252,21 +395,76 @@ tags:
To represent a relationship, create a Linked Object definition that specifies a `primary` (parent) relationship and an `associated` (child) relationship, and then add a link in which the appropriate user is assigned to each side of that link type.
- ## Links between User Types
+ ## Links between user types
+
+ If you created multiple user types (see [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/)), they all share the same Linked Object definitions. For example, if you have separate user types for employees and contractors, a link could designate an employee as the manager for a contractor, with the contractor being a subordinate of that employee.
+
+ ## Link definition operations
+
+ Link definition operations allow you to manage the creation and removal of the link definitions. If you remove a link definition, links based on that definition are unavailable.
- If you created multiple User Types, they all share the same Linked Object definitions. For example, if you have separate User Types for employees and contractors, a link could designate an employee as the manager for a contractor, with the contractor being a subordinate of that employee.
+ > **Note:** Links reappear if you recreate the definition. However, Okta is likely to change this behavior so that links don't reappear. Don't rely on this behavior in production environments.
- name: LogStream
x-displayName: Log Streaming
- description: The Log Streaming API provides operations to manage log stream configurations for an org. You can configure up to two log stream integrations per org.
+ description: The Log Streaming API provides operations to manage Log Stream configurations for an org. You can configure up to two Log Stream integrations per org.
- name: NetworkZone
x-displayName: Network Zones
description: |-
- The Okta Network Zones API provides operations to manage Zones in your organization. There are two usage Zone types: Policy Network Zones and Blocklist Network Zones. Policy Network Zones are used to guide policy decisions. Blocklist Network Zones are used to deny access from certain IP addresses, locations, proxy types, or Autonomous System Numbers (ASNs) before policy evaluation.
+ The Network Zones API provides operations to manage system default and custom zones in your Okta org.
+ Network Zones are configurable boundaries that you can use to grant or restrict access to resources in your organization.
+ They're used for two purposes:
+ * `POLICY`: Network Zones used to guide policy decisions
+ * `BLOCKLIST`: Network Zones used to deny access from certain IP addresses, locations, Autonomous System Numbers (ASNs), proxy types, or IP service categories before policy evaluation
+ > **Note:** The Network Zone blocklist applies to all URLs for the org.
+
+ See [Network zones](https://help.okta.com/okta_help.htm?id=ext_Security_Network) in the Okta product documentation.
+
+ Your Okta org provides the following default system Network Zones that you can modify and use:
+ * `LegacyIpZone`: The system default IP Network Zone
+ * `BlockedIpZone`: The system default IP Blocklist Network Zone
+ * `DefaultEnhancedDynamicZone`: The system default Enhanced Dynamic Network Zone
+
+ You can create and use the following custom Network Zones:
+ * IP Network Zone (`IP`): Allows you to define network perimeters around a set of IPs
+ * Dynamic Network Zone (`DYNAMIC`): Allows you to define network perimeters around location, IP type, or ASNs
+ * Enhanced Dynamic Network Zone (`DYNAMIC_V2`): Extends the Dynamic Network Zone and allows you to include or exclude specific locations, ASNs, or IP service categories
+
+ > **Notes:**
+ > * To create multiple Network Zones, you must have Adaptive MFA enabled in your Okta org.
+ > * Enhanced Dynamic Network Zones is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. You must enable **Enhanced Dynamic Network Zones** in your Org settings to access this API. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?id=ext_secur_manage_ea_bata).
+ - name: OktaApplicationSettings
+ x-displayName: Okta Application Settings
+ description: The Okta Application Settings API provides operations to manage settings for Okta apps in your org.
+ - name: OktaPersonalSettings
+ x-displayName: Okta Personal Settings
+ description: The Okta Personal Settings API provides operations to manage the [Okta Personal](https://www.okta.com/products/okta-personal/workforce) settings of your Okta org.
+ - name: OrgCreator
+ x-displayName: Org Creator
+ description: |-
+ > **Note:** You need to have the **Platform—Multi-org Deployment** product to enable the **Org Creator API** feature. Contact your Okta account team for more information.
- A default system Policy Network Zone is provided in your Okta org. You can use the Network Zones API to modify the default Policy Network Zone or to create a custom Policy or Blocklist Network Zone. When you create your custom Zone, you can specify if the Zone is an IP Zone or a Dynamic Zone. An IP Zone allows you to define network perimeters around a set of IPs, whereas a Dynamic Zone allows you to define network perimeters around location, IP type, and ASNs.
- - name: OrgSetting
- x-displayName: Org Settings
- description: The Org Settings API provides operations to manage your org account settings such as contact information, granting Okta Support access, and more.
+ The Org Creator API provides an operation to create Okta orgs (child orgs) based on features from your current org (the parent org). See [Org Creator](https://developer.okta.com/docs/concepts/org-creator/).
+ - name: OrgSettingAdmin
+ x-displayName: Org Admin Settings
+ description: The Org Admin Settings API provides operations to manage the admin settings for your Okta org.
+ - name: OrgSettingCommunication
+ x-displayName: Org Communication Settings
+ description: The Org Communication Settings API provides operations to manage the communication settings for your Okta org. For example, opt users in or out of communication emails.
+ - name: OrgSettingContact
+ x-displayName: Org Contacts
+ description: The Org Contacts API provides operations to manage the contact types of your Okta org.
+ - name: OrgSettingCustomization
+ x-displayName: Org Customization
+ description: The Org Customization API provides operations to retrieve and modify custom settings for your Okta org.
+ - name: OrgSettingGeneral
+ x-displayName: Org General Settings
+ description: The Org General Settings API provides operations to manage the general settings of your Okta org.
+ - name: OrgSettingMetadata
+ x-displayName: Org Metadata
+ description: The Org Metadata API provides operation to fetch metadata for your Okta org.
+ - name: OrgSettingSupport
+ x-displayName: Org Support Settings
+ description: The Org Support Settings API provides operations to manage the support settings for your Okta org.
- name: Policy
x-displayName: Policies
description: |-
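Review bot: The added `NetworkZone` note links to `/openapi/okta-management/guides/release-lifecycle/#early-access-ea` as a site-relative path, while the links a few lines above (`LinkedObject`, `Feature`) and the help-center links are absolute `https://` URLs; relative paths only resolve when the spec is rendered on the hosting portal and break in any other renderer or generated SDK docs. The same mixture appears in the role-target, resource-set and SSF descriptions in the hunk ending at L49106, so it is worth settling on absolute URLs file-wide (or documenting that the spec is only rendered in-portal). Separately, the blocklist sentence `> **Note:** The Network Zone blocklist applies to all URLs for the org.` is a useful access-control statement; it would read better placed after the purposes list as its own paragraph rather than attached to the `BLOCKLIST` bullet, where the `>` quote is parsed as part of the list item by some Markdown renderers.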
@@ -281,44 +479,124 @@ tags:
description: The Mappings API provides operations to manage the mapping of Profile properties between an Okta User and an App User using [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language). More information on Okta User and App User Profiles can be found in Okta's [User profiles](https://developer.okta.com/docs/concepts/user-profiles/#what-is-the-okta-universal-directory).
- name: PushProvider
x-displayName: Push Providers
- description: The Push Providers API provides operations to manage Push Providers for your organization.
x-okta-lifecycle:
- features:
- - CUSTOM_PUSH_AUTHENTICATOR
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ description: |-
+ The Okta Push Providers API provides a centralized integration platform to fetch and manage push provider configurations. Okta administrators can use these APIs to provide their push provider credentials, for example from APNs and FCM, so that Okta can send push notifications to their own custom app authenticator applications.
+
+ The Push Providers API supports the following **Authorization Schemes**:
+ * SSWS - [API tokens](https://developer.okta.com/docs/reference/core-okta-api/#authentication)
+ * Bearer - [OAuth2.0 and OpenID Connect](https://developer.okta.com/docs/concepts/oauth-openid/)
+
+ > **Notes:**
+ > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/reference/core-okta-api/#authentication).
+ > * You can use the Push Providers API as part of the "Create a custom authenticator" flow. See the [Custom authenticator integration guide](https://developer.okta.com/docs/guides/authenticators-custom-authenticator/android/main/).
- name: RateLimitSettings
x-displayName: Rate Limit Settings
description: The Rate Limit Settings APIs provide operations to manage settings and configurations surrounding rate limiting in your Okta organization.
- name: Realm
x-displayName: Realms
- description: The realm API provides operations to manage realms
- - name: ResourceSet
- x-displayName: Resource Sets
- description: The Resource Sets API provides operations to manage Resource Sets as custom collections of resources. You can use Resource Sets to assign Custom Roles to administrators who are scoped to the designated resources. See [Supported Resources](https://developer.okta.com/docs/concepts/role-assignment/#supported-resources).
+ description: The Realms API provides operations to manage realms
+ - name: RealmAssignment
+ x-displayName: Realm Assignments
+ description: The Realm Assignments API provides operations to manage Realm Assignments
- name: RiskEvent
x-displayName: Risk Events
description: The Risk Events API provides the ability for third-party risk providers to send risk events to Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta.
- name: RiskProvider
x-displayName: Risk Providers
- description: The Risk Providers API provides the ability to manage the Risk Providers within Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta.
- - name: Role
- x-displayName: Roles
+ description: The Risk Providers API enables you to manage the Risk Providers within Okta. See [Third-party risk provider integration](https://developer.okta.com/docs/guides/third-party-risk-integration/) for guidance on integrating third-party risk providers with Okta.
+ - name: RoleAssignmentAUser
+ x-displayName: User Role Assignments
+ description: The User Role Assignments APIs allow you to assign roles and designate third-party admin status to Users.
+ - name: RoleAssignmentBGroup
+ x-displayName: Group Role Assignments
+ description: The Group Role Assignments APIs allow you to assign roles and designate third-party admin status to Groups.
+ - name: RoleAssignmentClient
+ x-displayName: Client Role Assignments
+ description: The Client Role Assignments APIs allow you to assign roles and designate third-party admin status to public client apps.
+ - name: RoleBTargetAdmin
+ x-displayName: User Role Targets
description: |-
- The Roles API provides operations to manage administrative Role assignments for a User.
-
- Role listing APIs provide a union of both standard and Custom Roles assigned to a User or Group.
- - name: RoleAssignment
- x-displayName: Role Assignments
- description: These APIs allow you to assign custom roles to user and groups, as well as designate Third-Party Administrator status to a user or group.
- - name: RoleTarget
- x-displayName: Role Targets
+ User role targets are a way of limiting the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to an admin User within your org.
+ You can define admin roles to target Groups, Applications, and Application Instances.
+
+ * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group.
+ * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook.
+ * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances.
+
+ > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/).
+ - name: RoleBTargetBGroup
+ x-displayName: Group Role Targets
description: |-
- Role targets are a way of defining permissions for admin roles into a smaller subset of Groups or Apps within your org. Targets limit an admin's permissions to a targeted area of the org. You can define admin roles to target Groups, Applications, and Application Instances.
+ Group role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a Group within your org.
+ You can define admin roles to target Groups, Applications, and Application Instances.
* **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group.
- * **App targets:** Grant an admin permission to manage all instances of the specified Apps. Target Apps are Okta catalog Apps. For example, you can have multiple configurations of an Okta catalog App, such as Salesforce or Facebook. When you add a Salesforce or Facebook App as a target, that grants the admin permission to manage all the instances of those Apps and create new instances of them.
- * **App Instance targets:** Grant an admin permission to manage an instance of one App or instances of multiple Apps. App Instances are specific Apps that admins have created in their org. For example, there may be a Salesforce App configured differently for each sales region of a company. When you create an App Instance target, you can assign an admin to manage only two instances of the configured Salesforce Apps and then also to manage an instance of another configured App such as Workday.
+ * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook.
+ * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances.
+
+ > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Set Resources](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/).
+ - name: RoleBTargetClient
+ x-displayName: Client Role Targets
+ description: |-
+ Client role targets allow you to limit the app or group resources for a [standard role](/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a client (Application) within your org.
+ You can define admin roles to target Groups, Applications, and Application Instances.
+
+ * **Group targets:** Grant an admin permission to manage only a specified Group. For example, an admin role may be assigned to manage only the IT Group.
+ * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook.
+ * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances.
+
+ > **Note:** You can only use the User Role Targets API with [standard roles](/openapi/okta-management/guides/roles/#standard-roles). You can define specific targets for custom roles with [Resource Sets](/openapi/okta-management/management/tag/RoleCResourceSet/). See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/).
+ - name: RoleCResourceSet
+ x-displayName: Resource Sets
+ description: The Resource Sets API provides operations to manage Resource Sets as a custom set of resources. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources).
+ - name: RoleCResourceSetResource
+ x-displayName: Resource Set Resources
+ description: The Resource Set Resources API provides operations to manage Resources within a Resource Set. You can add or remove Resources in Resource Sets. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources).
+ - name: RoleDResourceSetBinding
+ x-displayName: Role Resource Set Bindings
+ description: The Role Resource Set Bindings API provides operations to assign members to a [Custom Role](/openapi/okta-management/management/tag/RoleECustom/) that targets resources in a [Resource Set](/openapi/okta-management/management/tag/RoleCResourceSet/). The returned Role Resource Set Binding is a single unique combination of a principal, a resource set, and a custom role. You can assign custom roles to admins who are scoped to the designated resources in a resource set.
+ - name: RoleDResourceSetBindingMember
+ x-displayName: Role Resource Set Binding Members
+ description: The Role Resource Set Binding Members API provides operations to manage members in a [Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/).
+ - name: RoleECustom
+ x-displayName: Custom Roles
+ description: The Custom Roles API provides operations to manage custom roles that limit an admin's access to a subset of permissions and resources.
+ - name: RoleECustomPermission
+ x-displayName: Custom Role Permissions
+ description: The Custom Role Permissions API provides operations to manage the permissions assigned to a Custom Role.
+ - name: SSFReceiver
+ x-displayName: SSF Receiver
+ description: |-
+
+ > This feature is only available with Identity Threat Protection in Identity Engine.
- > **Note:** Don't use these operations with a Custom Role ID. Custom Role assignments always require a target Resource Set. See [Role Assignments](https://developer.okta.com/docs/concepts/role-assignment/) for more information.
+ Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide/) to receive security-related events and other data-subject signals from third-party security vendors. In this scenario, commonly used terms for third-party vendors that send signals are "transmitters", Okta is the "receiver", and the connection between the two entities is referred to as a "stream."
+
+ The SSF Receiver API allows you to manage SSF vendor stream configurations between the transmitter and Okta. A stream is configured by [creating a Security Events Provider](/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance) object in your Okta org. You can create a Security Events Provider object in Okta with a published well-known URL or an issuer-and-JWKS combination.
+
+ After the Security Events Provider object is created for a transmitter, the provider can use the [SSF Security Event Tokens](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken/) API to publish events to Okta. While the SSF allows ingestion through push and poll-based operations, Okta currently supports only push-based operations.
+ - name: SSFSecurityEventToken
+ x-displayName: SSF Security Event Tokens
+ description: |-
+
+ > This feature is only available with Identity Threat Protection in Identity Engine.
+
+ The Shared Signals Framework (SSF) Security Event Tokens API allows third-party security event providers to send Security Event Tokens (SETs) to Okta. The provider must be configured in Okta as a Security Events Provider instance before transmitting a SET to Okta. See [Create a Security Events Provider](/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance). After the token is verified, any appropriate action is performed upon ingestion.
+
+ Okta uses the Shared Signals Framework (SSF) defined by the [OpenID Shared Signals and Events Framework specification](https://openid.net/specs/openid-sse-framework-1_0.html). A risk signal is ingested as a Security Event Token (SET), a type of JSON Web Token (JWT) that must comply with the SET standard: [RFC 8417 - Security Event Token(SET)](https://datatracker.ietf.org/doc/html/rfc8417). The `security.events.provider.receive_event` System Log event is created when a SET is published to Okta successfully.
+ - name: SSFTransmitter
+ x-displayName: SSF Transmitter
+ description: |-
+
+ > **Note:** The SSF Transmitter API is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. You must enable the **Enable Managed Apple ID federation and provisioning** feature in your Org settings to access this feature. See [Manage Early Access and Beta features](https://help.okta.com/okta_help.htm?id=ext_secur_manage_ea_bata).
+
+ Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide) to send security-related events and other data-subject signals to third-party security vendors. In this scenario, commonly used terms for third-party vendors that receive signals are "receivers", Okta is the "transmitter", and the connection between the two entities is referred to as a "stream."
+
+ The SSF Transmitter API allows you to manage SSF stream configurations between the receiver that receives signals transmitted by Okta. Okta sends signals in the form of [Security Event Tokens (SETs)](https://datatracker.ietf.org/doc/html/rfc8417) to a third-party SSF receiver. To enable the transmission of signals from Okta, you must create an SSF Stream using the SSF Transmitter API and configure the third-party receiver to accept signals from Okta.
- name: Schema
x-displayName: Schemas
description: |-
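Review bot: The new `x-okta-lifecycle` block on `PushProvider` is self-contradictory: `lifecycle: GA` is paired with `isGenerallyAvailable: false`, and tooling that reads either field will classify the tag differently; one of the two should change, e.g. `isGenerallyAvailable: true` if the API is indeed GA. The notes copied onto `RoleBTargetBGroup` and `RoleBTargetClient` still say "You can only use the User Role Targets API with standard roles" — each should name its own API (`> **Note:** You can only use the Group Role Targets API with [standard roles](...)` and likewise `Client Role Targets API`), and the third copy links the same `RoleCResourceSet` tag as "Resource Sets" where the other two say "Resource Set Resources". The `SSFTransmitter` EA note instructs enabling the **Enable Managed Apple ID federation and provisioning** feature, which appears unrelated to SSF transmission and looks copied from another tag; please confirm the actual feature name with the product team rather than leaving a wrong gating instruction in a security-feature description.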
@@ -330,14 +608,45 @@ tags:
[JSON Schema](http://json-schema.org/) is a lightweight declarative format for describing the structure, constraints, and validation of JSON documents.
> **Note:** Okta implements only a subset of [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). This document describes which parts apply to Okta, and any extensions Okta has made to [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html).
+
+ ### Unique Attributes
+ You can enforce uniqueness for custom properties in Okta user profiles or the Okta group profile, such as an employee identification number. You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. Different user types can have the same or different unique properties (up to the limit of five per type).
+
+ Unique properties in Okta user profiles share a single namespace across all [user types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) in an org. If user types A and B both contain the property `ice cream` and you identify it as unique in both profiles, then if a user of type A has the value `chocolate`, no other users of type A or B (or any other user type that declares `ice cream` as unique) can have that value.
+
+ Properties that aren't unique also aren't tracked for uniqueness. Suppose the property `candy` is unique in type E and not unique in type F. If a user of type E has the value `caramel` for the `candy` property, no other users of type E can also have the value `caramel`, but any number of users of type F can already have or later be assigned the value `caramel`. Furthermore, because `candy` is not unique in type F, any values users of type F may have are not considered when enforcing uniqueness for users of type E. No matter how many users of type F already have the value `cotton`, it might be assigned to a user of type E as long as no other such user already has that value.
+
+ If you attempt to create or update a user with a duplicate value for a custom user property with a uniqueness restriction, the user creation or update operation fails. The user isn't created or updated until you enter a unique value. Similarly, creating or updating a group fails when the request contains a value for a unique custom group property that is duplicated by another group.
+
+ `null` values don't enter into the uniqueness calculation. If the unique property isn't also specified as being required, you can also omit the value entirely. Multiple users or groups can omit the property and not violate uniqueness.
+
+ To enforce uniqueness for custom properties, you can either add new unique custom properties or update existing custom properties to be unique.
+
+ #### Add new unique custom property
+
+ You can use the [add property to user profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [add property to group profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to add one or more unique custom user or group properties. Specify `"unique": true` on the properties to be marked as unique. The response shows the properties with `"unique": "UNIQUE_VALIDATED"` and uniqueness is then enforced on those properties.
+
+ #### Update existing custom property to be unique
+
+ You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to mark existing custom user or group properties as unique by specifying `"unique": true` on the properties to be marked as unique.
+
+ After the request to mark existing custom properties as unique is submitted, an asynchronous validation check is performed to make sure that there are no existing duplicate entries. If you have a significant number of users or groups, the validation can take some time.
+
+ A uniqueness status of `"unique": "PENDING_UNIQUENESS"` indicates that the validation check is still in progress. Use the Universal Directory page in the Admin Console (**Directory** > **Directory Integrations**) to track the status of the validation check. After the validation completes, if you submit a retrieve user schema request or a retreive group schema request, the property's uniqueness status changes to `UNIQUE_VALIDATED` if no duplicate records are found, and uniqueness is then enforced on that property. Otherwise, if duplicate records are found, the `unique` attribute of the schema property isn't shown in the get schema request and uniqueness isn't enforced on the schema property.
+
+ #### Update existing unique custom property to be non-unique
+
+ You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to change existing unique custom user or group properties to be non-unique by specifying `"unique": false` on the properties to be changed to non-unique. The response shows the properties without the `unique` attribute and the uniqueness constraint is then removed on those properties.
+
+ **Note:** If multiple user types declare a property as unique and you remove the uniqueness constraint on one type, there may be a delay before users of other types that declare the property as unique can be assigned values formerly held by users of the first type.
- name: Session
x-displayName: Sessions
description: |-
Okta uses a cookie-based authentication mechanism to maintain a user's authentication Session across web requests. The Okta Sessions API provides operations to create and manage authentication Sessions for users in your Okta organization.
- >**Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [FAQ: How Blocked Third Party Cookies Can Potentially Impact Your Okta Environment](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment).
-
- >**Note:** The Sessions API doesn't support direct authentication. Direct authentication is supported through the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#authentication-operations) or through OIDC using the [Resource Owner Password flow](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/).
+ >**Notes:**
+ > * Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies).
+ > * The Sessions API doesn't support direct authentication. Direct authentication is supported through the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#authentication-operations) or through OIDC using the [Resource Owner Password flow](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/).
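Review bot: `retreive group schema request` in the `PENDING_UNIQUENESS` paragraph of the Schema description is a typo for `retrieve group schema request`, and this text is rendered verbatim in the published reference. The neighbouring paragraphs link each operation they mention (`updateUserProfile`, `updateGroupSchema`), so the retrieve calls could be linked the same way instead of being named in prose; that keeps the section navigable once the status-change behaviour is read end to end.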
### Session cookie
@@ -360,9 +669,9 @@ tags:
- name: SystemLog
x-displayName: System Log
description: |-
- The System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
+ The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
- The System Log API provides near real-time, read-only access to your organization's system log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog).
+ The Okta System Log API provides near real-time, read-only access to your organization's system log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog).
The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact.
@@ -372,9 +681,7 @@ tags:
* Development debugging
* Event introspection and audit
- The System Log API isn't intended for use as a Database as a Service (DBaaS) or to serve data directly to downstream consumers without an intermediate data store.
-
- See [Events API Migration](https://developer.okta.com/docs/concepts/events-api-migration/) for information on migrating from the Events API to the System Log API.
+ > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).
- name: Template
x-displayName: SMS Templates
description: |-
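Review bot: The new authentication note replaces the two removed sentences rather than sitting next to them, so the statement that the System Log API isn't intended to be used as a DBaaS or to feed downstream consumers without an intermediate data store no longer appears in the description. If dropping that guidance is intentional it's fine; otherwise keep it as a second bullet under a `> **Notes:**` block, which is the layout the Session and Trusted Origins descriptions adopt in this same change.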
@@ -383,6 +690,33 @@ tags:
> **Note:** Only SMS custom Templates are available through the API.
SMS Templates customize the SMS message that is sent to users. One default SMS Template is provided. All custom Templates must have the variable `${code}` as part of the text. The `${code}` variable is replaced with the actual SMS code when the message is sent. Optionally, you can also use the variable `${org.name}`. If a Template contains `${org.name}`, it is replaced with the organization name before the SMS message is sent.
+
+ ### SMS Template macros
+
+ Only two macros are supported for SMS Templates:
+
+ | Type
| Description |
+ | -------------------- | ----------- |
+ | ${code} | The one-time verification code that's required for a user to sign in. |
+ | ${org.name} | The Okta org name that the user is trying to authenticate into. |
+
+ >**Note:** The length of your SMS message can't exceed 160 characters. If the verification code portion of the message falls outside of the 160-character limit, your message isn't sent.
+ - name: Themes
+ x-displayName: Themes
+ description: |-
+ These endpoints allow you to customize the look and feel of pages and templates, including the following:
+ * The Okta-hosted sign-in page
+ * The sign-out page
+ * Error pages
+ * Email templates
+ * The Okta End-User Dashboard
+
+ Each new org contains Okta default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace the default assets. Then you can publish these assets directly to your pages and templates.
+
+ > **Notes:**
+ > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).
+ > * Okta optimizes the `primaryColorContrastHex` and `secondaryColorContrastHex` properties for the highest contrast between the font color and the background or button color. To disable or override the contrast auto-detection, update either contrast value with an accepted contrast hex code. Any update disables future automatic optimizations for the contrast hex.
+ > * Contrast color is used by pages to optimize the opacity of text color when primary or secondary color is used as the background.
- name: ThreatInsight
x-displayName: ThreatInsight
description: |-
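Review bot: The authentication note in the Themes description reads `Okta recommends scoped OAuth 2.0 and OIDC access tokens`, while the same boilerplate in the System Log, Trusted Origins and User descriptions reads `Okta recommends using scoped OAuth 2.0 and OIDC access tokens`; since this sentence is repeated across many tags it's worth keeping it byte-identical so a later wording change can be applied uniformly. In the SMS Template macros table the `${code}` and `${org.name}` cells are plain text, whereas the Factors table added later in this change puts its values in code spans; doing the same here keeps the rendered tables consistent and avoids the `$` being read as markup by some renderers.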
@@ -402,32 +736,109 @@ tags:
When external URLs are requested during sign-in, sign-out, or recovery operations, Okta checks those URLs against the allowed list of Trusted Origins. Trusted Origins also enable browser-based applications to access Okta APIs from JavaScript (CORS). If the origins aren't specified, the related operation (redirect or Okta API access) isn't permitted.
- You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin. This is an Early Access feature. To enable it, contact [Okta Support](https://support.okta.com/help/s/).
+ You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin.
- > **Note:** This Early Access feature is supported for Okta domains only. It isn't currently supported for custom domains.
+ > **Notes:**
+ > * This feature is supported for Okta domains only. It isn't currently supported for custom domains.
+ > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).
- name: UISchema
x-displayName: UI Schema
description: |-
The Okta UI Schema API allows you to control how inputs appear on an enrollment form. The UI Schema API is only available as a part of Okta Identity Engine.
- If you’re not sure which solution you’re using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs.
+ If you're not sure which solution you're using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs.
- name: User
x-displayName: Users
- description: The User API provides operations to manage users in your organization.
+ description: "The Users API provides operations to manage users in your organization.\n> **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs.\n> OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).\n\n### User status\nThe following diagram shows the flow of user status:\n![STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, or DEPROVISIONED](../../../../../images/users/okta-user-status.png)\n\n### User creation scenarios\n\n The following table describes the user experience and expectation of user status and welcome screen, depending on which options (security question and answer, password, and activate query) are defined during user creation.\n\n **User creation details and outcomes**\n\n | Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |\n | ----- | -------- | ------------------------ | ------------- | ---------------------- | -------------- |\n | | | FALSE | `STAGED` | | |\n | | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | X | | FALSE | `STAGED` | | |\n | X | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | | X | FALSE | `STAGED` | | |\n | | X | TRUE | `ACTIVE` | Password | X |\n | X | X | FALSE | `STAGED` | | |\n | X | X | TRUE | `ACTIVE` | Password | |\n\nCreating users with a `FEDERATION` or `SOCIAL` provider sets the user status to either `ACTIVE` or `STAGED` based on the `activate` query parameter since these two providers don't support a `password` or `recovery_question` credential.\n\nMore information about the use cases are in the following sections and in the examples for [Create a 
user](/openapi/okta-management/management/tag/User/#tag/User/operation/createUser).\n\n#### Create user with Optional Password enabled\n\nWhen Optional Password is enabled, the user status following user creation can be affected by the enrollment policy. See [Create an authenticator enrollment policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-mfa-policy).\nBased on the group memberships that are specified when the user is created, a password may or may not be required to make the user's status `ACTIVE`.\n\nIf the enrollment policy that applies to the user (as determined by the groups assigned to the user) specifies that the Password authenticator is `required`, then in the case where the user is created without a password, the user is in the `PROVISIONED` status and\na One-Time Token is sent to the user through email. If the user is created with a password, then their status is set to ACTIVE, and they can immediately sign in using their Password authenticator.\n\nIf the enrollment policy that applies to the groups specified for the newly created user indicates that password is `optional` or `disabled`, then the Administrator can't specify a password for the user. Instead, the user status is set to `ACTIVE` and the user can immediately sign in using their Email authenticator. 
If policy permits, and the user so chooses, they can enroll a password after they sign in.\n\n#### Create user without credentials\n\nCreates a user without a `password` or a `recovery question & answer`.\n\nIf appropriate, when the user is activated, an email is sent to the user with an activation token that the user can use to complete the activation process.\nThis is the default flow for new user registration using the administrator UI.\n\n#### Create user with recovery question\n\nCreates a user without a `password`.\n\nWhen the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process.\nThis flow is useful if migrating users from an existing user store.\n\n#### Create user with password\n\nCreates a user without a `recovery question & answer`.\n\nThe new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.\n> **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.\n\n#### Create User with imported hashed password\n\nCreates a user with a specified `hashed password`.\n\nThe new user is able to sign in after activation with the specified password.\n\nThis flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.\n> **Important:** Do not generate or send a one-time activation token when activating users with an imported password. 
Users should login with their imported password.\n\n#### Create user with password import inline hook\n\nCreates a user with a `Password Hook` object specifying that a password inline hook should be used to handle password verification.\n\nThe password inline hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the password inline hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See [Password import inline hook](https://developer.okta.com/docs/reference/password-hook/) for more details.\n\nThe new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.\n> **Important:** Don't generate or send a one-time activation token when activating users with an password inline hook. Users should sign in with their existing password to be imported using the password import inline hook.\n\n#### Create user with password & recovery question\n\nCreates a new user with a `password` and `recovery question & answer`.\n\nThe new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.\n> **Important:** Don't generate or send a one-time activation token when activating users with an assigned password. 
Users should login with their assigned password.\n\n#### Create user with authentication provider\n\nCreates a new passwordless user with a `SOCIAL` or `FEDERATION` authentication provider that must be authenticated via a trusted Identity Provider.\n\n#### Create user in Group\n\nCreates a user that is added to the specified groups upon creation.\n\nUse this in conjunction with other create operations for a Group Administrator that is scoped to create users only in specified groups. The request may specify up to 20 group ids. (This limit applies only when creating a user. The user may later be added to more groups.)\n\n#### Create user with non-default user type\n\nCreates a user with a specified user type (see [User Types](https://developer.okta.com/docs/reference/api/user-types)). The type specification may be included with any of the above Create user operations; this example demonstrates creating a user without credentials.\nThe user type determines which [Schema](/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can be assigned a different user type only by an admin via a full replacement [PUT operation](https://developer.okta.com/docs/reference/api/user-types/#update-user-type).\n\n### Links object\n\nThe links object specifies link relations. See [`_links`](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=_links&t=response).\n\n> **Note:** This links object is different from [Linked Objects](/openapi/okta-management/management/tag/LinkedObject/).\n\n#### Individual users versus collection of users\n\nFor an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. For a collection of users, the links object contains only the `self` link. 
Operations that return a collection of users include [List all users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) and [List all member users](openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers).\n\nThe following table shows some links that may be available on a user, as determined by your policies:\n\n| Link Relation Type | Description |\n|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n|self\t | A self-referential link to this user |\n|activate\t | Lifecycle action to [activate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) |\n|deactivate |\tLifecycle action to [deactivate the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/deactivateUser) |\n|suspend |\tLifecycle action to [suspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser) |\n|unsuspend |\tLifecycle action to [unsuspend the user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unsuspendUser) |\n|resetPassword |\tLifecycle action to [trigger a password reset](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) |\n|expirePassword |\tLifecycle action to [expire the user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/expirePassword) |\n|resetFactors |\tLifecycle action to [reset all MFA factors](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/resetFactors) |\n|unlock |\tLifecycle action to [unlock a locked-out user](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unlockUser) |\n|forgotPassword |\t[Resets a user's 
password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword) by validating the user's recovery credential. |\n|changePassword |\t[Changes a user's password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) validating the user's current password |\n|changeRecoveryQuestion |\t[Changes a user's recovery credential](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changeRecoveryQuestion) by validating the user's current password |"
+ - name: UserCred
+ x-displayName: User Credentials
+ description: The User Credentials API provides operations to manage user credentials in your org.
- name: UserFactor
x-displayName: User Factors
- description: The Factors API provides operations to enroll, manage, and verify factors for multifactor authentication (MFA). Manage both administration and end-user accounts, or verify an individual factor at any time.
+ description: |-
+ The Factors API provides operations to enroll, manage, and verify factors for multifactor authentication (MFA). Generally, authentication involves verifying a different one-time passcode (OTP). Manage both administration and end-user accounts, or verify an individual factor at any time.
+ Okta supports several different types of Factors:
+
+ | Factor Type | Description |
+ |-----------------------|-------------|
+ | `call` | Software OTP sent using a voice call to a registered phone number |
+ | `sms` | Software OTP sent using SMS to a registered phone number |
+ | `email` | Software OTP sent using email |
+ | `question` | Additional knowledge-based security question |
+ | `push` | Out-of-band verification using a push notification to a device and transaction verification with digital signature |
+ | `token` | Software or hardware OTP sent to a device |
+ | `token:hardware` | Hardware OTP sent to a device |
+ | `token:hotp` | Custom [TOTP](https://www.ietf.org/rfc/rfc6238.txt) factor that uses an extension of the HMAC-based one-time passcode (HOTP) algorithm |
+ | `token:software:totp` | Software time-based one-time passcode (TOTP) |
+ | `u2f` | Hardware Universal 2nd Factor (U2F) device |
+ | `web` | HTML inline frame (iframe) for embedding verification from a third party |
+ | `webauthn` | Hardware WebAuthn device |
+ | `signed_nonce` | Okta Fastpass (device-bound authentication). This is available for OIE orgs if the org has users that have enrolled with Okta Verify after the org started using OIE. |
+ - name: UserGrant
+ x-displayName: User Grants
+ description: |-
+ The User Grants API provides operations to manage user consent Grants in your org.
+
+ A consent represents a user's explicit permission to allow an app to access resources protected by scopes. Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they've already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.
+
+ > **Hint:** For all grant operations, you can use `me` instead of the `userId` in an endpoint that contains `/users`, in an active session with no SSWS token (API token). For example: `https://${yourOktaDomain}/api/v1/users/me/grants` returns all the grants for the active session user.
+
+ > **Note:** Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For more information, see [FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment).
+ - name: UserLifecycle
+ x-displayName: User Lifecycle
+ description: |-
+ The User Lifecycle API provides lifecycle operations, which are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous.
+ The user's current status limits what operations are allowed.
+ - name: UserLinkedObject
+ x-displayName: User Linked Objects
+ description: |-
+ The User Linked Objects API provides operations to manage User Linked Objects in your org.
+ Use link value operations to assign Users to a relationship, represented by a pair of `primary` and `associated` links. See also the [Linked Objects API](/openapi/okta-management/management/tag/LinkedObject/).
+
+ For these operations, the examples use consistent IDs so that you can follow the operations more easily:
+ * `manager` is the `primary` relationship and is assigned `00u5t60iloOHN9pBi0h7`
+ * `subordinate` is the `associated` relationship and is assigned to IDs `00u5zex6ztMbOZhF50h7` and `00u1tsf0nQKavLDUh0g5`
+ - name: UserOAuth
+ x-displayName: User OAuth 2.0 Token Management
+ description: |-
+ The User OAuth 2.0 Token Management API provides operations to manage tokens issued by an Authorization Server for a particular User and Client in your org. For example, you can revoke every active refresh token for a User in the context of a specific Client. You can also [revoke specific tokens](https://developer.okta.com/docs/guides/revoke-tokens/main/) or [manage tokens at the authorization server level](/openapi/okta-management/management/tag/AuthorizationServer/).
+
+ Read [Validate Access Tokens](https://developer.okta.com/docs/guides/validate-access-tokens/) to understand more about how OAuth 2.0 tokens work.
+ - name: UserResources
+ x-displayName: User Resources
+ description: The User Resources API provides operations related to User resources.
+ - name: UserRisk
+ x-displayName: User Risk
+ description: |-
+
+ > This feature is only available with Identity Threat Protection in Identity Engine.
+
+ The User Risk API enables you to manage a user's risk level within Okta.
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ - name: UserSessions
+ x-displayName: User Sessions
+ description: The User Sessions API provides operations to manage User sessions in your org.
- name: UserType
x-displayName: User Types
- description: The User Types API provides operations to manage User Types.
+ description: The User Types API provides operations to manage user types.
+ - name: WebAuthnPreregistration
+ x-displayName: WebAuthn Preregistration
+ description: The WebAuthn Preregistration API provides a flow to initiate and set up WebAuthn Preregistration authenticator enrollments through third-party fulfillment providers.
+externalDocs:
+ description: Find more info here
+ url: https://developer.okta.com/docs/reference/core-okta-api/#design-principles
paths:
/.well-known/app-authenticator-configuration:
get:
x-okta-lifecycle:
- features:
- - CUSTOM_PUSH_AUTHENTICATOR
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
summary: Retrieve the Well-Known App Authenticator Configuration
- description: Retrieves the well-known app authenticator configuration, which includes an app authenticator's settings, supported methods and various other configuration details
+ description: Retrieves the well-known app authenticator configuration. Includes an app authenticator's settings, supported methods, and other details.
operationId: getWellKnownAppAuthenticatorConfiguration
parameters:
- name: oauthClientId
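Review bot: The User tag description is a single double-quoted scalar full of `\n` and `\t` escapes, while every other tag description in this file uses a `|-` block scalar; the content is effectively unreviewable in a diff and the tab escapes inside the links table are fragile, so it should be rewritten as a `|-` block (a large but purely mechanical change, hence not reproduced here). Inside that text the "List all member users" link target `openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers` lacks the leading `/` that its sibling links carry and will resolve relative to the current page, and `an password inline hook` should read `a password inline hook`. The UserGrant third-party-cookies note still links the old support.okta.com FAQ article that the Session description in this same change replaced with the help.okta.com "Mitigate the impact of third-party cookie deprecation" page, so the two tags now disagree. The `x-okta-lifecycle` blocks on UserRisk and on the app-authenticator-configuration operation combine `lifecycle: GA` with `isGenerallyAvailable: false`, which reads as contradictory unless the two keys carry different meanings; if they do, a one-line comment such as `# lifecycle is the API stage; isGenerallyAvailable reflects SKU/feature gating` next to the first occurrence would save every reader the same question.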
@@ -445,6 +856,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/WellKnownAppAuthenticatorConfiguration'
+ examples:
+ AuthenticatorConfiguration:
+ $ref: '#/components/examples/WellKnownAppAuthenticatorConfigurationCustomApp'
'400':
$ref: '#/components/responses/ErrorMissingRequiredParameter400'
'429':
@@ -455,7 +869,7 @@ paths:
/.well-known/okta-organization:
get:
summary: Retrieve the Well-Known Org Metadata
- description: Retrieves the well-known org metadata, which includes the id, configured custom domains, authentication pipeline, and various other org settings
+ description: Retrieves the well-known org metadata, which includes the org ID, configured custom domains, authentication pipeline, and various other org settings
operationId: getWellknownOrgMetadata
responses:
'200':
@@ -473,7 +887,42 @@ paths:
$ref: '#/components/responses/ErrorTooManyRequests429'
security: []
tags:
- - OrgSetting
+ - OrgSettingMetadata
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /.well-known/ssf-configuration:
+ get:
+ summary: Retrieve the SSF Transmitter metadata
+ description: Retrieves SSF Transmitter configuration metadata. This includes all supported endpoints and key information about certain properties of the Okta org as the transmitter, such as `delivery_methods_supported`, `issuer`, and `jwks_uri`.
+ operationId: getWellknownSsfMetadata
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/WellKnownSSFMetadata'
+ examples:
+ wellKnownSSFMetadataExample:
+ $ref: '#/components/examples/wellKnownSSFMetadataExample'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security: []
+ tags:
+ - SSFTransmitter
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/agentPools:
get:
summary: List all Agent Pools
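Review bot: The new `/.well-known/ssf-configuration` GET declares `security: []` (anonymous access) yet documents `401` `ErrorInvalidToken401` and `403` `ErrorAccessDenied403` responses, which can only arise when a credential is evaluated. One of the two must be wrong: either the endpoint is public like `/.well-known/okta-organization` directly above and the `401`/`403` entries should be dropped, or it requires a token and `security: []` should be replaced with the `apiToken` / `oauth2` requirement used by the other operations in this file. I can't tell from the hunk which is intended, so please confirm against the service; as written, generated clients will treat the endpoint as unauthenticated while the error table says otherwise.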
@@ -502,6 +951,9 @@ paths:
- okta.agentPools.read
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -532,6 +984,9 @@ paths:
- okta.agentPools.read
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an Agent Pool update
description: Creates an Agent pool update \n For user flow 2 manual update, starts the update immediately. \n For user flow 3, schedules the update based on the configured update window and delay.
@@ -563,6 +1018,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/settings:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -589,6 +1047,9 @@ paths:
- okta.agentPools.read
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Update an Agent Pool update settings
description: Updates an agent pool update settings
@@ -620,6 +1081,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/{updateId}:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -647,6 +1111,9 @@ paths:
- okta.agentPools.read
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Update an Agent Pool update by id
description: Updates Agent pool update and return latest agent pool update
@@ -678,6 +1145,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete an Agent Pool update
description: Deletes Agent pool update
@@ -697,6 +1167,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/{updateId}/activate:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -724,6 +1197,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/{updateId}/deactivate:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -751,6 +1227,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/{updateId}/pause:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -778,6 +1257,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/{updateId}/resume:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -805,6 +1287,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/{updateId}/retry:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -832,6 +1317,9 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/agentPools/{poolId}/updates/{updateId}/stop:
parameters:
- $ref: '#/components/parameters/pathPoolId'
@@ -859,19 +1347,14 @@ paths:
- okta.agentPools.manage
tags:
- AgentPools
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/api-tokens:
get:
summary: List all API Token Metadata
description: Lists all the metadata of the active API tokens
operationId: listApiTokens
- parameters:
- - $ref: '#/components/parameters/queryAfter'
- - $ref: '#/components/parameters/queryLimit'
- - name: q
- in: query
- description: Finds a token that matches the name or clientName.
- schema:
- type: string
responses:
'200':
description: OK
@@ -894,6 +1377,9 @@ paths:
- okta.apiTokens.read
tags:
- ApiToken
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/api-tokens/current:
delete:
summary: Revoke the Current API Token
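Review bot: The hunk removes the `after`, `limit` and `q` query parameters from `listApiTokens` while the unchanged description still says `Lists all the metadata of the active API tokens`, so a reader no longer knows whether the result is paginated or complete. If the server never honored those parameters, say so, e.g. `description: Lists all the metadata of the active API tokens. This endpoint isn't paginated; the full list is returned in one response.`; if it still accepts them, the removal is a silent contract change for generated SDKs. The `listApplications` description later in this diff shows the pagination wording to reuse if paging does apply.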
@@ -910,12 +1396,15 @@ paths:
- apiToken: []
tags:
- ApiToken
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/api-tokens/{apiTokenId}:
parameters:
- $ref: '#/components/parameters/pathApiTokenId'
get:
summary: Retrieve an API Token's Metadata
- description: Retrieves the metadata for an active API token by id
+ description: Retrieves the metadata for an active API token by `apiTokenId`
operationId: getApiToken
responses:
'200':
@@ -939,6 +1428,53 @@ paths:
- okta.apiTokens.read
tags:
- ApiToken
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Upsert an API Token Network Condition
+ description: Upserts an API Token Network Condition by `apiTokenId`
+ operationId: upsertApiToken
+ requestBody:
+ content:
+ application/json:
+ example:
+ name: api_token_name
+ clientName: client_name
+ userId: 00uabcdefg1234567890
+ network:
+ connection: ANYWHERE
+ created: '2021-11-09T20:38:10.000Z'
+ schema:
+ $ref: '#/components/schemas/ApiTokenUpdate'
+ required: true
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ApiToken'
+ examples:
+ HCaptcha:
+ $ref: '#/components/examples/ApiTokenMetadataResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apiTokens.manage
+ tags:
+ - ApiToken
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke an API Token
description: Revokes an API token by `apiTokenId`
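Review bot: The `200` response example of the new `upsertApiToken` operation is keyed `HCaptcha`, which looks like a copy-paste leftover and should be renamed to something like `ApiTokenMetadataResponse` to match the `$ref`. The request example also sends `userId`, `clientName` and `created`, which read as system-assigned properties, while the summary says only the Network Condition is upserted; the description should state which fields the server actually honors (presumably just `network` — confirm against the `ApiTokenUpdate` schema, which isn't in this hunk). Since this call changes the IP restriction on an already-issued credential, it would also help to say so in the description and to show a request that isn't the least-restrictive `connection: ANYWHERE`.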
@@ -958,39 +1494,59 @@ paths:
- okta.apiTokens.manage
tags:
- ApiToken
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps:
get:
summary: List all Applications
- description: Lists all applications with pagination. A subset of apps can be returned that match a supported filter expression or query.
+ description: Lists all apps in the org with pagination. A subset of apps can be returned that match a supported filter expression or query. The results are [paginated](/#pagination) according to the `limit` parameter. If there are multiple pages of results, the header contains a `next` link. Treat the link as an opaque value (follow it, don't parse it).
operationId: listApplications
parameters:
- name: q
in: query
+ description: Searches for apps with `name` or `label` properties that starts with the `q` value using the `startsWith` operation
schema:
type: string
+ example: Okta
- name: after
in: query
- description: Specifies the pagination cursor for the next page of apps
+ description: Specifies the [pagination](/#pagination) cursor for the next page of results. Treat this as an opaque value obtained through the `next` link relationship.
schema:
type: string
+ example: 16278919418571
+ - name: useOptimization
+ in: query
+ description: Specifies whether to use query optimization. If you specify `useOptimization=true` in the request query, the response contains a subset of app instance properties.
+ schema:
+ type: boolean
+ default: false
- name: limit
in: query
- description: Specifies the number of results for a page
+ description: Specifies the number of results per page
schema:
type: integer
format: int32
default: -1
+ maximum: 200
- name: filter
in: query
- description: Filters apps by status, user.id, group.id or credentials.signing.kid expression
- schema:
- type: string
- - name: expand
- in: query
- description: Traverses users link relationship and optionally embeds Application User resource
+ description: Filters apps by `status`, `user.id`, `group.id`, `credentials.signing.kid` or `name` expression that supports the `eq` operator
schema:
type: string
+ examples:
+ ActiveStatusEx:
+ value: status eq "ACTIVE"
+ summary: Filter for active apps
+ NameFilterEx:
+ value: name eq "okta_org2org"
+ summary: Filter for apps with `okta_org2org` name
+ CredKidEx:
+ value: credentials.signing.kid eq "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-F1bm4"
+ summary: Filter for apps using a specific key
+ - $ref: '#/components/parameters/queryAppsExpand'
- name: includeNonDeleted
+ description: Specifies whether to include non-active, but not deleted apps in the results
in: query
schema:
type: boolean
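Review bot: The `after` cursor example `16278919418571` is an unquoted YAML integer on a `type: string` parameter, so schema-aware tooling will flag the example as the wrong type; write it as `example: '16278919418571'`. The `limit` parameter now has `maximum: 200` but keeps `default: -1` with no `minimum` and no explanation, so a validator accepts any negative value and the reader isn't told what `-1` means (server-chosen page size?); either document the sentinel in the description or add `minimum: 1` and drop the default. The `listApplications` operation continues past the end of this hunk.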
@@ -1004,6 +1560,15 @@ paths:
type: array
items:
$ref: '#/components/schemas/Application'
+ examples:
+ ResponseExample1:
+ $ref: '#/components/examples/GetApplicationsByUserResponseEx'
+ ResponseExample2:
+ $ref: '#/components/examples/GetApplicationsByGroupResponseEx'
+ ResponseExample3:
+ $ref: '#/components/examples/GetApplicationsByKeyResponseEx'
+ ResponseExample4:
+ $ref: '#/components/examples/GetApplicationsByNameResponseEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -1014,9 +1579,17 @@ paths:
- okta.apps.read
tags:
- Application
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an Application
- description: Creates a new application to your Okta organization
+ description: |
+ Creates an app instance in your Okta org.
+
+ You can either create an OIN app instance or a custom app instance:
+ * OIN app instances have prescribed `name` (key app definition) and `signOnMode` options. See the [OIN schemas](/openapi/okta-management/management/tag/Application/#tag/Application/schema/GoogleApplication) for the request body.
+ * For custom app instances, select the [signOnMode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/signOnMode&t=request) that pertains to your app and specify the required parameters in the request body.
operationId: createApplication
parameters:
- name: activate
@@ -1035,6 +1608,25 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Application'
+ examples:
+ BOOKMARK:
+ $ref: '#/components/examples/BookmarkEx'
+ AUTO_LOGIN:
+ $ref: '#/components/examples/AutoLoginEx'
+ BASIC_AUTH:
+ $ref: '#/components/examples/BasicAuthEx'
+ SECURE_PASSWORD_STORE:
+ $ref: '#/components/examples/SecurePasswordStoreEx'
+ WS_FEDERATION:
+ $ref: '#/components/examples/WSFederationEx'
+ BROWSER_PLUGIN:
+ $ref: '#/components/examples/BrowserPluginEx'
+ BROWSER_PLUGIN_SWA_3FIELD:
+ $ref: '#/components/examples/BrowserPluginSwa3FieldEx'
+ SAML_2_0:
+ $ref: '#/components/examples/Saml2.0Ex'
+ OPENID_CONNECT:
+ $ref: '#/components/examples/OpenidConnectEx'
required: true
responses:
'200':
@@ -1043,6 +1635,25 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Application'
+ examples:
+ BOOKMARK:
+ $ref: '#/components/examples/BookmarkAppResponseEx'
+ AUTO_LOGIN:
+ $ref: '#/components/examples/AutoLoginAppResponseEx'
+ BASIC_AUTH:
+ $ref: '#/components/examples/BasicAuthResponseEx'
+ SECURE_PASSWORD_STORE:
+ $ref: '#/components/examples/SecurePasswordStoreResponseEx'
+ WS_FEDERATION:
+ $ref: '#/components/examples/WSFederationResponseEx'
+ BROWSER_PLUGIN:
+ $ref: '#/components/examples/BrowserPluginResponseEx'
+ BROWSER_PLUGIN_SWA_3FIELD:
+ $ref: '#/components/examples/BrowserPluginSwa3FieldResponseEx'
+ SAML_2_0:
+ $ref: '#/components/examples/Saml2.0ResponseEx'
+ OPENID_CONNECT:
+ $ref: '#/components/examples/OpenidConnectResponseEx'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -1055,70 +1666,15 @@ paths:
- okta.apps.manage
tags:
- Application
- /api/v1/apps/${appId}/sso/saml/metadata:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/google/{appId}/oauth2/callback:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ /api/v1/apps/office365/{appId}/oauth2/callback:
parameters:
- $ref: '#/components/parameters/pathAppId'
- get:
- summary: Preview the application SAML metadata
- description: Previews the SSO SAML metadata for an application
- operationId: previewSAMLmetadataForApplication
- responses:
- '200':
- description: OK
- content:
- text/xml:
- schema:
- type: string
- description: SAML metadata in XML
- format: xml
- examples:
- previewSAML:
- summary: SAML metadata example
- value: |
-
-
-
-
-
-
- MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG
- A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
- MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ
- ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD
- VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG
- A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc
- MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
- ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv
- kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B
- bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa
- WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39
- v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
- AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m
- NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK
- Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf
- jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k
- YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw==
-
-
-
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
-
-
-
-
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
- '404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - apiToken: []
- - oauth2:
- - okta.apps.read
- tags:
- - ApplicationSSO
/api/v1/apps/{appId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
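Review bot: The two new path items `/api/v1/apps/google/{appId}/oauth2/callback` and `/api/v1/apps/office365/{appId}/oauth2/callback` contain only a `parameters` list and no HTTP operation, so as this hunk stands they describe nothing callable and most OpenAPI validators will warn about an empty path item. If the operations are added in a later hunk of this diff that's fine; otherwise add the intended method (presumably a `get` for the provider redirect, with its `security`, the expected `code`/`state` query parameters and response codes) or remove the entries until they are documented. The `/api/v1/apps/{appId}` path item that follows continues outside the hunk.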
@@ -1129,8 +1685,12 @@ paths:
parameters:
- name: expand
in: query
+ description: |-
+ An optional query parameter to return the specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property.
+ Valid value: `expand=user/{userId}`
schema:
type: string
+ example: user/0oa1gjh63g214q0Hq0g4
responses:
'200':
description: Success
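Review bot: The added `expand` example `user/0oa1gjh63g214q0Hq0g4` doesn't look like a user ID: the description says the value is `user/{userId}`, but the only user ID example visible in this diff (`userId: 00uabcdefg1234567890` in the `upsertApiToken` request) uses a `00u` prefix, not `0oa`. Unless the prefix convention differs here, change it to `example: user/00uabcdefg1234567890` so readers don't copy a non-user identifier into the expansion. The `getApplication` operation continues past the end of this hunk.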
@@ -1138,6 +1698,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Application'
+ examples:
+ RetrieveEx1:
+ $ref: '#/components/examples/GetApplicationsResponseEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1150,9 +1713,16 @@ paths:
- okta.apps.read
tags:
- Application
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace an Application
- description: Replaces an application
+ description: |
+ Replaces properties for an application
+ > **Notes:**
+ > * All required properties must be specified in the request body
+ > * You can't modify system-assigned properties, such as `id`, `name`, `status`, `created`, and `lastUpdated`. The values for these properties in the PUT request body are ignored.
operationId: replaceApplication
x-codegen-request-body-name: application
requestBody:
@@ -1160,6 +1730,25 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Application'
+ examples:
+ BOOKMARK:
+ $ref: '#/components/examples/BookmarkPutEx'
+ AUTO_LOGIN:
+ $ref: '#/components/examples/AutoLoginPutEx'
+ BASIC_AUTH:
+ $ref: '#/components/examples/BasicAuthPutEx'
+ SECURE_PASSWORD_STORE:
+ $ref: '#/components/examples/SecurePasswordStorePutEx'
+ WS_FEDERATION:
+ $ref: '#/components/examples/WSFederationPutEx'
+ BROWSER_PLUGIN:
+ $ref: '#/components/examples/BrowserPluginPutEx'
+ BROWSER_PLUGIN_SWA_3FIELD:
+ $ref: '#/components/examples/BrowserPluginSwa3FieldPutEx'
+ SAML_2_0:
+ $ref: '#/components/examples/Saml2.0PutEx'
+ OPENID_CONNECT:
+ $ref: '#/components/examples/OpenidConnectPutEx'
required: true
responses:
'200':
@@ -1168,6 +1757,25 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Application'
+ examples:
+ BOOKMARK:
+ $ref: '#/components/examples/BookmarkPutResponseEx'
+ AUTO_LOGIN:
+ $ref: '#/components/examples/AutoLoginPutResponseEx'
+ BASIC_AUTH:
+ $ref: '#/components/examples/BasicAuthPutResponseEx'
+ SECURE_PASSWORD_STORE:
+ $ref: '#/components/examples/SecurePasswordStorePutResponseEx'
+ WS_FEDERATION:
+ $ref: '#/components/examples/WSFederationPutResponseEx'
+ BROWSER_PLUGIN:
+ $ref: '#/components/examples/BrowserPluginPutResponseEx'
+ BROWSER_PLUGIN_SWA_3FIELD:
+ $ref: '#/components/examples/BrowserPluginSwa3FieldPutResponseEx'
+ SAML_2_0:
+ $ref: '#/components/examples/Saml2.0PutResponseEx'
+ OPENID_CONNECT:
+ $ref: '#/components/examples/OpenidConnectPutResponseEx'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -1182,6 +1790,9 @@ paths:
- okta.apps.manage
tags:
- Application
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete an Application
description: Deletes an inactive application
@@ -1202,6 +1813,9 @@ paths:
- okta.apps.manage
tags:
- Application
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/connections/default:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -1215,10 +1829,14 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/ProvisioningConnection'
+ $ref: '#/components/schemas/ProvisioningConnectionResponse'
examples:
- ProvisioningConnectionResponseExample:
- $ref: '#/components/examples/ProvisioningConnectionTokenResponseEx'
+ ProvisioningConnectionTokenZscalerEx:
+ $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx'
+ ProvisioningConnectionTokenOrg2OrgEx:
+ $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx'
+ ProvisioningConnectionOauthO365Ex:
+ $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1231,6 +1849,9 @@ paths:
- okta.apps.read
tags:
- ApplicationConnections
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Update the default Provisioning Connection
description: Updates the default Provisioning Connection for an app
@@ -1245,24 +1866,36 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/ProvisioningConnectionRequest'
+ oneOf:
+ - $ref: '#/components/schemas/ProvisioningConnectionTokenRequest'
+ - $ref: '#/components/schemas/ProvisioningConnectionOauthRequest'
examples:
- ProvisioningConnectionTokenExample:
+ ProvisioningConnectionTokenZscalerEx:
$ref: '#/components/examples/ProvisioningConnectionTokenRequestEx'
- ProvisioningConnectionOauthExample:
- $ref: '#/components/examples/ProvisioningConnectionOauthRequestEx'
+ ProvisioningConnectionTokenOrg2OrgEx:
+ $ref: '#/components/examples/ProvisioningConnectionTokenOrg2OrgRequestEx'
+ ProvisioningConnectionOauthO365Ex:
+ $ref: '#/components/examples/ProvisioningConnectionOauthO365RequestEx'
required: true
responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ProvisioningConnectionResponse'
'201':
description: Created
content:
application/json:
schema:
- $ref: '#/components/schemas/ProvisioningConnection'
+ $ref: '#/components/schemas/ProvisioningConnectionResponse'
examples:
- ProvisioningConnectionTokenExample:
- $ref: '#/components/examples/ProvisioningConnectionTokenResponseEx'
- ProvisioningConnectionOauthExample:
+ ProvisioningConnectionTokenZscalerEx:
+ $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx'
+ ProvisioningConnectionTokenOrg2OrgEx:
+ $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx'
+ ProvisioningConnectionOauthO365Ex:
$ref: '#/components/examples/ProvisioningConnectionOauthResponseEx'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
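Review bot: The added `200` response for the default Provisioning Connection update gives no indication of when it is returned instead of the existing `201`, and it carries no examples while `201` does. State the distinction in the description (for instance `201` when a connection is first created for the app and `200` when an existing one is replaced, if that's the rule — confirm with the service) and add the same example refs under `200` so generators and readers don't treat it as a different payload. The `oneOf` between the token and OAuth request schemas is a clear improvement over the single request type.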
@@ -1278,6 +1911,9 @@ paths:
- okta.apps.manage
tags:
- ApplicationConnections
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/connections/default/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -1300,6 +1936,9 @@ paths:
- okta.apps.manage
tags:
- ApplicationConnections
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/connections/default/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -1322,6 +1961,9 @@ paths:
- okta.apps.manage
tags:
- ApplicationConnections
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/credentials/csrs:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -1349,10 +1991,17 @@ paths:
- oauth2:
- okta.apps.read
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Generate a Certificate Signing Request
- description: Generates a new key pair and returns the Certificate Signing Request for it
+ description: |-
+ Generates a new key pair and returns the Certificate Signing Request(CSR) for it. The information in a CSR is used by the Certificate Authority (CA) to verify and create your certificate. It also contains the public key that is included in your certificate.
+
+ Returns CSR in `pkcs#10` format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`.
+ > **Note:** The key pair isn't listed in the Key Credentials for the app until it's published.
operationId: generateCsrForApplication
x-codegen-request-body-name: metadata
requestBody:
@@ -1364,10 +2013,36 @@ paths:
responses:
'201':
description: Created
+ headers:
+ Content-Type:
+ schema:
+ type: string
+ description: The Content-Type of the response
+ examples:
+ pkcs10Header:
+ summary: application/pkcs10 Content-Type header
+ value: application/pkcs10; filename=okta.p10
+ json:
+ summary: application/json Content-Type header
+ value: application/json
+ Content-Transfer-Encoding:
+ schema:
+ type: string
+ description: Encoding of the response
+ example: base64
content:
+ application/pkcs10:
+ schema:
+ $ref: '#/components/schemas/AppCsrPkcs10'
+ examples:
+ CsrPkcs10Response:
+ $ref: '#/components/examples/AppCsrPkcs10Response'
application/json:
schema:
$ref: '#/components/schemas/Csr'
+ examples:
+ CsrJsonResponse:
+ $ref: '#/components/examples/AppCsrJsonResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
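Review bot: The `Content-Type` entry added under the `201` response `headers` is ignored by spec-compliant tooling: OpenAPI 3.0.3 states that a response header named `Content-Type` SHALL be ignored, and the two media types are already declared under `content`. Keep `Content-Transfer-Encoding`, move the `filename=okta.p10` detail into the operation description, and drop the `Content-Type` header object so the information isn't silently lost in rendered docs and generated clients. The same pattern appears in the `getCsrForApplication` `200` response further down.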
@@ -1381,22 +2056,54 @@ paths:
- oauth2:
- okta.apps.manage
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/credentials/csrs/{csrId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathCsrId'
get:
summary: Retrieve a Certificate Signing Request
- description: Retrieves a certificate signing request for the app by `id`
+ description: |-
+ Retrieves a Certificate Signing Request (CSR) for the app by `csrId`.
+
+ Returns a Base64-encoded CSR in DER format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`.
operationId: getCsrForApplication
responses:
'200':
description: Success
+ headers:
+ Content-Type:
+ schema:
+ type: string
+ description: The Content-Type of the response
+ examples:
+ pkcs10Header:
+ summary: application/pkcs10 Content-Type header
+ value: application/pkcs10; filename=okta.p10
+ json:
+ summary: application/json Content-Type header
+ value: application/json
+ Content-Transfer-Encoding:
+ schema:
+ type: string
+ description: Encoding of the response
+ example: base64
content:
application/json:
schema:
$ref: '#/components/schemas/Csr'
+ examples:
+ CsrJsonResponse:
+ $ref: '#/components/examples/AppCsrJsonResponse'
+ application/pkcs10:
+ schema:
+ $ref: '#/components/schemas/AppCsrPkcs10'
+ examples:
+ CsrPkcs10Response:
+ $ref: '#/components/examples/AppCsrPkcs10Response'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
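Review bot: As with `generateCsrForApplication` above, the `Content-Type` object added under the `200` response `headers` is discarded by OpenAPI 3.0.3 tooling (a response header named `Content-Type` SHALL be ignored), so the `filename=okta.p10` example never reaches readers. Drop that header object, keep `Content-Transfer-Encoding`, and mention the `filename` parameter in the description if it matters to clients.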
@@ -1408,10 +2115,13 @@ paths:
- oauth2:
- okta.apps.read
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke a Certificate Signing Request
- description: Revokes a certificate signing request and deletes the key pair from the application
+ description: Revokes a Certificate Signing Request and deletes the key pair from the app
operationId: revokeCsrFromApplication
responses:
'204':
@@ -1428,14 +2138,19 @@ paths:
- oauth2:
- okta.apps.manage
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathCsrId'
post:
summary: Publish a Certificate Signing Request
- description: Publishes a certificate signing request for the app with a signed X.509 certificate and adds it into the application key credentials
+ description: |-
+ Publishes a Certificate Signing Request (CSR) for the app with a signed X.509 certificate and adds it into the Application Key Credentials.
+ > **Note:** Publishing a certificate completes the lifecycle of the CSR and it's no longer accessible.
operationId: publishCsrFromApplication
requestBody:
required: true
@@ -1444,16 +2159,26 @@ paths:
schema:
type: string
format: binary
+ description: |-
+ X.509 certificate in `CER` format.
+ The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`.
+ example: '@certificate.pem'
x-okta-operationId: publishBinaryCerCert
application/pkix-cert:
schema:
type: string
format: binary
+ description: |-
+ X.509 certificate in `DER` format.
+ The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`.
+ example: 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
x-okta-operationId: publishBinaryDerCert
application/x-pem-file:
schema:
type: string
format: binary
+ description: X.509 certificate in `PEM` format
+ example: '@certificate.pem'
x-okta-operationId: publishBinaryPemCert
responses:
'201':
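Review bot: The `example: '@certificate.pem'` values added for the `CER` and `PEM` request bodies are curl's file-reference syntax, not a sample of the body a client sends, and will render as a literal `@certificate.pem` string in generated docs; give a short PEM snippet or drop the examples. The `CER`/`DER` descriptions also say the body may be `Base64URL-encoded` with `Content-Transfer-Encoding` set to `base64`, but that header (RFC 2045) denotes standard Base64 with `+`/`/`, not the URL-safe alphabet — confirm which alphabet the server accepts and use one term consistently. The `publishCsrFromApplication` operation continues past the end of this hunk.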
@@ -1462,8 +2187,261 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/JsonWebKey'
+ examples:
+ PublishCSR:
+ $ref: '#/components/examples/KeyCredentialExample'
'400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorPublishCSRCertDoesNotMatchCSR:
+ $ref: '#/components/examples/ErrorPublishCSRCertDoesNotMatchCSR'
+ ErrorPublishCSRCertValidityLessThan90Days:
+ $ref: '#/components/examples/ErrorPublishCSRCertValidityLessThan90Days'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/jwks:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ get:
+ summary: List all the OAuth 2.0 Client JSON Web Keys
+ description: Lists all JSON Web Keys for an OAuth 2.0 client app
+ operationId: listJwk
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/OAuth2ClientJsonWebKey'
+ examples:
+ OAuthClientJsonWebKeyListResponseExample:
+ $ref: '#/components/examples/oAuthClientJsonWebKeyListResponse'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.read
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Add a JSON Web Key
+ description: |-
+ Adds a new JSON Web Key to the client’s JSON Web Keys.
+ > **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. This is also consistent with how the [Dynamic Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or [Applications](/openapi/okta-management/management/tag/Application/) APIs behave, as they don't allow the creation of multiple keys without `kids`. Use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) or the [Replace a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web Key](/openapi/okta-management/management/tag/ApplicationSSOCredentialOAuth2ClientAuth/#tag/ApplicationSSOCredentialOAuth2ClientAuth/operation/deletejwk) and re-add the key with a `kid`.
+ operationId: addJwk
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBody'
+ examples:
+ createOAuth2ClientJsonWebKeyRequestBody:
+ $ref: '#/components/examples/oAuthClientJsonWebKeyRequest'
+ responses:
+ '201':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientJsonWebKey'
+ examples:
+ newOAuth2ClientSecretResponse:
+ $ref: '#/components/examples/oAuthClientJsonWebKey'
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorClientJsonWebKeyNonUniqueKid:
+ $ref: '#/components/examples/ErrorClientJsonWebKeyNonUniqueKid'
+ ErrorClientJsonWebKeyDuplicateKid:
+ $ref: '#/components/examples/ErrorClientJsonWebKeyDuplicateKid'
+ ErrorClientJsonWebKeyKidLengthTooShort:
+ $ref: '#/components/examples/ErrorClientJsonWebKeyKidLengthTooShort'
+ ErrorClientJsonWebKeyTooManyKids:
+ $ref: '#/components/examples/ErrorClientJsonWebKeyTooManyKids'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/jwks/{keyId}:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ - $ref: '#/components/parameters/pathJsonWebKeyId'
+ get:
+ summary: Retrieve an OAuth 2.0 Client JSON Web Key
+ description: Retrieves an OAuth 2.0 Client JSON Web Key by `keyId`.
+ operationId: getJwk
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ type: object
+ $ref: '#/components/schemas/OAuth2ClientJsonWebKey'
+ examples:
+ OAuthClientJsonWebKeyResponseExample:
+ $ref: '#/components/examples/oAuthClientJsonWebKey'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.read
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete an OAuth 2.0 Client JSON Web Key
+ description: Deletes an OAuth 2.0 Client JSON Web Key by `keyId`. You can only delete an inactive key.
+ operationId: deletejwk
+ responses:
+ '204':
+ description: No Content
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorDeleteActiveJsonWebKey:
+ $ref: '#/components/examples/ErrorDeleteActiveJsonWebKey'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ - $ref: '#/components/parameters/pathJsonWebKeyId'
+ post:
+ summary: Activate an OAuth 2.0 Client JSON Web Key
+ description: Activates an OAuth 2.0 Client JSON Web Key by `keyId`
+ operationId: activateOAuth2ClientJsonWebKey
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientJsonWebKey'
+ examples:
+ activateOAuth2ClientJsonWebKeyResponse:
+ $ref: '#/components/examples/oAuthClientJsonWebKey'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ - $ref: '#/components/parameters/pathJsonWebKeyId'
+ post:
+ summary: Deactivate an OAuth 2.0 Client JSON Web Key
+ description: Deactivates an OAuth 2.0 Client JSON Web Key by `keyId`.
+ operationId: deactivateOAuth2ClientJsonWebKey
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientJsonWebKey'
+ examples:
+ deactivateOAuth2ClientJsonWebKeyResponse:
+ $ref: '#/components/examples/deactivateOAuth2ClientJsonWebKeyResponse'
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod:
+ $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod'
+ ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm:
+ $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
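Review bot: addJwk's response map (`'400'`, `'401'`, `'403'`, `'429'`, just after `operationId: addJwk`) has no `'404'` entry, while listJwk, getJwk and deletejwk on the same `{appId}` path all declare `'404': $ref: '#/components/responses/ErrorResourceNotFound404'`; an unknown `appId` presumably yields the same 404 here, so add the same entry. In getJwk's 200 response the `type: object` placed beside `$ref: '#/components/schemas/OAuth2ClientJsonWebKey'` is ignored by OpenAPI 3.0 tooling (sibling keys of `$ref` are dropped) and should be removed; the same pattern appears in getOAuth2ClientSecret's 200 response in the later `/credentials/secrets/{secretId}` hunk. `operationId: deletejwk` breaks the `listJwk`/`addJwk`/`getJwk` casing and the `deleteOAuth2ClientSecret` naming used for the secrets endpoints; note that the addJwk description already links to `operation/deletejwk`, so renaming it to `deleteJwk` must update that anchor as well.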
@@ -1475,13 +2453,16 @@ paths:
- oauth2:
- okta.apps.manage
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/credentials/keys:
parameters:
- $ref: '#/components/parameters/pathAppId'
get:
summary: List all Key Credentials
- description: Lists all key credentials for an application
+ description: Lists all key credentials for an app
operationId: listApplicationKeys
responses:
'200':
@@ -1492,6 +2473,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/JsonWebKey'
+ examples:
+ ListAllKeyCredentialsExample:
+ $ref: '#/components/examples/ListAllKeyCredentialsExample'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1503,19 +2487,27 @@ paths:
- oauth2:
- okta.apps.read
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/credentials/keys/generate:
parameters:
- $ref: '#/components/parameters/pathAppId'
post:
summary: Generate a Key Credential
- description: Generates a new X.509 certificate for an application key credential
+ description: |-
+ Generates a new X.509 certificate for an app key credential
+ > **Note:** To update an Application with the newly generated key credential, use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) request with the new [credentials.signing.kid](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing/kid&t=request) value in the request body. You can provide just the [Signing Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing&t=request) instead of the entire [Application Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials&t=request).
operationId: generateApplicationKey
parameters:
- name: validityYears
+ description: Expiry years of the Application Key Credential
in: query
+ required: true
schema:
type: integer
+ example: 5
responses:
'201':
description: Created
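Review bot: The `validityYears` query parameter is now `required: true` but its schema carries only `type: integer`, while the next hunk adds a `'400'` example `ErrorKeyCredentialInvalidValidity`, so an accepted range is enforced server-side yet unexpressed in the spec. Add `minimum: <lower bound>` and `maximum: <upper bound>` under `schema:` with the values the validation actually enforces, so generated clients reject out-of-range values and readers learn the certificate lifetime limits without a round-trip. The `example: 5` value should fall inside that range.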
@@ -1523,6 +2515,18 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/JsonWebKey'
+ examples:
+ KeyCredentialExample:
+ $ref: '#/components/examples/KeyCredentialExample'
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorKeyCredentialInvalidValidity:
+ $ref: '#/components/examples/ErrorKeyCredentialInvalidValidity'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1534,14 +2538,17 @@ paths:
- oauth2:
- okta.apps.manage
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/credentials/keys/{keyId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathKeyId'
get:
summary: Retrieve a Key Credential
- description: Retrieves a specific application key credential by kid
+ description: Retrieves a specific Application Key Credential by `kid`
operationId: getApplicationKey
responses:
'200':
@@ -1550,6 +2557,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/JsonWebKey'
+ examples:
+ KeyCredentialExample:
+ $ref: '#/components/examples/KeyCredentialExample'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1561,14 +2571,21 @@ paths:
- oauth2:
- okta.apps.read
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/credentials/keys/{keyId}/clone:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathKeyId'
post:
summary: Clone a Key Credential
- description: Clones a X.509 certificate for an application key credential from a source application to target application.
+ description: |-
+ Clones an X.509 certificate for an Application Key Credential from a source app to a target app.
+
+ For step-by-step instructions to clone a credential, see [Share application key credentials for IdPs across apps](https://developer.okta.com/docs/guides/sharing-cert/main/).
+ > **Note:** Sharing certificates isn't a recommended security practice.
operationId: cloneApplicationKey
parameters:
- name: targetAid
@@ -1577,6 +2594,7 @@ paths:
required: true
schema:
type: string
+ example: 0ouuytCAJSSDELFTUIDS
responses:
'201':
description: Created
@@ -1584,6 +2602,262 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/JsonWebKey'
+ examples:
+ KeyCredentialExample:
+ $ref: '#/components/examples/KeyCredentialExample'
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorKeyCredentialCloneDuplicateKey:
+ $ref: '#/components/examples/ErrorKeyCredentialCloneDuplicateKey'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/secrets:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ get:
+ summary: List all OAuth 2.0 Client Secrets
+ description: Lists all client secrets for an OAuth 2.0 client app
+ operationId: listOAuth2ClientSecrets
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/OAuth2ClientSecret'
+ examples:
+ OAuthClientSecretListResponseExample:
+ $ref: '#/components/examples/oAuthClientSecretListResponse'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.read
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Create an OAuth 2.0 Client Secret
+ description: |-
+ Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects.
+ > **Note:** This API lets you bring your own secret. If [token_endpoint_auth_method](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/credentials/oauthClient/token_endpoint_auth_method&t=request) of the app is `client_secret_jwt`, then the minimum length of `client_secret` is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret.
+ operationId: createOAuth2ClientSecret
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientSecretRequestBody'
+ examples:
+ createOAuth2ClientSecretSystemGeneratedRequestBody:
+ $ref: '#/components/examples/createOAuth2ClientSecretSystemGeneratedRequestBody'
+ createOAuth2ClientSecretCustomRequestBody:
+ $ref: '#/components/examples/createOAuth2ClientSecretCustomRequestBody'
+ responses:
+ '201':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientSecret'
+ examples:
+ newOAuth2ClientSecretResponse:
+ $ref: '#/components/examples/oAuth2ClientSecretResponse'
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorClientSecretTooLong:
+ $ref: '#/components/examples/ErrorClientSecretTooLong'
+ ErrorClientSecretTooShort:
+ $ref: '#/components/examples/ErrorClientSecretTooShort'
+ ErrorClientSecretTooShortJWT:
+ $ref: '#/components/examples/ErrorClientSecretTooShortWithClientSecretJWT'
+ ErrorClientSecretPrivateKeyJWT:
+ $ref: '#/components/examples/ErrorClientSecretWithPrivateKeyJWT'
+ ErrorClientSecretNonAscii:
+ $ref: '#/components/examples/ErrorClientSecretNonAscii'
+ ErrorMaxNumberOfSecrets:
+ $ref: '#/components/examples/ErrorMaxNumberOfSecrets'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/secrets/{secretId}:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ - $ref: '#/components/parameters/pathClientSecretId'
+ get:
+ summary: Retrieve an OAuth 2.0 Client Secret
+ description: Retrieves an OAuth 2.0 Client Secret by `secretId`
+ operationId: getOAuth2ClientSecret
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ type: object
+ $ref: '#/components/schemas/OAuth2ClientSecret'
+ examples:
+ OAuthClientSecretResponseExample:
+ $ref: '#/components/examples/oAuth2ClientSecretResponse'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.read
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete an OAuth 2.0 Client Secret
+ description: Deletes an OAuth 2.0 Client Secret by `secretId`. You can only delete an inactive Secret.
+ operationId: deleteOAuth2ClientSecret
+ responses:
+ '204':
+ description: No Content
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorDeleteActiveClientSecret:
+ $ref: '#/components/examples/ErrorDeleteActiveSecret'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ - $ref: '#/components/parameters/pathClientSecretId'
+ post:
+ summary: Activate an OAuth 2.0 Client Secret
+ description: Activates an OAuth 2.0 Client Secret by `secretId`
+ operationId: activateOAuth2ClientSecret
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientSecret'
+ examples:
+ activateOAuth2ClientSecretResponse:
+ $ref: '#/components/examples/activateOAuth2ClientSecretResponse'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ - $ref: '#/components/parameters/pathClientSecretId'
+ post:
+ summary: Deactivate an OAuth 2.0 Client Secret
+ description: Deactivates an OAuth 2.0 Client Secret by `secretId`. You can't deactivate a secret if it's the only secret of the client.
+ operationId: deactivateOAuth2ClientSecret
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OAuth2ClientSecret'
+ examples:
+ deactivateOAuth2ClientSecretResponse:
+ $ref: '#/components/examples/deactivateOAuth2ClientSecretResponse'
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorDeactivateTheOnlyClientSecret:
+ $ref: '#/components/examples/ErrorDeactivateTheOnlyClientSecret'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
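Review bot: createOAuth2ClientSecret's responses (`'400'`, `'401'`, `'403'`, `'429'`) omit `'404'`, unlike listOAuth2ClientSecrets, getOAuth2ClientSecret and the lifecycle operations on the same `{appId}` path, which all declare `'404': $ref: '#/components/responses/ErrorResourceNotFound404'`; add it for consistency. The descriptions of listOAuth2ClientSecrets and getOAuth2ClientSecret do not say whether the returned `OAuth2ClientSecret` objects carry the secret value itself or only metadata; the schema is outside this hunk so I can't tell, but callers need that to decide how these responses may be stored and logged, and one sentence such as `The response contains secret metadata; see the OAuth2ClientSecret schema for which fields, if any, carry the secret value.` would settle it. In getOAuth2ClientSecret's 200 response the `type: object` beside `$ref` is ignored by OpenAPI 3.0 and should be dropped.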
@@ -1595,16 +2869,18 @@ paths:
- oauth2:
- okta.apps.manage
tags:
- - ApplicationCredentials
+ - ApplicationSSOCredentialOAuth2ClientAuth
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/features:
parameters:
- $ref: '#/components/parameters/pathAppId'
get:
summary: List all Features
description: |
- Lists all features for an application
- > **Note:** The only application feature currently supported is `USER_PROVISIONING`.
- > This request returns an error if provisioning isn't enabled for the application.
+ Lists all features for an app
+ > **Note:** This request returns an error if provisioning isn't enabled for the app.
> To set up provisioning, see [Update the default Provisioning Connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication).
operationId: listFeaturesForApplication
responses:
@@ -1640,13 +2916,16 @@ paths:
- okta.apps.read
tags:
- ApplicationFeatures
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/features/{featureName}:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathFeatureName'
get:
summary: Retrieve a Feature
- description: Retrieves a Feature object for an application
+ description: Retrieves a Feature object for an app
operationId: getFeatureForApplication
responses:
'200':
@@ -1670,20 +2949,27 @@ paths:
- okta.apps.read
tags:
- ApplicationFeatures
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Update a Feature
description: |
- Updates a Feature object for an application
+ Updates a Feature object for an app
> **Note:** This endpoint supports partial updates.
operationId: updateFeatureForApplication
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/CapabilitiesObject'
+ oneOf:
+ - $ref: '#/components/schemas/CapabilitiesObject'
+ - $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject'
examples:
UpdateAppFeatureEx:
$ref: '#/components/examples/UpdateAppFeatureRequestEx'
+ UpdateInboundProvisioningFeatureEx:
+ $ref: '#/components/examples/UpdateInboundProvisioningFeatureRequestEx'
required: true
responses:
'200':
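Review bot: The request schema for updateFeatureForApplication now uses `oneOf` over `CapabilitiesObject` and `CapabilitiesInboundProvisioningObject`; `oneOf` requires the body to match exactly one branch, so if the two schemas share optional properties (neither is visible in this hunk, so this is inferred) a partial update, which the description explicitly supports, can validate against both and be rejected by strict validators. Either add a `discriminator` naming a property that distinguishes the two payloads, or use `anyOf` if the branches may legitimately overlap.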
@@ -1695,6 +2981,8 @@ paths:
examples:
UpdateAppFeatureEx:
$ref: '#/components/examples/UpdateAppFeatureResponseEx'
+ UpdateInboundProvisioningFeatureEx:
+ $ref: '#/components/examples/UpdateInboundProvisioningFeatureResponseEx'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -1709,6 +2997,9 @@ paths:
- okta.apps.manage
tags:
- ApplicationFeatures
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/grants:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -1717,7 +3008,7 @@ paths:
description: Lists all scope consent Grants for the app
operationId: listScopeConsentGrants
parameters:
- - $ref: '#/components/parameters/queryExpand'
+ - $ref: '#/components/parameters/queryAppGrantsExpand'
responses:
'200':
description: Success
@@ -1727,6 +3018,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/OAuth2ScopeConsentGrant'
+ examples:
+ ListAppGrantsExample:
+ $ref: '#/components/examples/ListAppGrantsEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1739,6 +3033,9 @@ paths:
- okta.appGrants.read
tags:
- ApplicationGrants
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Grant consent to scope
description: Grants consent for the app to request an OAuth 2.0 Okta scope
@@ -1749,6 +3046,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2ScopeConsentGrant'
+ examples:
+ AppGrantsExample:
+ $ref: '#/components/examples/AppGrantsPostEx'
required: true
responses:
'201':
@@ -1757,6 +3057,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2ScopeConsentGrant'
+ examples:
+ AppGrantsExample:
+ $ref: '#/components/examples/AppGrantsEx'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -1771,6 +3074,9 @@ paths:
- okta.appGrants.manage
tags:
- ApplicationGrants
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/grants/{grantId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -1780,7 +3086,7 @@ paths:
description: Retrieves a single scope consent Grant object for the app
operationId: getScopeConsentGrant
parameters:
- - $ref: '#/components/parameters/queryExpand'
+ - $ref: '#/components/parameters/queryAppGrantsExpand'
responses:
'200':
description: Success
@@ -1788,6 +3094,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2ScopeConsentGrant'
+ examples:
+ AppGrantsExample:
+ $ref: '#/components/examples/AppGrantsEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1800,6 +3109,9 @@ paths:
- okta.appGrants.read
tags:
- ApplicationGrants
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke an app Grant
description: Revokes permission for the app to grant the given scope
@@ -1820,34 +3132,33 @@ paths:
- okta.appGrants.manage
tags:
- ApplicationGrants
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/groups:
parameters:
- $ref: '#/components/parameters/pathAppId'
get:
- summary: List all Assigned Groups
- description: Lists all group assignments for an application
+ summary: List all Application Groups
+ description: Lists all app group assignments
operationId: listApplicationGroupAssignments
parameters:
- name: q
in: query
+ description: |-
+ Specifies a filter for a list of assigned groups returned based on their names. The value of `q` is matched against the group `name`.
+ This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the [Group name](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=profile/name&t=response).
schema:
type: string
+ example: test
- name: after
in: query
- description: Specifies the pagination cursor for the next page of assignments
- schema:
- type: string
- - name: limit
- in: query
- description: Specifies the number of results for a page
- schema:
- type: integer
- format: int32
- default: -1
- - name: expand
- in: query
+ description: Specifies the pagination cursor for the `next` page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination).
schema:
type: string
+ example: 16275000448691
+ - $ref: '#/components/parameters/queryGroupAssignmentLimit'
+ - $ref: '#/components/parameters/queryGroupAssignmentWithMetadataExpand'
responses:
'200':
description: Success
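Review bot: `example: 16275000448691` on the `after` query parameter is an unquoted plain scalar, so YAML parses it as an integer while the parameter's schema declares `type: string`; spec linters flag the example/schema mismatch and generated docs may render it as a number. Quote it as `example: '16275000448691'`. The `q` example `test` is fine as a plain scalar.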
@@ -1857,6 +3168,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/ApplicationGroupAssignment'
+ examples:
+ listGroupAssignmentsResponseExample:
+ $ref: '#/components/examples/GroupAssignmentExListResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1869,29 +3183,19 @@ paths:
- okta.apps.read
tags:
- ApplicationGroups
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/groups/{groupId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathGroupId'
get:
- summary: Retrieve an Assigned Group
- description: Retrieves an application group assignment
+ summary: Retrieve an Application Group
+ description: Retrieves an app group assignment
operationId: getApplicationGroupAssignment
parameters:
- - name: appId
- in: path
- required: true
- schema:
- type: string
- - name: groupId
- in: path
- required: true
- schema:
- type: string
- - name: expand
- in: query
- schema:
- type: string
+ - $ref: '#/components/parameters/queryGroupAssignmentWithGroupExpand'
responses:
'200':
description: Success
@@ -1899,6 +3203,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/ApplicationGroupAssignment'
+ examples:
+ getGroupAssignmentResponseExample:
+ $ref: '#/components/examples/EmbeddedGroupAssignmentSampleResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -1911,27 +3218,66 @@ paths:
- okta.apps.read
tags:
- ApplicationGroups
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Assign a Group
- description: Assigns a group to an application
+ summary: Assign an Application Group
+ description: |-
+ Assigns a [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) to an app, which in turn assigns the app to each [User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) that belongs to the group.
+ The resulting Application User [scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers!c=200&path=scope&t=response) is `GROUP` since the assignment was from the group membership.
operationId: assignGroupToApplication
- parameters:
- - name: appId
- in: path
- required: true
- schema:
- type: string
- - name: groupId
- in: path
- required: true
- schema:
- type: string
x-codegen-request-body-name: applicationGroupAssignment
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ApplicationGroupAssignment'
+ examples:
+ putGroupAssignmentRequestExample:
+ $ref: '#/components/examples/GroupAssignmentPutRequestExample'
+ required: false
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ApplicationGroupAssignment'
+ examples:
+ putGroupAssignmentResponseExample:
+ $ref: '#/components/examples/GroupAssignmentPutResponseExample'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationGroups
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ patch:
+ summary: Update an Application Group
+ description: Updates a group assignment to an app
+ operationId: updateGroupAssignmentToApplication
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/JsonPatchOperation'
+ examples:
+ groupAssignmentPatchRequetExample:
+ $ref: '#/components/examples/GroupAssignmentPatchRequestExample'
required: false
responses:
'200':
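Review bot: The new `patch` operation (updateGroupAssignmentToApplication) ends up with the pre-existing context line `required: false` under its `requestBody`, so the spec states a JSON Patch request may be sent without a body; since that body is the array of `JsonPatchOperation` items that defines the update, this looks like an artifact of inserting the operation above the old line rather than intent, and `required: true` is presumably correct (the schema is outside this hunk). The example key `groupAssignmentPatchRequetExample` has a typo and should read `groupAssignmentPatchRequestExample`, matching the referenced `GroupAssignmentPatchRequestExample`.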
@@ -1940,6 +3286,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/ApplicationGroupAssignment'
+ examples:
+ patchGroupAssignmentResponseExample:
+ $ref: '#/components/examples/GroupAssignmentPatchResponseExample'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -1954,21 +3303,13 @@ paths:
- okta.apps.manage
tags:
- ApplicationGroups
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign a Group
- description: Unassigns a group from an application
+ summary: Unassign an Application Group
+ description: Unassigns a Group from an app
operationId: unassignApplicationFromGroup
- parameters:
- - name: appId
- in: path
- required: true
- schema:
- type: string
- - name: groupId
- in: path
- required: true
- schema:
- type: string
responses:
'204':
description: No Content
@@ -1985,6 +3326,9 @@ paths:
- okta.apps.manage
tags:
- ApplicationGroups
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -2008,6 +3352,9 @@ paths:
- okta.apps.manage
tags:
- Application
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -2031,6 +3378,9 @@ paths:
- okta.apps.manage
tags:
- Application
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/logo:
parameters:
- $ref: '#/components/parameters/pathAppId'
@@ -2078,18 +3428,21 @@ paths:
- okta.apps.manage
tags:
- ApplicationLogos
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/policies/{policyId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathPolicyId'
put:
- summary: Assign an application to a Policy
+ summary: Assign an Authentication Policy
description: |-
- Assigns an application to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`.
- If the application was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`.
+ Assigns an app to an [authentication policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`.
+ If the app was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`.
> **Note:** When you [merge duplicate authentication policies](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies),
- the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email.
+ the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email with merged results.
operationId: assignApplicationPolicy
responses:
'204':
@@ -2106,37 +3459,111 @@ paths:
- okta.apps.manage
tags:
- ApplicationPolicies
- /api/v1/apps/{appId}/tokens:
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/apps/{appId}/sso/saml/metadata:
parameters:
- $ref: '#/components/parameters/pathAppId'
get:
- summary: List all OAuth 2.0 Tokens
- description: Lists all tokens for the application
- operationId: listOAuth2TokensForApplication
+ summary: Preview the application SAML metadata
+ description: Previews the SSO SAML metadata for an application
+ operationId: previewSAMLmetadataForApplication
parameters:
- - name: expand
- in: query
- schema:
- type: string
- - name: after
- in: query
- schema:
- type: string
- - name: limit
+ - name: kid
in: query
+ required: true
schema:
type: integer
- format: int32
- default: 20
+ example: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo
responses:
'200':
- description: Success
+ description: OK
+ content:
+ text/xml:
+ schema:
+ type: string
+ description: SAML metadata in XML
+ examples:
+ previewSAML:
+ summary: SAML metadata example
+ value: |
+
+
+
+
+
+
+ MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG
+ A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+ MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ
+ ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD
+ VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG
+ A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc
+ MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv
+ kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B
+ bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa
+ WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39
+ v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
+ AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m
+ NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK
+ Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf
+ jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k
+ YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw==
+
+
+
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+
+
+
+
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.read
+ tags:
+ - ApplicationSSO
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appId}/tokens:
+ parameters:
+ - $ref: '#/components/parameters/pathAppId'
+ get:
+ summary: List all Application Refresh Tokens
+ description: |
+ Lists all refresh tokens for an app
+
+ > **Note:** The results are [paginated](/#pagination) according to the `limit` parameter.
+ > If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it).
+ operationId: listOAuth2TokensForApplication
+ parameters:
+ - $ref: '#/components/parameters/queryAppGrantsExpand'
+ - $ref: '#/components/parameters/queryAppAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ responses:
+ '200':
+ description: Success
content:
application/json:
schema:
type: array
items:
- $ref: '#/components/schemas/OAuth2Token'
+ $ref: '#/components/schemas/OAuth2RefreshToken'
+ examples:
+ getOAuth2TokenForApplicationListExample:
+ $ref: '#/components/examples/OAuth2RefreshTokenResponseListEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
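Review bot: The `kid` query parameter on the new `/api/v1/apps/{appId}/sso/saml/metadata` operation is declared `type: integer`, yet its own `example` (`mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo`) is an opaque base64url-style key identifier, so generated clients and request validators will reject or coerce real values. Change the schema to `type: string` and add a `description` such as `ID of the app's signing key whose metadata should be previewed`. Separately, the `value: |` block scalar for the `previewSAML` example shows only blank lines, the certificate body and two NameID format URNs in this view — the XML element tags appear to be missing, which may be an artifact of how the diff was extracted, but it is worth confirming the committed file holds a complete metadata document.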
@@ -2149,9 +3576,12 @@ paths:
- okta.apps.read
tags:
- ApplicationTokens
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Revoke all OAuth 2.0 Tokens
- description: Revokes all tokens for the specified application
+ summary: Revoke all Application Tokens
+ description: Revokes all OAuth 2.0 refresh tokens for the specified app. Any access tokens issued with these refresh tokens are also revoked, but access tokens issued without a refresh token aren't affected.
operationId: revokeOAuth2TokensForApplication
responses:
'204':
@@ -2169,26 +3599,29 @@ paths:
- okta.apps.manage
tags:
- ApplicationTokens
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/tokens/{tokenId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
- $ref: '#/components/parameters/pathTokenId'
get:
- summary: Retrieve an OAuth 2.0 Token
- description: Retrieves a token for the specified application
+ summary: Retrieve an Application Token
+ description: Retrieves a refresh token for the specified app
operationId: getOAuth2TokenForApplication
parameters:
- - name: expand
- in: query
- schema:
- type: string
+ - $ref: '#/components/parameters/queryAppGrantsExpand'
responses:
'200':
description: Success
content:
application/json:
schema:
- $ref: '#/components/schemas/OAuth2Token'
+ $ref: '#/components/schemas/OAuth2RefreshToken'
+ examples:
+ getOAuth2TokenForApplicationExample:
+ $ref: '#/components/examples/OAuth2RefreshTokenResponseEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2201,9 +3634,12 @@ paths:
- okta.apps.read
tags:
- ApplicationTokens
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Revoke an OAuth 2.0 Token
- description: Revokes the specified token for the specified application
+ summary: Revoke an Application Token
+ description: Revokes the specified token for the specified app
operationId: revokeOAuth2TokenForApplication
responses:
'204':
@@ -2221,42 +3657,21 @@ paths:
- okta.apps.manage
tags:
- ApplicationTokens
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/users:
parameters:
- $ref: '#/components/parameters/pathAppId'
get:
- summary: List all assigned Users
+ summary: List all Application Users
description: Lists all assigned users for an app
operationId: listApplicationUsers
parameters:
- - name: q
- in: query
- schema:
- type: string
- - name: query_scope
- in: query
- schema:
- type: string
- - name: after
- in: query
- description: specifies the pagination cursor for the next page of assignments
- schema:
- type: string
- - name: limit
- in: query
- description: specifies the number of results for a page
- schema:
- type: integer
- format: int32
- default: -1
- - name: filter
- in: query
- schema:
- type: string
- - name: expand
- in: query
- schema:
- type: string
+ - $ref: '#/components/parameters/queryAppAfter'
+ - $ref: '#/components/parameters/queryAppLimit'
+ - $ref: '#/components/parameters/queryAppUserQ'
+ - $ref: '#/components/parameters/queryAppUserExpand'
responses:
'200':
description: Success
@@ -2266,6 +3681,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/AppUser'
+ examples:
+ ListAppUsersExample:
+ $ref: '#/components/examples/AppUserListEx'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2278,24 +3696,36 @@ paths:
- okta.apps.read
tags:
- ApplicationUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Assign a User
+ summary: Assign an Application User
description: |-
- Assigns a user to an app with credentials and an app-specific [profile](/openapi/okta-management/management/tag/Application/#tag/Application/operation/assignUserToApplication!c=200&path=profile&t=response).
- Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request.
+ Assigns a user to an app for:
- > **Notes:**
- > * You need to specify the `id` and omit the `credentials` parameter in the request body only for
- `signOnMode` or authentication schemes (`credentials.scheme`) that don't require credentials.
- > * You can only specify profile properties that aren't defined by profile mappings when Universal Directory is enabled.
- > * If your SSO app requires a profile but doesn't have provisioning enabled, you need to add a profile to the request body.
+ * SSO only
+ Assignments to SSO apps typically don't include a user profile.
+ However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body.
+
+ * SSO and provisioning
+ Assignments to SSO and provisioning apps typically include credentials and an app-specific profile.
+ Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request body.
+ > **Notes:**
+ > * When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings.
+ > * Omit mapped properties during assignment to minimize assignment errors.
operationId: assignUserToApplication
x-codegen-request-body-name: appUser
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/AppUser'
+ $ref: '#/components/schemas/AppUserAssignRequest'
+ examples:
+ AppUserSSOEx:
+ $ref: '#/components/examples/AppUserAssignSSORequest'
+ AppUserProvEx:
+ $ref: '#/components/examples/AppUserAssignProvRequest'
required: true
responses:
'200':
@@ -2304,10 +3734,15 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AppUser'
+ examples:
+ AppUserSSOEx:
+ $ref: '#/components/examples/AppUserSSOResponse'
+ AppUserProvEx:
+ $ref: '#/components/examples/AppUserProvResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
- $ref: '#/components/responses/ErrorAccessDenied403'
+ $ref: '#/components/responses/ErrorAppUserForbidden403'
'404':
$ref: '#/components/responses/ErrorResourceNotFound404'
'429':
@@ -2318,19 +3753,19 @@ paths:
- okta.apps.manage
tags:
- ApplicationUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/apps/{appId}/users/{userId}:
parameters:
- $ref: '#/components/parameters/pathAppId'
- - $ref: '#/components/parameters/pathUserId'
+ - $ref: '#/components/parameters/pathAppUserId'
get:
- summary: Retrieve an assigned User
- description: Retrieves a specific user assignment for app by `id`
+ summary: Retrieve an Application User
+ description: Retrieves a specific user assignment for a specific app
operationId: getApplicationUser
parameters:
- - name: expand
- in: query
- schema:
- type: string
+ - $ref: '#/components/parameters/queryAppUserExpand'
responses:
'200':
description: Success
@@ -2338,6 +3773,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AppUser'
+ examples:
+ GetAppUserExample:
+ $ref: '#/components/examples/AppUserProvExpandResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2350,16 +3788,24 @@ paths:
- okta.apps.read
tags:
- ApplicationUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Update an App Profile for an assigned User
- description: Updates a user's profile for an application
+ summary: Update an Application User
+ description: Updates the profile or credentials of a user assigned to an app
operationId: updateApplicationUser
x-codegen-request-body-name: appUser
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/AppUser'
+ $ref: '#/components/schemas/AppUserUpdateRequest'
+ examples:
+ AppUserUpdateCredEx:
+ $ref: '#/components/examples/AppUserUpdateCredRequest'
+ AppUserUpdateProfileEx:
+ $ref: '#/components/examples/AppUserUpdateProfileRequest'
required: true
responses:
'200':
@@ -2368,10 +3814,15 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AppUser'
+ examples:
+ AppUserUpdateCredEx:
+ $ref: '#/components/examples/AppUserCredUpdateResponse'
+ AppUserUpdateProfileEx:
+ $ref: '#/components/examples/AppUserProfUpdateResponse'
'400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
+ $ref: '#/components/responses/ErrorAppUserUpdateBadRequest400'
'403':
- $ref: '#/components/responses/ErrorAccessDenied403'
+ $ref: '#/components/responses/ErrorAppUserForbidden403'
'404':
$ref: '#/components/responses/ErrorResourceNotFound404'
'429':
@@ -2382,13 +3833,23 @@ paths:
- okta.apps.manage
tags:
- ApplicationUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign an App User
- description: Unassigns a user from an application
+ summary: Unassign an Application User
+ description: |-
+ Unassigns a user from an app
+
+ For directories like Active Directory and LDAP, they act as the owner of the user's credential with Okta delegating authentication (DelAuth) to that directory.
+ If this request is successful for a user when DelAuth is enabled, then the user is in a state with no password. You can then reset the user's password.
+
+ > **Important:** This is a destructive operation. You can't recover the user's app profile. If the app is enabled for provisioning and configured to deactivate users, the user is also deactivated in the target app.
operationId: unassignUserFromApplication
parameters:
- name: sendEmail
in: query
+ description: Sends a deactivation email to the administrator if `true`
schema:
type: boolean
default: false
@@ -2409,6 +3870,48 @@ paths:
- okta.apps.manage
tags:
- ApplicationUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/apps/{appName}/{appId}/oauth2/callback:
+ parameters:
+ - $ref: '#/components/parameters/pathOAuthProvisioningAppName'
+ - $ref: '#/components/parameters/pathAppId'
+ post:
+ summary: Verify the Provisioning Connection
+ description: |
+ Verifies the OAuth 2.0-based connection as part of the OAuth 2.0 consent flow. The validation of the consent flow is the last step of the provisioning setup for an OAuth 2.0-based connection.
+ Currently, this operation only supports `office365`,`google`, `zoomus`, and `slack` apps.
+ operationId: verifyProvisioningConnectionForApplication
+ parameters:
+ - name: code
+ in: query
+ schema:
+ type: string
+ description: Unique string associated with each authentication request
+ - name: state
+ in: query
+ schema:
+ type: string
+ description: A temporary code string that the client exchanges for an access token
+ responses:
+ '204':
+ description: No content
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - ApplicationConnections
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/authenticators:
get:
summary: List all Authenticators
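Review bot: The descriptions of the `code` and `state` query parameters on `verifyProvisioningConnectionForApplication` appear to be swapped: in the OAuth 2.0 authorization code flow `code` is the short-lived value exchanged for an access token and `state` is the opaque value that binds the callback to the request that started it, but the hunk attaches each sentence to the other parameter. Swap them so that `code` reads `A temporary code string that the client exchanges for an access token` and `state` reads `Unique string associated with each authentication request; must match the value sent in the initial request`. If the server rejects a callback that omits either value, marking both `required: true` would make that contract explicit in the spec — confirm against the implementation before changing it.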
@@ -2421,7 +3924,7 @@ paths:
application/json:
schema:
items:
- $ref: '#/components/schemas/Authenticator'
+ $ref: '#/components/schemas/AuthenticatorBase'
type: array
examples:
OrgAuthenticatorsEx:
@@ -2436,6 +3939,11 @@ paths:
- okta.authenticators.read
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
summary: Create an Authenticator
description: Creates an authenticator
@@ -2446,7 +3954,7 @@ paths:
description: Whether to execute the activation lifecycle operation when Okta creates the authenticator
schema:
type: boolean
- default: false
+ default: true
x-codegen-request-body-name: authenticator
requestBody:
$ref: '#/components/requestBodies/AuthenticatorRequestBody'
@@ -2465,6 +3973,11 @@ paths:
- okta.authenticators.manage
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authenticators/{authenticatorId}:
parameters:
- $ref: '#/components/parameters/pathAuthenticatorId'
@@ -2487,6 +4000,11 @@ paths:
- okta.authenticators.read
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
put:
summary: Replace an Authenticator
description: Replaces the properties for an Authenticator identified by `authenticatorId`
@@ -2511,6 +4029,11 @@ paths:
- okta.authenticators.manage
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authenticators/{authenticatorId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathAuthenticatorId'
@@ -2533,6 +4056,11 @@ paths:
- okta.authenticators.manage
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authenticators/{authenticatorId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathAuthenticatorId'
@@ -2542,7 +4070,7 @@ paths:
operationId: deactivateAuthenticator
responses:
'200':
- $ref: '#/components/responses/AuthenticatorResponse'
+ $ref: '#/components/responses/AuthenticatorResponseInactiveWebAuthn'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2555,12 +4083,24 @@ paths:
- okta.authenticators.manage
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authenticators/{authenticatorId}/methods:
parameters:
- $ref: '#/components/parameters/pathAuthenticatorId'
get:
summary: List all Methods of an Authenticator
- description: Lists all Methods of an Authenticator identified by `authenticatorId`
+ description: |-
+ Lists all Methods of an Authenticator identified by `authenticatorId`
+ > **Note:**
+ > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
+ > This feature has several limitations when enrolling a security key:
+ > - Enrollment is currently unsupported on Firefox.
+ > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
+ > - If prompted during enrollment, users must allow Okta to see the make and model of the security key.
operationId: listAuthenticatorMethods
responses:
'200':
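Review bot: The six-line AAGUID/WebAuthn caveat added to the `listAuthenticatorMethods` description is repeated verbatim on the Method operations later in this diff (retrieve, replace, activate and deactivate under `/methods/{methodType}`). OpenAPI offers no `$ref` for description text, so if the duplication is deliberate it is acceptable, but consider stating the full caveat once in the `Authenticator` tag description and keeping a one-line pointer here, so the five copies do not drift. The wording also embeds product-state details ("Early Access (Self-Service)", the **Settings** > **Features** path) that will need updating in all five places when the feature graduates.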
@@ -2571,6 +4111,11 @@ paths:
type: array
items:
$ref: '#/components/schemas/AuthenticatorMethodBase'
+ examples:
+ Phone:
+ $ref: '#/components/examples/AuthenticatorMethodPhone'
+ WebAuthn:
+ $ref: '#/components/examples/AuthenticatorMethodWebauth'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2583,13 +4128,25 @@ paths:
- okta.authenticators.read
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authenticators/{authenticatorId}/methods/{methodType}:
parameters:
- $ref: '#/components/parameters/pathAuthenticatorId'
- $ref: '#/components/parameters/pathMethodType'
get:
- summary: Retrieve a Method
- description: Retrieves a Method identified by `methodType` of an Authenticator identified by `authenticatorId`
+ summary: Retrieve an Authenticator Method
+ description: |-
+ Retrieves a Method identified by `methodType` of an Authenticator identified by `authenticatorId`
+ > **Note:**
+ > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
+ > This feature has several limitations when enrolling a security key:
+ > - Enrollment is currently unsupported on Firefox.
+ > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
+ > - If prompted during enrollment, users must allow Okta to see the make and model of the security key.
operationId: getAuthenticatorMethod
responses:
'200':
@@ -2598,6 +4155,13 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthenticatorMethodBase'
+ examples:
+ sms:
+ $ref: '#/components/examples/AuthenticatorMethodSms'
+ voice:
+ $ref: '#/components/examples/AuthenticatorMethodInactiveVoice'
+ webAuthn:
+ $ref: '#/components/examples/AuthenticatorMethodWebauth'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2610,9 +4174,21 @@ paths:
- okta.authenticators.read
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
put:
- summary: Replace a Method
- description: Replaces a Method of `methodType` for an Authenticator identified by `authenticatorId`
+ summary: Replace an Authenticator Method
+ description: |-
+ Replaces a Method of `methodType` for an Authenticator identified by `authenticatorId`
+ > **Note:**
+ > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
+ > This feature has several limitations when enrolling a security key:
+ > - Enrollment is currently unsupported on Firefox.
+ > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
+ > - If prompted during enrollment, users must allow Okta to see the make and model of the security key.
operationId: replaceAuthenticatorMethod
requestBody:
content:
@@ -2626,6 +4202,13 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthenticatorMethodBase'
+ examples:
+ sms:
+ $ref: '#/components/examples/AuthenticatorMethodSms'
+ voice:
+ $ref: '#/components/examples/AuthenticatorMethodInactiveVoice'
+ webAuthn:
+ $ref: '#/components/examples/AuthenticatorMethodWebauth'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -2640,13 +4223,25 @@ paths:
- okta.authenticators.manage
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathAuthenticatorId'
- $ref: '#/components/parameters/pathMethodType'
post:
summary: Activate an Authenticator Method
- description: Activates a Method for an Authenticator identified by `authenticatorId` and `methodType`
+ description: |-
+ Activates a Method for an Authenticator identified by `authenticatorId` and `methodType`
+ > **Note:**
+ > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
+ > This feature has several limitations when enrolling a security key:
+ > - Enrollment is currently unsupported on Firefox.
+ > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
+ > - If prompted during enrollment, users must allow Okta to see the make and model of the security key.
operationId: activateAuthenticatorMethod
responses:
'200':
@@ -2655,6 +4250,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthenticatorMethodBase'
+ examples:
+ sms:
+ $ref: '#/components/examples/AuthenticatorMethodSms'
+ webAuthn:
+ $ref: '#/components/examples/AuthenticatorMethodWebauth'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2667,13 +4267,25 @@ paths:
- okta.authenticators.manage
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathAuthenticatorId'
- $ref: '#/components/parameters/pathMethodType'
post:
summary: Deactivate an Authenticator Method
- description: Deactivates a Method for an Authenticator identified by `authenticatorId` and `methodType`
+ description: |-
+ Deactivates a Method for an Authenticator identified by `authenticatorId` and `methodType`
+ > **Note:**
+ > The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
+ > This feature has several limitations when enrolling a security key:
+ > - Enrollment is currently unsupported on Firefox.
+ > - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
+ > - If prompted during enrollment, users must allow Okta to see the make and model of the security key.
operationId: deactivateAuthenticatorMethod
responses:
'200':
@@ -2682,6 +4294,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthenticatorMethodBase'
+ examples:
+ voice:
+ $ref: '#/components/examples/AuthenticatorMethodInactiveVoice'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2694,24 +4309,33 @@ paths:
- okta.authenticators.manage
tags:
- Authenticator
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/authorizationServers:
get:
summary: List all Authorization Servers
- description: Lists all authorization servers
+ description: Lists all custom authorization servers in the org
operationId: listAuthorizationServers
parameters:
- name: q
in: query
+ description: Searches the `name` and `audiences` of authorization servers for matching values
+ example: customasone
schema:
type: string
- name: limit
in: query
+ description: 'Specifies the number of authorization server results on a page. Maximum value: 200'
schema:
type: integer
format: int32
default: 200
- name: after
in: query
+ description: Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship.
schema:
type: string
responses:
@@ -2723,6 +4347,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ ListAuthServers:
+ $ref: '#/components/examples/ListAuthServersResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -2733,6 +4360,11 @@ paths:
- okta.authorizationServers.read
tags:
- AuthorizationServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
post:
summary: Create an Authorization Server
description: Creates an authorization server
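Review bot: The `x-okta-lifecycle` block added to `listAuthorizationServers` pairs `lifecycle: GA` with `isGenerallyAvailable: false`, which reads as contradictory; elsewhere in this diff `GA` is always paired with `true`, and `false` only appears alongside `LIMITED_GA`. If the intent is that the feature is GA but gated by the `API Access Management` SKU, that is plausible, but nothing visible documents how the flag relates to `lifecycle`. Either change it to `isGenerallyAvailable: true` or document the field semantics once, for example in the vendor-extension definition, so consumers do not misread these operations as unreleased. The same pairing appears on every other AuthorizationServer operation in this diff, including the `/associatedServers` operations.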
@@ -2743,6 +4375,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ CreateAuthServer:
+ $ref: '#/components/examples/CreateAuthServerBody'
required: true
responses:
'201':
@@ -2751,6 +4386,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ CreateAuthServer:
+ $ref: '#/components/examples/CreateAuthServerResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -2763,6 +4401,11 @@ paths:
- okta.authorizationServers.manage
tags:
- AuthorizationServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -2777,6 +4420,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ RetrieveAuthServer:
+ $ref: '#/components/examples/RetrieveAuthServerResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2789,6 +4435,11 @@ paths:
- okta.authorizationServers.read
tags:
- AuthorizationServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
put:
summary: Replace an Authorization Server
description: Replaces an authorization server
@@ -2799,6 +4450,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ ReplaceAuthServer:
+ $ref: '#/components/examples/ReplaceAuthServerBody'
required: true
responses:
'200':
@@ -2807,6 +4461,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ ReplaceAuthServer:
+ $ref: '#/components/examples/ReplaceAuthServerResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -2821,6 +4478,11 @@ paths:
- okta.authorizationServers.manage
tags:
- AuthorizationServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
delete:
summary: Delete an Authorization Server
description: Deletes an authorization server
@@ -2841,22 +4503,28 @@ paths:
- okta.authorizationServers.manage
tags:
- AuthorizationServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/associatedServers:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
get:
- summary: List all Associated Authorization Servers
- description: Lists all associated authorization servers by trusted type for the given `authServerId`
+ summary: List all associated Authorization Servers
+ description: Lists all associated Authorization Servers by trusted type for the given `authServerId`
operationId: listAssociatedServersByTrustedType
parameters:
- name: trusted
in: query
- description: Searches trusted authorization servers when true, or searches untrusted authorization servers when false
+ description: Searches trusted authorization servers when `true` or searches untrusted authorization servers when `false`
schema:
type: boolean
- name: q
in: query
- description: Searches the name or audience of the associated authorization servers
+ description: Searches for the name or audience of the associated authorization servers
+ example: customasone
schema:
type: string
- name: limit
@@ -2880,6 +4548,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ ListAssocAuthServer:
+ $ref: '#/components/examples/ListAssocAuthServerResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2891,10 +4562,15 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerAssoc
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
post:
- summary: Create the Associated Authorization Servers
- description: Creates the trusted relationships between the given authorization server and other authorization servers
+ summary: Create an associated Authorization Server
+ description: Creates trusted relationships between the given authorization server and other authorization servers
operationId: createAssociatedServers
x-codegen-request-body-name: associatedServerMediated
requestBody:
@@ -2902,6 +4578,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AssociatedServerMediated'
+ examples:
+ CreateAssocAuthServer:
+ $ref: '#/components/examples/CreateAssocAuthServerBody'
required: true
responses:
'200':
@@ -2912,6 +4591,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/AuthorizationServer'
+ examples:
+ CreateAssocAuthServer:
+ $ref: '#/components/examples/CreateAssocAuthServerResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -2925,14 +4607,19 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerAssoc
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
- $ref: '#/components/parameters/pathAssociatedServerId'
delete:
- summary: Delete an Associated Authorization Server
- description: Deletes an associated authorization server
+ summary: Delete an associated Authorization Server
+ description: Deletes an associated Authorization Server
operationId: deleteAssociatedServer
responses:
'204':
@@ -2949,13 +4636,18 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerAssoc
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/claims:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
get:
- summary: List all Custom Token Claims
- description: Lists all custom token claims
+ summary: List all custom token Claims
+ description: Lists all custom token Claims defined for a specified custom authorization server
operationId: listOAuth2Claims
responses:
'200':
@@ -2966,6 +4658,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/OAuth2Claim'
+ examples:
+ ListCustomTokenClaims:
+ $ref: '#/components/examples/ListCustomTokenClaimsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -2977,10 +4672,15 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerClaims
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
post:
- summary: Create a Custom Token Claim
- description: Creates a custom token claim
+ summary: Create a custom token Claim
+ description: Creates a custom token Claim for a custom authorization server
operationId: createOAuth2Claim
x-codegen-request-body-name: oAuth2Claim
requestBody:
@@ -2988,6 +4688,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Claim'
+ examples:
+ CreateCustomTokenClaim:
+ $ref: '#/components/examples/CreateCustomTokenClaimBody'
required: true
responses:
'201':
@@ -2996,6 +4699,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Claim'
+ examples:
+ CreateCustomTokenClaim:
+ $ref: '#/components/examples/CreateCustomTokenClaimResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3009,14 +4715,19 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerClaims
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/claims/{claimId}:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
- $ref: '#/components/parameters/pathClaimId'
get:
- summary: Retrieve a Custom Token Claim
- description: Retrieves a custom token claim
+ summary: Retrieve a custom token Claim
+ description: Retrieves a custom token Claim by the specified `claimId`
operationId: getOAuth2Claim
responses:
'200':
@@ -3025,6 +4736,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Claim'
+ examples:
+ RetrieveCustomTokenClaim:
+ $ref: '#/components/examples/RetrieveCustomTokenClaimResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3036,10 +4750,15 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerClaims
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
put:
- summary: Replace a Custom Token Claim
- description: Replaces a custom token claim
+ summary: Replace a custom token Claim
+ description: Replaces a custom token Claim specified by the `claimId`
operationId: replaceOAuth2Claim
x-codegen-request-body-name: oAuth2Claim
requestBody:
@@ -3047,6 +4766,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Claim'
+ examples:
+ ReplaceCustomTokenClaim:
+ $ref: '#/components/examples/ReplaceCustomTokenClaimBody'
required: true
responses:
'200':
@@ -3055,6 +4777,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Claim'
+ examples:
+ ReplaceCustomTokenClaim:
+ $ref: '#/components/examples/ReplaceCustomTokenClaimResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3068,10 +4793,15 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerClaims
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
delete:
- summary: Delete a Custom Token Claim
- description: Deletes a custom token claim
+ summary: Delete a custom token Claim
+ description: Deletes a custom token Claim specified by the `claimId`
operationId: deleteOAuth2Claim
responses:
'204':
@@ -3088,13 +4818,18 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerClaims
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/clients:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
get:
- summary: List all Clients
- description: Lists all clients
+ summary: List all Client resources for an authorization server
+ description: Lists all Client resources for which the specified authorization server has tokens
operationId: listOAuth2ClientsForAuthorizationServer
responses:
'200':
@@ -3105,6 +4840,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/OAuth2Client'
+ examples:
+ ListClients:
+ $ref: '#/components/examples/ListClientsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3116,26 +4854,34 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerClients
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
- $ref: '#/components/parameters/pathClientId'
get:
- summary: List all Refresh Tokens for a Client
- description: Lists all refresh tokens for a client
+ summary: List all refresh tokens for a Client
+ description: Lists all refresh tokens issued by an authorization server for a specific Client
operationId: listRefreshTokensForAuthorizationServerAndClient
parameters:
- name: expand
in: query
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
schema:
type: string
- name: after
in: query
+ description: Specifies the pagination cursor for the next page of tokens
schema:
type: string
- name: limit
in: query
+ description: The maximum number of tokens to return (maximum 200)
schema:
type: integer
format: int32
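Review bot: The new `limit` description on the refresh-token list says `(maximum 200)`, but the schema only declares `type: integer` / `format: int32`, so the bound is prose-only and neither validators nor generated clients enforce it. Mirror the constraint in the schema with `maximum: 200` (and `minimum: 1` if the server rejects zero or negative values), as the scopes `limit` parameter elsewhere in this diff already does.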
@@ -3149,6 +4895,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/OAuth2RefreshToken'
+ examples:
+ ListRefreshTokenClients:
+ $ref: '#/components/examples/ListRefreshTokensClientsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3160,10 +4909,15 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerClients
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
delete:
- summary: Revoke all Refresh Tokens for a Client
- description: Revokes all refresh tokens for a client
+ summary: Revoke all refresh tokens for a Client
+ description: Revokes all refresh tokens for a Client
operationId: revokeRefreshTokensForAuthorizationServerAndClient
responses:
'204':
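Review bot: The revoke-all description drops the qualifier that the list operation just above carries ("issued by an authorization server for a specific Client"), leaving it unclear whether this revokes every refresh token the Client holds or only those issued by this authorization server. Since this is a destructive action on live sessions, the scope should be explicit: `description: Revokes all refresh tokens issued by the specified authorization server for a Client` (or the broader wording if that is the actual behavior).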
@@ -3180,19 +4934,25 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerClients
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
- $ref: '#/components/parameters/pathClientId'
- $ref: '#/components/parameters/pathTokenId'
get:
- summary: Retrieve a Refresh Token for a Client
- description: Retrieves a refresh token for a client
+ summary: Retrieve a refresh token for a Client
+ description: Retrieves a refresh token for a Client
operationId: getRefreshTokenForAuthorizationServerAndClient
parameters:
- name: expand
in: query
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
schema:
type: string
responses:
@@ -3202,6 +4962,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2RefreshToken'
+ examples:
+ RetrieveRefreshTokenClient:
+ $ref: '#/components/examples/RetrieveRefreshTokenClientResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3213,10 +4976,15 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerClients
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
delete:
- summary: Revoke a Refresh Token for a Client
- description: Revokes a refresh token for a client
+ summary: Revoke a refresh token for a Client
+ description: Revokes a refresh token for a Client
operationId: revokeRefreshTokenForAuthorizationServerAndClient
responses:
'204':
@@ -3233,13 +5001,18 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerClients
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/credentials/keys:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
get:
summary: List all Credential Keys
- description: Lists all credential keys
+ description: Lists all of the current, future, and expired Keys used by the Custom Authorization Server
operationId: listAuthorizationServerKeys
responses:
'200':
@@ -3249,7 +5022,10 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/AuthorizationServerJsonWebKey'
+ examples:
+ ListAuthorizationServerKeys:
+ $ref: '#/components/examples/ListAuthorizationServerKeys'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3261,13 +5037,65 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
+ /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}:
+ parameters:
+ - $ref: '#/components/parameters/pathAuthServerId'
+ - $ref: '#/components/parameters/pathCredentialKeyId'
+ get:
+ summary: Retrieve an Authorization Server Key
+ description: Retrieves an Authorization Server Key specified by the `keyId`
+ operationId: getAuthorizationServerKey
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthorizationServerJsonWebKey'
+ examples:
+ ActiveAuthorizationServerKey:
+ $ref: '#/components/examples/ActiveAuthorizationServerKey'
+ NextAuthorizationServerKey:
+ $ref: '#/components/examples/NextAuthorizationServerKey'
+ ExpiredAuthorizationServerKey:
+ $ref: '#/components/examples/ExpiredAuthorizationServerKey'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.authorizationServers.read
+ tags:
+ - AuthorizationServerKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
post:
summary: Rotate all Credential Keys
- description: Rotates all credential keys
+ description: |-
+ Rotates the current Keys for a Custom Authorization Server. If you rotate Keys,
+ the `ACTIVE` Key becomes the `EXPIRED` Key, the `NEXT` Key becomes the `ACTIVE` Key,
+ and the Custom Authorization Server immediately begins using the new active
+ Key to sign tokens.
+
+ > **Note:** Okta rotates your Keys automatically in `AUTO` mode. You can rotate Keys
+ yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache
+ and fetch the Keys again using the Keys endpoint.
operationId: rotateAuthorizationServerKeys
x-codegen-request-body-name: use
requestBody:
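Review bot: The new `keyRotate` description explains the ACTIVE→EXPIRED→NEXT transition but not what happens to tokens already signed with the key that becomes `EXPIRED`, which is the fact an operator needs when deciding whether a manual rotation invalidates outstanding tokens or merely rolls the signing key forward. Add one sentence stating whether tokens signed with the now-`EXPIRED` key remain verifiable and for how long; the list endpoint in this diff still returns expired keys, which suggests they do, but the text should say so rather than leave it to inference. The `requestBody:` on the last line continues outside the hunk.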
@@ -3284,9 +5112,19 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/AuthorizationServerJsonWebKey'
+ examples:
+ RotateAuthorizationServerKeys:
+ $ref: '#/components/examples/ListAuthorizationServerKeys'
'400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ InvalidRotateUse:
+ $ref: '#/components/examples/InvalidRotateUse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3298,7 +5136,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3322,6 +5165,11 @@ paths:
- okta.authorizationServers.manage
tags:
- AuthorizationServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3345,6 +5193,11 @@ paths:
- okta.authorizationServers.manage
tags:
- AuthorizationServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3361,6 +5214,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/AuthorizationServerPolicy'
+ examples:
+ ListAuthorizationServerPolicies:
+ $ref: '#/components/examples/ListAuthorizationServerPolicies'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3372,7 +5228,12 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerPolicies
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
post:
summary: Create a Policy
description: Creates a policy
@@ -3383,6 +5244,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicy'
+ examples:
+ CreateAuthorizationServerPolicyRule:
+ $ref: '#/components/examples/CreateAuthorizationServerPolicyRequest'
required: true
responses:
'201':
@@ -3391,6 +5255,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicy'
+ examples:
+ AuthorizationServerPolicy:
+ $ref: '#/components/examples/AuthorizationServerPolicy'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3404,7 +5271,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerPolicies
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies/{policyId}:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3420,6 +5292,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicy'
+ examples:
+ AuthorizationServerPolicy:
+ $ref: '#/components/examples/AuthorizationServerPolicy'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3431,7 +5306,12 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerPolicies
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
put:
summary: Replace a Policy
description: Replaces a policy
@@ -3442,6 +5322,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicy'
+ examples:
+ UpdateAuthorizationServerPolicyRule:
+ $ref: '#/components/examples/UpdateAuthorizationServerPolicyRequest'
required: true
responses:
'200':
@@ -3450,6 +5333,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicy'
+ examples:
+ AuthorizationServerPolicy:
+ $ref: '#/components/examples/AuthorizationServerPolicy'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3463,7 +5349,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerPolicies
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
delete:
summary: Delete a Policy
description: Deletes a policy
@@ -3483,7 +5374,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerPolicies
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3507,7 +5403,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerPolicies
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3531,7 +5432,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerPolicies
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3549,6 +5455,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/AuthorizationServerPolicyRule'
+ examples:
+ ListAuthorizationServerPolicyRules:
+ $ref: '#/components/examples/ListAuthorizationServerPolicyRules'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3560,7 +5469,12 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerRules
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
post:
summary: Create a Policy Rule
description: Creates a policy rule for the specified Custom Authorization Server and Policy
@@ -3570,7 +5484,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/AuthorizationServerPolicyRule'
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest'
+ examples:
+ CreateAuthorizationServerPolicyRule:
+ $ref: '#/components/examples/CreateAuthorizationServerPolicyRuleRequest'
required: true
responses:
'201':
@@ -3579,6 +5496,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicyRule'
+ examples:
+ AuthorizationServerPolicyRule:
+ $ref: '#/components/examples/AuthorizationServerPolicyRule'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3592,7 +5512,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerRules
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3609,6 +5534,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicyRule'
+ examples:
+ AuthorizationServerPolicyRule:
+ $ref: '#/components/examples/AuthorizationServerPolicyRule'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3620,7 +5548,12 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerRules
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
put:
summary: Replace a Policy Rule
description: Replaces the configuration of the Policy Rule defined in the specified Custom Authorization Server and Policy
@@ -3630,7 +5563,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/AuthorizationServerPolicyRule'
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest'
+ examples:
+ UpdateAuthorizationServerPolicyRule:
+ $ref: '#/components/examples/UpdateAuthorizationServerPolicyRuleRequest'
required: true
responses:
'200':
@@ -3639,6 +5575,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/AuthorizationServerPolicyRule'
+ examples:
+ AuthorizationServerPolicyRule:
+ $ref: '#/components/examples/AuthorizationServerPolicyRule'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3652,7 +5591,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerRules
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
delete:
summary: Delete a Policy Rule
description: Deletes a Policy Rule defined in the specified Custom Authorization Server and Policy
@@ -3672,7 +5616,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerRules
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3697,7 +5646,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerRules
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3722,7 +5676,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerRules
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/scopes:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3733,22 +5692,29 @@ paths:
parameters:
- name: q
in: query
+ description: Searches the `name` of Custom Token Scopes for matching values
schema:
type: string
- name: filter
in: query
+ description: Filter expression for Custom Token Scopes
schema:
type: string
- - name: cursor
+ - name: after
in: query
+ description: |-
+ Specifies the pagination cursor for the next page of scopes.
+ Treat the after cursor as an opaque value and obtain it through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination).
schema:
type: string
- name: limit
in: query
+ description: |-
+ Specifies the number of objects to return per page.
+ If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](https://developer.okta.com/docs/api/#pagination).
schema:
type: integer
- format: int32
- default: -1
+ maximum: 200
responses:
'200':
description: Success
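Review bot: Renaming the scopes-list query parameter from `cursor` to `after` changes the generated SDK method signature, so it is a breaking change for existing callers unless `cursor` never worked against the API and this is a correction (the linked pagination doc uses `after`, which suggests the latter); either way it deserves a changelog entry. The `limit` schema now carries `maximum: 200` but the old `default: -1` was removed without a `minimum`, so add `minimum: 1` if the server rejects zero or negative values. The operation's `summary`/`operationId` lines are above the hunk.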
@@ -3758,6 +5724,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/OAuth2Scope'
+ examples:
+ ExampleScopes:
+ $ref: '#/components/examples/ExampleOAuth2Scopes'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3769,7 +5738,12 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerScopes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
post:
summary: Create a Custom Token Scope
description: Creates a custom token scope
@@ -3780,6 +5754,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Scope'
+ examples:
+ CreateOAuth2ScopeRequest:
+ $ref: '#/components/examples/CreateOAuth2ScopeRequest'
required: true
responses:
'201':
@@ -3788,6 +5765,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Scope'
+ examples:
+ ExampleOAuth2Scope:
+ $ref: '#/components/examples/ExampleOAuth2Scope'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3801,7 +5781,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerScopes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/authorizationServers/{authServerId}/scopes/{scopeId}:
parameters:
- $ref: '#/components/parameters/pathAuthServerId'
@@ -3817,6 +5802,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Scope'
+ examples:
+ ExampleOAuth2Scope:
+ $ref: '#/components/examples/ExampleOAuth2Scope'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -3828,7 +5816,12 @@ paths:
- oauth2:
- okta.authorizationServers.read
tags:
- - AuthorizationServer
+ - AuthorizationServerScopes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
put:
summary: Replace a Custom Token Scope
description: Replaces a custom token scope
@@ -3839,6 +5832,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Scope'
+ examples:
+ UpdateOAuth2Scope:
+ $ref: '#/components/examples/UpdateOAuth2ScopeRequest'
required: true
responses:
'200':
@@ -3847,6 +5843,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Scope'
+ examples:
+ UpdatedOAuth2Scope:
+ $ref: '#/components/examples/UpdatedOAuth2ScopeResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -3860,7 +5859,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerScopes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
delete:
summary: Delete a Custom Token Scope
description: Deletes a custom token scope
@@ -3880,7 +5884,12 @@ paths:
- oauth2:
- okta.authorizationServers.manage
tags:
- - AuthorizationServer
+ - AuthorizationServerScopes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - API Access Management
/api/v1/behaviors:
get:
summary: List all Behavior Detection Rules
@@ -3905,6 +5914,9 @@ paths:
- okta.behaviors.read
tags:
- Behavior
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Behavior Detection Rule
description: Creates a new behavior detection rule
@@ -3948,6 +5960,9 @@ paths:
- okta.behaviors.manage
tags:
- Behavior
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/behaviors/{behaviorId}:
parameters:
- $ref: '#/components/parameters/pathBehaviorId'
@@ -3981,6 +5996,9 @@ paths:
- okta.behaviors.read
tags:
- Behavior
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Behavior Detection Rule
description: Replaces a Behavior Detection Rule by `behaviorId`
@@ -4033,6 +6051,9 @@ paths:
- okta.behaviors.manage
tags:
- Behavior
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Behavior Detection Rule
description: Deletes a Behavior Detection Rule by `behaviorId`
@@ -4059,6 +6080,9 @@ paths:
- okta.behaviors.manage
tags:
- Behavior
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/behaviors/{behaviorId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathBehaviorId'
@@ -4088,6 +6112,9 @@ paths:
- okta.behaviors.manage
tags:
- Behavior
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/behaviors/{behaviorId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathBehaviorId'
@@ -4117,19 +6144,22 @@ paths:
- okta.behaviors.manage
tags:
- Behavior
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands:
- parameters:
- - $ref: '#/components/parameters/queryExpandBrand'
- - $ref: '#/components/parameters/queryAfter'
- - $ref: '#/components/parameters/queryLimit'
- - $ref: '#/components/parameters/queryFilter'
get:
summary: List all Brands
description: Lists all the brands in your org
operationId: listBrands
+ parameters:
+ - $ref: '#/components/parameters/queryExpandBrand'
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ - $ref: '#/components/parameters/queryFilter'
responses:
'200':
- description: OK
+ description: Successfully returned the list of brands
content:
application/json:
schema:
@@ -4148,7 +6178,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - Brands
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Brand
description: Creates a new brand in your org
@@ -4163,7 +6196,7 @@ paths:
$ref: '#/components/examples/CreateBrandRequest'
responses:
'201':
- description: Created
+ description: Successfully created the brand
content:
application/json:
schema:
@@ -4175,6 +6208,15 @@ paths:
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
+ '409':
+ description: Could not create the new brand because same name already exist.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Cannot create brand with the same name:
+ $ref: '#/components/examples/ErrorCreateBrandExists'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
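Review bot: The new `409` description has a grammar error and its example key contains spaces. Replace the description with `description: Could not create the brand because a brand with the same name already exists.` The key `Cannot create brand with the same name:` is technically permitted for inline examples in OpenAPI 3.0, but the rest of this file uses identifier-style example keys (e.g. `CreateBrandRequest`) and some generators turn these keys into identifiers, so `ErrorCreateBrandExists:` would be safer.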
@@ -4182,18 +6224,22 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Brands
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}:
parameters:
- $ref: '#/components/parameters/pathBrandId'
- - $ref: '#/components/parameters/queryExpandBrand'
get:
summary: Retrieve a Brand
description: Retrieves a brand by `brandId`
operationId: getBrand
+ parameters:
+ - $ref: '#/components/parameters/queryExpandBrand'
responses:
'200':
- description: OK
+ description: Successfully retrieved the brand
content:
application/json:
schema:
@@ -4212,10 +6258,19 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - Brands
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Brand
- description: Replaces a brand by `brandId`
+ description: |+
+ Replaces a brand by `brandId`
+
+ Passing an invalid `brandId` returns a `404 Not Found` status code with the error code `E0000007`.
+
+ Not providing `agreeToCustomPrivacyPolicy` with `customPrivacyPolicyUrl` returns a `400 Bad Request` status code with the error code `E0000001`.
+
operationId: replaceBrand
x-codegen-request-body-name: brand
requestBody:
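Review bot: `description: |+` on the replaceBrand operation uses the keep chomping indicator, so every trailing newline of the block — including the blank line before `operationId` — becomes part of the description string and renders as extra line breaks. Every other multi-line description added in this commit uses `|` or `|-`. Use `description: |-` and drop the trailing blank line so the value ends at the last sentence.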
@@ -4229,7 +6284,7 @@ paths:
required: true
responses:
'200':
- description: OK
+ description: Successfully replaced the brand
content:
application/json:
schema:
@@ -4250,7 +6305,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Brands
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a brand
description: Deletes a brand by `brandId`
@@ -4280,7 +6338,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Brands
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/domains:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4290,7 +6351,7 @@ paths:
operationId: listBrandDomains
responses:
'200':
- description: OK
+ description: Successfully returned the list of domains for the brand
content:
application/json:
schema:
@@ -4306,7 +6367,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - Brands
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/error:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4333,7 +6397,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/error/customized:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4364,7 +6431,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Customized Error Page
description: Replaces the customized error page. The customized error page appears in your live environment.
@@ -4400,7 +6470,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete the Customized Error Page
description: Deletes the customized error page. As a result, the default error page appears in your live environment.
@@ -4420,7 +6493,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/error/default:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4446,7 +6522,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/error/preview:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4477,7 +6556,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Preview Error Page
description: Replaces the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`.
@@ -4513,7 +6595,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete the Preview Error Page
description: Deletes the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`.
@@ -4533,7 +6618,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/sign-in:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4560,7 +6648,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/sign-in/customized:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4591,7 +6682,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Customized Sign-in Page
description: Replaces the customized sign-in page. The customized sign-in page appears in your live environment.
@@ -4627,7 +6721,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete the Customized Sign-in Page
description: Deletes the customized sign-in page. As a result, the default sign-in page appears in your live environment.
@@ -4647,7 +6744,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/sign-in/default:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4673,7 +6773,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/sign-in/preview:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4704,7 +6807,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Preview Sign-in Page
description: Replaces the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`.
@@ -4740,7 +6846,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete the Preview Sign-in Page
description: Deletes the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`.
@@ -4760,7 +6869,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/sign-in/widget-versions:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4789,7 +6901,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/pages/sign-out/customized:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4815,7 +6930,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Sign-out Page Settings
description: Replaces the sign-out page settings
@@ -4846,13 +6964,16 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email:
parameters:
- $ref: '#/components/parameters/pathBrandId'
get:
summary: List all Email Templates
- description: Lists all email templates
+ description: Lists all supported email templates
operationId: listEmailTemplates
parameters:
- $ref: '#/components/parameters/queryAfter'
@@ -4866,7 +6987,7 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/EmailTemplate'
+ $ref: '#/components/schemas/EmailTemplateResponse'
examples:
List email templates response:
$ref: '#/components/examples/ListEmailTemplateResponse'
@@ -4886,7 +7007,10 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -4903,7 +7027,7 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/EmailTemplate'
+ $ref: '#/components/schemas/EmailTemplateResponse'
examples:
Get email template response:
$ref: '#/components/examples/GetEmailTemplateResponse'
@@ -4918,14 +7042,20 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}/customizations:
parameters:
- $ref: '#/components/parameters/pathBrandId'
- $ref: '#/components/parameters/pathTemplateName'
get:
summary: List all Email Customizations
- description: Lists all customizations of an email template
+ description: |
+ Lists all customizations of an email template
+
+ If Custom languages for Okta Email Templates is enabled, all existing customizations are retrieved, including customizations for additional languages. If disabled, only customizations for Okta-supported languages are returned.
operationId: listEmailCustomizations
parameters:
- $ref: '#/components/parameters/queryAfter'
@@ -4953,10 +7083,16 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an Email Customization
- description: Creates a new email customization
+ description: |
+ Creates a new Email Customization
+
+ If Custom languages for Okta Email Templates is enabled, you can create a customization for any BCP47 language in addition to the Okta-supported languages.
operationId: createEmailCustomization
x-codegen-request-body-name: instance
requestBody:
@@ -5001,10 +7137,16 @@ paths:
- oauth2:
- okta.templates.manage
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete all Email Customizations
- description: Deletes all customizations for an email template
+ description: |
+ Deletes all customizations for an email template
+
+ If Custom languages for Okta Email Templates is enabled, all customizations are deleted, including customizations for additional languages. If disabled, only customizations in Okta-supported languages are deleted.
operationId: deleteAllCustomizations
responses:
'204':
@@ -5021,7 +7163,10 @@ paths:
- oauth2:
- okta.templates.manage
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5029,7 +7174,10 @@ paths:
- $ref: '#/components/parameters/pathCustomizationId'
get:
summary: Retrieve an Email Customization
- description: Retrieves an email customization by its unique identifier
+ description: |
+ Retrieves an email customization by its unique identifier
+
+ If Custom languages for Okta Email Templates is disabled, requests to retrieve an additional language customization by ID result in a `404 Not Found` error response.
operationId: getEmailCustomization
responses:
'200':
@@ -5052,10 +7200,16 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace an Email Customization
- description: Replaces an existing email customization using the property values provided
+ description: |
+ Replaces an email customization using property values
+
+ If Custom languages for Okta Email Templates is disabled, requests to update a customization for an additional language return a `404 Not Found` error response.
operationId: replaceEmailCustomization
x-codegen-request-body-name: instance
requestBody:
@@ -5103,10 +7257,16 @@ paths:
- oauth2:
- okta.templates.manage
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete an Email Customization
- description: Deletes an email customization by its unique identifier
+ description: |
+ Deletes an Email Customization by its unique identifier
+
+ If Custom languages for Okta Email Templates is disabled, deletion of an existing additional language customization by ID doesn't register.
operationId: deleteEmailCustomization
responses:
'204':
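Review bot: The new sentence `deletion of an existing additional language customization by ID doesn't register` does not say what the client observes, whereas the get and replace operations on this same path in the preceding hunks state a `404 Not Found` error response for the same condition. Document the status code the delete returns when the feature is disabled; if it matches the siblings, `... requests to delete an additional language customization by ID return a \`404 Not Found\` error response.` Confirm against the service before committing to a code, since the hunk itself does not show it.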
@@ -5132,7 +7292,10 @@ paths:
- oauth2:
- okta.templates.manage
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5140,7 +7303,10 @@ paths:
- $ref: '#/components/parameters/pathCustomizationId'
get:
summary: Retrieve a Preview of an Email Customization
- description: Retrieves a preview of an email customization. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context.
+ description: |
+ Retrieves a Preview of an Email Customization. All variable references are populated from the current user's context. For example, `${user.profile.firstName}`.
+
+ If Custom languages for Okta Email Templates is disabled, requests for the preview of an additional language customization by ID return a `404 Not Found` error response.
operationId: getCustomizationPreview
responses:
'200':
@@ -5163,14 +7329,22 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}/default-content:
parameters:
- $ref: '#/components/parameters/pathBrandId'
- $ref: '#/components/parameters/pathTemplateName'
get:
summary: Retrieve an Email Template Default Content
- description: Retrieves an email template's default content
+ description: |
+ Retrieves an email template's default content
+
+ Defaults to the current user's language given the following:
+ - Custom languages for Okta Email Templates is enabled
+ - An additional language is specified for the `language` parameter
operationId: getEmailDefaultContent
parameters:
- $ref: '#/components/parameters/queryLanguage'
@@ -5195,14 +7369,22 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview:
parameters:
- $ref: '#/components/parameters/pathBrandId'
- $ref: '#/components/parameters/pathTemplateName'
get:
- summary: Retrieve a Preview of the Email Template Default Content
- description: Retrieves a preview of an email template's default content. All variable references (e.g., `${user.profile.firstName}`) are populated using the current user's context.
+ summary: Retrieve a Preview of the Email Template default content
+ description: |
+ Retrieves a preview of an Email Template's default content. All variable references are populated using the current user's context. For example, `${user.profile.firstName}`.
+
+ Defaults to the current user's language given the following:
+ - Custom languages for Okta Email Templates is enabled
+ - An additional language is specified for the `language` parameter
operationId: getEmailDefaultPreview
parameters:
- $ref: '#/components/parameters/queryLanguage'
@@ -5227,7 +7409,10 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}/settings:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5242,7 +7427,7 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/EmailSettings'
+ $ref: '#/components/schemas/EmailSettingsResponse'
examples:
Get email template settings response:
$ref: '#/components/examples/EmailSettingsResponse'
@@ -5257,7 +7442,10 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Email Template Settings
description: Replaces an email template's settings
@@ -5268,8 +7456,15 @@ paths:
schema:
$ref: '#/components/schemas/EmailSettings'
responses:
- '204':
+ '200':
description: Successfully updated the email template's settings.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailSettings'
+ examples:
+ Update email template settings:
+ $ref: '#/components/examples/EmailSettingsResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
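Review bot: The new `200` response body references `#/components/schemas/EmailSettings`, the request schema, while the GET on the same path in the preceding hunk was switched to `EmailSettingsResponse` and the example reused here is `#/components/examples/EmailSettingsResponse`. If the replace returns the same representation as the retrieve, the response schema should be `$ref: '#/components/schemas/EmailSettingsResponse'`; if it is intentionally the request shape, the example name is misleading. Changing the success status from `204` to `200` with a body also changes the contract for existing generated clients and deserves a release-note line. The enclosing `put` operation starts outside the hunk.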
@@ -5292,7 +7487,10 @@ paths:
- oauth2:
- okta.templates.manage
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/templates/email/{templateName}/test:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5302,6 +7500,7 @@ paths:
description: |-
Sends a test email to the current user’s primary and secondary email addresses. The email content is selected based on the following priority:
1. The email customization for the language specified in the `language` query parameter.
+ If Custom languages for Okta Email Templates is enabled and the `language` parameter is an additional language, the test email uses the customization corresponding to the language.
2. The email template's default customization.
3. The email template’s default content, translated to the current user's language.
operationId: sendTestEmail
@@ -5322,23 +7521,32 @@ paths:
- oauth2:
- okta.templates.read
tags:
- - Customization
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/themes:
parameters:
- $ref: '#/components/parameters/pathBrandId'
get:
summary: List all Themes
- description: Lists all the themes in your brand
+ description: |-
+ Lists all the themes in your brand.
+
+ > **Important:** Currently each org supports only one Theme, therefore this contains a single object only.
operationId: listBrandThemes
responses:
'200':
- description: OK
+ description: Successfully returned the list of themes
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/ThemeResponse'
+ examples:
+ Get themes response:
+ $ref: '#/components/examples/ListThemesResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -5350,7 +7558,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/themes/{themeId}:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5361,11 +7572,14 @@ paths:
operationId: getBrandTheme
responses:
'200':
- description: OK
+ description: Successfully retrieved the theme
content:
application/json:
schema:
$ref: '#/components/schemas/ThemeResponse'
+ examples:
+ Get theme response:
+ $ref: '#/components/examples/GetThemeResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -5377,7 +7591,10 @@ paths:
- oauth2:
- okta.brands.read
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Theme
description: Replaces a theme for a brand
@@ -5387,15 +7604,21 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Theme'
+ $ref: '#/components/schemas/UpdateThemeRequest'
+ examples:
+ Update theme request:
+ $ref: '#/components/examples/UpdateThemeRequest'
required: true
responses:
'200':
- description: OK
+ description: Successfully replaced the theme
content:
application/json:
schema:
$ref: '#/components/schemas/ThemeResponse'
+ examples:
+ Update theme response:
+ $ref: '#/components/examples/UpdateThemeResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -5409,7 +7632,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/themes/{themeId}/background-image:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5433,7 +7659,7 @@ paths:
description: background image file
responses:
'201':
- description: Created
+ description: Content Created
content:
application/json:
schema:
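Review bot: `description: Content Created` on the `201` response reads as an HTTP reason phrase rather than an outcome, and the other success descriptions rewritten in this commit use the form `Successfully created the brand`. For consistency, `description: Successfully uploaded the background image`. The enclosing `post` operation starts outside the hunk.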
@@ -5451,7 +7677,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete the Background Image
description: Deletes a Theme background image
@@ -5471,7 +7700,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/themes/{themeId}/favicon:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5485,7 +7717,7 @@ paths:
multipart/form-data:
schema:
type: object
- description: The file must be in PNG, or ico format and less than ?? in size and 128 x 128 dimensions
+ description: The file must be in PNG or ICO format and have a 1:1 ratio with a maximum dimension of 512 x 512
properties:
file:
type: string
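Review bot: The rewritten favicon upload description drops the file-size constraint altogether — the old text had a `??` placeholder for it — so the only documented limits on this multipart upload are format and dimensions. If the service enforces a maximum size on the uploaded file, it should be stated, e.g. `description: The file must be in PNG or ICO format, have a 1:1 ratio with a maximum dimension of 512 x 512, and be no larger than <MAX_FILE_SIZE>` with the real value filled in; if no limit is enforced, that is worth knowing too. The enclosing `post` operation starts outside the hunk.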
@@ -5513,7 +7745,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete the Favicon
description: Deletes a Theme favicon. The theme will use the default Okta favicon.
@@ -5533,7 +7768,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/brands/{brandId}/themes/{themeId}/logo:
parameters:
- $ref: '#/components/parameters/pathBrandId'
@@ -5575,7 +7813,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete the Logo
description: Deletes a Theme logo. The theme will use the default Okta logo.
@@ -5595,7 +7836,10 @@ paths:
- oauth2:
- okta.brands.manage
tags:
- - Customization
+ - Themes
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/captchas:
get:
summary: List all CAPTCHA Instances
@@ -5620,6 +7864,11 @@ paths:
- okta.captchas.read
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
summary: Create a CAPTCHA instance
description: Creates a new CAPTCHA instance. Currently, an org can only configure a single CAPTCHA instance.
@@ -5669,6 +7918,11 @@ paths:
- okta.captchas.manage
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/captchas/{captchaId}:
parameters:
- $ref: '#/components/parameters/pathCaptchaId'
@@ -5700,6 +7954,11 @@ paths:
- okta.captchas.read
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
summary: Update a CAPTCHA Instance
description: Partially updates the properties of a specified CAPTCHA instance
@@ -5742,6 +8001,11 @@ paths:
- okta.captchas.manage
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
put:
summary: Replace a CAPTCHA Instance
description: Replaces the properties for a specified CAPTCHA instance
@@ -5784,6 +8048,11 @@ paths:
- okta.captchas.manage
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
summary: Delete a CAPTCHA Instance
description: |-
@@ -5815,9 +8084,14 @@ paths:
- okta.captchas.manage
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/device-assurances:
get:
- summary: List all Device Assurance Policies
+ summary: List all device assurance policies
description: Lists all device assurance policies
operationId: listDeviceAssurancePolicies
responses:
@@ -5839,9 +8113,14 @@ paths:
- okta.deviceAssurance.read
tags:
- DeviceAssurance
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
- summary: Create a Device Assurance Policy
- description: Creates a new Device Assurance Policy
+ summary: Create a device assurance policy
+ description: Creates a new device assurance policy
operationId: createDeviceAssurancePolicy
x-codegen-request-body-name: deviceAssurance
requestBody:
@@ -5864,6 +8143,18 @@ paths:
$ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest'
WindowsWithThirdPartySignalProviders:
$ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest'
+ AndroidWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest'
+ iOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest'
+ MacOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest'
+ WindowsWithDynamicVersionRequirements:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest'
+ WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest'
+ WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest'
required: true
responses:
'200':
@@ -5887,6 +8178,18 @@ paths:
$ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse'
WindowsWithThirdPartySignalProviders:
$ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse'
+ AndroidWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse'
+ iOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse'
+ MacOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse'
+ WindowsWithDynamicVersionRequirements:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse'
+ WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse'
+ WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -5899,12 +8202,17 @@ paths:
- okta.deviceAssurance.manage
tags:
- DeviceAssurance
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/device-assurances/{deviceAssuranceId}:
parameters:
- $ref: '#/components/parameters/pathDeviceAssuranceId'
get:
- summary: Retrieve a Device Assurance Policy
- description: Retrieves a Device Assurance Policy by `deviceAssuranceId`
+ summary: Retrieve a device assurance policy
+ description: Retrieves a device assurance policy by `deviceAssuranceId`
operationId: getDeviceAssurancePolicy
responses:
'200':
@@ -5928,6 +8236,18 @@ paths:
$ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse'
WindowsWithThirdPartySignalProviders:
$ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse'
+ AndroidWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse'
+ iOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse'
+ MacOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse'
+ WindowsWithDynamicVersionRequirements:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse'
+ WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse'
+ WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -5940,9 +8260,14 @@ paths:
- okta.deviceAssurance.read
tags:
- DeviceAssurance
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
put:
- summary: Replace a Device Assurance Policy
- description: Replaces a Device Assurance Policy by `deviceAssuranceId`
+ summary: Replace a device assurance policy
+ description: Replaces a device assurance policy by `deviceAssuranceId`
operationId: replaceDeviceAssurancePolicy
x-codegen-request-body-name: deviceAssurance
requestBody:
@@ -5965,6 +8290,18 @@ paths:
$ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest'
WindowsWithThirdPartySignalProviders:
$ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest'
+ AndroidWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest'
+ iOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest'
+ MacOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest'
+ WindowsWithDynamicVersionRequirements:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest'
+ WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest'
+ WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest'
required: true
responses:
'200':
@@ -5988,6 +8325,18 @@ paths:
$ref: '#/components/examples/DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse'
WindowsWithThirdPartySignalProviders:
$ref: '#/components/examples/DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse'
+ AndroidWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse'
+ iOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse'
+ MacOSWithDynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse'
+ WindowsWithDynamicVersionRequirements:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse'
+ WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse'
+ WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement:
+ $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -6002,9 +8351,14 @@ paths:
- okta.deviceAssurance.manage
tags:
- DeviceAssurance
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
- summary: Delete a Device Assurance Policy
- description: Deletes a Device Assurance Policy by `deviceAssuranceId`. If the Device Assurance Policy is currently being used in the org Authentication Policies, the delete will not be allowed.
+ summary: Delete a device assurance policy
+ description: Deletes a device assurance policy by `deviceAssuranceId`. If the device assurance policy is currently being used in the org Authentication Policies, the delete will not be allowed.
operationId: deleteDeviceAssurancePolicy
responses:
'204':
@@ -6031,6 +8385,14 @@ paths:
- okta.deviceAssurance.manage
tags:
- DeviceAssurance
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/device-checks/{deviceCheckId}:
+ parameters:
+ - $ref: '#/components/parameters/pathDeviceCheckId'
/api/v1/devices:
get:
summary: List all Devices
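Review bot: The new path item `/api/v1/device-checks/{deviceCheckId}` declares only `parameters` and no operations, so it is a dangling entry that documents nothing and that code generators will emit as an empty path; `/api/v1/dr/status/{domain}` in the hunk at `@@ -6479,6 +8968,12 @@` has the same shape. Either add the operations that belong under each path or drop the path item until they exist. If the operations are intentionally stripped from this generated variant, a comment such as `# operations omitted from this variant` above the entry would make that explicit rather than leaving it to look like a truncated merge.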
@@ -6042,7 +8404,12 @@ paths:
This operation requires [URL encoding](https://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1). For example, `search=profile.displayName eq "Bob"` is encoded as `search=profile.displayName%20eq%20%22Bob%22`.
operationId: listDevices
parameters:
- - $ref: '#/components/parameters/queryAfter'
+ - name: after
+ in: query
+ schema:
+ type: string
+ description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information.
+ example: 200u3des4afA47rYJu1d7
- name: limit
in: query
schema:
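Review bot: Replacing `$ref: '#/components/parameters/queryAfter'` with an inline `after` definition duplicates the shared parameter and lets the two drift, and the inline copy differs only by a `description` and an `example`. If the pagination contract is the same, keep the `$ref` and add the example and the `Link`-header wording to the shared component so every paginated operation benefits. The `example` value `200u3des4afA47rYJu1d7` contains letters and so stays a string under plain scalar typing; no quoting is needed.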
@@ -6050,12 +8417,14 @@ paths:
minimum: 1
maximum: 200
default: 200
+ example: 20
description: A limit on the number of objects to return (recommend `20`)
- name: search
in: query
description: A SCIM filter expression that filters the results. Searches include all Device `profile` properties and the Device `id`, `status`, and `lastUpdated` properties.
schema:
type: string
+ example: lastUpdated gt "2019-06-01T09:00:00.000Z"
examples:
Devices that have a `status` of `ACTIVE`:
value: status eq "ACTIVE"
@@ -6071,11 +8440,23 @@ paths:
value: profile.sid sw "S-1"
- name: expand
in: query
+ description: Includes associated user details and management status for the device in the `_embedded` attribute
schema:
type: string
- # enum:
- # - user # TODO: REVISIT WITH API TEAM
- description: Lists associated users for the device in `_embedded` element
+ example: userSummary
+ enum:
+ - user
+ - userSummary
+ x-enumDescriptions:
+ user: Lists full details for associated users
+ userSummary: Lists summaries for associated users
+ examples:
+ UserFullDetails:
+ summary: Get a detailed list of associated users
+ value: user
+ UserSummaries:
+ summary: Get the list of associated user summaries
+ value: userSummary
responses:
'200':
description: OK
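Review bot: The `expand` parameter now carries `enum` and `x-enumDescriptions` in a file named `management-noEnums.yaml`; if this variant is the enum-stripped spec, the generator that produces it should be dropping these keys rather than having them appear here (inferred from the filename; confirm against the build). Indentation is lost in this view, so also confirm that `example: userSummary` sits under `schema` and not beside the parameter-level `examples`, because the Parameter Object in OpenAPI 3.0.3 forbids `example` and `examples` together. The removed `# TODO: REVISIT WITH API TEAM` comment is resolved by this change, which is fine.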
@@ -6084,8 +8465,11 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/Device'
+ $ref: '#/components/schemas/DeviceList'
examples:
+ APIDevicesResponseUserSummaryExample:
+ type: array
+ $ref: '#/components/examples/APIDevicesListAllUserSummaryResponse'
APIDevicesResponseExample:
type: array
$ref: '#/components/examples/APIDevicesListAllResponse'
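Review bot: `type: array` under the new `APIDevicesResponseUserSummaryExample` is not a property of the Example Object, and in OpenAPI 3.0.3 every sibling of `$ref` is ignored, so the line is dead at best and a validator warning at worst; the pre-existing `APIDevicesResponseExample` carries the same stray key. Drop both `type: array` lines and keep only the `$ref`. The `items` switch from `Device` to `DeviceList` is fine provided `DeviceList` is defined under `components/schemas` (outside this view).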
@@ -6099,6 +8483,11 @@ paths:
- okta.devices.read
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/devices/{deviceId}:
parameters:
- $ref: '#/components/parameters/pathDeviceId'
@@ -6128,10 +8517,15 @@ paths:
- okta.devices.read
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
summary: Delete a Device
description: |-
- Deletes (permanently) a device by `deviceId` if it has a status of `DEACTIVATED`. You can transition the device to `DEACTIVATED` status using the [Deactivate a Device](#tag/Device/operation/deactivateDevice) endpoint.
+ Deletes (permanently) a device by `deviceId` if it has a status of `DEACTIVATED`. You can transition the device to `DEACTIVATED` status using the [Deactivate a Device](/openapi/okta-management/management/tag/Device/#tag/Device/operation/deactivateDevice) endpoint.
This request is destructive and deletes all of the profile data related to the device. Once deleted, device data can't be recovered. However, reenrollment creates a new device record.
> **Note:** Attempts to delete a device that isn't in a `DEACTIVATED` state raise an error.
operationId: deleteDevice
@@ -6158,6 +8552,11 @@ paths:
- okta.devices.manage
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/devices/{deviceId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathDeviceId'
@@ -6182,6 +8581,11 @@ paths:
- okta.devices.manage
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/devices/{deviceId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathDeviceId'
@@ -6210,6 +8614,11 @@ paths:
- okta.devices.manage
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/devices/{deviceId}/lifecycle/suspend:
parameters:
- $ref: '#/components/parameters/pathDeviceId'
@@ -6236,6 +8645,11 @@ paths:
- okta.devices.manage
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/devices/{deviceId}/lifecycle/unsuspend:
parameters:
- $ref: '#/components/parameters/pathDeviceId'
@@ -6260,6 +8674,11 @@ paths:
- okta.devices.manage
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/devices/{deviceId}/users:
parameters:
- $ref: '#/components/parameters/pathDeviceId'
@@ -6292,6 +8711,53 @@ paths:
- okta.devices.read
tags:
- Device
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/directories/{appInstanceId}/groups/modify:
+ parameters:
+ - $ref: '#/components/parameters/appInstanceId'
+ post:
+ summary: Update an AD Group membership
+ description: Updates an AD Group membership directly in AD
+ operationId: updateADGroupMembership
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AgentAction'
+ required: true
+ responses:
+ '200':
+ description: OK
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ APIValidationFailed:
+ $ref: '#/components/examples/ErrorApiValidationFailed'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '502':
+ $ref: '#/components/responses/Error502NoConnectedAgents'
+ '504':
+ $ref: '#/components/responses/Error504AgentTimeOut'
+ security:
+ - oauth2:
+ - okta.directories.groups.manage
+ tags:
+ - DirectoriesIntegration
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/domains:
get:
summary: List all Custom Domains
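Review bot: The `x-okta-lifecycle` block closing the new `updateADGroupMembership` operation is self-contradictory: `lifecycle: GA` with `isGenerallyAvailable: false` and `SKUs: []` says the operation is GA, not generally available, and sold in no SKU. Other operations in this diff pair `isGenerallyAvailable: false` with a concrete `SKUs` entry, so either list the SKU or set `isGenerallyAvailable: true`. The `'200'` response also has no `content`, so if the endpoint returns a body its schema is undocumented. The `security` entry offers only `oauth2`, unlike sibling operations that also list `apiToken: []`; if this endpoint is deliberately OAuth-only, one sentence in the `description` saying so would stop readers from filing it as an omission.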
@@ -6314,36 +8780,42 @@ paths:
- okta.domains.read
tags:
- CustomDomain
- # post:
- # summary: Create a Custom Domain
- # description: Creates your custom domain
- # operationId: createCustomDomain
- # x-codegen-request-body-name: domain
- # requestBody:
- # content:
- # application/json:
- # schema:
- # $ref: '#/components/schemas/DomainRequest'
- # required: true
- # responses:
- # '200':
- # description: Success
- # content:
- # application/json:
- # schema:
- # $ref: '#/components/schemas/DomainResponse'
- # '400':
- # $ref: '#/components/responses/ErrorApiValidationFailed400'
- # '403':
- # $ref: '#/components/responses/ErrorAccessDenied403'
- # '429':
- # $ref: '#/components/responses/ErrorTooManyRequests429'
- # security:
- # - apiToken: []
- # - oauth2:
- # - okta.domains.manage
- # tags:
- # - CustomDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Create a Custom Domain
+ description: Creates your custom domain
+ operationId: createCustomDomain
+ x-codegen-request-body-name: domain
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DomainRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DomainResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.domains.manage
+ tags:
+ - CustomDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/domains/{domainId}:
parameters:
- $ref: '#/components/parameters/pathDomainId'
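Review bot: The restored `createCustomDomain` operation's `description`, `Creates your custom domain`, does not tell the reader what happens next, even though this file defines a `/api/v1/domains/{domainId}/verify` operation further down. If ownership verification is required before the domain becomes usable (confirm against that operation), say so: `description: Creates a custom domain for your org. Verify domain ownership with the Verify Domain operation before the domain can be used.`. The block is otherwise identical to the previously commented-out text, so there is nothing else to re-review.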
@@ -6370,6 +8842,9 @@ paths:
- okta.domains.read
tags:
- CustomDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Custom Domain's Brand
description: Replaces a custom domain's brand
@@ -6401,6 +8876,9 @@ paths:
- okta.domains.manage
tags:
- CustomDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Custom Domain
description: Deletes a custom domain by `domainId`
@@ -6421,12 +8899,20 @@ paths:
- okta.domains.manage
tags:
- CustomDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/domains/{domainId}/certificate:
parameters:
- $ref: '#/components/parameters/pathDomainId'
put:
summary: Upsert the Custom Domain's Certificate
- description: Upserts (creates or renews) the `MANUAL` certificate for the custom domain. If the `certificateSourceType` in the domain is `OKTA_MANAGED`, it becomes `MANUAL` and Okta no longer manages and renews certificates for this domain since a user-managed certificate has been provided.
+ description: |-
+ Upserts (creates or renews) the `MANUAL` certificate for the custom domain
+
+ > **Notes:**
+ > * If the existing `certificateSourceType` is `OKTA_MANAGED`, this operation changes the source type to `MANUAL`. Okta no longer manages and renews certificates for this domain after you provide a user-managed certificate.
+ > * Okta supports TLS certificates and private keys that are PEM-encoded and 2048, 3072, or 4096 bits. See the [Custom domain guide](https://developer.okta.com/docs/guides/custom-url-domain/main/) for more details.
operationId: upsertCertificate
x-codegen-request-body-name: certificate
requestBody:
@@ -6453,6 +8939,9 @@ paths:
- okta.domains.manage
tags:
- CustomDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/domains/{domainId}/verify:
parameters:
- $ref: '#/components/parameters/pathDomainId'
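Review bot: The new `description` states constraints (PEM-encoded TLS certificate and private key, 2048/3072/4096-bit keys) that live only in prose; the request body schema referenced from `requestBody` (outside the hunk) should carry the same constraints so validators and generated clients enforce them instead of relying on readers noticing a blockquote. It would also help to say which error is returned when the key size or encoding is unsupported, if the server reports that distinctly (inferred; confirm). The two-bullet `> **Notes:**` list inside the `|-` block is valid Markdown and renders as intended.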
@@ -6479,6 +8968,12 @@ paths:
- okta.domains.manage
tags:
- CustomDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/dr/status/{domain}:
+ parameters:
+ - $ref: '#/components/parameters/domain'
/api/v1/email-domains:
parameters:
- $ref: '#/components/parameters/queryExpandEmailDomain'
@@ -6508,6 +9003,9 @@ paths:
- okta.emailDomains.read
tags:
- EmailDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an Email Domain
description: Creates an Email Domain in your org
@@ -6555,6 +9053,9 @@ paths:
- okta.emailDomains.manage
tags:
- EmailDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/email-domains/{emailDomainId}:
parameters:
- $ref: '#/components/parameters/pathEmailDomainId'
@@ -6585,6 +9086,9 @@ paths:
- okta.emailDomains.read
tags:
- EmailDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace an Email Domain
description: Replaces associated username and sender display name by `emailDomainId`
@@ -6623,6 +9127,9 @@ paths:
- okta.emailDomains.manage
tags:
- EmailDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete an Email Domain
description: Deletes an Email Domain by `emailDomainId`
@@ -6652,6 +9159,9 @@ paths:
- okta.emailDomains.manage
tags:
- EmailDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/email-domains/{emailDomainId}/verify:
parameters:
- $ref: '#/components/parameters/pathEmailDomainId'
@@ -6692,10 +9202,13 @@ paths:
- okta.emailDomains.manage
tags:
- EmailDomain
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/email-servers:
get:
summary: List all enrolled SMTP servers
- description: Lists all the enrolled custom email SMTP servers
+ description: Lists all the enrolled custom SMTP server configurations
operationId: listEmailServers
responses:
'200':
@@ -6714,9 +9227,14 @@ paths:
- okta.emailServers.read
tags:
- EmailServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
summary: Create a custom SMTP server
- description: Creates a custom email SMTP server configuration for your organization
+ description: Creates a custom email SMTP server configuration for your org
operationId: createEmailServer
requestBody:
content:
@@ -6742,12 +9260,17 @@ paths:
- okta.emailServers.manage
tags:
- EmailServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/email-servers/{emailServerId}:
parameters:
- $ref: '#/components/parameters/pathEmailServerId'
get:
summary: Retrieve an SMTP Server configuration
- description: Retrieves a configuration of your organization's custom SMTP server with the given ID
+ description: Retrieves the specified custom SMTP server configuration
operationId: getEmailServer
responses:
'200':
@@ -6768,9 +9291,14 @@ paths:
- okta.emailServers.read
tags:
- EmailServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
patch:
summary: Update an SMTP Server configuration
- description: Updates one or more fields of your organization's custom SMTP Server configuration
+ description: Updates the specified custom SMTP server configuration
operationId: updateEmailServer
requestBody:
content:
@@ -6798,9 +9326,14 @@ paths:
- okta.emailServers.manage
tags:
- EmailServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
summary: Delete an SMTP Server configuration
- description: Deletes your organization's custom SMTP server with the given ID
+ description: Deletes the specified custom SMTP server configuration
operationId: deleteEmailServer
responses:
'204':
@@ -6817,12 +9350,17 @@ paths:
- okta.emailServers.manage
tags:
- EmailServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/email-servers/{emailServerId}/test:
parameters:
- $ref: '#/components/parameters/pathEmailServerId'
post:
summary: Test an SMTP Server configuration
- description: Tests your organization's custom SMTP Server with the given ID
+ description: Tests the specified custom SMTP Server configuration
operationId: testEmailServer
requestBody:
content:
@@ -6846,6 +9384,11 @@ paths:
- okta.emailServers.manage
tags:
- EmailServer
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/eventHooks:
get:
summary: List all Event Hooks
@@ -6860,6 +9403,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/EventHook'
+ examples:
+ RetrieveAllEventHooks:
+ $ref: '#/components/examples/RetrieveAllEventHooks'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -6870,9 +9416,23 @@ paths:
- okta.eventHooks.read
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an Event Hook
- description: Creates an event hook
+ description: |-
+ Creates a new event hook for your organization in `ACTIVE` status. You pass an event hook object in the JSON payload
+ of your request. That object represents the set of required information about the event hook you're registering, including:
+ * The URI of your external service
+ * The [events](https://developer.okta.com/docs/reference/api/event-types/) in Okta you want to subscribe to
+ * An optional event hook filter that can reduce the number of event hook calls. This is a self-service Early Access (EA) feature.
+ See [Create an event hook filter](https://developer.okta.com/docs/concepts/event-hooks/#create-an-event-hook-filter).
+
+ Additionally, you can specify a secret API key for Okta to pass to your external service endpoint for security verification. Note that the API key you set here is unrelated to the Okta API token
+ you must supply when making calls to Okta APIs. Optionally, you can specify extra headers that Okta passes to your external
+ service with each call.
+ Your external service must use a valid HTTPS endpoint.
operationId: createEventHook
x-codegen-request-body-name: eventHook
requestBody:
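Review bot: The new `description` says the hook is created in `ACTIVE` status but does not mention that, per the `verifyEventHook` description later in this diff, only `ACTIVE` and `VERIFIED` hooks receive events, so a reader may expect deliveries immediately after creation. Suggest adding a line such as `After creation, verify the hook with the Verify Event Hook operation; unverified hooks don't receive events.`. The sentence about the secret API key would also be clearer if it named the request field that carries it, which the `EventHook` schema (outside this hunk) presumably defines — confirm.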
@@ -6880,6 +9440,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ CreateAnEventHook:
+ $ref: '#/components/examples/CreateAnEventHook'
+ CreateAnEventHookWithFilter:
+ $ref: '#/components/examples/CreateAnEventHookWithFilter'
required: true
responses:
'200':
@@ -6888,6 +9453,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ CreateAnEventHook:
+ $ref: '#/components/examples/RetrieveAnEventHook'
+ CreateAnEventHookWithFilter:
+ $ref: '#/components/examples/RetrieveAnEventHookWithFilter'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -6900,6 +9470,9 @@ paths:
- okta.eventHooks.manage
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/eventHooks/{eventHookId}:
parameters:
- $ref: '#/components/parameters/pathEventHookId'
@@ -6914,6 +9487,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ RetrieveAnEventHook:
+ $ref: '#/components/examples/RetrieveAnEventHook'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -6926,9 +9502,16 @@ paths:
- okta.eventHooks.read
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace an Event Hook
- description: Replaces an event hook
+ description: |-
+ Replaces an event hook. Okta validates the new properties before replacing the existing values.
+ Some event hook properties are immutable and can't be updated. Refer to the parameter description in the request body schema.
+
+ >**Note:** Updating the `channel` property requires you to verify the hook again.
operationId: replaceEventHook
x-codegen-request-body-name: eventHook
requestBody:
@@ -6936,6 +9519,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ ReplaceAnEventHook:
+ $ref: '#/components/examples/ReplaceAnEventHookWithFilter'
required: true
responses:
'200':
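Review bot: The request example key `ReplaceAnEventHook` points at `ReplaceAnEventHookWithFilter`, and the response example in the next hunk maps the same key to `RetrieveAnEventHookWithFilter`, so the rendered example name hides that the payload includes a filter. The `createEventHook` operation in this diff distinguishes `CreateAnEventHook` from `CreateAnEventHookWithFilter`; rename these keys to `ReplaceAnEventHookWithFilter` (or add a filter-less example) for consistency. Stylistic only.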
@@ -6944,6 +9530,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ ReplaceAnEventHook:
+ $ref: '#/components/examples/RetrieveAnEventHookWithFilter'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -6958,9 +9547,14 @@ paths:
- okta.eventHooks.manage
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete an Event Hook
- description: Deletes an event hook
+ description: |-
+ Deletes the event hook that matches the provided `id`. After deletion, the event hook is unrecoverable.
+ As a safety precaution, you can only delete event hooks with a status of `INACTIVE`.
operationId: deleteEventHook
responses:
'204':
@@ -6978,12 +9572,15 @@ paths:
- okta.eventHooks.manage
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/eventHooks/{eventHookId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathEventHookId'
post:
summary: Activate an Event Hook
- description: Activates an event hook
+ description: Activates the event hook that matches the provided `id`
operationId: activateEventHook
responses:
'200':
@@ -6992,6 +9589,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ ActivateAnEventHook:
+ $ref: '#/components/examples/RetrieveAnEventHook'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7004,12 +9604,15 @@ paths:
- okta.eventHooks.manage
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/eventHooks/{eventHookId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathEventHookId'
post:
summary: Deactivate an Event Hook
- description: Deactivates an event hook
+ description: Deactivates the event hook that matches the provided `id`
operationId: deactivateEventHook
responses:
'200':
@@ -7018,6 +9621,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ DeactivateAnEventHook:
+ $ref: '#/components/examples/RetrieveADeactivatedEventHook'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7030,12 +9636,21 @@ paths:
- okta.eventHooks.manage
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/eventHooks/{eventHookId}/lifecycle/verify:
parameters:
- $ref: '#/components/parameters/pathEventHookId'
post:
summary: Verify an Event Hook
- description: Verifies an event hook
+ description: |-
+ Verifies that the event hook matches the provided `eventHookId`. To verify ownership, your endpoint must send information back to Okta in JSON format. See [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/#one-time-verification-request).
+
+ Only `ACTIVE` and `VERIFIED` event hooks can receive events from Okta.
+
+ If a response is not received within 3 seconds, the outbound request times out. One retry is attempted after a timeout or error response.
+ If a successful response still isn't received, this operation returns a 400 error with more information about the failure.
operationId: verifyEventHook
responses:
'200':
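Review bot: The first line of the new `description`, "Verifies that the event hook matches the provided `eventHookId`", reads as a lookup rather than the ownership verification the rest of the text describes. Suggest `Verifies the event hook that matches the provided `eventHookId`. To verify ownership, your endpoint must send information back to Okta in JSON format.` so the sentence names what is being verified. The timeout, single-retry and 400 wording matches the `'400'` response added in the next hunk.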
@@ -7044,6 +9659,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/EventHook'
+ examples:
+ VerifyAnEventHook:
+ $ref: '#/components/examples/RetrieveAnEventHook'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7056,10 +9676,13 @@ paths:
- okta.eventHooks.manage
tags:
- EventHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/features:
get:
summary: List all Features
- description: Lists all features
+ description: Lists all self-service features for your org
operationId: listFeatures
responses:
'200':
@@ -7070,6 +9693,10 @@ paths:
type: array
items:
$ref: '#/components/schemas/Feature'
+ examples:
+ FeaturesList:
+ summary: List all self-service features for your org
+ $ref: '#/components/examples/ListFeaturesResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -7080,12 +9707,15 @@ paths:
- okta.features.read
tags:
- Feature
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/features/{featureId}:
parameters:
- $ref: '#/components/parameters/pathFeatureId'
get:
summary: Retrieve a Feature
- description: Retrieves a feature
+ description: Retrieves a feature by ID
operationId: getFeature
responses:
'200':
@@ -7094,6 +9724,10 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Feature'
+ examples:
+ FeaturesRetrieve:
+ summary: Retrieve a Feature by ID
+ $ref: '#/components/examples/RetrieveFeaturesResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7106,12 +9740,18 @@ paths:
- okta.features.read
tags:
- Feature
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/features/{featureId}/dependencies:
parameters:
- $ref: '#/components/parameters/pathFeatureId'
get:
- summary: List all Dependencies
- description: Lists all dependencies
+ summary: List all dependencies
+ description: |-
+ Lists all feature dependencies for a specified feature.
+
+ A feature's dependencies are the features that it requires to be enabled in order for itself to be enabled.
operationId: listFeatureDependencies
responses:
'200':
@@ -7122,6 +9762,10 @@ paths:
type: array
items:
$ref: '#/components/schemas/Feature'
+ examples:
+ FeaturesDependenciesList:
+ summary: List all Dependencies
+ $ref: '#/components/examples/ListFeatureDependenciesResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7134,12 +9778,18 @@ paths:
- okta.features.read
tags:
- Feature
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/features/{featureId}/dependents:
parameters:
- $ref: '#/components/parameters/pathFeatureId'
get:
- summary: List all Dependents
- description: Lists all dependents
+ summary: List all dependents
+ description: |-
+ Lists all feature dependents for the specified feature.
+
+ A feature's dependents are the features that need to be disabled in order for the feature itself to be disabled.
operationId: listFeatureDependents
responses:
'200':
@@ -7150,6 +9800,10 @@ paths:
type: array
items:
$ref: '#/components/schemas/Feature'
+ examples:
+ FeaturesDependentsList:
+ summary: List all feature dependents for the specified feature
+ $ref: '#/components/examples/ListFeatureDependentsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7162,17 +9816,32 @@ paths:
- okta.features.read
tags:
- Feature
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/features/{featureId}/{lifecycle}:
parameters:
- $ref: '#/components/parameters/pathFeatureId'
- $ref: '#/components/parameters/pathLifecycle'
post:
- summary: Update a Feature Lifecycle
- description: Updates a feature lifecycle
+ summary: Update a Feature lifecycle
+ description: |-
+ Updates a feature's lifecycle status. Use this endpoint to enable or disable a feature for your org.
+
+ Use the `mode=force` parameter to override dependency restrictions for a particular feature. Normally, you can't enable a feature if it has one or more dependencies that aren't enabled.
+
+ When you use the `mode=force` parameter while enabling a feature, Okta first tries to enable any disabled features that this feature may have as dependencies. If you don't pass the `mode=force` parameter and the feature has dependencies that need to be enabled before the feature is enabled, a 400 error is returned.
+
+ When you use the `mode=force` parameter while disabling a feature, Okta first tries to disable any enabled features that this feature may have as dependents. If you don't pass the `mode=force` parameter and the feature has dependents that need to be disabled before the feature is disabled, a 400 error is returned.
+
+ The following chart shows the different state transitions for a feature.
+
+ ![State transitions of a feature](../../../../../images/features/update-ssfeat-flowchart.png '#width=500px;')
operationId: updateFeatureLifecycle
parameters:
- name: mode
in: query
+ description: Indicates if you want to force enable or disable a feature. Supported value is `force`.
schema:
type: string
responses:
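Review bot: The image reference `../../../../../images/features/update-ssfeat-flowchart.png '#width=500px;'` in the new `description` is a filesystem-relative path with a renderer-specific title suffix, so it only resolves inside the one docs build that has that directory layout; generated SDK docs and other renderers will show a broken image. Use an absolute URL (placeholder: `https://<docs-host>/images/features/update-ssfeat-flowchart.png`) or drop the image and describe the transitions in text. The `mode` parameter's new `description` correctly names `force` as the only supported value; adding `example: force` under its `schema` would surface that in generated docs without introducing an enum into this enum-free variant.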
@@ -7182,6 +9851,10 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Feature'
+ examples:
+ FeaturesUpdate:
+ summary: Update the feature lifecycle status
+ $ref: '#/components/examples/UpdateFeatureLifecycleResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7194,55 +9867,197 @@ paths:
- okta.features.manage
tags:
- Feature
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/first-party-app-settings/{appName}:
+ parameters:
+ - $ref: '#/components/parameters/pathFirstPartyAppName'
+ get:
+ summary: Retrieve the Okta Application Settings
+ description: Retrieves the settings for an Okta app (also known as an Okta first-party app)
+ operationId: getFirstPartyAppSettings
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AdminConsoleSettings'
+ examples:
+ exampleSettings:
+ $ref: '#/components/examples/AdminConsoleSettingsExample'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.read
+ tags:
+ - OktaApplicationSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the Okta Application Settings
+ description: Replaces the settings for an Okta app (also known as an Okta first-party app)
+ operationId: replaceFirstPartyAppSettings
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AdminConsoleSettings'
+ examples:
+ exampleSettings:
+ $ref: '#/components/examples/AdminConsoleSettingsExample'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AdminConsoleSettings'
+ examples:
+ exampleSettings:
+ $ref: '#/components/examples/AdminConsoleSettingsExample'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Access Denied:
+ $ref: '#/components/examples/ErrorAccessDenied'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.apps.manage
+ tags:
+ - OktaApplicationSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups:
get:
summary: List all Groups
- description: Lists all groups with pagination support. A subset of groups can be returned that match a supported filter expression or query.
+ description: |-
+ Lists all Groups with pagination support.
+
+ The number of Groups returned depends on the specified [`limit`](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!in=query&path=limit&t=request), if you have a search, filter, and/or query parameter set, and if that parameter is not null. We recommend using a limit less than or equal to 200.
+
+ A subset of Groups can be returned that match a supported filter expression, query, or search criteria.
+
+ > **Note:** Results from the filter or query parameter are driven from an eventually consistent datasource. The synchronization lag is typically less than one second.
+ See [Filtering](https://developer.okta.com/docs/api/#filter) for more information on expressions.
operationId: listGroups
parameters:
- name: q
in: query
- description: Searches the name property of groups for matching value
+ description: |-
+ Finds a Group that matches the `name` property
+ > **Note:** Paging and searching are currently mutually exclusive. You can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results.
schema:
type: string
+ example: West&limit=10
- name: filter
in: query
- description: Filter expression for groups
+ description: |-
+ [Filter expression](https://developer.okta.com/docs/reference/core-okta-api/#filter) for Groups
+ > **Note:** All filters must be [URL encoded](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`.
schema:
type: string
+ examples:
+ filterById:
+ value: id eq "00g1emaKYZTWRYYRRTSK"
+ summary: Filter group with a specific ID
+ filterByType:
+ value: type eq "OKTA_GROUP"
+ summary: Filter groups that are of the type `OKTA_GROUP`
+ filterByTypeAndProfileLastUpdatedAfterDate:
+ value: type eq "OKTA_GROUP" and lastUpdated gt "2016-11-11T00:00:00.000Z"
+ summary: Filter groups that are of the type `OKTA_GROUP` with Profile updated after 11/11/2015
+ filterByTypeAndProfileOrMembershipUpdatedBeforeDate:
+ value: type eq "OKTA_GROUP" and (lastUpdated lt "2015-11-11T00:00:00.000Z" or lastMembershipUpdated lt "2015-11-11T00:00:00.000Z")
+ summary: Filter groups that are of the type `OKTA_GROUP` with Profile or memberships updated before 11/11/2015
- name: after
in: query
- description: Specifies the pagination cursor for the next page of groups
+ description: Specifies the pagination cursor for the next page of Groups. The `after` cursor should be treated as an opaque value and obtained through the next link relation. See [Pagination](https://developer.okta.com/docs/api/#pagination).
schema:
type: string
- name: limit
in: query
- description: Specifies the number of group results in a page
+ description: |-
+ Specifies the number of Group results in a page.
+
+ Don't write code that depends on the default or maximum value, as it might change. If you receive an `HTTP 500` status code, you likely exceeded the request timeout. Retry your request with a smaller `limit` and [page the results](https://developer.okta.com/docs/api/#pagination).
+
+ The Okta default Everyone group isn't returned for users with a Group Admin role.
+
+ >**Note:** We strongly encourage using a limit that's less than or equal to 200. Any number greater than 200 affects performance and accuracy.
schema:
type: integer
format: int32
- default: 10000
+ maximum: 10000
- name: expand
in: query
- description: If specified, it causes additional metadata to be included in the response.
+ description: If specified, additional metadata is included in the response. Possible values are `stats` and `app`.
schema:
type: string
- name: search
in: query
- description: Searches for groups with a supported filtering expression for all attributes except for _embedded, _links, and objectClass
+ description: |-
+ Searches for groups with a supported [filtering](https://developer.okta.com/docs/reference/core-okta-api/#filter) expression for all attributes except for `_embedded`, `_links`, and `objectClass`.
+
+ Search currently performs a `startsWith` match but it should be considered an implementation detail and might change without notice in the future. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination).
+
+ Using search requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding), for example, `search=type eq "OKTA_GROUP"` is encoded as `search=type+eq+%22OKTA_GROUP%22`.
+
+ This operation searches many properties:
+ * Any group profile property, including imported app group profile properties.
+ * The top-level properties `id`, `created`, `lastMembershipUpdated`, `lastUpdated`, and `type`.
+ * The [source](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links/source&t=response) of groups with type of `APP_GROUP`, accessed as `source.id`.
+ You can also use `sortBy` and `sortOrder` parameters.
schema:
type: string
+ examples:
+ searchByType:
+ value: type eq "APP_GROUP"
+ summary: Search for Groups that have a type of `APP_GROUP`
+ searchByLastMembershipUpdatedAfterDate:
+ value: lastMembershipUpdated gt "2014-01-01T00:00:00.000Z"
+ summary: Search for Groups whose memberships were last updated after a specific timestamp
+ searchById:
+ value: id eq "00gak46y5hydV6NdM0g4"
+ summary: Search for Groups with the specified ID (`00gak46y5hydV6NdM0g4`)
+ searchByProfileName:
+ value: profile.name eq "West Coast Users"
+ summary: Search for Groups that have a `name` of `West Coast Users`
+ searchBySamAccountName:
+ value: profile.samAccountName sw "West Coast"
+ summary: Search for Groups whose `samAccountName` starts with `West Coast`
+ searchBySourceId:
+ value: source.id eq "0oa2v0el0gP90aqjJ0g7"
+ summary: Search for Groups that have the source app with a specified `source.id` (`0oa2v0el0gP90aqjJ0g7`)
+ searchByIdTypeAndCreationDate:
+ value: type eq "APP_GROUP" and (created lt "2014-01-01T00:00:00.000Z" and source.id eq "0oa2v0el0gP90aqjJ0g7")
+ summary: List groups of type `APP_GROUP` that were created before 01/01/2014 and whose source app has the ID 0oa2v0el0gP90aqjJ0g7
- name: sortBy
in: query
- description: Specifies field to sort by and can be any single property (for search queries only).
+ description: Specifies field to sort by **(for search queries only)**. `sortBy` can be any single property, for example `sortBy=profile.name`.
schema:
type: string
example: lastUpdated
- name: sortOrder
in: query
- description: |-
- Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` is not present.
- Groups with the same value for the `sortBy` parameter are ordered by `id`.
+ description: 'Specifies sort order: `asc` or `desc` (for search queries only). This parameter is ignored if if `sortBy` is not present. Groups with the same value for the `sortBy` property will be ordered by `id`'
schema:
type: string
default: asc
@@ -7255,6 +10070,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/Group'
+ examples:
+ ListGroupExample:
+ $ref: '#/components/examples/list-groups-examples'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -7265,16 +10083,24 @@ paths:
- okta.groups.read
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create a Group
- description: Creates a new group with `OKTA_GROUP` type
- operationId: createGroup
+ summary: Add a Group
+ description: |-
+ Adds a new Group with the `OKTA_GROUP` type to your org
+ > **Note:** App import operations are responsible for syncing Groups with `APP_GROUP` type such as Active Directory Groups. See
+ [About groups](https://help.okta.com/okta_help.htm?id=Directory_Groups).
+ operationId: addGroup
x-codegen-request-body-name: group
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/Group'
+ properties:
+ profile:
+ $ref: '#/components/schemas/OktaUserGroupProfile'
required: true
responses:
'200':
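Review bot: The inline request schema at L55703–L55705 replaces the `$ref` with a bare `properties` map and declares neither `type: object` nor `required`, so validators and code generators accept any JSON body (including `{}`) for `addGroup`; add `type: object` and `required:` / `  - profile` above `properties:` to keep the contract the old `Group` ref implied. The same inline schema is repeated in the replaceGroup hunk at L55989–L55991. Separately, renaming `operationId` from `createGroup` to `addGroup` at L55696 renames the generated SDK method, which is a breaking change for consumers of generated clients unless the old name is kept as an alias.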
@@ -7283,6 +10109,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Group'
+ examples:
+ GroupExample:
+ $ref: '#/components/examples/group-example'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -7295,10 +10124,13 @@ paths:
- okta.groups.manage
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/rules:
get:
- summary: List all Group Rules
- description: Lists all group rules
+ summary: List all Group rules
+ description: Lists all Group rules for your org
operationId: listGroupRules
parameters:
- name: limit
@@ -7308,6 +10140,8 @@ paths:
type: integer
format: int32
default: 50
+ minimum: 1
+ maximum: 200
- name: after
in: query
description: Specifies the pagination cursor for the next page of rules
@@ -7315,12 +10149,12 @@ paths:
type: string
- name: search
in: query
- description: Specifies the keyword to search fules for
+ description: Specifies the keyword to search rules for
schema:
type: string
- name: expand
in: query
- description: If specified as `groupIdToGroupNameMap`, then show group names
+ description: If specified as `groupIdToGroupNameMap`, then displays group names
schema:
type: string
x-okta-added-version: 1.3.0
@@ -7333,6 +10167,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/GroupRule'
+ examples:
+ ListGroupRulesExample:
+ $ref: '#/components/examples/list-group-rules-example'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -7342,17 +10179,25 @@ paths:
- oauth2:
- okta.groups.read
tags:
- - Group
+ - GroupRule
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create a Group Rule
- description: Creates a group rule to dynamically add users to the specified group if they match the condition
+ summary: Create a Group rule
+ description: |-
+ Creates a Group rule to dynamically add Users to the specified Group if they match the condition
+ > **Note:** Group rules are created with the status set to `'INACTIVE'`.
operationId: createGroupRule
x-codegen-request-body-name: groupRule
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/GroupRule'
+ $ref: '#/components/schemas/CreateGroupRuleRequest'
+ examples:
+ GroupRuleExample:
+ $ref: '#/components/examples/create-group-rule-request-example'
required: true
responses:
'200':
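Review bot: The status value at L55784 is written as `'INACTIVE'` inside backticks, so the rendered code span shows the single quotes; the rest of this file writes enum values as bare code spans (for example `OKTA_GROUP` at L55693). Suggest `> **Note:** Group rules are created with the status set to `INACTIVE`.` The same quoting appears at L55859.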
@@ -7361,6 +10206,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/GroupRule'
+ examples:
+ GroupRuleExample:
+ $ref: '#/components/examples/group-rule-example'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -7372,17 +10220,21 @@ paths:
- oauth2:
- okta.groups.manage
tags:
- - Group
+ - GroupRule
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/rules/{groupRuleId}:
parameters:
- $ref: '#/components/parameters/pathGroupRuleId'
get:
- summary: Retrieve a Group Rule
- description: Retrieves a specific group rule by `groupRuleId`
+ summary: Retrieve a Group rule
+ description: Retrieves a specific Group rule by ID from your org
operationId: getGroupRule
parameters:
- name: expand
in: query
+ description: If specified as `groupIdToGroupNameMap`, then show Group names
schema:
type: string
responses:
@@ -7392,6 +10244,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/GroupRule'
+ examples:
+ GroupRuleExample:
+ $ref: '#/components/examples/group-rule-example'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7403,10 +10258,17 @@ paths:
- oauth2:
- okta.groups.read
tags:
- - Group
+ - GroupRule
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Replace a Group Rule
- description: Replaces a group rule. Only `INACTIVE` rules can be updated.
+ summary: Replace a Group rule
+ description: |-
+ Replaces a Group rule
+ > **Notes:** You only can update rules with a Group whose status is set to `'INACTIVE'`.
+ >
+ > You currently can't update the `action` section.
operationId: replaceGroupRule
x-codegen-request-body-name: groupRule
requestBody:
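Review bot: The rewritten note at L55859 changes the meaning of the constraint: the removed text at L55855 said only rules whose own status is `INACTIVE` can be updated, but "rules with a Group whose status is set to `'INACTIVE'`" attaches the status to the Group, which is a different object. Suggest `> **Notes:** You can only update a Group rule whose status is `INACTIVE`.` so the constraint stays on the rule.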
@@ -7414,6 +10276,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/GroupRule'
+ examples:
+ GroupRuleExample:
+ $ref: '#/components/examples/group-rule-example'
required: true
responses:
'200':
@@ -7435,17 +10300,21 @@ paths:
- oauth2:
- okta.groups.manage
tags:
- - Group
+ - GroupRule
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Delete a group Rule
+ summary: Delete a Group Rule
description: Deletes a specific group rule by `groupRuleId`
operationId: deleteGroupRule
parameters:
- name: removeUsers
in: query
- description: Indicates whether to keep or remove users from groups assigned by this rule.
+ description: If set to `true`, removes Users from Groups assigned by this rule
schema:
type: boolean
+ default: false
responses:
'202':
description: Accepted
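Review bot: The summary at L55886 is cased "Delete a Group Rule" while the sibling operations in this commit were changed to "… a Group rule" (L55824, L55856), and the description at L55887 still reads "group rule" in lowercase; pick one casing for the whole path item, e.g. `summary: Delete a Group rule`. The activate/deactivate summaries at L55913 and L55932 are unchanged context lines and keep the older "Group Rule" form, so the inconsistency will remain unless those are touched too.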
@@ -7461,13 +10330,16 @@ paths:
- oauth2:
- okta.groups.manage
tags:
- - Group
+ - GroupRule
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/rules/{groupRuleId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathGroupRuleId'
post:
summary: Activate a Group Rule
- description: Activates a specific group rule by `groupRuleId`
+ description: Activates a specific Group rule by ID from your org
operationId: activateGroupRule
responses:
'204':
@@ -7484,13 +10356,16 @@ paths:
- oauth2:
- okta.groups.manage
tags:
- - Group
+ - GroupRule
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/rules/{groupRuleId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathGroupRuleId'
post:
summary: Deactivate a Group Rule
- description: Deactivates a specific group rule by `groupRuleId`
+ description: Deactivates a specific Group rule by ID from your org
operationId: deactivateGroupRule
responses:
'204':
@@ -7507,13 +10382,16 @@ paths:
- oauth2:
- okta.groups.manage
tags:
- - Group
+ - GroupRule
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/{groupId}:
parameters:
- $ref: '#/components/parameters/pathGroupId'
get:
summary: Retrieve a Group
- description: Retrieves a group by `groupId`
+ description: Retrieves a specific Group by `id` from your org
operationId: getGroup
responses:
'200':
@@ -7522,6 +10400,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Group'
+ examples:
+ GroupExample:
+ $ref: '#/components/examples/group-example'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7534,16 +10415,25 @@ paths:
- okta.groups.read
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Group
- description: Replaces the profile for a group with `OKTA_GROUP` type
+ description: |-
+ Replaces the profile for a Group of `OKTA_GROUP` type from your org
+ > **Note :** You only can modify profiles for groups of the `OKTA_GROUP` type.
+ >
+ > App imports are responsible for updating profiles for groups of the `APP_GROUP` type, such as Active Directory groups.
operationId: replaceGroup
x-codegen-request-body-name: group
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/Group'
+ properties:
+ profile:
+ $ref: '#/components/schemas/OktaUserGroupProfile'
required: true
responses:
'200':
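Review bot: The note marker at L55979 has a stray space, `**Note :**`, where every other note in this diff uses `**Note:**`; the space renders in the bold text. Suggest `> **Note:** You can only modify profiles for groups of the `OKTA_GROUP` type.` which also fixes the "You only can" word order used here and at L55859.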
@@ -7552,6 +10442,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Group'
+ examples:
+ GroupExample:
+ $ref: '#/components/examples/group-example'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -7566,9 +10459,14 @@ paths:
- okta.groups.manage
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Group
- description: Deletes a group with `OKTA_GROUP` type
+ description: |-
+ Deletes a Group of the `OKTA_GROUP` or `APP_GROUP` type from your org
+ > **Note:** You can't remove Groups of type `APP_GROUP` if they are used in a group push mapping.
operationId: deleteGroup
responses:
'204':
@@ -7586,12 +10484,15 @@ paths:
- okta.groups.manage
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/{groupId}/apps:
parameters:
- $ref: '#/components/parameters/pathGroupId'
get:
summary: List all Assigned Applications
- description: Lists all applications that are assigned to a group
+ description: Lists all apps that are assigned to a Group. See [Application Groups API](/openapi/okta-management/management/tag/ApplicationGroups/).
operationId: listAssignedApplicationsForGroup
parameters:
- name: after
@@ -7615,6 +10516,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/Application'
+ examples:
+ ListAppsExample:
+ $ref: '#/components/examples/list-apps-example'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7627,6 +10531,9 @@ paths:
- okta.groups.read
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/{groupId}/owners:
parameters:
- $ref: '#/components/parameters/pathGroupId'
@@ -7635,7 +10542,7 @@ paths:
description: Lists all owners for a specific group
operationId: listGroupOwners
parameters:
- - name: filter
+ - name: search
in: query
description: SCIM Filter expression for group owners. Allows to filter owners by type.
schema:
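Review bot: Renaming the query parameter from `filter` to `search` at L56063 changes the wire contract of `listGroupOwners` — a client still sending `filter=` would get an unfiltered owner list unless the server accepts both names — and the unchanged description at L56065 still says "SCIM Filter expression", so the name and the text now disagree. If the server really takes `search`, update the description to name it, e.g. `description: SCIM filter expression for group owners, passed in the search parameter. Allows filtering owners by type.`; if not, the rename should be reverted.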
@@ -7677,17 +10584,16 @@ paths:
- oauth2:
- okta.groups.read
tags:
- - Group
+ - GroupOwner
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Assign a Group Owner
description: Assigns a group owner
operationId: assignGroupOwner
parameters:
- - name: groupId
- in: path
- required: true
- schema:
- type: string
+ - $ref: '#/components/parameters/pathGroupId'
requestBody:
content:
application/json:
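Review bot: The `$ref` at L56086 duplicates the path-level `pathGroupId` parameter that the `/api/v1/groups/{groupId}/owners` path item appears to declare at L56057, outside this hunk; OpenAPI permits an operation-level override, but here it is redundant and some linters flag the duplicate. The operation's `parameters:` block at L56080–L56086 can be dropped entirely, matching the sibling `get` operation which relies on the path-level parameter.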
@@ -7720,7 +10626,10 @@ paths:
- oauth2:
- okta.groups.manage
tags:
- - Group
+ - GroupOwner
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/{groupId}/owners/{ownerId}:
parameters:
- $ref: '#/components/parameters/pathGroupId'
@@ -7744,19 +10653,19 @@ paths:
- oauth2:
- okta.groups.manage
tags:
- - Group
+ - GroupOwner
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/{groupId}/roles:
parameters:
- $ref: '#/components/parameters/pathGroupId'
get:
- summary: List all Assigned Roles of Group
- description: Lists all assigned roles of group identified by `groupId`
+ summary: List all Group Role Assignments
+ description: Lists all assigned roles of a Group by `groupId`
operationId: listGroupAssignedRoles
parameters:
- - name: expand
- in: query
- schema:
- type: string
+ - $ref: '#/components/parameters/pathQueryRoleExpand'
responses:
'200':
description: Success
@@ -7765,7 +10674,16 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/Role'
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Roles:
+ $ref: '#/components/examples/StandardRolesListResponseGroup'
+ Custom Roles:
+ $ref: '#/components/examples/CustomRolesListResponseGroup'
+ IAM-Based Standard Roles:
+ $ref: '#/components/examples/IAMStandardRolesListResponseGroup'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
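Review bot: The `oneOf` at L56134–L56136 carries no `discriminator`, so if `StandardRole` and `CustomRole` overlap in their properties a response can validate against both, which strict validators reject and generated deserializers cannot resolve. Add a discriminator alongside the `oneOf`, e.g. `discriminator:` / `  propertyName: <DISCRIMINATING_FIELD>` (placeholder — use whichever property distinguishes the two schemas in components). The same undiscriminated `oneOf` appears at L56182, L56193 and L56234.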
@@ -7777,23 +10695,36 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleAssignment
+ - RoleAssignmentBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Assign a Role to a Group
- description: Assigns a role to a group
+ description: |-
+ Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Group.
+
+ You can also assign a custom role to a Group, but the preferred method to assign a custom role to a Group is to create a binding between the Custom Role, the Resource Set, and the Group. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding).
+
+ > **Notes:**
+ > * The request payload is different for standard and custom role assignments.
+ > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response.
operationId: assignRoleToGroup
parameters:
- name: disableNotifications
in: query
- description: Setting this to `true` grants the group third-party admin status
+ description: Grants the Group third-party admin status when set to `true`
schema:
type: boolean
+ default: false
x-codegen-request-body-name: assignRoleRequest
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/AssignRoleRequest'
+ oneOf:
+ - $ref: '#/components/schemas/StandardRoleAssignmentSchema'
+ - $ref: '#/components/schemas/CustomRoleAssignmentSchema'
required: true
responses:
'200':
@@ -7801,7 +10732,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Role'
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Roles:
+ $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup'
+ Custom Roles:
+ $ref: '#/components/examples/CreateCustomRoleResponseGroup'
+ IAM-based Standard Roles:
+ $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup'
'201':
description: Success
content: {}
@@ -7818,14 +10758,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleAssignment
- /api/v1/groups/{groupId}/roles/{roleId}:
+ - RoleAssignmentBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/groups/{groupId}/roles/{roleAssignmentId}:
parameters:
- $ref: '#/components/parameters/pathGroupId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
get:
- summary: Retrieve a Role assigned to Group
- description: Retrieves a role identified by `roleId` assigned to group identified by `groupId`
+ summary: Retrieve a Group Role Assignment
+ description: Retrieves a Role assigned to a Group (identified by the `groupId`). The `roleAssignmentId` is the unique identifier for either a standard role Group Assignment object or a custom role Resource Set Binding object.
operationId: getGroupAssignedRole
responses:
'200':
@@ -7833,7 +10776,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Role'
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Roles:
+ $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup'
+ Custom Roles:
+ $ref: '#/components/examples/CreateCustomRoleResponseGroup'
+ IAM-based Standard Roles:
+ $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -7845,10 +10797,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleAssignment
+ - RoleAssignmentBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign a Role from a Group
- description: Unassigns a role identified by `roleId` assigned to group identified by `groupId`
+ summary: Unassign a Group Role
+ description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Group (identified by the `groupId`)
operationId: unassignRoleFromGroup
responses:
'204':
@@ -7865,14 +10820,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleAssignment
- /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps:
+ - RoleAssignmentBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps:
parameters:
- $ref: '#/components/parameters/pathGroupId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
get:
- summary: List all Application Targets for an Application Administrator Role
- description: Lists all App targets for an `APP_ADMIN` Role assigned to a Group. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID.
+ summary: List all Group Role Application Targets
+ description: Lists all app targets for an `APP_ADMIN` Role Assignment to a Group. The response includes a list of OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app doesn't.
operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup
parameters:
- name: after
@@ -7905,15 +10863,18 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleTarget
- /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}:
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}:
parameters:
- $ref: '#/components/parameters/pathGroupId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
- $ref: '#/components/parameters/pathAppName'
put:
- summary: Assign an Application Target to Administrator Role
- description: Assigns an application target to administrator role
+ summary: Assign an Group Role Application Target
+ description: Assigns an OIN app target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets but applies only to the specified target. An OIN app target that's assigned to the Role overrides any existing instance targets of the OIN app. For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app with `facebook` for `appName` makes that user the administrator for all Facebook instances.
operationId: assignAppTargetToAdminRoleForGroup
responses:
'200':
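Review bot: The summary at L56306 reads "Assign an Group Role Application Target"; the article should be "a", i.e. `summary: Assign a Group Role Application Target`. The same "an Group" appears at L56352 and L56371.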
@@ -7930,10 +10891,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign an Application Target from Application Administrator Role
- description: Unassigns an application target from application administrator role
+ summary: Unassign a Group Role Application Target
+ description: |
+ Unassigns an OIN app target from an `APP_ADMIN` Role Assignment to a Group
+
+ > **Note:** You can't remove the last app target from a Role Assignment, since this causes an exception.
+ > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup).
operationId: unassignAppTargetToAdminRoleForGroup
responses:
'204':
@@ -7950,16 +10918,21 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
- /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}:
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}:
parameters:
- $ref: '#/components/parameters/pathGroupId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
- $ref: '#/components/parameters/pathAppName'
- $ref: '#/components/parameters/pathAppId'
put:
- summary: Assign an Application Instance Target to Application Administrator Role
- description: Assigns App Instance Target to App Administrator Role given to a Group
+ summary: Assign an Group Role Application Instance Target
+ description: |-
+ Assigns an app instance target to an `APP_ADMIN` Role Assignment to a Group. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment. The Role no longer applies to all app targets, but applies only to the specified target.
+ > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app.
operationId: assignAppInstanceTargetToAppAdminRoleForGroup
responses:
'204':
@@ -7976,10 +10949,15 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign an Application Instance Target from an Application Administrator Role
- description: Unassigns an application instance target from application administrator role
+ summary: Unassign an Group Role Application Instance Target
+ description: |-
+ Unassigns an app instance target from an `APP_ADMIN` Role Assignment to a Group
+ > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception. > If you need a Role Assignment that applies to all apps, delete the `APP_ADMIN` Role Assignment and recreate a new one. See [Unassign a Group Role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup).
operationId: unassignAppInstanceTargetToAppAdminRoleForGroup
responses:
'204':
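Review bot: L56374 contains a second blockquote marker in the middle of the line (`… causes an exception. > If you need …`), so the `>` and the following sentence render literally inside the first note instead of starting a new quoted line. Split it onto its own line as the equivalent note at L56327–L56328 does: `> **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception.` followed by `> If you need a Role Assignment that applies to all apps, …`.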
@@ -7996,14 +10974,19 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
- /api/v1/groups/{groupId}/roles/{roleId}/targets/groups:
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups:
parameters:
- $ref: '#/components/parameters/pathGroupId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
get:
- summary: List all Group Targets for a Group Role
- description: Lists all group targets for a group role
+ summary: List all Group Role Group Targets
+ description: |
+ Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group.
+ If the Role isn't scoped to specific Group targets, an empty array `[]` is returned.
operationId: listGroupTargetsForGroupRole
parameters:
- name: after
@@ -8036,15 +11019,20 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleTarget
- /api/v1/groups/{groupId}/roles/{roleId}/targets/groups/{targetGroupId}:
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}:
parameters:
- $ref: '#/components/parameters/pathGroupId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
- $ref: '#/components/parameters/pathTargetGroupId'
put:
- summary: Assign a Group Target to a Group Role
- description: Assigns a group target to a group role
+ summary: Assign a Group Role Group Target
+ description: |
+ Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group.
+ When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets but applies only to the specified target.
operationId: assignGroupTargetToGroupAdminRole
responses:
'204':
@@ -8061,10 +11049,13 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign a Group Target from a Group Role
- description: Unassigns a group target from a group role
+ summary: Unassign a Group Role Group Target
+ description: Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a Group.
operationId: unassignGroupTargetFromGroupAdminRole
responses:
'204':
@@ -8081,20 +11072,22 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetBGroup
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/{groupId}/users:
parameters:
- $ref: '#/components/parameters/pathGroupId'
get:
summary: List all Member Users
- description: Lists all users that are a member of a group
+ description: |-
+ Lists all users that are a member of a Group.
+
+ The default user limit is set to a very high number due to historical reasons that are no longer valid for most orgs. This will change in a future version of this API. The recommended page limit is now `limit=200`.
operationId: listGroupUsers
parameters:
- - name: after
- in: query
- description: Specifies the pagination cursor for the next page of users
- schema:
- type: string
+ - $ref: '#/components/parameters/queryAfter'
- name: limit
in: query
description: Specifies the number of user results in a page
@@ -8111,6 +11104,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/User'
+ examples:
+ ListMemberUserResponse:
+ $ref: '#/components/examples/ListUsersResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -8123,13 +11119,18 @@ paths:
- okta.groups.read
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/groups/{groupId}/users/{userId}:
parameters:
- $ref: '#/components/parameters/pathGroupId'
- $ref: '#/components/parameters/pathUserId'
put:
- summary: Assign a User
- description: Assigns a user to a group with 'OKTA_GROUP' type
+ summary: Assign a User to a Group
+ description: |-
+ Assigns a User to a Group with the `OKTA_GROUP` type
+ > **Note:** You only can modify memberships for Groups of the `OKTA_GROUP` type. App imports are responsible for managing group memberships for Groups of the `APP_GROUP` type, such as Active Directory groups.
operationId: assignUserToGroup
responses:
'204':
@@ -8147,9 +11148,16 @@ paths:
- okta.groups.manage
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign a User
- description: Unassigns a user from a group with 'OKTA_GROUP' type
+ summary: Unassign a User from a Group
+ description: |-
+ Unassigns a User from a Group with the `OKTA_GROUP` type
+ > **Note:** You only can modify memberships for groups of the `OKTA_GROUP` type.
+ >
+ > App imports are responsible for managing group memberships for groups of the `APP_GROUP` type, such as Active Directory groups.
operationId: unassignUserFromGroup
responses:
'204':
@@ -8167,6 +11175,9 @@ paths:
- okta.groups.manage
tags:
- Group
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/hook-keys:
get:
summary: List all keys
@@ -8194,14 +11205,24 @@ paths:
- okta.inlineHooks.read
tags:
- HookKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a key
- description: |
+ description: |-
Creates a key for use with other parts of the application, such as inline hooks
- Use the key name to access this key for inline hook operations.
+ > **Note:** Use the key name to access this key for inline hook operations.
The total number of keys that you can create in an Okta org is limited to 50.
+
+ The response is a [Key object](https://developer.okta.com/docs/reference/api/hook-keys/#key-object) that represents the
+ key that you create. The `id` property in the response serves as the unique ID for the key, which you can specify when
+ invoking other CRUD operations. The `keyId` provided in the response is the alias of the public key that you can use to get
+ details of the public key data in a separate call.
+
+ > **Note:** The keyId is the alias of the public key that you can use to retrieve the public key.
operationId: createHookKey
x-codegen-request-body-name: keyRequest
requestBody:
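Review bot: The `createHookKey` description makes the same point twice — the paragraph ending "in a separate call" already says `keyId` is the alias of the public key, and the trailing `> **Note:** The keyId is the alias of the public key…` repeats it. I would drop the final note and keep the paragraph, so the 50-key org limit and the `id`/`keyId` distinction stay as the two things a reader takes away. The rest of this operation (request body, responses) continues outside the hunk.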
@@ -8216,7 +11237,7 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/HookKey'
+ $ref: '#/components/schemas/DetailedHookKeyInstance'
examples:
ResponseExample:
$ref: '#/components/examples/CreateHookKeyResponse'
@@ -8232,12 +11253,18 @@ paths:
- okta.inlineHooks.manage
tags:
- HookKey
- /api/v1/hook-keys/public/{publicKeyId}:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/hook-keys/public/{keyId}:
parameters:
- $ref: '#/components/parameters/pathPublicKeyId'
get:
summary: Retrieve a public key
- description: Retrieves a public key by `keyId`
+ description: |-
+ Retrieves a public key by `keyId`
+
+ >**Note:** keyId is the alias of the public key.
operationId: getPublicKey
responses:
'200':
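Review bot: The path template was renamed to `/api/v1/hook-keys/public/{keyId}` but the path-level parameter is still `$ref: '#/components/parameters/pathPublicKeyId'`; unless that component was renamed to `name: keyId` in a part of the diff not shown here, the template variable now has no matching declared parameter, which OpenAPI 3 validators reject and code generators mis-handle. Either point the ref at a component whose `name` is `keyId` (e.g. `- $ref: '#/components/parameters/pathKeyId'`) or keep the template as `{publicKeyId}`. The operation's responses continue outside this hunk.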
@@ -8245,7 +11272,7 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/_embedded'
examples:
ResponseExample:
$ref: '#/components/examples/RetrievePublicKeyResponse'
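Review bot: The `getPublicKey` response schema now references `#/components/schemas/_embedded` instead of `JsonWebKey`; `_embedded` is the HAL container key, not a type, so generators will emit a model named something like `Embedded` for what is actually the hook key's public JWK. If the response really is the JWK under an `_embedded` wrapper, a named schema such as `HookKeyPublicKey` (or `JsonWebKey` with the wrapper described) would be clearer for clients. The component definition is outside this chunk, so this is inferred from the name alone.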
@@ -8261,13 +11288,25 @@ paths:
- okta.inlineHooks.read
tags:
- HookKey
- /api/v1/hook-keys/{hookKeyId}:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/hook-keys/{id}:
parameters:
- $ref: '#/components/parameters/pathHookKeyId'
get:
- summary: Retrieve a key
- description: Retrieves a key by `hookKeyId`
+ summary: Retrieve a key by ID
+ description: |-
+ Retrieves the public portion of the Key object using the `id` parameter
+
+ >**Note:** The `?expand=publickey` query parameter optionally returns the full object including the details of the public key in the response body's `_embedded` property.
operationId: getHookKey
+ parameters:
+ - name: id
+ description: A valid key ID
+ in: path
+ schema:
+ type: string
responses:
'200':
description: Success
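Review bot: The inline `id` parameter added to `getHookKey` lacks `required: true`, which OpenAPI 3 mandates for every `in: path` parameter, and it sits alongside the path-level `- $ref: '#/components/parameters/pathHookKeyId'`, so the same template variable may now be declared twice if that component was also renamed to `id`. The description also documents a `?expand=publickey` query parameter that no `parameters` entry declares, so validators and generated clients will not know it exists. I would make the path parameter required (or drop the inline duplicate if `pathHookKeyId` already resolves to `id`) and declare `expand` explicitly; the `'200'` response body is declared in the next hunk.
```yaml
      operationId: getHookKey
      parameters:
        - name: id
          description: A valid key ID
          in: path
          required: true
          schema:
            type: string
        - name: expand
          in: query
          description: Set to `publickey` to include the public key details in the response's `_embedded` property
          required: false
          schema:
            type: string
      # … unchanged: responses …
```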
@@ -8275,9 +11314,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/HookKey'
- examples:
- ResponseExample:
- $ref: '#/components/examples/RetrieveKeyResponse'
+ examples:
+ ResponseExample:
+ $ref: '#/components/examples/RetrieveKeyResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -8290,14 +11329,17 @@ paths:
- okta.inlineHooks.read
tags:
- HookKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a key
- description: |
- Replaces a key by `hookKeyId`
+ description: |-
+ Replaces a key by `id`
This request replaces existing properties after passing validation.
- Note: The only parameter that you can update is the name of the key, which must be unique at all times.
+ > **Note:** The only parameter that you can update is the name of the key, which must be unique at all times.
operationId: replaceHookKey
x-codegen-request-body-name: keyRequest
requestBody:
@@ -8312,10 +11354,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/HookKey'
- examples:
- ResponseExample:
- $ref: '#/components/examples/ReplaceKeyResponse'
+ $ref: '#/components/schemas/DetailedHookKeyInstance'
+ examples:
+ ResponseExample:
+ $ref: '#/components/examples/ReplaceKeyResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -8330,10 +11372,13 @@ paths:
- okta.inlineHooks.manage
tags:
- HookKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a key
description: |
- Deletes a key by `hookKeyId`. After being deleted, the key is unrecoverable.
+ Deletes a key by `id`. After being deleted, the key is unrecoverable.
As a safety precaution, only keys that aren't being used are eligible for deletion.
operationId: deleteHookKey
@@ -8353,6 +11398,9 @@ paths:
- okta.inlineHooks.manage
tags:
- HookKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/iam/assignees/users:
get:
summary: List all Users with Role Assignments
@@ -8360,9 +11408,11 @@ paths:
operationId: listUsersWithRoleAssignments
parameters:
- name: after
+ description: Specifies the pagination cursor for the next page of targets
in: query
schema:
type: string
+ required: false
- name: limit
in: query
description: Specifies the number of results returned. Defaults to `100`.
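Review bot: The `after` description added to `listUsersWithRoleAssignments` says "next page of targets", but this operation pages through users with role assignments, and `listGroupUsers` earlier in this diff was switched to the shared `$ref: '#/components/parameters/queryAfter'` for the same cursor. Replacing the inline definition with `- $ref: '#/components/parameters/queryAfter'` would fix the wording and keep the pagination cursor defined once; the `limit` parameter's schema continues in the next hunk.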
@@ -8370,6 +11420,7 @@ paths:
type: integer
format: int32
default: 100
+ required: false
responses:
'200':
description: Success
@@ -8393,7 +11444,321 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleAssignment
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/governance/bundles:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ get:
+ summary: List all Governance Bundles for the Admin Console
+ description: Lists all Governance Bundles for the Admin Console in your org
+ operationId: listGovernanceBundles
+ parameters:
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GovernanceBundlesResponse'
+ examples:
+ GovernanceBundlesResponse:
+ $ref: '#/components/examples/GovernanceBundlesResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - GovernanceBundle
+ post:
+ summary: Create a Governance Bundle for the Admin Console in RAMP
+ description: Creates a Governance Bundle for the Admin Console in RAMP
+ operationId: createGovernanceBundle
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GovernanceBundleCreateRequest'
+ examples:
+ GovernanceBundleCreateRequestStandardRole:
+ $ref: '#/components/examples/GovernanceBundleCreateRequestStandardRole'
+ GovernanceBundleCreateRequestScopedStandardRole:
+ $ref: '#/components/examples/GovernanceBundleCreateRequestScopedStandardRole'
+ GovernanceBundleCreateRequestCustomRole:
+ $ref: '#/components/examples/GovernanceBundleCreateRequestCustomRole'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GovernanceBundle'
+ examples:
+ createGovernanceBundleResponse:
+ $ref: '#/components/examples/GovernanceBundle'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - GovernanceBundle
+ /api/v1/iam/governance/bundles/{bundleId}:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ parameters:
+ - $ref: '#/components/parameters/pathBundleId'
+ get:
+ summary: Retrieve a Governance Bundle from RAMP
+ description: Retrieves a Governance Bundle from RAMP
+ operationId: getGovernanceBundle
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GovernanceBundle'
+ examples:
+ GovernanceBundle:
+ $ref: '#/components/examples/GovernanceBundle'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - GovernanceBundle
+ put:
+ summary: Replace a Governance Bundle in RAMP
+ description: Replaces a Governance Bundle in RAMP
+ operationId: replaceGovernanceBundle
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GovernanceBundleUpdateRequest'
+ examples:
+ GovernanceBundleUpdateRequestStandardRole:
+ $ref: '#/components/examples/GovernanceBundleUpdateRequestStandardRole'
+ GovernanceBundleUpdateRequestScopedStandardRole:
+ $ref: '#/components/examples/GovernanceBundleUpdateRequestScopedStandardRole'
+ GovernanceBundleUpdateRequestCustomRole:
+ $ref: '#/components/examples/GovernanceBundleUpdateRequestCustomRole'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GovernanceBundle'
+ examples:
+ GovernanceBundle:
+ $ref: '#/components/examples/GovernanceBundle'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - GovernanceBundle
+ delete:
+ summary: Delete a Governance Bundle from RAMP
+ description: Deletes a Governance Bundle from RAMP
+ operationId: deleteGovernanceBundle
+ responses:
+ '204':
+ description: No Content
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - GovernanceBundle
+ /api/v1/iam/governance/bundles/{bundleId}/entitlements:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ parameters:
+ - $ref: '#/components/parameters/pathBundleId'
+ get:
+ summary: List all Entitlements for a Governance Bundle
+ description: Lists all Entitlements specific to a Governance Bundle
+ operationId: listBundleEntitlements
+ parameters:
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/BundleEntitlementsResponse'
+ examples:
+ BundleEntitlementsResponse:
+ $ref: '#/components/examples/BundleEntitlementsResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - GovernanceBundle
+ /api/v1/iam/governance/bundles/{bundleId}/entitlements/{entitlementId}/values:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ parameters:
+ - $ref: '#/components/parameters/pathBundleId'
+ - $ref: '#/components/parameters/pathEntitlementId'
+ get:
+ summary: List all Entitlement Values for a Bundle Entitlement
+ description: Lists all Entitlement Values specific to a Bundle Entitlement
+ operationId: listBundleEntitlementValues
+ parameters:
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EntitlementValuesResponse'
+ examples:
+ EntitlementValuesResponse:
+ $ref: '#/components/examples/EntitlementValuesResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - GovernanceBundle
+ /api/v1/iam/governance/optIn:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ get:
+ summary: Retrieve the opt-in status from RAMP
+ description: Retrieves the opt-in status of the Admin Console from RAMP
+ operationId: getOptInStatus
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OptInStatusResponse'
+ examples:
+ OptInStatusResponse:
+ $ref: '#/components/examples/OptInStatusResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - GovernanceBundle
+ post:
+ summary: Opt in the Admin Console to RAMP
+ description: Opts in the Admin Console to RAMP
+ operationId: optIn
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OptInStatusResponse'
+ examples:
+ OptInStatusResponse:
+ $ref: '#/components/examples/OptInStatusResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - GovernanceBundle
+ /api/v1/iam/governance/optOut:
+ post:
+ summary: Opt out the Admin Console from RAMP
+ description: Opts out the Admin Console from RAMP
+ operationId: optOut
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OptInStatusResponse'
+ examples:
+ OptOutStatusResponse:
+ $ref: '#/components/examples/OptOutStatusResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - GovernanceBundle
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/iam/resource-sets:
get:
summary: List all Resource Sets
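Review bot: The `get`, `put` and `delete` operations on `/api/v1/iam/governance/bundles/{bundleId}` declare `400`, `403` and `429` responses but no `404`, even though the path is addressed by an ID and the other ID-addressed paths in this file (for example `/api/v1/hook-keys/{id}` above) list a `'404':` response component. Add `'404':` with the same not-found response ref those paths use to each of the three operations so clients generated from the spec handle a missing or foreign-org bundle ID rather than treating it as a generic error. Note also that `/api/v1/iam/governance/optOut` places its `x-okta-lifecycle` block after the operation while every other governance path puts it first; harmless to YAML, but worth aligning since the next hunk continues the file.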
@@ -8420,10 +11785,16 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - ResourceSet
+ - RoleCResourceSet
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Resource Set
- description: Creates a new Resource Set
+ description: |-
+ Creates a new Resource Set. See [Supported Resources](/openapi/okta-management/guides/roles/#supported-resources).
+
+ > **Note:** The maximum number of `resources` allowed in a Resource Set object is 1000. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn).
operationId: createResourceSet
x-codegen-request-body-name: instance
requestBody:
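Review bot: The tag on `listResourceSets`/`createResourceSet` was renamed from `ResourceSet` to `RoleCResourceSet`, and the sibling hunks introduce `RoleDResourceSetBinding`, `RoleECustom`, `RoleECustomPermission` and `RoleAssignmentAUser`; the embedded letters look like a display-ordering device, but code generators derive API class names from tags, so SDK consumers will get classes like `RoleCResourceSetApi`. Presentation order belongs in the top-level `tags:` list (which the header already decorates with `x-displayName`), so I would keep `- ResourceSet` here and order the group there. The `createResourceSet` request body continues outside this hunk.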
@@ -8463,13 +11834,16 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
- /api/v1/iam/resource-sets/{resourceSetId}:
+ - RoleCResourceSet
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/resource-sets/{resourceSetIdOrLabel}:
parameters:
- - $ref: '#/components/parameters/pathResourceSetId'
+ - $ref: '#/components/parameters/pathResourceSetIdOrLabel'
get:
summary: Retrieve a Resource Set
- description: Retrieves a Resource Set by `resourceSetId`
+ description: Retrieves a Resource Set by `resourceSetIdOrLabel`
operationId: getResourceSet
responses:
'200':
@@ -8492,10 +11866,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - ResourceSet
+ - RoleCResourceSet
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Resource Set
- description: Replaces a Resource Set by `resourceSetId`
+ description: Replaces the label and description of a Resource Set
operationId: replaceResourceSet
x-codegen-request-body-name: instance
requestBody:
@@ -8505,7 +11882,7 @@ paths:
$ref: '#/components/schemas/ResourceSet'
examples:
Example Request:
- $ref: '#/components/examples/ResourceSetRequest'
+ $ref: '#/components/examples/ReplaceResourceSetRequest'
required: true
responses:
'200':
@@ -8530,10 +11907,13 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
+ - RoleCResourceSet
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Resource Set
- description: Deletes a role by `resourceSetId`
+ description: Deletes a Resource Set by `resourceSetIdOrLabel`
operationId: deleteResourceSet
responses:
'204':
@@ -8557,13 +11937,16 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
- /api/v1/iam/resource-sets/{resourceSetId}/bindings:
+ - RoleCResourceSet
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings:
parameters:
- - $ref: '#/components/parameters/pathResourceSetId'
+ - $ref: '#/components/parameters/pathResourceSetIdOrLabel'
get:
- summary: List all Bindings
- description: Lists all Resource Set bindings with pagination support
+ summary: List all Role Resource Set Bindings
+ description: Lists all Bindings for a Resource Set with pagination support
operationId: listBindings
parameters:
- $ref: '#/components/parameters/queryAfter'
@@ -8588,10 +11971,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - ResourceSet
+ - RoleDResourceSetBinding
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create a Resource Set Binding
- description: Creates a new Resource Set binding
+ summary: Create a Role Resource Set Binding
+ description: Creates a Binding for the Resource Set, Custom Role, and members (Users or Groups)
operationId: createResourceSetBinding
x-codegen-request-body-name: instance
requestBody:
@@ -8633,14 +12019,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
- /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}:
+ - RoleDResourceSetBinding
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}:
parameters:
- - $ref: '#/components/parameters/pathResourceSetId'
+ - $ref: '#/components/parameters/pathResourceSetIdOrLabel'
- $ref: '#/components/parameters/pathRoleIdOrLabel'
get:
- summary: Retrieve a Binding
- description: Retrieves a Resource Set binding by `resourceSetId` and `roleIdOrLabel`
+ summary: Retrieve a Role Resource Set Binding
+ description: Retrieves the Binding of a Role (identified by `roleIdOrLabel`) in a Resource Set (identified by `resourceSetIdOrLabel`)
operationId: getBinding
responses:
'200':
@@ -8663,10 +12052,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - ResourceSet
+ - RoleDResourceSetBinding
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Delete a Binding
- description: Deletes a Resource Set binding by `resourceSetId` and `roleIdOrLabel`
+ summary: Delete a Role Resource Set Binding
+ description: Deletes a Binding of a Role (identified by `roleIdOrLabel`) and a Resource Set (identified by `resourceSetIdOrLabel`)
operationId: deleteBinding
responses:
'204':
@@ -8690,14 +12082,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
- /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members:
+ - RoleDResourceSetBinding
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members:
parameters:
- - $ref: '#/components/parameters/pathResourceSetId'
+ - $ref: '#/components/parameters/pathResourceSetIdOrLabel'
- $ref: '#/components/parameters/pathRoleIdOrLabel'
get:
- summary: List all Members of a binding
- description: Lists all members of a Resource Set binding with pagination support
+ summary: List all Role Resource Set Binding Members
+ description: Lists all members of a Role Resource Set Binding with pagination support
operationId: listMembersOfBinding
parameters:
- $ref: '#/components/parameters/queryAfter'
@@ -8722,10 +12117,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - ResourceSet
+ - RoleDResourceSetBindingMember
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
patch:
- summary: Add more Members to a binding
- description: Adds more members to a Resource Set binding
+ summary: Add more Role Resource Set Binding Members
+ description: Adds more members to a Role Resource Set Binding
operationId: addMembersToBinding
x-codegen-request-body-name: instance
requestBody:
@@ -8767,15 +12165,18 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
- /api/v1/iam/resource-sets/{resourceSetId}/bindings/{roleIdOrLabel}/members/{memberId}:
+ - RoleDResourceSetBindingMember
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}:
parameters:
- - $ref: '#/components/parameters/pathResourceSetId'
+ - $ref: '#/components/parameters/pathResourceSetIdOrLabel'
- $ref: '#/components/parameters/pathRoleIdOrLabel'
- $ref: '#/components/parameters/pathMemberId'
get:
- summary: Retrieve a Member of a binding
- description: Retrieves a member identified by `memberId` for a binding
+ summary: Retrieve a Role Resource Set Binding Member
+ description: Retrieves a Member (identified by `memberId`) that belongs to a Role Resource Set Binding
operationId: getMemberOfBinding
responses:
'200':
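Review bot: The new summary for `unassignMemberFromBinding` reads `Unassign a Role Resource Set Bindiing Member`; `Bindiing` should be `Binding`, as summaries surface verbatim in the generated reference docs and SDK doc comments. The retained `x-codegen-request-body-name: instance` on this `delete`, which declares no request body, is pre-existing noise that could go in the same touch-up. The operation's responses continue outside the hunk.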
@@ -8798,10 +12199,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - ResourceSet
+ - RoleDResourceSetBindingMember
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign a Member from a binding
- description: Unassigns a member identified by `memberId` from a binding
+ summary: Unassign a Role Resource Set Bindiing Member
+ description: Unassigns a Member (identified by `memberId`) from a Role Resource Set Binding
operationId: unassignMemberFromBinding
x-codegen-request-body-name: instance
responses:
@@ -8826,13 +12230,16 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
- /api/v1/iam/resource-sets/{resourceSetId}/resources:
+ - RoleDResourceSetBindingMember
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources:
parameters:
- - $ref: '#/components/parameters/pathResourceSetId'
+ - $ref: '#/components/parameters/pathResourceSetIdOrLabel'
get:
- summary: List all Resources of a Resource Set
- description: Lists all resources that make up the Resource Set
+ summary: List all Resource Set Resources
+ description: Lists all Resources for the Resource Set
operationId: listResourceSetResources
responses:
'200':
@@ -8855,11 +12262,14 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - ResourceSet
+ - RoleCResourceSetResource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
patch:
- summary: Add more Resource to a Resource Set
- description: Adds more resources to a Resource Set
- operationId: addResourceSetResource
+ summary: Add more Resources to a Resource Set
+ description: Adds more Resources to a Resource Set
+ operationId: addResourceSetResources
x-codegen-request-body-name: instance
requestBody:
content:
@@ -8900,14 +12310,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
- /api/v1/iam/resource-sets/{resourceSetId}/resources/{resourceId}:
+ - RoleCResourceSetResource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}:
parameters:
- - $ref: '#/components/parameters/pathResourceSetId'
+ - $ref: '#/components/parameters/pathResourceSetIdOrLabel'
- $ref: '#/components/parameters/pathResourceId'
delete:
- summary: Delete a Resource from a Resource Set
- description: Deletes a resource identified by `resourceId` from a Resource Set
+ summary: Delete a Resource Set Resource
+ description: Deletes a Resource (identified by `resourceId`) from a Resource Set
operationId: deleteResourceSetResource
responses:
'204':
@@ -8931,11 +12344,14 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - ResourceSet
+ - RoleCResourceSetResource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/iam/roles:
get:
- summary: List all Roles
- description: Lists all roles with pagination support
+ summary: List all Custom Roles
+ description: Lists all Custom Roles with pagination support
operationId: listRoles
parameters:
- $ref: '#/components/parameters/queryAfter'
@@ -8958,10 +12374,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - Role
+ - RoleECustom
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create a Role
- description: Creates a new role
+ summary: Create a Custom Role
+ description: Creates a Custom Role
operationId: createRole
x-codegen-request-body-name: instance
requestBody:
@@ -9001,7 +12420,10 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - Role
+ - RoleECustom
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/iam/roles/{roleIdOrLabel}:
parameters:
- $ref: '#/components/parameters/pathRoleIdOrLabel'
@@ -9030,10 +12452,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - Role
+ - RoleECustom
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Replace a Role
- description: Replaces a role by `roleIdOrLabel`
+ summary: Replace a Custom Role
+ description: Replaces the label and description for a Custom Role by `roleIdOrLabel`
operationId: replaceRole
x-codegen-request-body-name: instance
requestBody:
@@ -9043,7 +12468,7 @@ paths:
$ref: '#/components/schemas/UpdateIamRoleRequest'
examples:
Example Request:
- $ref: '#/components/examples/RoleRequest'
+ $ref: '#/components/examples/ReplaceRoleRequest'
required: true
responses:
'200':
@@ -9068,10 +12493,13 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - Role
+ - RoleECustom
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Delete a Role
- description: Deletes a role by `roleIdOrLabel`
+ summary: Delete a Custom Role
+ description: Deletes a Custom Role by `roleIdOrLabel`
operationId: deleteRole
responses:
'204':
@@ -9095,13 +12523,16 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - Role
+ - RoleECustom
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/iam/roles/{roleIdOrLabel}/permissions:
parameters:
- $ref: '#/components/parameters/pathRoleIdOrLabel'
get:
- summary: List all Permissions
- description: Lists all permissions of the role by `roleIdOrLabel`
+ summary: List all Custom Role Permissions
+ description: Lists all permissions for a Custom Role by `roleIdOrLabel`
operationId: listRolePermissions
responses:
'200':
@@ -9124,14 +12555,17 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - Role
+ - RoleECustomPermission
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}:
parameters:
- $ref: '#/components/parameters/pathRoleIdOrLabel'
- $ref: '#/components/parameters/pathPermissionType'
get:
- summary: Retrieve a Permission
- description: Retrieves a permission by `permissionType`
+ summary: Retrieve a Custom Role Permission
+ description: Retrieves a permission (identified by `permissionType`) for a Custom Role
operationId: getRolePermission
responses:
'200':
@@ -9141,8 +12575,10 @@ paths:
schema:
$ref: '#/components/schemas/Permission'
examples:
- Example Response:
+ Example Response without conditions:
$ref: '#/components/examples/PermissionResponse'
+ Example Response with conditions:
+ $ref: '#/components/examples/PermissionResponseWithConditions'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9154,23 +12590,28 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - Role
+ - RoleECustomPermission
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create a Permission
- description: Creates a permission specified by `permissionType` to the role
+ summary: Create a Custom Role Permission
+ description: Creates a permission (specified by `permissionType`) for a Custom Role
operationId: createRolePermission
x-codegen-request-body-name: instance
requestBody:
x-okta-lifecycle:
- features:
- - CUSTOM_ADMIN_ROLES_CONDITIONS
+ lifecycle: GA
+ isGenerallyAvailable: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest'
examples:
- Example Request:
- $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample'
+ Example Request with include:
+ $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude'
+ Example Request with exclude:
+ $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude'
required: false
responses:
'204':
@@ -9188,13 +12629,16 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - Role
+ - RoleECustomPermission
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
x-okta-lifecycle:
- features:
- - CUSTOM_ADMIN_ROLES_CONDITIONS
- summary: Replace a Permission
- description: Replaces a permission specified by `permissionType` in the role
+ lifecycle: GA
+ isGenerallyAvailable: true
+ summary: Replace a Custom Role Permission
+ description: Replaces a permission (specified by `permissionType`) for a Custom Role
operationId: replaceRolePermission
x-codegen-request-body-name: instance
requestBody:
@@ -9203,8 +12647,10 @@ paths:
schema:
$ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest'
examples:
- Example Request:
- $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExample'
+ Example Request with include:
+ $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude'
+ Example Request with exclude:
+ $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude'
required: false
responses:
'200':
@@ -9229,10 +12675,10 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - Role
+ - RoleECustomPermission
delete:
- summary: Delete a Permission
- description: Deletes a permission from a role by `permissionType`
+ summary: Delete a Custom Role Permission
+ description: Deletes a permission (identified by `permissionType`) from a Custom Role
operationId: deleteRolePermission
responses:
'204':
@@ -9256,13 +12702,16 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - Role
+ - RoleECustomPermission
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/identity-sources/{identitySourceId}/sessions:
parameters:
- $ref: '#/components/parameters/pathIdentitySourceId'
get:
summary: List all Identity Source Sessions
- description: Lists all identity source sessions for the given identity source instance
+ description: Lists all Identity Source Sessions for the given Identity Source instance
operationId: listIdentitySourceSessions
responses:
'200':
@@ -9288,9 +12737,13 @@ paths:
- okta.identitySources.read
tags:
- IdentitySource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
post:
summary: Create an Identity Source Session
- description: Creates an identity source session for the given identity source instance
+ description: Creates an Identity Source Session for the given Identity Source instance
operationId: createIdentitySourceSession
responses:
'200':
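Review bot: The `x-okta-lifecycle` block added to `listIdentitySourceSessions` sets `lifecycle: GA` together with `isGenerallyAvailable: false` and an empty `SKUs: []`, which reads as self-contradictory and is repeated on every identity-source and governance path in this diff. If this encodes "GA-track but gated per org", the meaning should be stated once where the `x-okta-lifecycle` extension is defined so readers and tooling do not read `GA` as "available to all orgs"; otherwise the value should be `isGenerallyAvailable: true` or a non-GA `lifecycle`. The `createIdentitySourceSession` response body is declared in the next hunk.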
@@ -9298,12 +12751,10 @@ paths:
content:
application/json:
schema:
- type: object
- items:
- $ref: '#/components/schemas/IdentitySourceSession'
+ $ref: '#/components/schemas/IdentitySourceSession'
examples:
- sessionsList:
- $ref: '#/components/examples/ListSessionsResponse'
+ session:
+ $ref: '#/components/examples/GetSessionResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9316,13 +12767,17 @@ paths:
- okta.identitySources.manage
tags:
- IdentitySource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}:
parameters:
- $ref: '#/components/parameters/pathIdentitySourceId'
- $ref: '#/components/parameters/pathIdentitySourceSessionId'
get:
summary: Retrieve an Identity Source Session
- description: Retrieves an identity source session for a given identity source id and session id
+ description: Retrieves an Identity Source Session for a given Identity Source ID and session ID
operationId: getIdentitySourceSession
responses:
'200':
@@ -9332,8 +12787,8 @@ paths:
schema:
$ref: '#/components/schemas/IdentitySourceSession'
examples:
- Session:
- $ref: '#/components/examples/ListSessionsResponse'
+ session:
+ $ref: '#/components/examples/GetSessionResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9346,9 +12801,13 @@ paths:
- okta.identitySources.read
tags:
- IdentitySource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
delete:
summary: Delete an Identity Source Session
- description: Deletes an identity source session for a given `identitySourceId` and `sessionId`
+ description: Deletes an Identity Source Session for a given `identitySourceId` and `sessionId`
operationId: deleteIdentitySourceSession
responses:
'204':
@@ -9365,19 +12824,26 @@ paths:
- okta.identitySources.manage
tags:
- IdentitySource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-delete:
parameters:
- $ref: '#/components/parameters/pathIdentitySourceId'
- $ref: '#/components/parameters/pathIdentitySourceSessionId'
post:
summary: Upload the data to be deleted in Okta
- description: Uploads entities that need to be deleted in Okta from the identity source for the given session
+ description: Uploads external IDs of entities that need to be deleted in Okta from the Identity Source for the given session
operationId: uploadIdentitySourceDataForDelete
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/BulkDeleteRequestBody'
+ examples:
+ bulkDeletePayload:
+ $ref: '#/components/examples/bulkDeletePayload'
responses:
'202':
description: Accepted
@@ -9395,19 +12861,26 @@ paths:
- okta.identitySources.manage
tags:
- IdentitySource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert:
parameters:
- $ref: '#/components/parameters/pathIdentitySourceId'
- $ref: '#/components/parameters/pathIdentitySourceSessionId'
post:
summary: Upload the data to be upserted in Okta
- description: Uploads entities that need to be upserted in Okta from the identity source for the given session
+ description: Uploads entities that need to be inserted or updated in Okta from the Identity Source for the given session
operationId: uploadIdentitySourceDataForUpsert
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/BulkUpsertRequestBody'
+ examples:
+ bulkUpsertPayload:
+ $ref: '#/components/examples/bulkUpsertPayload'
responses:
'202':
description: Accepted
@@ -9425,13 +12898,17 @@ paths:
- okta.identitySources.manage
tags:
- IdentitySource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import:
parameters:
- $ref: '#/components/parameters/pathIdentitySourceId'
- $ref: '#/components/parameters/pathIdentitySourceSessionId'
post:
summary: Start the import from the Identity Source
- description: Starts the import from the identity source described by the uploaded bulk operations
+ description: Starts the import from the Identity Source described by the uploaded bulk operations
operationId: startImportFromIdentitySource
responses:
'200':
@@ -9439,11 +12916,9 @@ paths:
content:
application/json:
schema:
- type: object
- items:
- $ref: '#/components/schemas/IdentitySourceSession'
+ $ref: '#/components/schemas/IdentitySourceSession'
examples:
- sessionsList:
+ triggeredSession:
$ref: '#/components/examples/TriggerSessionResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
@@ -9457,6 +12932,10 @@ paths:
- okta.identitySources.manage
tags:
- IdentitySource
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/idps:
get:
summary: List all Identity Providers
@@ -9465,26 +12944,17 @@ paths:
parameters:
- name: q
in: query
- description: Searches the name property of IdPs for matching value
- schema:
- type: string
- - name: after
- in: query
- description: Specifies the pagination cursor for the next page of IdPs
+ description: Searches the `name` property of IdPs for matching value
schema:
type: string
- - name: limit
- in: query
- description: Specifies the number of IdP results in a page
- schema:
- type: integer
- format: int32
- default: 20
+ example: Example SAML
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
- name: type
in: query
- description: Filters IdPs by type
+ description: Filters IdPs by `type`
schema:
- type: string
+ $ref: '#/components/schemas/IdentityProviderType'
responses:
'200':
description: Success
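Review bot: The `default: 20` and `format: int32` documented on listIdentityProviders' `limit` parameter disappear when the inline `after`/`limit` definitions are swapped for `$ref: '#/components/parameters/queryAfter'` and `queryLimit`, and those shared components are outside this hunk, so I can't confirm they restate them. If `queryLimit` documents a different default (or none), the page size silently changes for anyone reading the spec or generating a client; if it matches, a line in the commit message saying so would make the equivalence checkable. The same substitution is made for listIdentityProviderKeys and listIdentityProviderApplicationUsers further down.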
@@ -9494,6 +12964,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ MultipleIdPsResponse:
+ $ref: '#/components/examples/MultipleIdPsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -9504,16 +12977,60 @@ paths:
- okta.idps.read
tags:
- IdentityProvider
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an Identity Provider
- description: Creates a new identity provider integration
+ description: |-
+ Creates a new Identity Provider integration.
+
+ #### SAML 2.0 Identity Provider
+
+ You must first add the IdP's signature certificate to the IdP key store before you can add a SAML 2.0 IdP with a `kid` credential reference.
+
+ Don't use `fromURI` to automatically redirect a user to a particular app after successfully authenticating with a third-party IdP. Instead, use SAML deep links. Using `fromURI` isn't tested or supported. For more information about using deep links when signing users in using an SP-initiated flow, see [Understanding SP-Initiated Login flow](https://developer.okta.com/docs/concepts/saml/#understanding-sp-initiated-login-flow).
+
+ Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL:
+
+ * SP ACS URL
+ For example: `https://${yourOktaDomain}/sso/saml2/:idpId`
+ * The app to which the user is automatically redirected after successfully authenticating with the IdP
+ For example: `/app/:app-location/:appId/sso/saml`
+ * Optionally, if the app is an outbound SAML app, you can specify the `relayState` passed to it.
+ For example: `?RelayState=:anyUrlEncodedValue`
+
+ The deep link for the above three parts is:
+ `https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue`
+
+ #### Smart Card X509 Identity Provider
+
+ You must first add the IdP's server certificate to the IdP key store before you can add a Smart Card `X509` IdP with a `kid` credential reference.
+ You need to upload the whole trust chain as a single key using the [Key Store API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderKeys/#tag/IdentityProviderKeys/operation/createIdentityProviderKey).
+ Depending on the information stored in the smart card, select the proper [template](https://developer.okta.com/docs/reference/okta-expression-language/#idp-user-profile) `idpuser.subjectAltNameEmail` or `idpuser.subjectAltNameUpn`.
operationId: createIdentityProvider
x-codegen-request-body-name: identityProvider
requestBody:
+ description: IdP settings
content:
application/json:
schema:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ CreateGenericOidcIdPRequest:
+ $ref: '#/components/examples/CreateGenericOidcIdPRequest'
+ CreateSamlIdPRequest:
+ $ref: '#/components/examples/CreateSamlIdPRequest'
+ CreateAppleIdPRequest:
+ $ref: '#/components/examples/CreateAppleIdPRequest'
+ CreateFacebookIdPRequest:
+ $ref: '#/components/examples/CreateFacebookIdPRequest'
+ CreateGoogleIdPRequest:
+ $ref: '#/components/examples/CreateGoogleIdPRequest'
+ CreateMicrosoftIdPRequest:
+ $ref: '#/components/examples/CreateMicrosoftIdPRequest'
+ CreateSmartCardIdPRequest:
+ $ref: '#/components/examples/CreateSmartCardIdPRequest'
required: true
responses:
'200':
@@ -9522,6 +13039,21 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ CreateGenericOidcIdpResponse:
+ $ref: '#/components/examples/GenericOidcIdpResponse'
+ CreateSamlIdPResponse:
+ $ref: '#/components/examples/SamlIdPResponse'
+ CreateAppleIdPResponse:
+ $ref: '#/components/examples/AppleIdPResponse'
+ CreateFacebookIdPResponse:
+ $ref: '#/components/examples/FacebookIdPResponse'
+ CreateGoogleIdPResponse:
+ $ref: '#/components/examples/GoogleIdPResponse'
+ CreateMicrosoftIdPResponse:
+ $ref: '#/components/examples/MicrosoftIdPResponse'
+ CreateSmartCardIdPResponse:
+ $ref: '#/components/examples/SmartCardIdPResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -9534,24 +13066,17 @@ paths:
- okta.idps.manage
tags:
- IdentityProvider
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/credentials/keys:
get:
- summary: List all Credential Keys
- description: Lists all IdP key credentials
+ summary: List all IdP Key Credentials
+ description: Lists all IdP Key Credentials
operationId: listIdentityProviderKeys
parameters:
- - name: after
- in: query
- description: Specifies the pagination cursor for the next page of keys
- schema:
- type: string
- - name: limit
- in: query
- description: Specifies the number of key results in a page
- schema:
- type: integer
- format: int32
- default: 20
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
responses:
'200':
description: Success
@@ -9560,7 +13085,10 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ ListIdPKeyCredentialsResponse:
+ $ref: '#/components/examples/MultipleIdPKeyCredentialsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -9570,17 +13098,22 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create an X.509 Certificate Public Key
- description: Creates a new X.509 certificate credential to the IdP key store.
+ summary: Create an IdP Key Credential
+ description: |-
+ Creates a new X.509 certificate credential in the IdP key store
+ > **Note:** RSA-based certificates are supported for all IdP types. Okta currently supports EC-based certificates only for the `X509` IdP type. For EC-based certificates we support only P-256, P-384, and P-521 curves.
operationId: createIdentityProviderKey
x-codegen-request-body-name: jsonWebKey
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPCertificateCredential'
required: true
responses:
'200':
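Review bot: `x-codegen-request-body-name: jsonWebKey` is kept on createIdentityProviderKey although the request schema on the line below it changed from `JsonWebKey` to `IdPCertificateCredential`, so generated SDKs will expose a parameter named after a type the operation no longer accepts. Either rename it to match, `x-codegen-request-body-name: idPCertificateCredential`, or leave a comment stating that the old name is kept deliberately for SDK compatibility. The new note listing the supported EC curves (P-256, P-384, P-521) is useful; stating the accepted RSA key sizes next to it would complete the picture, if they are constrained.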
@@ -9588,7 +13121,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ IdPKeyCredentialResponse:
+ $ref: '#/components/examples/IdPKeyCredentialResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -9600,12 +13136,15 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
- /api/v1/idps/credentials/keys/{idpKeyId}:
+ - IdentityProviderKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/idps/credentials/keys/{kid}:
parameters:
- - $ref: '#/components/parameters/pathIdpKeyId'
+ - $ref: '#/components/parameters/pathKid'
get:
- summary: Retrieve an Credential Key
+ summary: Retrieve an IdP Key Credential
description: Retrieves a specific IdP Key Credential by `kid`
operationId: getIdentityProviderKey
responses:
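Review bot: Renaming the path template from `{idpKeyId}` to `{kid}` and its parameter ref from `pathIdpKeyId` to `pathKid` changes the parameter name that generated clients expose, so this is a source-incompatible SDK change even though the URL on the wire is unchanged; it deserves a changelog entry unless the SDKs are regenerated wholesale. The hunk also presumes `components/parameters/pathKid` declares `name: kid` with `in: path`, which is outside this view. The same rename is applied at `/api/v1/idps/{idpId}/credentials/keys/{kid}` and its `/clone` sub-path below.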
@@ -9614,7 +13153,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ IdPKeyCredentialResponse:
+ $ref: '#/components/examples/IdPKeyCredentialResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9626,10 +13168,54 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace an IdP Key Credential
+ description: Replaces an IdP Key Credential by `kid`
+ operationId: replaceIdentityProviderKey
+ requestBody:
+ description: Updated IdP Key Credential
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ IdPKeyCredentialRequest:
+ $ref: '#/components/examples/IdPKeyCredentialRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ IdPKeyCredentialResponse:
+ $ref: '#/components/examples/IdPKeyCredentialResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.idps.manage
+ tags:
+ - IdentityProviderKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Delete a Signing Credential Key
- description: Deletes a specific IdP Key Credential by `kid` if it is not currently being used by an Active or Inactive IdP
+ summary: Delete an IdP Key Credential
+ description: Deletes a specific IdP Key Credential by `kid` if it isn't currently being used by an active or inactive IdP
operationId: deleteIdentityProviderKey
responses:
'204':
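Review bot: The new `put` replaceIdentityProviderKey says only "Replaces an IdP Key Credential by `kid`" and does not state whether a key that an active or inactive IdP currently references can be replaced, even though the sibling `delete` on this path explicitly refuses that case; since a replaced credential presumably takes effect for every IdP referencing that `kid`, this constraint (or its absence) is the most security-relevant fact about the operation. Suggest extending the description to `Replaces an IdP Key Credential by kid. <state whether a key in use by an active or inactive IdP can be replaced, and which status is returned if not>` with the placeholder resolved by the API owners. The request body also reuses the response schema `IdPKeyCredential`; if that schema carries server-set fields such as `kid` or timestamps, marking them `readOnly` or pointing at a request-only schema would keep the `IdPKeyCredentialRequest` example honest.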
@@ -9646,7 +13232,10 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
+ - IdentityProviderKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}:
parameters:
- $ref: '#/components/parameters/pathIdpId'
@@ -9661,6 +13250,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ GenericOidcIdpResponse:
+ $ref: '#/components/examples/GenericOidcIdpResponse'
+ SamlIdPResponse:
+ $ref: '#/components/examples/SamlIdPResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9673,16 +13267,23 @@ paths:
- okta.idps.read
tags:
- IdentityProvider
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace an Identity Provider
description: Replaces an identity provider integration by `idpId`
operationId: replaceIdentityProvider
x-codegen-request-body-name: identityProvider
requestBody:
+ description: Updated configuration for the IdP
content:
application/json:
schema:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ ReplaceIdPRequest:
+ $ref: '#/components/examples/ReplaceIdPRequestResponse'
required: true
responses:
'200':
@@ -9691,6 +13292,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ ReplaceIdPResponse:
+ $ref: '#/components/examples/ReplaceIdPRequestResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -9705,9 +13309,15 @@ paths:
- okta.idps.manage
tags:
- IdentityProvider
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete an Identity Provider
- description: Deletes an identity provider integration by `idpId`
+ description: |-
+ Deletes an identity provider integration by `idpId`
+ * All existing IdP users are unlinked with the highest order profile source taking precedence for each IdP user.
+ * Unlinked users keep their existing authentication provider such as `FEDERATION` or `SOCIAL`.
operationId: deleteIdentityProvider
responses:
'204':
@@ -9725,6 +13335,9 @@ paths:
- okta.idps.manage
tags:
- IdentityProvider
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/credentials/csrs:
parameters:
- $ref: '#/components/parameters/pathIdpId'
@@ -9740,7 +13353,10 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/Csr'
+ $ref: '#/components/schemas/IdPCsr'
+ examples:
+ MultipleIdPCsrsResponse:
+ $ref: '#/components/examples/MultipleIdPCsrsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9752,10 +13368,15 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Generate a Certificate Signing Request
- description: Generates a new key pair and returns a Certificate Signing Request for it
+ description: |-
+ Generates a new key pair and returns a Certificate Signing Request (CSR) for it
+ > **Note:** The private key isn't listed in the [Signing Key Credentials for IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderSigningKeys/#tag/IdentityProviderSigningKeys/operation/listIdentityProviderSigningKeys) until it's published.
operationId: generateCsrForIdentityProvider
x-codegen-request-body-name: metadata
requestBody:
@@ -9770,7 +13391,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Csr'
+ $ref: '#/components/schemas/IdPCsr'
+ examples:
+ CsrJsonResponse:
+ $ref: '#/components/examples/CsrJsonResponse'
+ application/pkcs10:
+ schema:
+ $ref: '#/components/schemas/IdPCsrPkcs10'
+ examples:
+ CsrPkcs10Response:
+ $ref: '#/components/examples/CsrPkcs10Response'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
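Review bot: generateCsrForIdentityProvider's 200 response now offers both `application/json` and `application/pkcs10` bodies, but nothing in the operation says how a caller selects between them; presumably it is the `Accept` header, and stating that in the description (and noting that the PKCS#10 body is the CSR itself, in whichever encoding `IdPCsrPkcs10` represents) would spare readers a trip to the schema. A one-line addition such as `Set the Accept header to application/pkcs10 to receive the CSR itself instead of the JSON wrapper.` would do. The same dual-content response is added to getCsrForIdentityProvider below.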
@@ -9784,14 +13414,17 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}:
parameters:
- $ref: '#/components/parameters/pathIdpId'
- $ref: '#/components/parameters/pathIdpCsrId'
get:
summary: Retrieve a Certificate Signing Request
- description: Retrieves a specific Certificate Signing Request model by id
+ description: Retrieves a specific Certificate Signing Request by `id`
operationId: getCsrForIdentityProvider
responses:
'200':
@@ -9799,7 +13432,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Csr'
+ $ref: '#/components/schemas/IdPCsr'
+ examples:
+ CsrJsonResponse:
+ $ref: '#/components/examples/CsrJsonResponse'
+ application/pkcs10:
+ schema:
+ $ref: '#/components/schemas/IdPCsrPkcs10'
+ examples:
+ CsrPkcs10Response:
+ $ref: '#/components/examples/CsrPkcs10Response'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9811,10 +13453,13 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke a Certificate Signing Request
- description: Revokes a certificate signing request and deletes the key pair from the IdP
+ description: Revokes a CSR and deletes the key pair from the IdP
operationId: revokeCsrForIdentityProvider
responses:
'204':
@@ -9831,32 +13476,49 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}/lifecycle/publish:
parameters:
- $ref: '#/components/parameters/pathIdpId'
- $ref: '#/components/parameters/pathIdpCsrId'
post:
summary: Publish a Certificate Signing Request
- description: Publishes a certificate signing request with a signed X.509 certificate and adds it into the signing key credentials for the IdP
+ description: |-
+ Publishes the CSR with a signed X.509 certificate and adds it into the signing Key Credentials for the IdP
+ > **Notes:**
+ > * Publishing a certificate completes the lifecycle of the CSR, and it's no longer accessible.
+ > * If the validity period of the certificate is less than 90 days, a 400 error response is returned.
operationId: publishCsrForIdentityProvider
requestBody:
required: true
content:
- application/x-x509-ca-cert:
+ application/pkix-cert:
schema:
type: string
format: binary
- x-okta-operationId: publishBinaryCerCertForIdentityProvider
- application/pkix-cert:
+ description: |-
+ X.509 certificate in `DER` format.
+ The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`.
+ example: 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
+ x-okta-operationId: publishBinaryDerCertForIdentityProvider
+ application/x-x509-ca-cert:
schema:
type: string
format: binary
- x-okta-operationId: publishBinaryDerCertForIdentityProvider
+ description: |-
+ X.509 certificate in `CER` format.
+ The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`.
+ example: '@certificate.cer'
+ x-okta-operationId: publishBinaryCerCertForIdentityProvider
application/x-pem-file:
schema:
type: string
format: binary
+ description: X.509 certificate in `PEM` format
+ example: '@certificate.pem'
x-okta-operationId: publishBinaryPemCertForIdentityProvider
responses:
'201':
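Review bot: The new request-body descriptions for publishCsrForIdentityProvider say the certificate may be posted "Base64URL-encoded" but then instruct setting `Content-Transfer-Encoding` to `base64`; base64 and base64url differ in alphabet (`+/` versus `-_`) and padding, so one of the two terms is wrong and a client following the text literally may produce an encoding the server rejects. Please state which alphabet the server actually decodes, e.g. `The client can post the certificate either in binary or standard Base64 (RFC 4648 section 4); for Base64, set the Content-Transfer-Encoding header to base64.` once the API owners confirm it. Describing `application/x-x509-ca-cert` as "`CER` format" is also loose, since `.cer` is a file extension that usually holds DER (sometimes PEM) bytes; "DER-encoded certificate, typically a .cer file" would be more precise.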
@@ -9864,7 +13526,7 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -9878,13 +13540,16 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/credentials/keys:
parameters:
- $ref: '#/components/parameters/pathIdpId'
get:
- summary: List all Signing Credential Keys
- description: Lists all signing key credentials for an IdP
+ summary: List all signing Key Credentials for IdP
+ description: Lists all signing Key Credentials for an IdP
operationId: listIdentityProviderSigningKeys
responses:
'200':
@@ -9894,7 +13559,10 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ MultipleIdPSigningKeyCredentialsResponse:
+ $ref: '#/components/examples/MultipleIdPSigningKeyCredentialsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9906,13 +13574,18 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/credentials/keys/generate:
parameters:
- $ref: '#/components/parameters/pathIdpId'
post:
- summary: Generate a new Signing Credential Key
- description: Generates a new X.509 certificate for an IdP signing key credential to be used for signing assertions sent to the IdP
+ summary: Generate a new signing Key Credential for IdP
+ description: |-
+ Generates a new X.509 certificate for an IdP signing Key Credential to be used for signing assertions sent to the IdP. IdP signing keys are read-only.
+ > **Note:** To update an IdP with the newly generated Key Credential, [update your IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider) using the returned key's `kid` in the [signing credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/credentials/signing/kid&t=request).
operationId: generateIdentityProviderSigningKey
parameters:
- name: validityYears
@@ -9922,13 +13595,18 @@ paths:
schema:
type: integer
format: int32
+ minimum: 2
+ maximum: 10
responses:
'200':
description: Success
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ IdPSigningKeyCredentialResponse:
+ $ref: '#/components/examples/IdPSigningKeyCredentialResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
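Review bot: Adding `minimum: 2` and `maximum: 10` to `validityYears` on generateIdentityProviderSigningKey gives the server a reason to reject requests, yet this hunk's responses list only 200, 403 and 404, so the out-of-range case has no documented status; if the server answers 400, add `'400':` with `$ref: '#/components/responses/ErrorApiValidationFailed400'` as the sibling operations do. The parameter's `description` and `required` flag sit above this hunk, so I can't see whether the range (and the default when the parameter is omitted) is stated in prose as well; it should be, since schema bounds are easy to miss in rendered docs.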
@@ -9940,13 +13618,16 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
- /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}:
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/idps/{idpId}/credentials/keys/{kid}:
parameters:
- $ref: '#/components/parameters/pathIdpId'
- - $ref: '#/components/parameters/pathIdpKeyId'
+ - $ref: '#/components/parameters/pathKid'
get:
- summary: Retrieve a Signing Credential Key
+ summary: Retrieve a signing Key Credential for IdP
description: Retrieves a specific IdP Key Credential by `kid`
operationId: getIdentityProviderSigningKey
responses:
@@ -9955,7 +13636,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ IdPSigningKeyCredentialResponse:
+ $ref: '#/components/examples/IdPSigningKeyCredentialResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -9967,19 +13651,27 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
- /api/v1/idps/{idpId}/credentials/keys/{idpKeyId}/clone:
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/idps/{idpId}/credentials/keys/{kid}/clone:
parameters:
- $ref: '#/components/parameters/pathIdpId'
- - $ref: '#/components/parameters/pathIdpKeyId'
+ - $ref: '#/components/parameters/pathKid'
post:
- summary: Clone a Signing Credential Key
- description: Clones a X.509 certificate for an IdP signing key credential from a source IdP to target IdP
+ summary: Clone a signing Key Credential for IdP
+ description: |-
+ Clones an X.509 certificate for an IdP signing Key Credential from a source IdP to target IdP
+ > **Caution:** Sharing certificates isn't a recommended security practice.
+
+ > **Note:** If the key is already present in the list of Key Credentials for the target IdP, you receive a 400 error response.
operationId: cloneIdentityProviderKey
parameters:
- name: targetIdpId
in: query
required: true
+ description: '`id` of the target IdP'
schema:
type: string
responses:
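Review bot: The new caution on cloneIdentityProviderKey ("Sharing certificates isn't a recommended security practice") would be more actionable if it said what is shared and what the operator then has to manage. If, as the summary implies, the key pair itself is copied to the target IdP, one sentence such as `The cloned credential uses the same private key as the source, so a compromise or rotation of that key affects every IdP it has been cloned to.` tells the reader why the caution exists and what to track.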
@@ -9988,7 +13680,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/IdPKeyCredential'
+ examples:
+ IdPSigningKeyCredentialResponse:
+ $ref: '#/components/examples/IdPSigningKeyCredentialResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10000,7 +13695,10 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
+ - IdentityProviderSigningKeys
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathIdpId'
@@ -10015,6 +13713,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ ActivateIdPResponse:
+ $ref: '#/components/examples/ActivateIdPResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10027,6 +13728,9 @@ paths:
- okta.idps.manage
tags:
- IdentityProvider
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathIdpId'
@@ -10041,6 +13745,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ DeactivateIdPResponse:
+ $ref: '#/components/examples/DeactivateIdPResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10053,36 +13760,26 @@ paths:
- okta.idps.manage
tags:
- IdentityProvider
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/users:
parameters:
- $ref: '#/components/parameters/pathIdpId'
get:
- summary: List all Users
- description: Lists all users linked to the identity provider
+ summary: List all Users for IdP
+ description: Lists all the Users linked to an Identity Provider
operationId: listIdentityProviderApplicationUsers
parameters:
- - name: q
- in: query
- description: Searches the name property of IdPs for matching value
- schema:
- type: string
- - name: after
- in: query
- description: Specifies the pagination cursor for the next page of IdPs
- schema:
- type: string
- - name: limit
- in: query
- description: Specifies the number of IdP results in a page
- schema:
- type: integer
- format: int32
- default: 20
+ - $ref: '#/components/parameters/queryFilter'
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
- name: expand
in: query
description: Expand user data
schema:
type: string
+ example: user
responses:
'200':
description: Success
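Review bot: listIdentityProviderApplicationUsers loses its `q` query parameter in favour of `$ref: '#/components/parameters/queryFilter'`, and the two are not the same contract: `q` was a free-text search, while a `filter` parameter (assuming that is what `queryFilter` defines, which is outside this view) takes an expression with its own syntax, so clients sending `q` will find it gone from generated SDKs and readers won't learn which attributes the filter supports. If the API still honours `q`, keep it alongside the new ref; if it never did, the description could point at the filter grammar and list the supported attributes, e.g. `Filters Users by expression (see the filter parameter for syntax); supported attributes: <list from API owners>`. Giving `expand` the example `user` is helpful, but an `enum` or a description of the other accepted values would serve better than an example if the set is fixed.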
@@ -10092,6 +13789,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/IdentityProviderApplicationUser'
+ examples:
+ ListIdPUsersResponse:
+ $ref: '#/components/examples/ListIdPUsersResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10103,14 +13803,17 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/users/{userId}:
parameters:
- $ref: '#/components/parameters/pathIdpId'
- $ref: '#/components/parameters/pathUserId'
get:
- summary: Retrieve a User
- description: Retrieves a linked IdP user by ID
+ summary: Retrieve a User for IdP
+ description: Retrieves a linked IdP User by ID
operationId: getIdentityProviderApplicationUser
responses:
'200':
@@ -10119,6 +13822,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/IdentityProviderApplicationUser'
+ examples:
+ IdPAppUserResponse:
+ $ref: '#/components/examples/IdPAppUserResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10130,10 +13836,17 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Link a User to a Social IdP
- description: Links an Okta user to an existing Social Identity Provider. This does not support the SAML2 Identity Provider Type
+ summary: Link a User to IdP
+ description: |-
+ Links an Okta User to an existing SAML or social Identity Provider.
+
+ The SAML Identity Provider must have `honorPersistentNameId` set to `true` to use this API.
+ The [Name Identifier Format](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/settings&t=request) of the incoming assertion must be `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`.
operationId: linkUserToIdentityProvider
x-codegen-request-body-name: userIdentityProviderLinkRequest
requestBody:
@@ -10149,6 +13862,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/IdentityProviderApplicationUser'
+ examples:
+ LinkIdPAppUserResponse:
+ $ref: '#/components/examples/LinkIdPAppUserResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -10162,10 +13878,13 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - IdentityProvider
+ - IdentityProviderUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Unlink a User from IdP
- description: Unlinks the link between the Okta user and the IdP user
+ description: Unlinks the Okta User and the IdP User. The next time the User federates into Okta through this IdP, they have to re-link their account according to the account link policy.
operationId: unlinkUserFromIdentityProvider
responses:
'204':
@@ -10182,14 +13901,20 @@ paths:
- oauth2:
- okta.idps.manage
tags:
- - IdentityProvider
+ - IdentityProviderUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/idps/{idpId}/users/{userId}/credentials/tokens:
parameters:
- $ref: '#/components/parameters/pathIdpId'
- $ref: '#/components/parameters/pathUserId'
get:
- summary: List all Tokens from a OIDC Identity Provider
- description: Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth
+ summary: List all Tokens from OIDC IdP
+ description: |-
+ Lists the tokens minted by the Social Authentication Provider when the user authenticates with Okta via Social Auth.
+
+ Okta doesn't import all the User information from a social provider. If the app needs information that isn't imported, it can get the User token from this endpoint. Then the app can make an API call to the social provider with the token to request the additional information.
operationId: listSocialAuthTokens
responses:
'200':
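Review bot: The expanded description for listSocialAuthTokens explains that an app can forward the returned token to the social provider, but it doesn't say that the response therefore carries live third-party credentials that must be handled as secrets (not logged, not cached beyond their expiry, requested only by the app that needs them); the `okta.idps.read` scope alone won't convey that to an integrator. One added sentence such as `The returned tokens are live credentials for the social provider; store and transmit them as secrets and honour their expiry.` would close that gap. Whether the array includes refresh tokens as well as access tokens depends on `SocialAuthToken`, which is outside this hunk.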
@@ -10200,6 +13925,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/SocialAuthToken'
+ examples:
+ SocialAuthTokensResponse:
+ $ref: '#/components/examples/SocialAuthTokensResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10211,17 +13939,28 @@ paths:
- oauth2:
- okta.idps.read
tags:
- - IdentityProvider
+ - IdentityProviderUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/inlineHooks:
get:
- summary: List all Inline Hooks
- description: Lists all inline hooks
+ summary: List all inline hooks
+ description: |-
+ Lists all inline hooks or all inline hooks of a specific type.
+
+ When listing a specific inline hook, you need to specify its type. The following types are currently supported:
+ | Type Value | Name |
+ |------------------------------------|----------------------------------------------------------------|
+ | `com.okta.import.transform` | [User import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createUserImportInlineHook) |
+ | `com.okta.oauth2.tokens.transform` | [Token inline hook]((/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTokenInlineHook) |
+ | `com.okta.saml.tokens.transform` | [SAML assertion inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createSAMLAssertionInlineHook) |
+ | `com.okta.telephony.provider` | [Telephony inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook) |
+ | `com.okta.user.credential.password.import` | [Password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook)|
+ | `com.okta.user.pre-registration` | [Registration inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook) |
operationId: listInlineHooks
parameters:
- - name: type
- in: query
- schema:
- type: string
+ - $ref: '#/components/parameters/inlineHookType'
responses:
'200':
description: Success
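Review bot: The Token inline hook row at L58706 has a doubled opening parenthesis in its markdown link, `[Token inline hook]((/openapi/...`, which renders a literal `(` and breaks the link; it should read `[Token inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTokenInlineHook)`. The table also mixes site-relative paths (`/openapi/...`) with the absolute `https://developer.okta.com/docs/api/openapi/...` form used elsewhere in this file (e.g. L58621), and the Password import row at L58709 is missing the space before its trailing `|`. The Registration row's anchor `create-registration-hook` is kebab-case while every other anchor is a camelCase operationId, so it is worth confirming that target exists.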
@@ -10231,6 +13970,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/InlineHook'
+ examples:
+ InlineHooktMgmtListAllexample:
+ $ref: '#/components/examples/InlineHooktMgmtListAllexample'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -10241,16 +13983,50 @@ paths:
- okta.inlineHooks.read
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create an Inline Hook
- description: Creates an inline hook
+ summary: Create an inline hook
+ description: |-
+ Creates an inline hook
+
+ This endpoint creates an inline hook for your org in an `ACTIVE` status. You need to pass an inline hooks object in the JSON payload of your request.
+ That object represents the set of required information about the inline hook that you're registering, including:
+
+ * The URI of your external service endpoint
+ * The type of inline hook you're registering
+ * The type of authentication you're registering
+
+ There are two authentication options that you can configure for your inline hook: HTTP headers and OAuth 2.0 tokens.
+
+ HTTP headers let you specify a secret API key that you want Okta to pass to your external service endpoint (so that your external service can check for its presence as a security measure).
+
+ >**Note:** The API key that you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs.
+
+ You can also optionally specify extra headers that you want Okta to pass to your external service with each call.
+
+ To configure HTTP header authentication, see parameters for the `config` object.
+
+ OAuth 2.0 tokens provide enhanced security between Okta and your external service. You can configure these tokens for the following types—client secret and private key.
+
+ >**Note:** Your external service's endpoint needs to be a valid HTTPS endpoint. The URI you specify should always begin with `https://`.
+
+ The total number of inline hooks that you can create in an Okta org is limited to 50, which is a combined total for any combination of inline hook types.
operationId: createInlineHook
- x-codegen-request-body-name: inlineHook
+ x-codegen-request-body-name: inlineHookCreate
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/InlineHook'
+ $ref: '#/components/schemas/InlineHookCreate'
+ examples:
+ CreateInlineHookHTTP:
+ $ref: '#/components/examples/InlineHookMgmtCreateHTTPRequest'
+ CreateInlineHookOAuthClientSecret:
+ $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretRequest'
+ CreateInlineHookOAuthPrivateKey:
+ $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyRequest'
required: true
responses:
'200':
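Review bot: L58754 says the external service can "check for its presence as a security measure", which understates what the receiver must do: it has to compare the full header value against the configured secret (ideally with a constant-time comparison), not merely check that the header exists, otherwise any caller that sets the header is accepted. Suggest `so that your external service can verify that the value matches the configured secret before trusting the request`. Since the hook types listed at L58703–L58710 include password import, it would also help to state here that Okta sends user data to this endpoint (presumably including the credential being verified for that hook type — confirm against the payload schema), so the authentication choice and the HTTPS requirement at L58764 are load-bearing rather than optional hardening. The `>**Note:**` blocks lack a space after `>`, which some renderers need to treat them as blockquotes.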
@@ -10258,7 +14034,14 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/InlineHook'
+ $ref: '#/components/schemas/InlineHookCreateResponse'
+ examples:
+ CreateInlineHookHTTP:
+ $ref: '#/components/examples/InlineHookMgmtCreateHTTPResponse'
+ CreateInlineHookOAuthClientSecret:
+ $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretResponse'
+ CreateInlineHookOAuthPrivateKey:
+ $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -10271,6 +14054,9 @@ paths:
- okta.inlineHooks.manage
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/inlineHooks/{inlineHookId}:
parameters:
- $ref: '#/components/parameters/pathInlineHookId'
@@ -10285,6 +14071,13 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/InlineHook'
+ examples:
+ InlineHookHTTP:
+ $ref: '#/components/examples/InlineHookMgmtHTTPexample'
+ InlineHookOAuthClientSecret:
+ $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample'
+ InlineHookOAuthPrivateKey:
+ $ref: '#/components/examples/InlineHookMgmtOauthPKJexample'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10297,16 +14090,66 @@ paths:
- okta.inlineHooks.read
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Update an Inline Hook
+ description: Updates an inline hook by `inlineHookId`
+ operationId: updateInlineHook
+ x-codegen-request-body-name: inlineHook
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/InlineHookReplace'
+ examples:
+ UpdateInlineHookHTTP:
+ $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/InlineHook'
+ examples:
+ UpdateInlineHookHTTP:
+ $ref: '#/components/examples/InlineHookMgmtPutResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.inlineHooks.manage
+ tags:
+ - InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Replace an Inline Hook
- description: Replaces an inline hook by `inlineHookId`
+ summary: Replace an inline hook
+ description: |-
+ Replaces an inline hook by `inlineHookId`. The submitted inline hook properties replace the existing properties after passing validation.
+
+ >**Note:** Some properties are immutable and can't be updated.
operationId: replaceInlineHook
x-codegen-request-body-name: inlineHook
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/InlineHook'
+ $ref: '#/components/schemas/InlineHookReplace'
+ examples:
+ UpdateInlineHookHTTP:
+ $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest'
required: true
responses:
'200':
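Review bot: The new `post` operation at L58833–L58873 (`updateInlineHook`) is described only as "Updates an inline hook by `inlineHookId`" yet shares the `InlineHookReplace` request schema, the `InlineHookMgmtPutHTTPRequest` example and the `inlineHook` body name with the `put` directly below it, so a reader cannot tell how POST differs from PUT. Elsewhere in this file POST is spelled out as a partial update (L59363: "Since POST is interpreted as a partial update..."); if that applies here, say so, e.g. `description: Updates an inline hook by \`inlineHookId\`. This is a partial update; only the properties you include are changed.`, and consider a dedicated request schema and example rather than reusing the replace ones. The PUT note at L58881, "Some properties are immutable and can't be updated", would be more useful if it named them; which properties those are isn't visible in this hunk.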
@@ -10315,6 +14158,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/InlineHook'
+ examples:
+ UpdateInlineHookHTTP:
+ $ref: '#/components/examples/InlineHookMgmtPutResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -10329,9 +14175,12 @@ paths:
- okta.inlineHooks.manage
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Delete an Inline Hook
- description: Deletes an inline hook by `inlineHookId`. Once deleted, the Inline Hook is unrecoverable. As a safety precaution, only Inline Hooks with a status of INACTIVE are eligible for deletion.
+ summary: Delete an inline hook
+ description: Deletes an inline hook by `inlineHookId`. After it's deleted, the inline hook is unrecoverable. As a safety precaution, only inline hooks with a status of `INACTIVE` are eligible for deletion.
operationId: deleteInlineHook
responses:
'204':
@@ -10349,19 +14198,49 @@ paths:
- okta.inlineHooks.manage
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/inlineHooks/{inlineHookId}/execute:
parameters:
- $ref: '#/components/parameters/pathInlineHookId'
post:
- summary: Execute an Inline Hook
- description: Executes the inline hook by `inlineHookId` using the request body as the input. This will send the provided data through the Channel and return a response if it matches the correct data contract. This execution endpoint should only be used for testing purposes.
+ summary: Execute an inline hook
+ description: |-
+ Executes the inline hook that matches the provided `inlineHookId` by using the request body as the input. This inline hook sends the provided
+ data through the `channel` object and returns a response if it matches the correct data contract. Otherwise it returns an error. You need to
+ construct a JSON payload that matches the payloads that Okta would send to your external service for this inline hook type.
+
+ A timeout of three seconds is enforced on all outbound requests, with one retry in the event of a timeout or an error response from the remote system.
+ If a successful response isn't received after the request, a 400 error is returned with more information about what failed.
+
+ >**Note:** This execution endpoint isn't tied to any other functionality in Okta, and you should only use it for testing purposes.
operationId: executeInlineHook
x-codegen-request-body-name: payloadData
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/InlineHookPayload'
+ oneOf:
+ - $ref: '#/components/schemas/PasswordImportRequestExecute'
+ - $ref: '#/components/schemas/TelephonyRequestExecute'
+ - $ref: '#/components/schemas/RegistrationInlineHookRequest'
+ - $ref: '#/components/schemas/TokenRequest'
+ - $ref: '#/components/schemas/SAMLPayloadExecute'
+ - $ref: '#/components/schemas/UserImportRequestExecute'
+ examples:
+ PasswordImportPayloadExample:
+ $ref: '#/components/examples/PasswordImportPayloadExample'
+ TelephonyPayloadExample:
+ $ref: '#/components/examples/TelephonyPayloadExample'
+ ProfileEnrollmentRequest:
+ $ref: '#/components/examples/ProfileEnrollmentRequest'
+ TokenPayLoadExample:
+ $ref: '#/components/examples/TokenPayLoadExample'
+ SAMLPayloadExample:
+ $ref: '#/components/examples/SAMLPayLoadExample'
+ UserImportPayloadExample:
+ $ref: '#/components/examples/UserImportPayloadExample'
required: true
responses:
'200':
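Review bot: The request body at L58951–L58957 is a `oneOf` over six hook payload schemas with no `discriminator`, while the description at L58936–L58938 says the body must match the type of the hook identified by `inlineHookId`. `oneOf` requires exactly one alternative to validate, so if any two of these schemas accept the same JSON (the schemas themselves aren't in this hunk, so this can't be ruled out here) validation fails instead of selecting the right one, and codegen tools emit an untyped union. Consider `anyOf`, or a `discriminator` on a shared property if one exists, and add a sentence that the expected shape is determined by the hook's `type`, not inferred from the body. It would also be worth stating that this endpoint forwards admin-supplied data to the configured external service, which is why it is gated by `okta.inlineHooks.manage` (L59003, in the following hunk).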
@@ -10369,7 +14248,26 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/InlineHookResponse'
+ oneOf:
+ - $ref: '#/components/schemas/PasswordImportResponse'
+ - $ref: '#/components/schemas/TelephonyResponse'
+ - $ref: '#/components/schemas/RegistrationInlineHookResponse'
+ - $ref: '#/components/schemas/TokenHookResponse'
+ - $ref: '#/components/schemas/SAMLHookResponse'
+ - $ref: '#/components/schemas/UserImportResponse'
+ examples:
+ PasswordImportPayloadExample:
+ $ref: '#/components/examples/PasswordImportVerifiedResponse'
+ TelephonyPayloadExample:
+ $ref: '#/components/examples/TelephonySuccessResponse'
+ ProfileEnrollmentRequest:
+ $ref: '#/components/examples/ProfileEnrollmentResponse'
+ TokenPayLoadExample:
+ $ref: '#/components/examples/TokenHookResponse'
+ SAMLPayloadExample:
+ $ref: '#/components/examples/SAMLHookResponseExample'
+ UserImportPayloadExample:
+ $ref: '#/components/examples/UserImportChangeAppUserProfileExample'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -10384,6 +14282,9 @@ paths:
- okta.inlineHooks.manage
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/inlineHooks/{inlineHookId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathInlineHookId'
@@ -10398,6 +14299,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/InlineHook'
+ examples:
+ ActivateAnInlineHook:
+ $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10410,6 +14314,9 @@ paths:
- okta.inlineHooks.manage
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathInlineHookId'
@@ -10424,6 +14331,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/InlineHook'
+ examples:
+ DeactivateAnInlineHook:
+ $ref: '#/components/examples/InlineHookMgmtHTTPexampleDeactivate'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -10436,6 +14346,9 @@ paths:
- okta.inlineHooks.manage
tags:
- InlineHook
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/logStreams:
get:
summary: List all Log Streams
@@ -10472,6 +14385,10 @@ paths:
- okta.logStreams.read
tags:
- LogStream
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
post:
summary: Create a Log Stream
description: Creates a new Log Stream object
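Review bot: The new `x-okta-lifecycle` block at L59056–L59059 declares `lifecycle: GA` while also setting `isGenerallyAvailable: false` and `SKUs: []`, which contradicts itself; the same triple is repeated on every LogStream and ProfileMapping operation and on the logStream schema endpoints further down. Compare the UISchema operations (L59632–L59636), where `LIMITED_GA`, `isGenerallyAvailable: false` and a populated `SKUs` list agree with each other. Either set `isGenerallyAvailable: true` here, as the other GA operations in this diff do, or change `lifecycle` and list the SKUs that gate the feature. As written, any tooling that keys off `isGenerallyAvailable` will hide endpoints the spec calls GA.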
@@ -10515,6 +14432,10 @@ paths:
- okta.logStreams.manage
tags:
- LogStream
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/logStreams/{logStreamId}:
parameters:
- $ref: '#/components/parameters/pathLogStreamId'
@@ -10544,6 +14465,10 @@ paths:
- okta.logStreams.read
tags:
- LogStream
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
put:
summary: Replace a Log Stream
description: |-
@@ -10591,6 +14516,10 @@ paths:
- okta.logStreams.manage
tags:
- LogStream
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
delete:
summary: Delete a Log Stream
description: Deletes a Log Stream object from your org by ID
@@ -10618,6 +14547,10 @@ paths:
- okta.logStreams.manage
tags:
- LogStream
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/logStreams/{logStreamId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathLogStreamId'
@@ -10647,6 +14580,10 @@ paths:
- okta.logStreams.manage
tags:
- LogStream
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/logStreams/{logStreamId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathLogStreamId'
@@ -10676,44 +14613,64 @@ paths:
- okta.logStreams.manage
tags:
- LogStream
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/logs:
get:
summary: List all System Log Events
- description: Lists all system log events. The Okta System Log API provides read access to your organization’s system log. This API provides more functionality than the Events API
+ description: Lists all System Log Events
operationId: listLogEvents
parameters:
- name: since
+ description: Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries
in: query
schema:
type: string
- format: date-time
+ format: ISO 8601 compliant timestamp
+ default: 7 days prior to until
- name: until
+ description: Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries.
+ in: query
+ schema:
+ type: string
+ format: ISO 8601 compliant timestamp
+ default: current time
+ - name: after
+ description: Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the after query parameter
in: query
schema:
type: string
- format: date-time
+ format: Opaque token
- name: filter
+ description: Filter expression that filters the results. All operators except [ ] are supported. See [Filter](https://developer.okta.com/docs/api/#filter).
in: query
schema:
type: string
+ format: SCIM Filter expression
- name: q
+ description: Filters log events results by one or more case insensitive keywords.
in: query
schema:
type: string
+ format: URL encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding)
- name: limit
+ description: Sets the number of results that are returned in the response
in: query
schema:
type: integer
+ format: Integer between 0 and 1000
default: 100
- name: sortOrder
+ description: The order of the returned events that are sorted by the `published` property
in: query
schema:
type: string
+ enum:
+ - ASCENDING
+ - DESCENDING
default: ASCENDING
- - name: after
- in: query
- schema:
- type: string
responses:
'200':
description: Success
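Review bot: The `since` and `until` parameters at L59139 and L59146 replace the standard OpenAPI `format: date-time` with prose (`format: ISO 8601 compliant timestamp`), and `after`, `filter`, `q` and `limit` receive free-text `format` values as well; `format` is a machine-readable hint, so unknown values are ignored by validators at best and rejected by codegen at worst, and clients generated from this spec lose the `date-time` typing they had before. Likewise `default: 7 days prior to until` and `default: current time` are not valid values for a string parameter, and `Integer between 0 and 1000` belongs in `minimum`/`maximum`. Move the prose into `description`, keep `format: date-time`, and express the bounds as constraints as below. The `filter` description's "All operators except [ ] are supported" should probably say which operator the brackets stand for.
```yaml
      - name: since
        description: Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries. Defaults to 7 days before `until`.
        in: query
        schema:
          type: string
          format: date-time
      - name: until
        description: Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries. Defaults to the current time.
        in: query
        schema:
          type: string
          format: date-time
      # … unchanged: after, filter, q …
      - name: limit
        description: Sets the number of results that are returned in the response
        in: query
        schema:
          type: integer
          minimum: 0
          maximum: 1000
          default: 100
      # … unchanged: sortOrder …
```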
@@ -10723,6 +14680,11 @@ paths:
type: array
items:
$ref: '#/components/schemas/LogEvent'
+ examples:
+ ListLogs:
+ $ref: '#/components/examples/ListLogs'
+ LogTargetChangeDetails:
+ $ref: '#/components/examples/LogTargetChangeDetails'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -10733,6 +14695,10 @@ paths:
- okta.logs.read
tags:
- SystemLog
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/mappings:
get:
summary: List all Profile Mappings
@@ -10789,6 +14755,10 @@ paths:
- okta.profileMappings.read
tags:
- ProfileMapping
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/mappings/{mappingId}:
parameters:
- $ref: '#/components/parameters/pathMappingId'
@@ -10819,6 +14789,10 @@ paths:
- okta.profileMappings.read
tags:
- ProfileMapping
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
post:
summary: Update a Profile Mapping
description: Updates an existing profile mapping by adding, updating, or removing one or many property mappings
@@ -10868,66 +14842,27 @@ paths:
- okta.profileMappings.manage
tags:
- ProfileMapping
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/meta/layouts/apps/{appName}:
parameters:
- $ref: '#/components/parameters/pathAppName'
- get:
- summary: Retrieve the links for UI schemas for an Application
- description: Retrieves the links for UI schemas for an Application given `appName`
- operationId: getAppUISchemaLinks
- responses:
- '200':
- description: successful operation
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ApplicationLayouts'
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
- '404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - apiToken: []
- - oauth2:
- - okta.schemas.read
- tags:
- - Schema
/api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}:
parameters:
- $ref: '#/components/parameters/pathAppName'
- $ref: '#/components/parameters/pathSection'
- $ref: '#/components/parameters/pathOperation'
- get:
- summary: Retrieve the UI schema for a section
- description: Retrieves the UI schema for an Application given `appName`, `section` and `operation`
- operationId: getAppUISchema
- responses:
- '200':
- description: successful operation
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ApplicationLayout'
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
- '404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - apiToken: []
- - oauth2:
- - okta.schemas.read
- tags:
- - Schema
/api/v1/meta/schemas/apps/{appId}/default:
parameters:
- $ref: '#/components/parameters/pathAppId'
get:
- summary: Retrieve the default Application User Schema for an Application
- description: Retrieves the Schema for an App User
+ summary: Retrieve the default App User Schema for an App
+ description: |-
+ Retrieves the default Schema for an App User.
+
+ The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID.
operationId: getApplicationUserSchema
responses:
'200':
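Review bot: Removing the two `get` operations (L59246–L59268 and L59274–L59296) leaves `/api/v1/meta/layouts/apps/{appName}` and `/api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}` as path items with only a `parameters:` list and no operations (L59243–L59245, L59269–L59273). That is syntactically valid OpenAPI but renders as empty paths, and the `pathSection` and `pathOperation` component parameters may now have no other referrers. If the endpoints are gone, remove the path items too; if they are meant to be hidden while still served, an `x-okta-lifecycle` marker or a comment would explain why the parameters survive. Dropping published operations is a breaking change for generated SDKs and should be called out in the changelog.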
@@ -10948,9 +14883,15 @@ paths:
- okta.schemas.read
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Update the default Application User Schema for an Application
- description: Partially updates on the User Profile properties of the Application User Schema
+ summary: Update the App User Profile Schema for an App
+ description: |-
+ Updates the App User Schema. This updates, adds, or removes one or more custom profile properties or the nullability of a base property in the App User Schema for an app. Changing a base property's nullability (for example, the value of its `required` field) is allowed only if it is nullable in the default predefined Schema for the App.
+
+ The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same App User Schema. Therefore, unlike the User Schema operations, the App User Schema operations all specify `default` and don't accept a Schema ID.
operationId: updateApplicationUserProfile
x-codegen-request-body-name: body
requestBody:
@@ -10986,10 +14927,16 @@ paths:
- okta.schemas.manage
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/meta/schemas/group/default:
get:
summary: Retrieve the default Group Schema
- description: Retrieves the group schema
+ description: |-
+ Retrieves the Group Schema
+
+ The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID.
operationId: getGroupSchema
parameters: []
responses:
@@ -11012,9 +14959,17 @@ paths:
- okta.schemas.read
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Update the default Group Schema
- description: Updates the default group schema. This updates, adds, or removes one or more custom Group Profile properties in the schema.
+ summary: Update the Group Profile Schema
+ description: |-
+ Updates the Group Profile schema. This updates, adds, or removes one or more custom profile properties in a Group Schema. Currently Okta does not support changing base Group Profile properties.
+
+ The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same Group Schema. Unlike User Schema operations, Group Schema operations all specify `default` and don't accept a Schema ID.
+
+ **Note:** Since POST is interpreted as a partial update, you must set properties explicitly to null to remove them from the Schema.
operationId: updateGroupSchema
requestBody:
content:
@@ -11046,10 +15001,13 @@ paths:
- okta.schemas.manage
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/meta/schemas/logStream:
get:
summary: List the Log Stream Schemas
- description: Lists the schema for all log stream types visible for this org
+ description: Lists the Schema for all Log Stream types visible for this org
operationId: listLogStreamSchemas
responses:
'200':
@@ -11073,12 +15031,16 @@ paths:
- okta.logStreams.read
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/meta/schemas/logStream/{logStreamType}:
parameters:
- $ref: '#/components/parameters/pathLogStreamType'
get:
summary: Retrieve the Log Stream Schema for the schema type
- description: Retrieves the schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema.
+ description: Retrieves the Schema for a Log Stream type. The `logStreamType` element in the URL specifies the Log Stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal retrieve the Splunk Cloud type schema.
operationId: getLogStreamSchema
responses:
'200':
@@ -11104,10 +15066,14 @@ paths:
- okta.logStreams.read
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/meta/schemas/user/linkedObjects:
get:
summary: List all Linked Object Definitions
- description: Lists all linked object definitions
+ description: Lists all Linked Object definitions
operationId: listLinkedObjectDefinitions
responses:
'200':
@@ -11118,6 +15084,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/LinkedObject'
+ examples:
+ ListLinkedObjectsEx:
+ $ref: '#/components/examples/ListLinkedObjects'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -11128,9 +15097,12 @@ paths:
- okta.linkedObjects.read
tags:
- LinkedObject
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Linked Object Definition
- description: Creates a linked object definition
+ description: Creates a Linked Object definition
operationId: createLinkedObjectDefinition
x-codegen-request-body-name: linkedObject
requestBody:
@@ -11138,6 +15110,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/LinkedObject'
+ examples:
+ CreateLinkedObjectRequestEx:
+ $ref: '#/components/examples/CreateLinkedObjectRequest'
required: true
responses:
'201':
@@ -11146,10 +15121,22 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/LinkedObject'
+ examples:
+ CreateLinkedObjectResponseEx:
+ $ref: '#/components/examples/CreateLinkedObjectResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
+ '409':
+ description: Conflict
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ErrorInvalidLinkedObjectDefEx:
+ $ref: '#/components/examples/ErrorInvalidLinkedObjectDef'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
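Review bot: The new `409` response at L59461–L59469 is defined inline with its own `description`, schema and example, whereas the sibling 400/403/429 responses on this operation use shared `$ref: '#/components/responses/...'` entries. For consistency and reuse, hoist it into `components/responses` (e.g. an `ErrorConflict409` entry carrying the `Error` schema and the `ErrorInvalidLinkedObjectDef` example) and reference it here as `'409': $ref: '#/components/responses/ErrorConflict409'`. Whether such a component already exists elsewhere in the file isn't visible from this hunk.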
@@ -11158,12 +15145,15 @@ paths:
- okta.linkedObjects.manage
tags:
- LinkedObject
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}:
parameters:
- $ref: '#/components/parameters/pathLinkedObjectName'
get:
summary: Retrieve a Linked Object Definition
- description: Retrieves a linked object definition
+ description: Retrieves a Linked Object definition
operationId: getLinkedObjectDefinition
responses:
'200':
@@ -11172,6 +15162,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/LinkedObject'
+ examples:
+ CreateLinkedObjectResponseEx:
+ $ref: '#/components/examples/CreateLinkedObjectResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -11184,9 +15177,12 @@ paths:
- okta.linkedObjects.read
tags:
- LinkedObject
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Linked Object Definition
- description: Deletes a linked object definition
+ description: Deletes the Linked Object definition specified by either the `primary` or `associated` name. The entire definition is removed, regardless of which name that you specify.
operationId: deleteLinkedObjectDefinition
responses:
'204':
@@ -11204,12 +15200,15 @@ paths:
- okta.linkedObjects.manage
tags:
- LinkedObject
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/meta/schemas/user/{schemaId}:
parameters:
- $ref: '#/components/parameters/pathSchemaId'
get:
summary: Retrieve a User Schema
- description: Retrieves the schema for a Schema Id
+ description: Retrieves the Schema for a User Type
operationId: getUserSchema
responses:
'200':
@@ -11233,9 +15232,15 @@ paths:
- okta.schemas.read
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Update a User Schema
- description: Partially updates on the User Profile properties of the user schema
+ description: |-
+ Updates a User Schema. This updates, adds, or removes one or more profile properties in a User Schema.
+
+ Unlike custom User Profile properties, limited changes are allowed to base User Profile properties (permissions, nullability of the `firstName` and `lastName` properties, or pattern for `login`). A property cannot be removed from the default Schema if it is being referenced as a [matchAttribute](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/) in SAML2 IdPs. Currently, all validation of SAML assertions is only performed against the default user type.
operationId: updateUserProfile
x-codegen-request-body-name: userSchema
requestBody:
@@ -11271,6 +15276,9 @@ paths:
- okta.schemas.manage
tags:
- Schema
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/meta/types/user:
get:
summary: List all User Types
@@ -11298,6 +15306,9 @@ paths:
- okta.userTypes.read
tags:
- UserType
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a User Type
description: |-
@@ -11336,6 +15347,9 @@ paths:
- okta.userTypes.manage
tags:
- UserType
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/meta/types/user/{typeId}:
parameters:
- $ref: '#/components/parameters/pathTypeId'
@@ -11365,10 +15379,13 @@ paths:
- okta.userTypes.read
tags:
- UserType
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Update a User Type
description: |-
- Updates an existing User Type.
+ Updates an existing User Type. This operation is a partial update.
> **Note**: You can only update the `displayName` and `description` elements. The `name` of an existing User Type can't be changed.
operationId: updateUserType
x-codegen-request-body-name: userType
@@ -11405,10 +15422,13 @@ paths:
- okta.userTypes.manage
tags:
- UserType
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a User Type
description: |-
- Replaces an existing User Type.
+ Replaces an existing User Type. This operation is a full update.
> **Note**: The `name` of an existing User Type can't be changed, but must be part of the request body. You can only replace the `displayName` and `description` elements.
operationId: replaceUserType
x-codegen-request-body-name: userType
@@ -11444,6 +15464,9 @@ paths:
- okta.userTypes.manage
tags:
- UserType
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a User Type
description: |-
@@ -11466,6 +15489,9 @@ paths:
- okta.userTypes.manage
tags:
- UserType
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/meta/uischemas:
get:
summary: List all UI Schemas
@@ -11494,6 +15520,11 @@ paths:
- okta.uischemas.read
tags:
- UISchema
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
summary: Create a UI Schema
description: Creates an input for an enrollment form
@@ -11530,6 +15561,11 @@ paths:
- okta.uischemas.manage
tags:
- UISchema
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/meta/uischemas/{id}:
parameters:
- $ref: '#/components/parameters/UISchemaId'
@@ -11560,6 +15596,11 @@ paths:
- okta.uischemas.read
tags:
- UISchema
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
put:
summary: Replace a UI Schema
description: Replaces a UI Schema by `id`
@@ -11598,6 +15639,11 @@ paths:
- okta.uischemas.manage
tags:
- UISchema
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
summary: Delete a UI Schema
description: Deletes a UI Schema by `id`
@@ -11620,10 +15666,15 @@ paths:
- okta.uischemas.manage
tags:
- UISchema
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/org:
get:
- summary: Retrieve the Org Settings
- description: Retrieves the org settings
+ summary: Retrieve the Org General Settings
+ description: Retrieves the Org General Settings
operationId: getOrgSettings
parameters: []
responses:
@@ -11633,6 +15684,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgSetting'
+ examples:
+ example-1:
+ $ref: '#/components/examples/OrgSettingResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -11642,16 +15696,22 @@ paths:
- oauth2:
- okta.orgs.read
tags:
- - OrgSetting
+ - OrgSettingGeneral
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Update the Org Settings
- description: Partially updates the org settings depending on provided fields
+ summary: Update the Org General Settings
+ description: Updates partial Org General Settings
operationId: updateOrgSettings
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OrgSetting'
+ examples:
+ example-1:
+ $ref: '#/components/examples/UpdateOrgSettingEx'
responses:
'200':
description: Success
@@ -11659,6 +15719,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgSetting'
+ examples:
+ example-1:
+ $ref: '#/components/examples/OrgSettingResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -11670,10 +15733,13 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingGeneral
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Replace the Org Settings
- description: Replaces the settings of your organization
+ summary: Replace the Org General Settings
+ description: Replaces the Org General Settings for your Okta org
operationId: replaceOrgSettings
x-codegen-request-body-name: orgSetting
requestBody:
@@ -11681,6 +15747,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgSetting'
+ examples:
+ example-1:
+ $ref: '#/components/examples/UpdateOrgSettingEx'
required: true
responses:
'200':
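Review bot: The request example for the PUT `replaceOrgSettings` references the same `UpdateOrgSettingEx` that the partial POST update uses, yet this operation is documented as a full replacement, so a partial-looking example invites callers to send a subset and have every omitted setting cleared. If `UpdateOrgSettingEx` is a partial body (its definition is outside this hunk), add a separate example with every `OrgSetting` field populated and point the PUT at it, e.g. `$ref: '#/components/examples/ReplaceOrgSettingEx'`. The same example is also reused for the 200 responses, which is fine since a response carries the full object.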
@@ -11689,6 +15758,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgSetting'
+ examples:
+ example-1:
+ $ref: '#/components/examples/OrgSettingResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -11700,12 +15772,15 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingGeneral
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/captcha:
get:
summary: Retrieve the Org-wide CAPTCHA Settings
description: |-
- Retrieves the CAPTCHA settings object for your organization.
+ Retrieves the CAPTCHA settings object for your organization
> **Note**: If the current organization hasn't configured CAPTCHA Settings, the request returns an empty object.
operationId: getOrgCaptchaSettings
responses:
@@ -11730,10 +15805,15 @@ paths:
- okta.captchas.read
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
put:
summary: Replace the Org-wide CAPTCHA Settings
description: |-
- Replaces the CAPTCHA settings object for your organization.
+ Replaces the CAPTCHA settings object for your organization
> **Note**: You can disable CAPTCHA for your organization by setting `captchaId` and `enabledPages` to `null`.
operationId: replacesOrgCaptchaSettings
requestBody:
@@ -11779,6 +15859,11 @@ paths:
- okta.captchas.manage
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
summary: Delete the Org-wide CAPTCHA Settings
description: Deletes the CAPTCHA settings object for your organization
@@ -11798,11 +15883,16 @@ paths:
- okta.captchas.manage
tags:
- CAPTCHA
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/org/contacts:
get:
- summary: Retrieve the Org Contact Types
- description: Retrieves Contact Types of your organization
- operationId: getOrgContactTypes
+ summary: List all Org Contact Types
+ description: Lists all Org Contact Types for your Okta org
+ operationId: listOrgContactTypes
parameters: []
responses:
'200':
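Review bot: Changing `operationId` from `getOrgContactTypes` to `listOrgContactTypes` renames the generated method in every SDK built from this spec, so it is a breaking change for consumers even though the path, scopes and behaviour are unchanged. If the rename is intentional, record the old identifier where consumers will find it (a changelog entry, or a vendor extension such as `x-okta-deprecated-operationId: getOrgContactTypes` if the project maintains one). The same applies to `setOrgHideOktaUIFooter` and `setOrgShowOktaUIFooter` later in this diff.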
@@ -11813,6 +15903,9 @@ paths:
items:
$ref: '#/components/schemas/OrgContactTypeObj'
type: array
+ examples:
+ orgContactTypeEx:
+ $ref: '#/components/examples/orgContactTypeResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -11822,13 +15915,16 @@ paths:
- oauth2:
- okta.orgs.read
tags:
- - OrgSetting
+ - OrgSettingContact
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/contacts/{contactType}:
parameters:
- $ref: '#/components/parameters/pathContactType'
get:
- summary: Retrieve the User of the Contact Type
- description: Retrieves the URL of the User associated with the specified Contact Type
+ summary: Retrieve the Contact Type User
+ description: Retrieves the ID and the User resource associated with the specified Contact Type
operationId: getOrgContactUser
responses:
'200':
@@ -11837,6 +15933,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgContactUser'
+ examples:
+ contactTypeUserEx:
+ $ref: '#/components/examples/orgContactUserResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -11848,9 +15947,12 @@ paths:
- oauth2:
- okta.orgs.read
tags:
- - OrgSetting
+ - OrgSettingContact
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Replace the User of the Contact Type
+ summary: Replace the Contact Type User
description: Replaces the User associated with the specified Contact Type
operationId: replaceOrgContactUser
x-codegen-request-body-name: orgContactUser
@@ -11859,6 +15961,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgContactUser'
+ examples:
+ contactTypeUserEx:
+ summary: Contact User
+ value:
+ userId: 00ux3u0ujW1r5AfZC1d7
required: true
responses:
'200':
@@ -11867,6 +15974,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgContactUser'
+ examples:
+ contactTypeUserEx:
+ $ref: '#/components/examples/orgContactUserResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -11880,11 +15990,20 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingContact
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/email/bounces/remove-list:
post:
- summary: Remove Emails from Email Provider Bounce List
- description: Removes a list of email addresses to be removed from the set of email addresses that are bounced
+ summary: Remove Bounced Emails
+ description: |
+ Removes emails from an email service bounce list.
+
+ The emails submitted in this operation are removed from the bounce list by an asynchronous job.
+ Any email address that passes validation is accepted for the removal process, even if there are other email addresses in the request that failed validation.
+
+ > **Note:** If there are validation errors for all email addresses, a `200 OK` HTTP status is still returned.
operationId: bulkRemoveEmailAddressBounces
requestBody:
content:
@@ -11893,6 +16012,7 @@ paths:
$ref: '#/components/schemas/BouncesRemoveListObj'
examples:
example-1:
+ summary: Request example
value:
emailAddresses:
- name@company.com
@@ -11900,13 +16020,14 @@ paths:
- name@okta@com
responses:
'200':
- description: Deletes the provided list of emails from the set of email addresses that are bounced so that the provider resumes sending emails to those addresses.
+ description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/BouncesRemoveListResult'
examples:
example-1:
+ summary: Response example
value:
errors:
- emailAddress: unknown.email@okta.com
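Review bot: The 200 `description` was reduced from an explanatory sentence to `OK`, which drops the one fact a caller must know at the response level: this status is returned even when every submitted address failed validation, so success can only be established by inspecting the `errors` array. Response descriptions are what SDK doc generators surface next to the return type, so restate it there, e.g. `description: Accepted for asynchronous removal. Check the errors array, since a 200 is returned even when no address passed validation`. The operation-level description in the preceding hunk already says this, but the response text should not contradict it by implying plain success.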
@@ -11924,22 +16045,207 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - EmailCustomization
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/org/factors/yubikey_token/tokens:
+ parameters:
+ - name: after
+ in: query
+ description: Specifies the pagination cursor for the next page of tokens
+ schema:
+ type: string
+ - name: expand
+ in: query
+ description: Embeds the [User](/openapi/okta-management/management/tag/User/) resource if the YubiKey Token is assigned to a user and `expand` is set to `user`
+ schema:
+ type: string
+ - name: filter
+ in: query
+ description: The expression used to filter tokens
+ schema:
+ type: string
+ enum:
+ - profile.email
+ - profile.serial
+ - activated
+ - user.id
+ - created
+ - status
+ - lastVerified
+ - name: forDownload
+ in: query
+ description: Returns tokens in a CSV to download instead of in the response. When you use this query parameter, the `limit` default changes to 1000.
+ schema:
+ type: boolean
+ default: false
+ - name: limit
+ in: query
+ description: Specifies the number of results per page
+ schema:
+ type: integer
+ default: 20
+ maximum: 200
+ - name: sortBy
+ in: query
+ description: The value of how the tokens are sorted
+ schema:
+ type: string
+ enum:
+ - profile.email
+ - profile.serial
+ - activated
+ - user.id
+ - created
+ - status
+ - lastVerified
+ - name: sortOrder
+ in: query
+ description: Specifies the sort order, either `ASC` or `DESC`
+ schema:
+ type: string
+ enum:
+ - ASC
+ - DESC
+ get:
+ summary: List all YubiKey OTP Tokens
+ description: Lists all YubiKey OTP Tokens
+ operationId: listYubikeyOtpTokens
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/UserFactorYubikeyOtpToken'
+ examples:
+ ListYubikeyOptTokensResponse:
+ $ref: '#/components/examples/ListYubikeyOptTokensResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.read
+ tags:
+ - UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Upload a YubiKey OTP Seed
+ description: Uploads a seed for a user to enroll a YubiKey OTP
+ operationId: uploadYubikeyOtpTokenSeed
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ serialNumber:
+ type: string
+ description: The unique identifier assigned to each YubiKey device
+ publicId:
+ type: string
+ description: The Yubikey's public ID
+ privateId:
+ type: string
+ description: The Yubikey's private ID
+ aesKey:
+ type: string
+ description: The cryptographic key used in the AES algorithm to encrypt and decrypt YubiKey OTP
+ examples:
+ uploadYubikeyOtpSeedRequest:
+ $ref: '#/components/examples/UploadYubikeyTokenSeedRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserFactorYubikeyOtpToken'
+ examples:
+ yubikeyToken:
+ $ref: '#/components/examples/UploadYubikeyTokenSeedResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.manage
+ tags:
+ - UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/org/factors/yubikey_token/tokens/{tokenId}:
+ parameters:
+ - $ref: '#/components/parameters/yubikeyTokenId'
+ get:
+ summary: Retrieve a YubiKey OTP Token
+ description: Retrieves the specified YubiKey OTP Token by `id`
+ operationId: getYubikeyOtpTokenById
+ parameters:
+ - name: tokenId
+ in: path
+ required: true
+ description: The YubikeyOTP token ID
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserFactorYubikeyOtpToken'
+ examples:
+ Token:
+ $ref: '#/components/examples/GetYubikeyOptTokenResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.read
+ tags:
+ - UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/logo:
post:
summary: Upload the Org Logo
- description: Uploads and replaces the logo for your organization. The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling.
+ description: Uploads and replaces the logo for your organization
operationId: uploadOrgLogo
requestBody:
content:
multipart/form-data:
schema:
- description: The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling.
type: object
properties:
file:
type: string
format: binary
+ description: The file must be in PNG, JPG, or GIF format and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling.
required:
- file
description: logo file
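Review bot: The `privateId` and `aesKey` properties of the `uploadYubikeyOtpTokenSeed` body are long-lived secret material for the token, but they carry neither `writeOnly: true` nor `format: password`, so reference renderers and generated SDKs treat them like any other string, and nothing states whether the 200 response (`UserFactorYubikeyOtpToken`, defined outside this hunk) echoes them. Add `writeOnly: true` and `format: password` to both, and a description sentence that says whether they are ever returned (presumably not) and that request bodies for this call must not be logged. Separately, `limit` declares `maximum: 200` while the `forDownload` description says the default becomes 1000, so one of the two is wrong, and the `filter` parameter's `enum` lists bare field names although a filter value is an expression, which will make strict clients reject valid filters. The org logo `multipart/form-data` schema at the end of this hunk continues past it.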
@@ -11957,11 +16263,78 @@ paths:
- oauth2:
- okta.apps.manage
tags:
- - OrgSetting
+ - OrgSettingCustomization
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/org/orgSettings/thirdPartyAdminSetting:
+ get:
+ summary: Retrieve the Org Third-Party Admin Setting
+ description: Retrieves the Third-Party Admin Setting. See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation.
+ operationId: getThirdPartyAdminSetting
+ parameters: []
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ThirdPartyAdminSetting'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.read
+ tags:
+ - OrgSettingAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Update the Org Third-Party Admin Setting
+ description: |
+ Updates the Third-Party Admin Setting.
+ This setting allows third-party admins to perform administrative actions in the Admin Console, but they can't do any of the following:
+ * Receive Okta admin email notifications
+ * Contact Okta support
+ * Sign in to the Okta Help Center
+
+ See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation.
+ operationId: updateThirdPartyAdminSetting
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ThirdPartyAdminSetting'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ThirdPartyAdminSetting'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - OrgSettingAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/preferences:
get:
summary: Retrieve the Org Preferences
- description: Retrieves preferences of your organization
+ description: Retrieves preferences of your Okta org
operationId: getOrgPreferences
parameters: []
responses:
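Review bot: `updateThirdPartyAdminSetting` takes a required JSON body but declares no `400` response, whereas the other body-carrying updates in this file (`updateOrgSettings`, `replaceOrgContactUser`) reference `ErrorApiValidationFailed400`; add `'400': $ref: '#/components/responses/ErrorApiValidationFailed400'` under `responses`. A request example for `ThirdPartyAdminSetting` would also help, since this setting changes what administrators can do and the schema itself is not shown here. The `getOrgPreferences` operation at the end of the hunk continues outside it.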
@@ -11971,6 +16344,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgPreferences'
+ examples:
+ retrieveOrgPrefEx:
+ $ref: '#/components/examples/orgShowFooterPrefResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -11980,12 +16356,15 @@ paths:
- oauth2:
- okta.orgs.read
tags:
- - OrgSetting
+ - OrgSettingCustomization
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/preferences/hideEndUserFooter:
post:
- summary: Update the Preference to Hide the Okta Dashboard Footer
- description: Updates the preference hide the Okta UI footer for all end users of your organization
- operationId: updateOrgHideOktaUIFooter
+ summary: Set the Hide Dashboard Footer Preference
+ description: Sets the preference to hide the Okta UI footer for all end users of your org
+ operationId: setOrgHideOktaUIFooter
parameters: []
responses:
'200':
@@ -11994,6 +16373,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgPreferences'
+ examples:
+ hideOrgPrefEx:
+ $ref: '#/components/examples/orgHideFooterPrefResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -12003,12 +16385,15 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingCustomization
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/preferences/showEndUserFooter:
post:
- summary: Update the Preference to Show the Okta Dashboard Footer
- description: Updates the preference to show the Okta UI footer for all end users of your organization
- operationId: updateOrgShowOktaUIFooter
+ summary: Set the Show Dashboard Footer Preference
+ description: Sets the preference to show the Okta UI footer for all end users of your org
+ operationId: setOrgShowOktaUIFooter
parameters: []
responses:
'200':
@@ -12017,6 +16402,151 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgPreferences'
+ examples:
+ showOrgPrefEx:
+ $ref: '#/components/examples/orgShowFooterPrefResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - OrgSettingCustomization
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/org/privacy/aerial:
+ get:
+ summary: Retrieve Okta Aerial consent for your Org
+ description: Retrieves the Okta Aerial consent grant details for your Org. Returns a 404 Not Found error if no consent has been granted.
+ operationId: getAerialConsent
+ parameters: []
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrgAerialConsentDetails'
+ examples:
+ example-read-grant-response:
+ $ref: '#/components/examples/AerialConsentDetails'
+ '400':
+ description: Can't complete request due to errors
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ example-no-already-present-response:
+ $ref: '#/components/examples/AerialGrantAlreadyPresentErrorResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ description: Consent hasn't been given and there are no grants to any Aerial Accounts
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ example-no-grant-found-response:
+ $ref: '#/components/examples/AerialGrantNotFoundResponse'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - OrgSettingSupport
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/org/privacy/aerial/grant:
+ post:
+ summary: Grant Okta Aerial access to your Org
+ description: Grants an Okta Aerial account access to your Org. If the org is a child org, consent is taken from the parent org. Grant calls directly to the child are not allowed.
+ operationId: grantAerialConsent
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrgAerialConsent'
+ examples:
+ example-grant-call:
+ description: Request body to grant an Okta Aerial account access to your Org
+ value:
+ accountId: 0200bs0617vvhv2v675mch1cukp
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrgAerialConsentDetails'
+ examples:
+ example-grant-success-response:
+ $ref: '#/components/examples/AerialConsentDetails'
+ '400':
+ description: Can't complete request due to errors
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ example-invalid-account-id:
+ $ref: '#/components/examples/AerialConsentInvalidAccountIdResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - OrgSettingSupport
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/org/privacy/aerial/revoke:
+ post:
+ summary: Revoke Okta Aerial access to your Org
+ description: Revokes access of an Okta Aerial account to your Org. The revoke operation will fail if the org has already been added to an Aerial account.
+ operationId: revokeAerialConsent
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrgAerialConsent'
+ examples:
+ example-revoke-request:
+ description: Request body for revoking an Okta Aerial account
+ value:
+ accountId: 0200bs0617vvhv2v675mch1cukp
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrgAerialConsentRevoked'
+ '400':
+ description: Can't complete request due to errors
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ example-org-is-linked:
+ $ref: '#/components/examples/AerialConsentOrgAlreadyLinkedResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
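Review bot: `getAerialConsent` is a read but its `oauth2` requirement is `okta.orgs.manage`, while every other GET under `/api/v1/org` in this file uses `okta.orgs.read`, so an integration that only needs to check consent status is forced to hold the manage scope, contrary to least privilege. If the manage scope is deliberate because the grant details are sensitive, say so in the description, e.g. `Requires the okta.orgs.manage scope even for reads.`; otherwise change the scope to `okta.orgs.read`. The `400` branch on this GET, with example `AerialGrantAlreadyPresentErrorResponse`, also looks copied from the grant operation, since a read has no reason to report that a grant already exists. The revoke operation's `403`/`429` entries continue outside the hunk.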
@@ -12026,11 +16556,15 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingSupport
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/org/privacy/oktaCommunication:
get:
summary: Retrieve the Okta Communication Settings
- description: Retrieves Okta Communication Settings of your organization
+ description: Retrieves Okta Communication Settings of your org
operationId: getOktaCommunicationSettings
parameters: []
responses:
@@ -12040,6 +16574,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgOktaCommunicationSetting'
+ examples:
+ retrieveOktaCommSettingsEx:
+ $ref: '#/components/examples/orgCommunicationOptOutResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -12049,11 +16586,14 @@ paths:
- oauth2:
- okta.orgs.read
tags:
- - OrgSetting
+ - OrgSettingCommunication
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/privacy/oktaCommunication/optIn:
post:
- summary: Opt in all Users to Okta Communication emails
- description: Opts in all users of this org to Okta Communication emails
+ summary: Opt in to Okta User Communication Emails
+ description: Opts in all users of this org to Okta communication emails
operationId: optInUsersToOktaCommunicationEmails
parameters: []
responses:
@@ -12063,6 +16603,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgOktaCommunicationSetting'
+ examples:
+ optInOktaCommSettingsEx:
+ $ref: '#/components/examples/orgCommunicationOptInResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -12072,11 +16615,14 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingCommunication
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/privacy/oktaCommunication/optOut:
post:
- summary: Opt out all Users from Okta Communication emails
- description: Opts out all users of this org from Okta Communication emails
+ summary: Opt out of Okta User Communication Emails
+ description: Opts out all users of this org from Okta communication emails
operationId: optOutUsersFromOktaCommunicationEmails
parameters: []
responses:
@@ -12086,6 +16632,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgOktaCommunicationSetting'
+ examples:
+ optOutOktaCommSettingsEx:
+ $ref: '#/components/examples/orgCommunicationOptOutResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -12095,11 +16644,14 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingCommunication
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/privacy/oktaSupport:
get:
summary: Retrieve the Okta Support Settings
- description: Retrieves Okta Support Settings of your organization
+ description: Retrieves Okta Support Settings for your org
operationId: getOrgOktaSupportSettings
parameters: []
responses:
@@ -12109,6 +16661,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgOktaSupportSettingsObj'
+ examples:
+ RetrieveOktaSupportEx:
+ $ref: '#/components/examples/orgSupportSettingsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -12118,7 +16673,10 @@ paths:
- oauth2:
- okta.orgs.read
tags:
- - OrgSetting
+ - OrgSettingSupport
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/privacy/oktaSupport/extend:
post:
summary: Extend Okta Support Access
@@ -12132,6 +16690,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgOktaSupportSettingsObj'
+ examples:
+ ExtendOktaSupportEx:
+ $ref: '#/components/examples/orgSupportSettingsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -12141,10 +16702,13 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingSupport
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/privacy/oktaSupport/grant:
post:
- summary: Grant Okta Support Access to your Org
+ summary: Grant Okta Support Access
description: Grants Okta Support temporary access your org as an administrator for eight hours
operationId: grantOktaSupport
parameters: []
@@ -12155,6 +16719,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgOktaSupportSettingsObj'
+ examples:
+ GrantOktaSupportEx:
+ $ref: '#/components/examples/orgSupportSettingsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -12164,11 +16731,14 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
+ - OrgSettingSupport
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/org/privacy/oktaSupport/revoke:
post:
summary: Revoke Okta Support Access
- description: Revokes Okta Support access to your organization
+ description: Revokes Okta Support access to your org
operationId: revokeOktaSupport
parameters: []
responses:
@@ -12178,6 +16748,64 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/OrgOktaSupportSettingsObj'
+ examples:
+ RevokeOktaSupportEx:
+ $ref: '#/components/examples/orgSupportSettingsRevokeResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - OrgSettingSupport
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/org/settings/clientPrivilegesSetting:
+ get:
+ summary: Retrieve the Default Public Client App Role Setting
+ description: Retrieves the org setting to assign the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) to new public client apps
+ operationId: getClientPrivilegesSetting
+ parameters: []
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ClientPrivilegesSetting'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.read
+ tags:
+ - OrgSettingAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Assign the Default Public Client App Role Setting
+ description: Assigns the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) as the default role for new public client apps
+ operationId: assignClientPrivilegesSetting
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ClientPrivilegesSetting'
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ClientPrivilegesSetting'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
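Review bot: `assignClientPrivilegesSetting` is a PUT whose body controls whether new public client apps receive the Super Admin role, yet its `requestBody` lacks `required: true` (unlike `replaceOrgSettings` and `replaceOrgContactUser`) and no `400` is declared for an invalid body; add `required: true` after the `content` block and `'400': $ref: '#/components/responses/ErrorApiValidationFailed400'`. The PUT description reads as if the call unconditionally assigns Super Admin; if the `ClientPrivilegesSetting` body carries a flag (its schema is outside this hunk), word it as `Sets whether the Super Admin role is assigned by default to new public client apps` and add a caution that enabling it gives every newly created public client full org administration. The `security` and `tags` of this PUT continue outside the hunk.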
@@ -12187,8 +16815,58 @@ paths:
- oauth2:
- okta.orgs.manage
tags:
- - OrgSetting
-# Policy Begin
+ - OrgSettingAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/orgs:
+ post:
+ summary: Create an org
+ description: |-
+ Creates an org (child org) that has the same features as the current requesting org (parent org).
+ A child org inherits any new features added to the parent org, but new features added to the child org aren't propagated back to the parent org.
+ > **Notes:**
+ > * Some features associated with products, such as Atspoke, Workflows, and Okta Identity Governance, aren't propagated to the child org.
+ > * Wait at least 30 seconds after a 201-Created response before you make API requests to the new child org.
+ > * For rate limits, see [Org creation rate limits](https://developer.okta.com/docs/reference/rl-additional-limits/#org-creation-rate-limits).
+ operationId: createChildOrg
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ChildOrg'
+ examples:
+ CreateChildOrg:
+ $ref: '#/components/examples/CreateChildOrgRequestEx'
+ responses:
+ '201':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ChildOrg'
+ examples:
+ CreateChildOrg:
+ $ref: '#/components/examples/CreateChildOrgResponseEx'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ '500':
+ $ref: '#/components/responses/ErrorInternalServer500'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - OrgCreator
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies:
get:
summary: List all Policies
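Review bot: `createChildOrg` is the only operation in this file that declares `401` and `500` responses; either those belong on the sibling operations as well or they should be dropped here, since generated clients treat declared and undeclared responses differently and the inconsistency will surface in SDK surfaces. Because the call runs under the parent's `okta.orgs.manage` credential and returns a `ChildOrg` whose schema and `CreateChildOrgResponseEx` are not visible here, a one-line note on what administrative identity or credentials the 201 body contains, and that the new org is administrable by the caller, would help readers handle that material safely. The `/api/v1/policies` operation that begins at the end of this hunk continues outside it.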
@@ -12200,24 +16878,67 @@ paths:
required: true
schema:
type: string
+ enum:
+ - OKTA_SIGN_ON
+ - PASSWORD
+ - MFA_ENROLL
+ - IDP_DISCOVERY
+ - ACCESS_POLICY
+ - PROFILE_ENROLLMENT
+ - POST_AUTH_SESSION
+ - ENTITY_RISK
+ description: Specifies the type of policy to return. The following policy types are available only with the Okta Identity Engine - `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`.
- name: status
in: query
schema:
type: string
+ description: Refines the query by the `status` of the policy - `ACTIVE` or `INACTIVE`
+ - name: q
+ in: query
+ schema:
+ type: string
+ description: Refines the query by policy name prefix (startWith method) passed in as `q=string`
- name: expand
in: query
schema:
type: string
default: ''
+ - name: sortBy
+ in: query
+ schema:
+ type: string
+ description: Refines the query by sorting on the policy `name` in ascending order
+ - name: limit
+ in: query
+ schema:
+ type: string
+ description: Defines the number of policies returned, see [Pagination](https://developer.okta.com/docs/api/#pagination)
+ - name: resourceId
+ in: query
+ schema:
+ type: string
+ description: Reference to the associated authorization server
+ - name: after
+ in: query
+ schema:
+ type: string
+ description: End page cursor for pagination, see [Pagination](https://developer.okta.com/docs/api/#pagination)
responses:
'200':
description: Success
content:
application/json:
schema:
- type: array
- items:
- $ref: '#/components/schemas/Policy'
+ $ref: '#/components/schemas/Policy'
+ examples:
+ password:
+ $ref: '#/components/examples/password-policy-response'
+ mfa-enroll:
+ $ref: '#/components/examples/mfa-enroll-policy-response'
+ idp-discovery:
+ $ref: '#/components/examples/idp-discovery-policy-response'
+ profile-enrollment:
+ $ref: '#/components/examples/profile-enrollment-policy-response'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
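Review bot: The 200 response of `List all Policies` was changed from an array of `Policy` to a single `$ref: '#/components/schemas/Policy'`, which no longer matches a list operation and will make generated clients mis-deserialize the array the server returns; restore `type: array` / `items:` / `$ref: '#/components/schemas/Policy'` under `schema:` and keep the named examples. The new `limit` parameter is declared inline as `type: string`, while the same parameter is referenced as `#/components/parameters/limitParameter` on the rules path later in this diff and declared as an integer for the realm endpoints; reusing `- $ref: '#/components/parameters/limitParameter'` keeps the type and description in one place. The `after` cursor parameter is also typed as a free-form string, which is fine, but its description should say it is opaque so callers do not construct it.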
@@ -12228,12 +16949,16 @@ paths:
- okta.policies.read
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Policy
- description: Creates a policy
+ description: Creates a policy. There are many types of policies that you can create. See [Policies](https://developer.okta.com/docs/concepts/policies/) for an overview of the types of policies available and then links to more indepth information.
operationId: createPolicy
parameters:
- name: activate
+ description: This query parameter is only valid for Classic Engine orgs.
in: query
schema:
type: boolean
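Review bot: The new `description` for the `activate` query parameter says it is only valid for Classic Engine orgs but not what an Identity Engine org does with it, so a caller cannot tell whether the parameter is ignored or rejected; consider `This query parameter is only valid for Classic Engine orgs. Identity Engine orgs ignore it.` (or the error behaviour, whichever applies). The expanded `createPolicy` description has a typo: `indepth` should be `in-depth`.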
@@ -12252,6 +16977,15 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Policy'
+ examples:
+ password:
+ $ref: '#/components/examples/password-policy-response'
+ mfa-enroll:
+ $ref: '#/components/examples/mfa-enroll-policy-response'
+ idp-discovery:
+ $ref: '#/components/examples/idp-discovery-policy-response'
+ profile-enrollment:
+ $ref: '#/components/examples/profile-enrollment-policy-response'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -12264,6 +16998,57 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/policies/simulate:
+ parameters:
+ - $ref: '#/components/parameters/simulateParameter'
+ post:
+ summary: Create a Policy Simulation
+ description: |-
+ Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration.
+ The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow.
+ operationId: createPolicySimulation
+ x-codegen-request-body-name: simulatePolicy
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/SimulatePolicyBody'
+ examples:
+ SimulatePolicy:
+ $ref: '#/components/examples/SimulatePolicyBody'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SimulatePolicyResponse'
+ examples:
+ SimulatePolicy:
+ $ref: '#/components/examples/SimulatePolicyResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.policies.read
+ tags:
+ - Policy
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
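Review bot: The relocated `createPolicySimulation` operation has a required request body but lists no `'400'` response, while every neighbouring operation with a body maps validation failures to `ErrorApiValidationFailed400`; add `'400':` / `$ref: '#/components/responses/ErrorApiValidationFailed400'` between `'200'` and `'403'`. The status code change from `'204'` to `'200'` in the moved block is correct, since a 204 cannot carry the `SimulatePolicyResponse` content that the old definition declared. The old copy of this block is removed further down in this diff (hunk at `@@ -12816,49 +17773,9 @@`), so the operation is defined only once after the change.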
/api/v1/policies/{policyId}:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12284,6 +17069,15 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Policy'
+ examples:
+ password:
+ $ref: '#/components/examples/password-policy-response'
+ mfa-enroll:
+ $ref: '#/components/examples/mfa-enroll-policy-response'
+ idp-discovery:
+ $ref: '#/components/examples/idp-discovery-policy-response'
+ profile-enrollment:
+ $ref: '#/components/examples/profile-enrollment-policy-response'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -12296,6 +17090,9 @@ paths:
- okta.policies.read
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Policy
description: Replaces the properties of a Policy identified by `policyId`
@@ -12314,6 +17111,15 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Policy'
+ examples:
+ password:
+ $ref: '#/components/examples/password-policy-response'
+ mfa-enroll:
+ $ref: '#/components/examples/mfa-enroll-policy-response'
+ idp-discovery:
+ $ref: '#/components/examples/idp-discovery-policy-response'
+ profile-enrollment:
+ $ref: '#/components/examples/profile-enrollment-policy-response'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -12328,6 +17134,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Policy
description: Deletes a policy
@@ -12347,6 +17156,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/app:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12379,6 +17191,9 @@ paths:
- okta.policies.read
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/clone:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12393,6 +17208,15 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/Policy'
+ examples:
+ password:
+ $ref: '#/components/examples/password-policy-response'
+ mfa-enroll:
+ $ref: '#/components/examples/mfa-enroll-policy-response'
+ idp-discovery:
+ $ref: '#/components/examples/idp-discovery-policy-response'
+ profile-enrollment:
+ $ref: '#/components/examples/profile-enrollment-policy-response'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -12407,6 +17231,11 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/policies/{policyId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12430,6 +17259,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12453,6 +17285,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/mappings:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12469,6 +17304,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/PolicyMapping'
+ examples:
+ policy-mapping-response:
+ $ref: '#/components/examples/policy-mapping-list-response'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -12481,6 +17319,9 @@ paths:
- okta.policies.read
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Map a resource to a Policy
description: Maps a resource to a Policy identified by `policyId`
@@ -12498,6 +17339,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/PolicyMapping'
+ examples:
+ policy-mapping-response:
+ $ref: '#/components/examples/policy-mapping-response'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -12512,6 +17356,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/mappings/{mappingId}:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12527,6 +17374,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/PolicyMapping'
+ examples:
+ policy-mapping-response:
+ $ref: '#/components/examples/policy-mapping-response'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -12539,6 +17389,9 @@ paths:
- okta.policies.read
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a policy resource Mapping
description: Deletes the resource Mapping for a Policy identified by `policyId` and `mappingId`
@@ -12559,9 +17412,13 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/rules:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
+ - $ref: '#/components/parameters/limitParameter'
get:
summary: List all Policy Rules
description: Lists all policy rules
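Review bot: The new `- $ref: '#/components/parameters/limitParameter'` is added to the path-level `parameters` of `/api/v1/policies/{policyId}/rules`, so it is advertised on every operation of the path, including the `post` that creates a rule, where a `limit` query parameter has no meaning. Move the line under the `get` operation's own `parameters:` list (that list, if it exists, is outside this hunk). Path-level parameters should be limited to the `pathPolicyId` reference that every operation actually uses.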
@@ -12575,6 +17432,17 @@ paths:
type: array
items:
$ref: '#/components/schemas/PolicyRule'
+ examples:
+ okta-sign-on:
+ $ref: '#/components/examples/list-all-sign-on-policy-rule-response'
+ password:
+ $ref: '#/components/examples/list-all-password-policy-rule-response'
+ idp-discovery:
+ $ref: '#/components/examples/list-all-idp-discovery-policy-rule-response'
+ mfa-enroll:
+ $ref: '#/components/examples/list-all-mfa-enroll-policy-rule-response'
+ profile-enrollment:
+ $ref: '#/components/examples/list-all-profile-enrollment-policy-rule-response'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -12587,10 +17455,23 @@ paths:
- okta.policies.read
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Policy Rule
- description: Creates a policy rule
+ description: |-
+ Creates a policy rule
+
+ > **Note:** You can't create additional rules for the `PROFILE_ENROLLMENT` or `POST_AUTH_SESSION` policies.
operationId: createPolicyRule
+ parameters:
+ - name: activate
+ description: Set this parameter to `false` to create an `INACTIVE` rule.
+ in: query
+ schema:
+ type: boolean
+ default: true
x-codegen-request-body-name: policyRule
requestBody:
content:
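Review bot: The new `activate` parameter on `createPolicyRule` documents the `false` case but, unlike the `activate` parameter on `createPolicy` earlier in this diff (`This query parameter is only valid for Classic Engine orgs.`), says nothing about engine applicability; if the same restriction holds for rules, state it in the description, and if it does not, a short `Applies to both Classic Engine and Identity Engine orgs.` would prevent readers from assuming it. The expanded description's note about `PROFILE_ENROLLMENT` and `POST_AUTH_SESSION` policies is useful; it would be worth saying which error the API returns in that case if it is known.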
@@ -12604,17 +17485,28 @@ paths:
$ref: '#/components/examples/sspr-enabled-sso-step-up'
EnableSsprNoStepUp:
$ref: '#/components/examples/sspr-enabled-no-step-up'
+ EnableSsprOAMP:
+ $ref: '#/components/examples/sspr-enabled-OAMP'
Enable2FAPreciseAuth:
- $ref: "#/components/examples/twofa-enabled-disallow-password-allow-phishing"
+ $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing'
EnableSpecificRoutingRule:
- $ref: "#/components/examples/idp-discovery-specific-routing-rule"
+ $ref: '#/components/examples/idp-discovery-specific-routing-rule'
EnableDynamicRoutingRule:
- $ref: "#/components/examples/idp-discovery-dynamic-routing-rule"
- x-okta-feature-flag-amends:
- IDX_SSPR_EXTENDED_PRIMARY_FACTORS:
- examples:
- EnableSsprWithConstraints:
- $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints'
+ $ref: '#/components/examples/idp-discovery-dynamic-routing-rule'
+ CreateAuthPolicyRuleDevicePlatformCondition:
+ $ref: '#/components/examples/create-auth-policy-rule-condition'
+ SignOnPolicy:
+ $ref: '#/components/examples/sign-on-policy-rule'
+ SkipFactorChallengeOnPremRule:
+ $ref: '#/components/examples/skip-factor-challenge-on-prem-rule'
+ RadiusRule:
+ $ref: '#/components/examples/radius-rule'
+ CloudRule:
+ $ref: '#/components/examples/cloud-rule'
+ DenyRule:
+ $ref: '#/components/examples/deny-rule'
+ EnableSsprWithConstraints:
+ $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints'
required: true
responses:
'200':
@@ -12630,17 +17522,28 @@ paths:
$ref: '#/components/examples/sspr-enabled-sso-step-up-response'
EnableSsprNoStepUp:
$ref: '#/components/examples/sspr-enabled-no-step-up-response'
+ EnableSsprWithOAMP:
+ $ref: '#/components/examples/sspr-enabled-OAMP-response'
Enable2FAPreciseAuth:
$ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing-response'
EnableSpecificRoutingRule:
- $ref: "#/components/examples/idp-discovery-specific-routing-rule-response"
+ $ref: '#/components/examples/idp-discovery-specific-routing-rule-response'
EnableDynamicRoutingRule:
- $ref: "#/components/examples/idp-discovery-dynamic-routing-rule-response"
- x-okta-feature-flag-amends:
- IDX_SSPR_EXTENDED_PRIMARY_FACTORS:
- examples:
- EnableSsprWithConstraints:
- $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response'
+ $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response'
+ CreateAuthPolicyRuleDevicePlatformCondition:
+ $ref: '#/components/examples/create-auth-policy-rule-condition-response'
+ SignOnPolicy:
+ $ref: '#/components/examples/sign-on-policy-rule-response'
+ SkipFactorChallengeOnPremRule:
+ $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response'
+ RadiusRule:
+ $ref: '#/components/examples/radius-rule-response'
+ CloudRule:
+ $ref: '#/components/examples/cloud-rule-response'
+ DenyRule:
+ $ref: '#/components/examples/deny-rule-response'
+ EnableSsprWithConstraints:
+ $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -12655,6 +17558,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/rules/{ruleId}:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12677,11 +17583,24 @@ paths:
$ref: '#/components/examples/sspr-enabled-sso-step-up-update'
EnableSsprNoStepUp:
$ref: '#/components/examples/sspr-enabled-no-step-up-update'
- x-okta-feature-flag-amends:
- IDX_SSPR_EXTENDED_PRIMARY_FACTORS:
- examples:
- EnableSsprWithConstraints:
- $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update'
+ EnableSsprWithOAMP:
+ $ref: '#/components/examples/sspr-enabled-OAMP-update'
+ EnableSpecificRoutingRule:
+ $ref: '#/components/examples/idp-discovery-specific-routing-rule-response'
+ EnableDynamicRoutingRule:
+ $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response'
+ SignOnPolicy:
+ $ref: '#/components/examples/sign-on-policy-rule-response'
+ SkipFactorChallengeOnPremRule:
+ $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response'
+ RadiusRule:
+ $ref: '#/components/examples/radius-rule-response'
+ CloudRule:
+ $ref: '#/components/examples/cloud-rule-response'
+ DenyRule:
+ $ref: '#/components/examples/deny-rule-response'
+ EnableSsprWithConstraints:
+ $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
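Review bot: The examples added to the `get` rule's 200 response mix request-side `-update` examples (`sspr-enabled-OAMP-update`, `sspr-enabled-sso-step-up-with-constraints-update`) with `-response` examples for the other rule types, whereas the `put` operation's 200 response later in this diff uses `-response` variants throughout. For a retrieve operation the response-shaped examples are the right ones; `sspr-enabled-OAMP-response` and `sspr-enabled-sso-step-up-with-constraints-response` both exist in this file, so switch the two `$ref`s to `'#/components/examples/sspr-enabled-OAMP-response'` and `'#/components/examples/sspr-enabled-sso-step-up-with-constraints-response'`. The pre-existing `-update` references in the context lines above have the same issue, if you want to fix it in the same pass.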
@@ -12694,6 +17613,9 @@ paths:
- okta.policies.read
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Policy Rule
description: Replaces the properties for a Policy Rule identified by `policyId` and `ruleId`
@@ -12711,11 +17633,24 @@ paths:
$ref: '#/components/examples/sspr-enabled-sso-step-up-update'
EnableSsprNoStepUp:
$ref: '#/components/examples/sspr-enabled-no-step-up-update'
- x-okta-feature-flag-amends:
- IDX_SSPR_EXTENDED_PRIMARY_FACTORS:
- examples:
- EnableSsprWithConstraints:
- $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update'
+ UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints:
+ $ref: '#/components/examples/update-auth-policy-rule-condition'
+ EnableSpecificRoutingRule:
+ $ref: '#/components/examples/idp-discovery-specific-routing-rule'
+ EnableDynamicRoutingRule:
+ $ref: '#/components/examples/idp-discovery-dynamic-routing-rule'
+ SignOnPolicy:
+ $ref: '#/components/examples/sign-on-policy-rule'
+ SkipFactorChallengeOnPremRule:
+ $ref: '#/components/examples/skip-factor-challenge-on-prem-rule'
+ RadiusRule:
+ $ref: '#/components/examples/radius-rule'
+ CloudRule:
+ $ref: '#/components/examples/cloud-rule'
+ DenyRule:
+ $ref: '#/components/examples/deny-rule'
+ EnableSsprWithConstraints:
+ $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update'
required: true
responses:
'200':
@@ -12731,11 +17666,24 @@ paths:
$ref: '#/components/examples/sspr-enabled-sso-step-up-response'
EnableSsprNoStepUp:
$ref: '#/components/examples/sspr-enabled-no-step-up-response'
- x-okta-feature-flag-amends:
- IDX_SSPR_EXTENDED_PRIMARY_FACTORS:
- examples:
- EnableSsprWithConstraints:
- $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response'
+ UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints:
+ $ref: '#/components/examples/update-auth-policy-rule-condition-response'
+ EnableSpecificRoutingRule:
+ $ref: '#/components/examples/idp-discovery-specific-routing-rule-response'
+ EnableDynamicRoutingRule:
+ $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response'
+ SignOnPolicy:
+ $ref: '#/components/examples/sign-on-policy-rule-response'
+ SkipFactorChallengeOnPremRule:
+ $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response'
+ RadiusRule:
+ $ref: '#/components/examples/radius-rule-response'
+ CloudRule:
+ $ref: '#/components/examples/cloud-rule-response'
+ DenyRule:
+ $ref: '#/components/examples/deny-rule-response'
+ EnableSsprWithConstraints:
+ $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -12750,6 +17698,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Policy Rule
description: Deletes a Policy Rule identified by `policyId` and `ruleId`
@@ -12770,6 +17721,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12793,6 +17747,9 @@ paths:
- okta.policies.manage
tags:
- Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathPolicyId'
@@ -12816,49 +17773,9 @@ paths:
- okta.policies.manage
tags:
- Policy
- /api/v1/policies/simulate:
- parameters:
- - $ref: '#/components/parameters/simulateParameter'
- post:
- summary: Create a Policy Simulation
- description: |-
- Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration.
- The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow.
- operationId: createPolicySimulation
- x-codegen-request-body-name: simulatePolicy
- requestBody:
- content:
- application/json:
- schema:
- type: array
- items:
- $ref: '#/components/schemas/SimulatePolicyBody'
- examples:
- SimulatePolicy:
- $ref: '#/components/examples/SimulatePolicyBody'
- required: true
- responses:
- '204':
- description: Success
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/SimulatePolicyResponse'
- examples:
- SimulatePolicy:
- $ref: '#/components/examples/SimulatePolicyResponse'
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
- '404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - apiToken: []
- - oauth2:
- - okta.policies.read
- tags:
- - Policy
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/principal-rate-limits:
get:
summary: List all Principal Rate Limits
@@ -12901,6 +17818,9 @@ paths:
- okta.principalRateLimits.read
tags:
- PrincipalRateLimit
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Principal Rate Limit
description: Creates a new Principal Rate Limit entity. In the current release, we only allow one Principal Rate Limit entity per org and principal.
@@ -12941,6 +17861,9 @@ paths:
- okta.principalRateLimits.manage
tags:
- PrincipalRateLimit
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/principal-rate-limits/{principalRateLimitId}:
parameters:
- $ref: '#/components/parameters/pathPrincipalRateLimitId'
@@ -12970,6 +17893,9 @@ paths:
- okta.principalRateLimits.read
tags:
- PrincipalRateLimit
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Principal Rate Limit
description: Replaces a principal rate limit entity by `principalRateLimitId`
@@ -13010,6 +17936,9 @@ paths:
- okta.principalRateLimits.manage
tags:
- PrincipalRateLimit
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/push-providers:
get:
summary: List all Push Providers
@@ -13026,6 +17955,39 @@ paths:
description: OK
content:
application/json:
+ example:
+ value:
+ - id: ppchvbeucdTgqeiGxR0g4
+ providerType: APNS
+ name: Example Push Provider 1
+ lastUpdatedDate: '2022-01-00T00:00:00.000Z'
+ configuration:
+ keyId: ABC123DEFG
+ teamId: DEF123GHIJ
+ fileName: fileName.p8
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId}
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ - id: ppctekcmngGaqeiBxB0g4
+ providerType: FCM
+ name: Example Push Provider 2
+ lastUpdatedDate: '2022-01-00T00:00:00.000Z'
+ configuration:
+ projectId: PROJECT_ID
+ fileName: fileName.json
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId}
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
schema:
type: array
items:
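Review bot: The new media-type `example:` wraps the list in a `value:` key, but in OpenAPI 3 the singular `example` holds the example value directly; as written, tooling will render the example as an object `{value: [...]}` rather than the array the schema describes. Either drop the `value:` level or use the plural form that the rest of this file uses: `examples:` / `ListPushProviders:` / `value:` with the list beneath. Two values inside the example are also not representative: `lastUpdatedDate: '2022-01-00T00:00:00.000Z'` is not a valid date (day `00`), and both `self.href` links keep the `{pushProviderId}` placeholder even though each entry's `id` is given, so substitute the id.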
@@ -13040,9 +18002,14 @@ paths:
- okta.pushProviders.read
tags:
- PushProvider
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
summary: Create a Push Provider
- description: Creates a new push provider
+ description: Creates a new push provider. Each Push Provider must have a unique `name`.
operationId: createPushProvider
x-codegen-request-body-name: pushProvider
requestBody:
@@ -13080,6 +18047,11 @@ paths:
- okta.pushProviders.manage
tags:
- PushProvider
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/push-providers/{pushProviderId}:
parameters:
- $ref: '#/components/parameters/pathPushProviderId'
@@ -13111,6 +18083,11 @@ paths:
- okta.pushProviders.read
tags:
- PushProvider
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
put:
summary: Replace a Push Provider
description: Replaces a push provider by `pushProviderId`
@@ -13153,6 +18130,11 @@ paths:
- okta.pushProviders.manage
tags:
- PushProvider
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
summary: Delete a Push Provider
description: Deletes a push provider by `pushProviderId`. If the push provider is currently being used in the org by a custom authenticator, the delete will not be allowed.
@@ -13182,6 +18164,11 @@ paths:
- okta.pushProviders.manage
tags:
- PushProvider
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/rate-limit-settings/admin-notifications:
get:
summary: Retrieve the Rate Limit Admin Notification Settings
@@ -13209,6 +18196,9 @@ paths:
- okta.rateLimits.read
tags:
- RateLimitSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Rate Limit Admin Notification Settings
description: Replaces the Rate Limit Admin Notification Settings and returns the configured properties
@@ -13249,6 +18239,9 @@ paths:
- okta.rateLimits.manage
tags:
- RateLimitSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/rate-limit-settings/per-client:
get:
summary: Retrieve the Per-Client Rate Limit Settings
@@ -13278,6 +18271,9 @@ paths:
- okta.rateLimits.read
tags:
- RateLimitSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Per-Client Rate Limit Settings
description: Replaces the Per-Client Rate Limit Settings and returns the configured properties
@@ -13322,6 +18318,9 @@ paths:
- okta.rateLimits.manage
tags:
- RateLimitSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/rate-limit-settings/warning-threshold:
get:
summary: Retrieve the Rate Limit Warning Threshold Percentage
@@ -13347,6 +18346,9 @@ paths:
- okta.rateLimits.read
tags:
- RateLimitSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the Rate Limit Warning Threshold Percentage
description: Replaces the Rate Limit Warning Threshold Percentage and returns the configured property
@@ -13382,37 +18384,17 @@ paths:
- okta.rateLimits.manage
tags:
- RateLimitSettings
- /api/v1/realms:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/realm-assignments:
get:
- summary: List all Realms
- description: Lists all Realms
- operationId: listRealms
+ summary: List all Realm Assignments
+ description: Lists all Realm Assignments
+ operationId: listRealmAssignments
parameters:
- - name: limit
- in: query
- description: Specifies the number of results returned. Defaults to 10 if `search` is provided.
- schema:
- type: integer
- format: int32
- default: 200
+ - $ref: '#/components/parameters/queryLimit'
- $ref: '#/components/parameters/queryAfter'
- - name: search
- in: query
- description: Searches for Realms with a supported filtering expression for most properties
- schema:
- type: string
- - name: sortBy
- in: query
- description: Specifies field to sort by and can be any single property (for search queries only).
- schema:
- type: string
- example: profile.name
- - name: sortOrder
- in: query
- description: Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn't present.
- schema:
- type: string
- default: asc
responses:
'200':
description: OK
@@ -13421,10 +18403,10 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/Realm'
+ $ref: '#/components/schemas/RealmAssignment'
examples:
- Realm Lists:
- $ref: '#/components/examples/ListRealmsResponse'
+ AssignmentLists:
+ $ref: '#/components/examples/ListRealmAssignmentsResponse'
'403':
description: Forbidden
content:
@@ -13436,27 +18418,154 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.realms.read
+ - okta.realmAssignments.read
tags:
- - Realm
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
post:
- summary: Create a Realm
- description: Creates a new Realm
- operationId: createRealm
+ summary: Create a Realm Assignment
+ description: Creates a new Realm Assignment
+ operationId: createRealmAssignment
x-codegen-request-body-name: body
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/Realm'
+ $ref: '#/components/schemas/CreateRealmAssignmentRequest'
required: true
+ responses:
+ '201':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RealmAssignment'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realmAssignments.manage
+ tags:
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/realm-assignments/operations:
+ get:
+ summary: List all Realm Assignment operations
+ description: Lists all Realm Assignment operations. The upper limit is 200 and operations are sorted in descending order from most recent to oldest by id
+ operationId: listRealmAssignmentOperations
+ parameters:
+ - $ref: '#/components/parameters/queryLimit'
+ - $ref: '#/components/parameters/queryAfter'
responses:
'200':
- description: Success
+ description: OK
content:
application/json:
schema:
- $ref: '#/components/schemas/Realm'
+ type: array
+ items:
+ $ref: '#/components/schemas/OperationResponse'
+ examples:
+ Executions:
+ value:
+ - id: rre4mje4ez6B2a7B60g7
+ type: realm:assignment
+ status: COMPLETED
+ created: '2023-10-25T21:02:54.000Z'
+ started: '2023-10-25T21:02:54.000Z'
+ completed: '2023-10-25T21:02:54.000Z'
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ realmName: Realm Name
+ assignmentOperation:
+ configuration:
+ id: 0pr1b7rxZj2ibQzfP0g5
+ name: Realm Assignment 1
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy5hx0g4
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ numUserMoved: 50
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7
+ method: GET
+ - id: rre4mje4ez7B2a7B60g7
+ type: realm:assignment
+ status: COMPLETED
+ created: '2023-10-25T21:02:54.000Z'
+ started: '2023-10-25T21:02:54.000Z'
+ completed: '2023-10-25T21:02:54.000Z'
+ assignmentOperation:
+ configuration:
+ id: ALL
+ name: All Assignments
+ numUserMoved: 50
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7
+ method: GET
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realmAssignments.read
+ tags:
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ post:
+ summary: Execute a Realm Assignment
+ description: Executes a Realm Assignment
+ operationId: executeRealmAssignment
+ x-codegen-request-body-name: body
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OperationRequest'
+ examples:
+ ExecuteSpecificAssignment:
+ value:
+ assignmentId: 0pr1b7rxZj2ibQzfP0g5
+ ExecuteAllAssignments:
+ value:
+ assignmentId: ALL
+ required: true
+ responses:
+ '201':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OperationResponse'
+ examples:
+ Execution:
+ $ref: '#/components/examples/OperationResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
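Review bot: The `Executions` example's `_links.self.href` values use `http://your-subdomain.okta.com/...`, while the other examples in this diff (for instance the push-provider list) use `https://`; documentation examples are copied into scripts, so the links should read `href: https://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7` (and likewise for the second entry). The `executeRealmAssignment` description (`Executes a Realm Assignment`) does not mention that `assignmentId: ALL` is accepted and executes every assignment, which the `ExecuteAllAssignments` example and the `id: ALL` / `name: All Assignments` entry above imply; since that variant moves users across all assignments, spell it out, e.g. `Executes a Realm Assignment. Pass `ALL` as the `assignmentId` to execute all assignments.`. The `expression: value: string` placeholder inside the example would also be clearer with a realistic expression, or omitted.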
@@ -13466,28 +18575,32 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.realms.manage
+ - okta.realmAssignments.manage
tags:
- - Realm
- /api/v1/realms/{realmId}:
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/realm-assignments/{assignmentId}:
parameters:
- - $ref: '#/components/parameters/pathRealmId'
+ - $ref: '#/components/parameters/assignmentId'
get:
- summary: Retrieve a Realm
- description: Retrieves a Realm
- operationId: getRealm
+ summary: Retrieve a Realm Assignment
+ description: Retrieves a Realm Assignment
+ operationId: getRealmAssignment
responses:
'200':
description: Success
content:
application/json:
schema:
- $ref: '#/components/schemas/Realm'
+ $ref: '#/components/schemas/RealmAssignment'
examples:
- DefaultRealm:
- $ref: '#/components/examples/DefaultRealmResponse'
- NonDefaultRealm:
- $ref: '#/components/examples/RealmResponse'
+ RealmAssignment:
+ $ref: '#/components/examples/GetRealmAssignmentResponse'
+ CatchAllRealmAssignment:
+ $ref: '#/components/examples/DefaultRealmAssignment'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -13499,19 +18612,23 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.realms.read
+ - okta.realmAssignments.read
tags:
- - Realm
- post:
- summary: Update a Realm
- description: Updates a Realm
- operationId: updateRealm
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ put:
+ summary: Replace a Realm Assignment
+ description: Replaces a Realm Assignment
+ operationId: replaceRealmAssignment
x-codegen-request-body-name: body
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/Realm'
+ $ref: '#/components/schemas/UpdateRealmAssignmentRequest'
required: true
responses:
'200':
@@ -13519,7 +18636,7 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Realm'
+ $ref: '#/components/schemas/RealmAssignment'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -13531,13 +18648,281 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.realms.manage
+ - okta.realmAssignments.manage
tags:
- - Realm
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
delete:
- summary: Delete a Realm
- description: Deletes a Realm permanently. This operation can only be performed after disassociating other entities like Users and Identity Providers from a Realm.
- operationId: deleteRealm
+ summary: Delete a Realm Assignment
+ description: Deletes a Realm Assignment
+ operationId: deleteRealmAssignment
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ '404':
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realmAssignments.manage
+ tags:
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/realm-assignments/{assignmentId}/lifecycle/activate:
+ parameters:
+ - $ref: '#/components/parameters/assignmentId'
+ post:
+ summary: Activate a Realm Assignment
+ description: Activates a Realm Assignment
+ operationId: activateRealmAssignment
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realmAssignments.manage
+ tags:
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/realm-assignments/{assignmentId}/lifecycle/deactivate:
+ parameters:
+ - $ref: '#/components/parameters/assignmentId'
+ post:
+ summary: Deactivate a Realm Assignment
+ description: Deactivates a Realm Assignment
+ operationId: deactivateRealmAssignment
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realmAssignments.manage
+ tags:
+ - RealmAssignment
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/realms:
+ get:
+ summary: List all Realms
+ description: Lists all Realms
+ operationId: listRealms
+ parameters:
+ - name: limit
+ in: query
+ description: Specifies the number of results returned. Defaults to 10 if `search` is provided.
+ schema:
+ type: integer
+ format: int32
+ default: 200
+ - $ref: '#/components/parameters/queryAfter'
+ - name: search
+ in: query
+ description: Searches for Realms with a supported filtering expression for most properties
+ schema:
+ type: string
+ - name: sortBy
+ in: query
+ description: Specifies field to sort by and can be any single property (for search queries only).
+ schema:
+ type: string
+ example: profile.name
+ - name: sortOrder
+ in: query
+ description: Specifies sort order `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn't present.
+ schema:
+ type: string
+ default: asc
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/Realm'
+ examples:
+ Realm Lists:
+ $ref: '#/components/examples/ListRealmsResponse'
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realms.read
+ tags:
+ - Realm
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ post:
+ summary: Create a Realm
+ description: Creates a new Realm
+ operationId: createRealm
+ x-codegen-request-body-name: body
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreateRealmRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Realm'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realms.manage
+ tags:
+ - Realm
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/realms/{realmId}:
+ parameters:
+ - $ref: '#/components/parameters/pathRealmId'
+ get:
+ summary: Retrieve a Realm
+ description: Retrieves a Realm
+ operationId: getRealm
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Realm'
+ examples:
+ DefaultRealm:
+ $ref: '#/components/examples/DefaultRealmResponse'
+ NonDefaultRealm:
+ $ref: '#/components/examples/RealmResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realms.read
+ tags:
+ - Realm
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ put:
+ summary: Replace the realm profile
+ description: Replaces the realm profile
+ operationId: replaceRealm
+ x-codegen-request-body-name: body
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UpdateRealmRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Realm'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.realms.manage
+ tags:
+ - Realm
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ delete:
+ summary: Delete a Realm
+ description: Deletes a Realm permanently. This operation can only be performed after disassociating other entities like Users and Identity Providers from a Realm.
+ operationId: deleteRealm
responses:
'204':
description: No Content
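Review bot: The `limit` parameter on `listRealms` declares `default: 200` in its schema while its description says it defaults to 10 when `search` is provided, so generated clients will send 200 in both cases; either drop the schema `default` or make the text match, e.g. `description: Specifies the number of results returned. Defaults to 200, or to 10 if search is provided.`, and consider a `maximum` so callers cannot request unbounded pages. The same `get` has no `400` response even though it accepts a free-form `search` expression, whereas the sibling operations map validation failures to `ErrorApiValidationFailed400` — presumably an invalid expression is rejected the same way; verify and add it. Separately, `deleteRealmAssignment` inlines `Error` schemas for 400/403/404 where every neighbouring operation uses the shared `#/components/responses/...` refs, and `createRealm` answers a create with `200` while `executeRealmAssignment` uses `201`; aligning these keeps generated SDKs and docs consistent.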
@@ -13568,6 +18953,13 @@ paths:
- okta.realms.manage
tags:
- Realm
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/resource-selectors/{resourceSelectorId}:
+ parameters:
+ - $ref: '#/components/parameters/pathResourceSelectorId'
/api/v1/risk/events/ip:
post:
summary: Send multiple Risk Events
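Review bot: The new path item `/api/v1/resource-selectors/{resourceSelectorId}` carries only a `parameters` list and no operations, so it documents nothing and most generators will silently drop it (some linters flag an operation-less path item). If the resource-selector operations were meant to land here they are missing; otherwise remove the stub, or keep it only once a `get`/`put`/`delete` with `security` and `x-okta-lifecycle` blocks is attached, as every other new path in this change has.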
@@ -13610,6 +19002,10 @@ paths:
- okta.riskEvents.manage
tags:
- RiskEvent
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/risk/providers:
get:
summary: List all Risk Providers
@@ -13637,6 +19033,10 @@ paths:
- okta.riskProviders.read
tags:
- RiskProvider
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
post:
summary: Create a Risk Provider
description: Creates a Risk Provider object. A maximum of three Risk Provider objects can be created.
@@ -13680,6 +19080,10 @@ paths:
- okta.riskProviders.manage
tags:
- RiskProvider
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/risk/providers/{riskProviderId}:
parameters:
- $ref: '#/components/parameters/pathRiskProviderId'
@@ -13709,6 +19113,10 @@ paths:
- okta.riskProviders.read
tags:
- RiskProvider
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
put:
summary: Replace a Risk Provider
description: Replaces the properties for a given Risk Provider object ID
@@ -13747,6 +19155,10 @@ paths:
- okta.riskProviders.manage
tags:
- RiskProvider
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
delete:
summary: Delete a Risk Provider
description: Deletes a Risk Provider object by its ID
@@ -13774,6 +19186,10 @@ paths:
- okta.riskProviders.manage
tags:
- RiskProvider
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
/api/v1/roles/{roleRef}/subscriptions:
parameters:
- $ref: '#/components/parameters/pathRoleRef'
@@ -13802,6 +19218,9 @@ paths:
- okta.roles.read
tags:
- Subscription
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/roles/{roleRef}/subscriptions/{notificationType}:
parameters:
- $ref: '#/components/parameters/pathRoleRef'
@@ -13829,6 +19248,9 @@ paths:
- okta.roles.read
tags:
- Subscription
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/roles/{roleRef}/subscriptions/{notificationType}/subscribe:
parameters:
- $ref: '#/components/parameters/pathRoleRef'
@@ -13852,6 +19274,9 @@ paths:
- okta.roles.manage
tags:
- Subscription
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/roles/{roleRef}/subscriptions/{notificationType}/unsubscribe:
parameters:
- $ref: '#/components/parameters/pathRoleRef'
@@ -13875,71 +19300,185 @@ paths:
- okta.roles.manage
tags:
- Subscription
- /api/v1/sessions:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/security-events-providers:
+ get:
+ summary: List all Security Events Providers
+ description: Lists all Security Events Provider instances
+ operationId: listSecurityEventsProviderInstances
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/SecurityEventsProviderResponse'
+ examples:
+ list:
+ $ref: '#/components/examples/ListOfSecurityEventsProviderInstances'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.securityEventsProviders.read
+ tags:
+ - SSFReceiver
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
post:
- summary: Create a Session with session token
- description: Creates a new Session for a user with a valid session token. Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID to delete a session through the API instead of visiting the logout URL.
- operationId: createSession
- x-codegen-request-body-name: createSessionRequest
+ summary: Create a Security Events Provider
+ description: Creates a Security Events Provider instance
+ operationId: createSecurityEventsProviderInstance
+ x-codegen-request-body-name: instance
requestBody:
+ required: true
content:
application/json:
schema:
- $ref: '#/components/schemas/CreateSessionRequest'
- required: true
+ $ref: '#/components/schemas/SecurityEventsProviderRequest'
+ examples:
+ well-known-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl'
+ issuer-and-JWKS-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl'
responses:
'200':
- description: Success
+ description: OK
content:
application/json:
schema:
- $ref: '#/components/schemas/Session'
+ $ref: '#/components/schemas/SecurityEventsProviderResponse'
+ examples:
+ well-known-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl'
+ issuer-and-JWKS-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl'
'400':
- description: Bad Request
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
- apiToken: []
+ - oauth2:
+ - okta.securityEventsProviders.manage
tags:
- - Session
- /api/v1/sessions/{sessionId}:
+ - SSFReceiver
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/security-events-providers/{securityEventProviderId}:
parameters:
- - $ref: '#/components/parameters/pathSessionId'
+ - $ref: '#/components/parameters/pathSecurityEventProviderId'
get:
- summary: Retrieve a Session
- description: Retrieves information about the Session specified by the given session ID
- operationId: getSession
+ summary: Retrieve the Security Events Provider
+ description: Retrieves the Security Events Provider instance specified by `id`
+ operationId: getSecurityEventsProviderInstance
responses:
'200':
- description: Success
+ description: OK
content:
application/json:
schema:
- $ref: '#/components/schemas/Session'
+ $ref: '#/components/schemas/SecurityEventsProviderResponse'
+ examples:
+ get:
+ $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.securityEventsProviders.read
+ tags:
+ - SSFReceiver
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ put:
+ summary: Replace a Security Events Provider
+ description: Replaces a Security Events Provider instance specified by `id`
+ operationId: replaceSecurityEventsProviderInstance
+ x-codegen-request-body-name: instance
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SecurityEventsProviderRequest'
+ examples:
+ well-known-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl'
+ issuer-and-JWKS-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl'
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SecurityEventsProviderResponse'
+ examples:
+ well-known-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl'
+ issuer-and-JWKS-URL-provided:
+ $ref: '#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl'
'400':
- description: Bad Request
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- description: Not Found
+ $ref: '#/components/responses/ErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
- apiToken: []
- oauth2:
- - okta.sessions.read
+ - okta.securityEventsProviders.manage
tags:
- - Session
+ - SSFReceiver
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
delete:
- summary: Revoke a Session
- description: Revokes the specified Session
- operationId: revokeSession
+ summary: Delete a Security Events Provider
+ description: Deletes a Security Events Provider instance specified by `id`
+ operationId: deleteSecurityEventsProviderInstance
responses:
'204':
description: No Content
content: {}
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
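Review bot: The descriptions of the Security Events Provider `get`, `put` and `delete` say the instance is "specified by `id`", but the path parameter is `{securityEventProviderId}` (`pathSecurityEventProviderId`), so the text names a parameter that does not exist; change them to read "specified by `securityEventProviderId`". The create/replace descriptions are one-liners, while the two request examples (`well-known-URL-provided` and `issuer-and-JWKS-URL-provided`) suggest the body accepts two mutually exclusive ways of identifying the transmitter; if that is the contract, say so in the description, since this configuration is what Okta will use to locate signing keys and operators should know which fields must be supplied together. Also, `listSecurityEventsProviderInstances` takes no `limit`/`after` parameters unlike `listRealms` — fine if the list is bounded, but worth confirming.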
@@ -13949,74 +19488,104 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.sessions.manage
+ - okta.securityEventsProviders.manage
tags:
- - Session
- /api/v1/sessions/{sessionId}/lifecycle/refresh:
+ - SSFReceiver
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/activate:
parameters:
- - $ref: '#/components/parameters/pathSessionId'
+ - $ref: '#/components/parameters/pathSecurityEventProviderId'
post:
- summary: Refresh a Session
- description: Refreshes an existing Session using the `id` for that Session. A successful response contains the refreshed Session with an updated `expiresAt` timestamp.
- operationId: refreshSession
+ summary: Activate a Security Events Provider
+ description: |-
+ Activates a Security Events Provider instance by setting its status to `ACTIVE`.
+ This operation resumes the flow of events from the Security Events Provider to Okta.
+ operationId: activateSecurityEventsProviderInstance
responses:
'200':
- description: Success
+ description: OK
content:
application/json:
schema:
- $ref: '#/components/schemas/Session'
+ $ref: '#/components/schemas/SecurityEventsProviderResponse'
+ examples:
+ activatedInstance:
+ $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- description: Not Found
+ $ref: '#/components/responses/ErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
- apiToken: []
- oauth2:
- - okta.sessions.manage
+ - okta.securityEventsProviders.manage
tags:
- - Session
- /api/v1/templates/sms:
- get:
- summary: List all SMS Templates
- description: Lists all custom SMS templates. A subset of templates can be returned that match a template type.
- operationId: listSmsTemplates
- parameters:
- - name: templateType
- in: query
- schema:
- $ref: '#/components/schemas/SmsTemplateType'
+ - SSFReceiver
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/deactivate:
+ parameters:
+ - $ref: '#/components/parameters/pathSecurityEventProviderId'
+ post:
+ summary: Deactivate a Security Events Provider
+ description: |-
+ Deactivates a Security Events Provider instance by setting its status to `INACTIVE`.
+ This operation stops the flow of events from the Security Events Provider to Okta.
+ operationId: deactivateSecurityEventsProviderInstance
responses:
'200':
- description: Success
+ description: OK
content:
application/json:
schema:
- type: array
- items:
- $ref: '#/components/schemas/SmsTemplate'
+ $ref: '#/components/schemas/SecurityEventsProviderResponse'
+ examples:
+ deactivatedInstance:
+ $ref: '#/components/examples/DeactivatedSecurityEventsProviderResponse'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
- apiToken: []
- oauth2:
- - okta.templates.read
+ - okta.securityEventsProviders.manage
tags:
- - Template
+ - SSFReceiver
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/sessions:
post:
- summary: Create an SMS Template
- description: Creates a new custom SMS template
- operationId: createSmsTemplate
- x-codegen-request-body-name: smsTemplate
+ summary: Create a Session with session token
+ description: Creates a new Session for a user with a valid session token. Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it, or want to hold the session ID to delete a session through the API instead of visiting the logout URL.
+ operationId: createSession
+ x-codegen-request-body-name: createSessionRequest
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/SmsTemplate'
+ $ref: '#/components/schemas/CreateSessionRequest'
+ examples:
+ SessionsCreate:
+ $ref: '#/components/examples/CreateSessionBody'
required: true
responses:
'200':
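Review bot: The Security Events Provider lifecycle operations (`activateSecurityEventsProviderInstance`, `deactivateSecurityEventsProviderInstance`) return `200` with the full `SecurityEventsProviderResponse`, while the Realm Assignment activate/deactivate operations added in the same change return `204` with no body; pick one convention for lifecycle endpoints so SDK users get a predictable shape. The `activatedInstance` example reuses `SecurityEventsProviderResponseWellKnownUrl`, which presumably shows the `ACTIVE` status the description promises — if it does not, a dedicated example like `DeactivatedSecurityEventsProviderResponse` would make the state change visible. The `createSession` operation that begins at the end of this hunk continues past it.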
@@ -14024,113 +19593,160 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/SmsTemplate'
+ $ref: '#/components/schemas/Session'
+ examples:
+ SessionsCreate:
+ summary: Create a new Session with a valid session token
+ $ref: '#/components/examples/CreateSessionResponse'
'400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
+ description: Bad Request
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
- apiToken: []
- - oauth2:
- - okta.templates.manage
tags:
- - Template
- /api/v1/templates/sms/{templateId}:
- parameters:
- - $ref: '#/components/parameters/pathTemplateId'
+ - Session
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/sessions/me:
get:
- summary: Retrieve an SMS Template
- description: Retrieves a specific template by `id`
- operationId: getSmsTemplate
+ summary: Retrieve the current Session
+ description: |-
+ Retrieves Session information for the current user. Use this method in a browser-based application to determine if the user is signed in.
+
+ > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation.
+ operationId: getCurrentSession
+ parameters:
+ - in: header
+ name: Cookie
+ schema:
+ description: Session ID (`sid`) or Identity Engine (`idx`) cookie
+ type: string
+ example: sid=abcde-123 or idx=abcde-123
responses:
'200':
description: Success
content:
application/json:
schema:
- $ref: '#/components/schemas/SmsTemplate'
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
+ $ref: '#/components/schemas/Session'
+ examples:
+ CurrentSessionsRetrieve:
+ summary: Retrieve current Session information
+ $ref: '#/components/examples/RetrieveCurrentSessionResponse'
+ '404':
+ description: Not Found
+ security: []
+ tags:
+ - Session
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Close the current Session
+ description: |-
+ Closes the Session for the user who is currently signed in. Use this method in a browser-based application to sign out a user.
+
+ > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation.
+ operationId: closeCurrentSession
+ parameters:
+ - in: header
+ name: Cookie
+ schema:
+ description: Session ID (`sid`) or Identity Engine (`idx`) cookie
+ type: string
+ example: sid=abcde-123 or idx=abcde-123
+ responses:
+ '204':
+ description: No Content
+ content: {}
'404':
$ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - apiToken: []
- - oauth2:
- - okta.templates.read
+ security: []
tags:
- - Template
+ - Session
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/sessions/me/lifecycle/refresh:
post:
- summary: Update an SMS Template
- description: Updates an SMS template
- operationId: updateSmsTemplate
- x-codegen-request-body-name: smsTemplate
- requestBody:
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/SmsTemplate'
- required: true
+ summary: Refresh the current Session
+ description: |-
+ Refreshes the Session for the current user
+
+ > **Note:** This operation requires a session cookie for the user. An API token isn't allowed for this operation.
+ operationId: refreshCurrentSession
+ parameters:
+ - in: header
+ name: Cookie
+ schema:
+ description: Session ID (`sid`) or Identity Engine (`idx`) cookie
+ type: string
+ example: sid=abcde-123 or idx=abcde-123
responses:
'200':
description: Success
content:
application/json:
schema:
- $ref: '#/components/schemas/SmsTemplate'
- '400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
+ $ref: '#/components/schemas/Session'
+ examples:
+ CurrentSessionsRefresh:
+ summary: Refersh current Session
+ $ref: '#/components/examples/RefreshCurrentSessionResponse'
'404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - apiToken: []
- - oauth2:
- - okta.templates.manage
+ description: Not Found
+ security: []
tags:
- - Template
- put:
- summary: Replace an SMS Template
- description: Replaces the SMS template
- operationId: replaceSmsTemplate
- x-codegen-request-body-name: smsTemplate
- requestBody:
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/SmsTemplate'
- required: true
+ - Session
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/sessions/{sessionId}:
+ parameters:
+ - $ref: '#/components/parameters/pathSessionId'
+ get:
+ summary: Retrieve a Session
+ description: Retrieves information about the Session specified by the given session ID
+ operationId: getSession
responses:
'200':
description: Success
content:
application/json:
schema:
- $ref: '#/components/schemas/SmsTemplate'
+ $ref: '#/components/schemas/Session'
+ examples:
+ SessionsRetrieve:
+ summary: Retrieve Session information for a single session ID
+ $ref: '#/components/examples/RetrieveSessionResponse'
'400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
+ description: Bad Request
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
+ description: Not Found
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
- apiToken: []
- oauth2:
- - okta.templates.manage
+ - okta.sessions.read
tags:
- - Template
+ - Session
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Delete an SMS Template
- description: Deletes an SMS template
- operationId: deleteSmsTemplate
+ summary: Revoke a Session
+ description: Revokes the specified Session
+ operationId: revokeSession
responses:
'204':
description: No Content
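Review bot: The three `/api/v1/sessions/me` operations declare `security: []`, which in OpenAPI means the operation requires no credential, while their descriptions say a session cookie is required and the `Cookie` header parameter is left optional; tooling and readers will conclude these endpoints are unauthenticated. Model the real requirement with a cookie security scheme (`type: apiKey`, `in: cookie`, `name: sid`) referenced from `security`, or at minimum add `required: true` to each `Cookie` parameter so the constraint is machine-readable. `createSession` lists only `apiToken` with no OAuth scope, unlike every other operation in the change — if that is deliberate, a sentence in its description would pre-empt the question. Minor: the `CurrentSessionsRefresh` example summary reads "Refersh current Session".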
@@ -14144,13 +19760,478 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.templates.manage
+ - okta.sessions.manage
tags:
- - Template
- /api/v1/threats/configuration:
- get:
- summary: Retrieve the ThreatInsight Configuration
- description: Retrieves the ThreatInsight configuration for the org
+ - Session
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/sessions/{sessionId}/lifecycle/refresh:
+ parameters:
+ - $ref: '#/components/parameters/pathSessionId'
+ post:
+ summary: Refresh a Session
+ description: Refreshes an existing Session using the `id` for that Session. A successful response contains the refreshed Session with an updated `expiresAt` timestamp.
+ operationId: refreshSession
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Session'
+ examples:
+ SessionsRefresh:
+ summary: Refresh an existing Session using the session ID
+ $ref: '#/components/examples/RefreshSessionResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ description: Not Found
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.sessions.manage
+ tags:
+ - Session
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/ssf/stream:
+ get:
+ summary: Retrieve the SSF Stream configuration(s)
+ description: |-
+ Retrieves either a list of all known SSF Stream configurations or the individual configuration if specified by ID.
+
+ As Stream configurations are tied to a Client ID, only the Stream associated with the Client ID of the request OAuth 2.0 access token can be viewed.
+ operationId: getSsfStreams
+ parameters:
+ - in: query
+ name: stream_id
+ schema:
+ type: string
+ example: esc1k235GIIztAuGK0g5
+ description: The ID of the specified SSF Stream configuration
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - type: array
+ title: List of Stream Configurations
+ items:
+ $ref: '#/components/schemas/StreamConfiguration'
+ - $ref: '#/components/schemas/StreamConfiguration'
+ examples:
+ listResponse:
+ $ref: '#/components/examples/listStreamConfigurationExample'
+ individualStreamResponse:
+ $ref: '#/components/examples/streamConfigurationExample'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - oauth2:
+ - ssf.read
+ tags:
+ - SSFTransmitter
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ post:
+ summary: Create an SSF Stream
+ description: |-
+ Creates an SSF Stream for an event receiver to start receiving security events in the form of Security Event Tokens (SETs) from Okta.
+
+ An SSF Stream is associated with the Client ID of the OAuth 2.0 access token used to create the stream. The Client ID is provided by Okta for an [OAuth 2.0 app integration](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard-oidc). One SSF Stream is allowed for each Client ID, hence, one SSF Stream is allowed for each app integration in Okta.
+
+ A maximum of 10 SSF Stream configurations can be created for one org.
+ operationId: createSsfStream
+ x-codegen-request-body-name: instance
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/StreamConfigurationCreateRequest'
+ required: true
+ responses:
+ '201':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/StreamConfiguration'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - oauth2:
+ - ssf.manage
+ tags:
+ - SSFTransmitter
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ put:
+ summary: Replace an SSF Stream
+ description: |-
+ Replaces all properties for an existing SSF Stream configuration.
+
+ If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is replaced.
+ operationId: replaceSsfStream
+ x-codegen-request-body-name: instance
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/StreamConfiguration'
+ required: true
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/StreamConfiguration'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - oauth2:
+ - ssf.manage
+ tags:
+ - SSFTransmitter
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ patch:
+ summary: Update an SSF Stream
+ description: |-
+ Updates properties for an existing SSF Stream configuration.
+
+ If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is updated.
+ operationId: updateSsfStream
+ x-codegen-request-body-name: instance
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/StreamConfiguration'
+ required: true
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/StreamConfiguration'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - oauth2:
+ - ssf.manage
+ tags:
+ - SSFTransmitter
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ delete:
+ summary: Delete an SSF Stream
+ description: |-
+ Deletes the specified SSF Stream.
+
+ If the `stream_id` is not provided in the query string, the associated stream with the Client ID (through the request OAuth 2.0 access token) is deleted. Otherwise, the SSF Stream with the `stream_id` is deleted, if found.
+ operationId: deleteSsfStream
+ parameters:
+ - in: query
+ name: stream_id
+ schema:
+ type: string
+ example: esc1k235GIIztAuGK0g5
+ description: The ID of the specified SSF Stream configuration
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '401':
+ $ref: '#/components/responses/ErrorInvalidToken401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - oauth2:
+ - ssf.manage
+ tags:
+ - SSFTransmitter
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /api/v1/templates/sms:
+ get:
+ summary: List all SMS Templates
+ description: Lists all custom SMS templates. A subset of templates can be returned that match a template type.
+ operationId: listSmsTemplates
+ parameters:
+ - name: templateType
+ in: query
+ schema:
+ $ref: '#/components/schemas/SmsTemplateType'
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ SMS Template List response:
+ $ref: '#/components/examples/SMSTemplateListResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - Template
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Create an SMS Template
+ description: Creates a new custom SMS template
+ operationId: createSmsTemplate
+ x-codegen-request-body-name: smsTemplate
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ Create an SMS Template request:
+ $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ Create an SMS Template response:
+ $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - Template
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/templates/sms/{templateId}:
+ parameters:
+ - $ref: '#/components/parameters/pathTemplateId'
+ get:
+ summary: Retrieve an SMS Template
+ description: Retrieves a specific template by `id`
+ operationId: getSmsTemplate
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ Get an SMS template response:
+ $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - Template
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Update an SMS Template
+ description: |
+ Updates only some of the SMS Template properties:
+ * All properties within the custom SMS Template that have values are updated.
+ * Any translation that doesn't exist is added.
+ * Any translation with a null or empty value is removed.
+ * Any translation with non-empty/null value is updated.
+ operationId: updateSmsTemplate
+ x-codegen-request-body-name: smsTemplate
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ Update an SMS Template request:
+ $ref: '#/components/examples/UpdateSMSTemplateRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ Update an SMS Template response:
+ $ref: '#/components/examples/UpdateSMSTemplateResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - Template
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace an SMS Template
+ description: |
+ Replaces the SMS Template
+ > **Notes:** You can't update the default SMS Template.
+ operationId: replaceSmsTemplate
+ x-codegen-request-body-name: smsTemplate
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ Replace an SMS Template request:
+ $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest'
+ required: true
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SmsTemplate'
+ examples:
+ Replace an SMS Template response:
+ $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - Template
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete an SMS Template
+ description: Deletes an SMS template
+ operationId: deleteSmsTemplate
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - Template
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/threats/configuration:
+ get:
+ summary: Retrieve the ThreatInsight Configuration
+ description: Retrieves the ThreatInsight configuration for the org
operationId: getCurrentConfiguration
responses:
'200':
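Review bot: The refreshSession operation documents its 404 as a bare `description: Not Found`, and getSession in the preceding hunk does the same for 400 and 404, while every SSF and Template operation in this hunk references the shared responses (`ErrorResourceNotFound404`, `ErrorApiValidationFailed400`). Without the `$ref` the error body schema is undocumented for the Session endpoints and generated clients lose the typed error, so the Session operations should use `'404': $ref: '#/components/responses/ErrorResourceNotFound404'` like the rest of the file. Separately, the replaceSmsTemplate description writes `> **Notes:** You can't update the default SMS Template.` where the file's other callouts use `> **Note:**`.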
@@ -14172,6 +20253,9 @@ paths:
- okta.threatInsights.read
tags:
- ThreatInsight
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Update the ThreatInsight Configuration
description: Updates the ThreatInsight configuration for the org
@@ -14208,6 +20292,9 @@ paths:
- okta.threatInsights.manage
tags:
- ThreatInsight
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/trustedOrigins:
get:
summary: List all Trusted Origins
@@ -14215,23 +20302,32 @@ paths:
operationId: listTrustedOrigins
parameters:
- name: q
+ description: A search string that will prefix match against the `name` and `origin`
in: query
schema:
type: string
- name: filter
+ description: |
+ [Filter](/#filter) Trusted Origins with a supported expression for a subset of properties. You can filter on the following properties: `name`, `origin`, `status`, and `type` (type of scopes).
in: query
schema:
type: string
+ examples:
+ By name:
+ value: name eq "Example Trusted Origin"
- name: after
+ description: The after cursor provided by a prior request.
in: query
schema:
type: string
- name: limit
+ description: Specifies the number of results.
in: query
schema:
type: integer
format: int32
- default: -1
+ default: 20
+ maximum: 200
responses:
'200':
description: Success
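Review bot: The `limit` parameter now declares `maximum: 200` but no lower bound, so the spec still admits `limit=0` and negative values even though the old `-1` default is gone; `minimum: 1` next to `maximum: 200` would pin the accepted range, assuming the server no longer treats negative values specially. The description `Specifies the number of results.` is also vague for a cursor-paginated list; something like `Specifies the number of results per page (default 20, maximum 200).` reads better, presuming the count is per page as the `after` cursor suggests.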
@@ -14241,6 +20337,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/TrustedOrigin'
+ examples:
+ TrustedOriginsResponse:
+ $ref: '#/components/examples/TrustedOriginsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
@@ -14251,6 +20350,9 @@ paths:
- okta.trustedOrigins.read
tags:
- TrustedOrigin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Trusted Origin
description: Creates a trusted origin
@@ -14260,7 +20362,14 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/TrustedOrigin'
+ $ref: '#/components/schemas/TrustedOriginWrite'
+ examples:
+ TrustedOriginBody:
+ $ref: '#/components/examples/TrustedOriginBody'
+ TrustedOriginBodyWithIframeEmbedding:
+ $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbedding'
+ TrustedOriginBodyWithIframeEmbeddingSignIn:
+ $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbeddingSignIn'
required: true
responses:
'200':
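Review bot: The POST request body now references `TrustedOriginWrite`, but the PUT for `/api/v1/trustedOrigins/{trustedOriginId}` in the hunk at `@@ -14317,6 +20446,11 @@` still references `TrustedOrigin` as its request schema. If `TrustedOriginWrite` exists to exclude server-assigned or read-only properties from the request body, the PUT should use it too, otherwise clients are told they may send fields the server ignores or rejects; if the schemas differ intentionally, a short note in the PUT description would prevent that confusion. I cannot see the component definitions from here, so please confirm which applies.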
@@ -14269,6 +20378,13 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/TrustedOrigin'
+ examples:
+ TrustedOriginResponse:
+ $ref: '#/components/examples/TrustedOriginResponse'
+ TrustedOriginResponseWithIframeEmbedding:
+ $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding'
+ TrustedOriginResponseWithIframeEmbeddingSignIn:
+ $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -14281,6 +20397,9 @@ paths:
- okta.trustedOrigins.manage
tags:
- TrustedOrigin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/trustedOrigins/{trustedOriginId}:
parameters:
- $ref: '#/components/parameters/pathTrustedOriginId'
@@ -14295,6 +20414,13 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/TrustedOrigin'
+ examples:
+ TrustedOriginResponse:
+ $ref: '#/components/examples/TrustedOriginResponse'
+ TrustedOriginResponseWithIframeEmbedding:
+ $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding'
+ TrustedOriginResponseWithIframeEmbeddingSignIn:
+ $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -14307,6 +20433,9 @@ paths:
- okta.trustedOrigins.read
tags:
- TrustedOrigin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Trusted Origin
description: Replaces a trusted origin
@@ -14317,6 +20446,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/TrustedOrigin'
+ examples:
+ TrustedOriginPutBody:
+ $ref: '#/components/examples/TrustedOriginPutBody'
+ TrustedOriginPutBodyWithIframeEmbedding:
+ $ref: '#/components/examples/TrustedOriginPutBodyWithIframeEmbedding'
required: true
responses:
'200':
@@ -14325,6 +20459,11 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/TrustedOrigin'
+ examples:
+ TrustedOriginPutResponse:
+ $ref: '#/components/examples/TrustedOriginPutResponse'
+ TrustedOriginPutResponseWithIFrameEmbedding:
+ $ref: '#/components/examples/TrustedOriginPutResponseWithIframeEmbedding'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
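Review bot: The example key `TrustedOriginPutResponseWithIFrameEmbedding` uses `IFrame` while the referenced component and every sibling key in this file use `Iframe` (`TrustedOriginPutResponseWithIframeEmbedding`, `TrustedOriginPutBodyWithIframeEmbedding`). Renaming the key to `TrustedOriginPutResponseWithIframeEmbedding` keeps the naming consistent and makes the key match the component it references.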
@@ -14339,6 +20478,9 @@ paths:
- okta.trustedOrigins.manage
tags:
- TrustedOrigin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Trusted Origin
description: Deletes a trusted origin
@@ -14359,12 +20501,15 @@ paths:
- okta.trustedOrigins.manage
tags:
- TrustedOrigin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathTrustedOriginId'
post:
summary: Activate a Trusted Origin
- description: Activates a trusted origin
+ description: Activates a Trusted Origin. Sets the `status` to `ACTIVE`.
operationId: activateTrustedOrigin
responses:
'200':
@@ -14373,6 +20518,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/TrustedOrigin'
+ examples:
+ TrustedOriginResponse:
+ $ref: '#/components/examples/TrustedOriginResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -14385,12 +20533,15 @@ paths:
- okta.trustedOrigins.manage
tags:
- TrustedOrigin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathTrustedOriginId'
post:
summary: Deactivate a Trusted Origin
- description: Deactivates a trusted origin
+ description: Deactivates a Trusted Origin. Sets the `status` to `INACTIVE`.
operationId: deactivateTrustedOrigin
responses:
'200':
@@ -14399,6 +20550,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/TrustedOrigin'
+ examples:
+ TrustedOriginInactiveResponse:
+ $ref: '#/components/examples/TrustedOriginInactiveResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -14411,15 +20565,27 @@ paths:
- okta.trustedOrigins.manage
tags:
- TrustedOrigin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users:
get:
- summary: List all Users
- description: Lists all users that do not have a status of 'DEPROVISIONED' (by default), up to the maximum (200 for most orgs), with pagination. A subset of users can be returned that match a supported filter expression or search criteria.
+ summary: List all users
+ description: |-
+ Lists users in your org, with pagination in most cases.
+
+ A subset of users can be returned that match a supported filter expression or search criteria.
operationId: listUsers
parameters:
+ - $ref: '#/components/parameters/OktaResponse'
- name: q
in: query
- description: Finds a user that matches firstName, lastName, and email properties
+ description: |-
+ Finds users who match the specified query. This doesn't support pagination.
+
+ This might not deliver optimal performance for large orgs, and is deprecated for such use cases. To ensure optimal performance, use a [`search` parameter](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!in=query&path=search&t=request) instead.
+
+ Use the `q` parameter for a simple lookup of users by name, for example when creating a people picker. The value of `q` is matched against `firstName`, `lastName`, or `email`. This performs a `startsWith` match, but this is an implementation detail and can change without notice. You don't need to specify `firstName`, `lastName`, or `email`.
schema:
type: string
- $ref: '#/components/parameters/queryAfter'
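Review bot: The rewritten listUsers description drops the statement that users with a status of `DEPROVISIONED` are excluded by default, which the old text carried and which matters to anyone auditing accounts through this endpoint. If that default filtering still applies, restore it, for example `By default, users with a status of DEPROVISIONED are not returned; use filter or search to include them.`, or state explicitly that all statuses are now returned. The `q` description also says the parameter "is deprecated" for large orgs while the parameter itself carries no `deprecated: true`; if the intent is a partial deprecation, saying so is fine, but if the parameter is on a removal path the flag should be set.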
@@ -14432,21 +20598,72 @@ paths:
default: 200
- name: filter
in: query
- description: Filters users with a supported expression for a subset of properties
+ description: |-
+ Filters users with a supported expression for a subset of properties.
+
+ This requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for attribute names and query values, while attribute operators are case-insensitive.
+
+ Filtering supports the following limited number of properties: `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, `profile.firstName`, and `profile.lastName`.
+
+ Additionally, filtering supports only the equal `eq` operator from the standard Okta API filtering semantics, except in the case of the `lastUpdated` property. This property can also use the inequality operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only the logical operators `and` and `or` are supported. The `not` operator isn't supported. See [Filtering](https://developer.okta.com/docs/api/#filter) and [Operators](https://developer.okta.com/docs/api/#operators).
schema:
type: string
+ examples:
+ filterByStatus:
+ value: status eq "LOCKED_OUT"
+ summary: Filter users with status of `LOCKED_OUT`
+ filterByLogin:
+ value: profile.login eq "login@example.com"
+ summary: Filter users with a specified `login`
+ filterByDateRange:
+ value: filter=lastUpdated gt "2013-06-01T00:00:00.000Z" and lastUpdated lt "2014-01-01T00:00:00.000Z"
+ summary: Filter users updated after 06/01/2013 but before 01/01/2014
+ filterByTypeAndProfileLastUpdatedAfterDate:
+ value: lastUpdated gt "2013-06-01T00:00:00.000Z" and (status eq "LOCKED_OUT" or status eq "RECOVERY")
+ summary: Filter users updated after 06/01/2013 but with a status of `LOCKED_OUT` or `RECOVERY`
- name: search
in: query
- description: Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance.
+ description: |-
+ Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data.
+
+ Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáà c.bröck`. This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). For example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22`.
+
+ > **Note:** If you use the special character `"` within a quoted string, it must also be escaped `\` and encoded. For example, `search=profile.lastName eq "bob"smith"` is encoded as `search=profile.lastName%20eq%20%22bob%5C%22smith%22`.
+
+ This operation searches many properties:
+ * Any user profile property, including custom-defined properties
+ * The top-level properties `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated`
+ * The [user type](https://developer.okta.com/docs/reference/api/user-types/) accessed as `type.id`
+
+ You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`.
+
+ You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter).
schema:
type: string
+ examples:
+ searchByStatus:
+ value: status eq "STAGED"
+ summary: Search for users that have a status of `STAGED`
+ searchByLastUpdatedAfterDate:
+ value: lastUpdated gt "2014-01-01T00:00:00.000Z"
+ summary: Search for users that have last updated after a specific timestamp
+ searchById:
+ value: id eq "00u1ero7vZFVEIYLWPBN"
+ summary: Search for groups with the specified ID (`00gak46y5hydV6NdM0g4`)
+ searchByProfileDepartmentCreatedAndStatus:
+ value: profile.department eq "Engineering" and (created lt "2014-01-01T00:00:00.000Z" or status eq "ACTIVE")
+ summary: Search for users in the department of `Engineering` who were created before `01/01/2014` or have a status of `ACTIVE`
+ searchArrayAttributes:
+ value: profile.arrayAttr eq "arrayAttrVal1"
+ summary: Searches for properties that are arrays. Custom user attribute `arrayAttr` that contains values ["arrayAttrVal1", "arrayAttrVal2"...]
- name: sortBy
in: query
+ description: Specifies field to sort by (for search queries only). This can be any single property, for example `sortBy=profile.lastName`. Users with the same value for the `sortBy` property will be ordered by `id`.
schema:
type: string
- name: sortOrder
in: query
- description: Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive.
+ description: Specifies sort order asc or desc (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. `sortOrder` is ignored if `sortBy` is not present.
schema:
type: string
responses:
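Review bot: Two of the new examples are wrong as written. `filterByDateRange` has `value: filter=lastUpdated gt "2013-06-01T00:00:00.000Z" and ...` with the `filter=` prefix baked into the value, unlike every other example here, so it should be `value: lastUpdated gt "2013-06-01T00:00:00.000Z" and lastUpdated lt "2014-01-01T00:00:00.000Z"`. `searchById` has a summary about groups with ID `00gak46y5hydV6NdM0g4` while its value searches users by `00u1ero7vZFVEIYLWPBN`; the summary should read `Search for the user with the specified ID`. The key `filterByTypeAndProfileLastUpdatedAfterDate` also names a type filter that the value does not contain; `filterByStatusAndLastUpdatedAfterDate` would describe it.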
@@ -14460,12 +20677,7 @@ paths:
$ref: '#/components/schemas/User'
examples:
UserList:
- $ref: '#/components/examples/ListUsersResponse'
- x-okta-feature-flag-amends:
- UD_REALMS:
- examples:
- UserList:
- $ref: '#/components/examples/ListRealmAwareUsersResponse'
+ $ref: '#/components/examples/ListRealmAwareUsersResponse'
'403':
description: Forbidden
content:
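Review bot: The `UserList` example now points unconditionally at `ListRealmAwareUsersResponse`, replacing the `x-okta-feature-flag-amends` gate that previously only showed it under `UD_REALMS`. If the realm-specific fields appear in responses only for orgs with that feature, readers of the default docs will expect properties they will not receive; keeping `ListUsersResponse` as the primary example and adding the realm-aware one as a second keyed example would cover both. If realms are now generally available this is fine and the note can be ignored.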
@@ -14480,20 +20692,37 @@ paths:
- okta.users.read
tags:
- User
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Create a User
+ summary: Create a user
description: |-
- Creates a new user in your Okta organization with or without credentials
- > **Legal Disclaimer**
- After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
- you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
- Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
- liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
+ Creates a new user in your Okta org with or without credentials.
+ > **Legal Disclaimer**
+ >
+ > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
+ > you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
+ > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
+ > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
+
+ All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships).
+ * The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation.
+ * The user's `status` is `ACTIVE` when the activation process is complete.
+
+ The user is emailed a one-time activation token if activated without a password.
+
+ > **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user.
+
+ > **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
+
+ For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](/openapi/okta-management/management/tag/User/#user-creation-scenarios) section.
operationId: createUser
parameters:
- name: activate
in: query
- description: Executes activation lifecycle operation when creating the user
+ description: Executes an [activation lifecycle](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user
schema:
type: boolean
default: true
@@ -14505,7 +20734,7 @@ paths:
default: false
- name: nextLogin
in: query
- description: With activate=true, set nextLogin to "changePassword" to have the password be EXPIRED, so user must change it the next time they log in.
+ description: With `activate=true`, if `nextLogin=changePassword`, a user is created, activated, and the password is set to `EXPIRED`. The user must change it the next time they sign in.
schema:
$ref: '#/components/schemas/UserNextLogin'
x-okta-added-version: 0.14.0
@@ -14515,6 +20744,25 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/CreateUserRequest'
+ examples:
+ Create user without credentials:
+ $ref: '#/components/examples/create-user-without-credentials-request'
+ Create user with recovery question:
+ $ref: '#/components/examples/create-user-with-recovery-question-request'
+ Create user with password:
+ $ref: '#/components/examples/create-user-with-password-request'
+ Create user with imported hashed password:
+ $ref: '#/components/examples/create-user-with-imported-hashed-password-request'
+ Create user with password import inline hook:
+ $ref: '#/components/examples/create-user-with-password-import-inline-hook-request'
+ Create user with password and recovery question:
+ $ref: '#/components/examples/create-user-with-password-and-recovery-question-request'
+ Create user with authentication provider:
+ $ref: '#/components/examples/create-user-with-authentication-provider-request'
+ Create user in group:
+ $ref: '#/components/examples/create-user-in-group-request'
+ Create user with non-default user type:
+ $ref: '#/components/examples/create-user-with-non-default-user-type-request'
required: true
responses:
'200':
@@ -14523,6 +20771,25 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/User'
+ examples:
+ Create user without credentials:
+ $ref: '#/components/examples/create-user-without-credentials-response'
+ Create user with recovery question:
+ $ref: '#/components/examples/create-user-with-recovery-question-response'
+ Create user with password:
+ $ref: '#/components/examples/create-user-with-password-response'
+ Create user with imported hashed password:
+ $ref: '#/components/examples/create-user-with-imported-hashed-password-response'
+ Create user with password import inline hook:
+ $ref: '#/components/examples/create-user-with-password-import-inline-hook-response'
+ Create user with password and recovery question:
+ $ref: '#/components/examples/create-user-with-password-and-recovery-question-response'
+ Create user with authentication provider:
+ $ref: '#/components/examples/create-user-with-authentication-provider-response'
+ Create user in group:
+ $ref: '#/components/examples/create-user-in-group-response'
+ Create user with non-default user type:
+ $ref: '#/components/examples/create-user-with-non-default-user-type-response'
'400':
description: Bad Request
content:
@@ -14550,20 +20817,70 @@ paths:
- okta.users.manage
tags:
- User
- /api/v1/users/{userId}:
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/me/lifecycle/delete_sessions:
+ post:
+ summary: End a current User session
+ description: |-
+ Ends Okta sessions for the currently signed in User. By default, the current session remains active. Use this method in a browser-based app.
+ > **Note:** This operation requires a session cookie for the User. The API token isn't allowed for this operation.
+ operationId: endUserSessions
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/KeepCurrent'
+ responses:
+ '200':
+ description: OK
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - UserSessions
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{id}:
parameters:
- - $ref: '#/components/parameters/pathUserId'
+ - $ref: '#/components/parameters/pathId'
get:
- summary: Retrieve a User
- description: Retrieves a user from your Okta organization
+ summary: Retrieve a user
+ description: |-
+ Retrieves a user from your Okta org.
+
+ You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie.
+ * The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned.
+ * When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header.
+
+ When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. If you don't know a user's ID, you can use the [List all users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it.
+
+ > **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies).
operationId: getUser
+ parameters:
+ - $ref: '#/components/parameters/OktaResponse'
+ - $ref: '#/components/parameters/queryUserExpand'
responses:
'200':
description: Success
content:
application/json:
schema:
- $ref: '#/components/schemas/User'
+ $ref: '#/components/schemas/UserGetSingleton'
+ examples:
+ GetUserExample:
+ $ref: '#/components/examples/user-example'
'403':
description: Forbidden
content:
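Review bot: The security block of the new `endUserSessions` operation lists `apiToken: []`, while its own description says the API token isn't allowed and a session cookie is required; one of the two is wrong, and as written a generated client will happily send an SSWS token to an endpoint that rejects it. If the description is right, drop the `- apiToken: []` entry, and consider whether `- oauth2: []` (no scope) is intended or should name the scope the operation accepts. The contradiction is worth settling in this hunk because the adjacent `getUser` description also talks about token-vs-session semantics and readers will compare the two.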
@@ -14584,21 +20901,46 @@ paths:
- okta.users.read
tags:
- User
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Update a User
- description: Updates a user partially determined by the request parameters
+ summary: Update a user
+ description: |-
+ Updates a user's profile or credentials with partial update semantics.
+
+ > **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`.
+
+ `profile` and `credentials` can be updated independently or together with a single request.
+ > **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object,
+ the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type.
+
+ > **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked.
+ >
+ > A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification.
+
+ If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the `Reset Password`, `Forgot Password`, and `Change Password` endpoints.
operationId: updateUser
parameters:
- name: strict
in: query
schema:
type: boolean
+ description: If true, validates against minimum age and history password policy
x-codegen-request-body-name: user
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateUserRequest'
+ examples:
+ Update user Profile:
+ $ref: '#/components/examples/update-user-profile-request'
+ Update user password:
+ $ref: '#/components/examples/update-user-set-password-request'
+ Set recovery question and answer:
+ $ref: '#/components/examples/update-user-set-recovery-question-and-answer'
required: true
responses:
'200':
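Review bot: The added `strict` description for `updateUser` appears after `type: boolean`, which, with the flattened indentation here, suggests it sits inside `schema:` and so documents the schema rather than the parameter; the `replaceUser` hunk below places the same text at parameter level, before `schema:`. If it is indeed nested under `schema:`, move it up to match `replaceUser`. The wording also differs from `replaceUser` (`If true, …` versus ``If `true`, …``); the `changePassword` hunk further down has the same unbackticked form, so one phrasing should be used across all three.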
@@ -14607,6 +20949,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/User'
+ examples:
+ Update user Response:
+ $ref: '#/components/examples/user-example'
'400':
description: Bad Request
content:
@@ -14633,13 +20978,22 @@ paths:
- okta.users.manage
tags:
- User
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Replace a User
- description: Replaces a user's profile and/or credentials using strict-update semantics
+ summary: Replace a user
+ description: |-
+ Replaces a user's profile, credentials, or both using strict-update semantics.
+
+ All profile properties must be specified when updating a user's profile with a `PUT` method. Any property not specified in the request is deleted.
+ > **Important:** Don't use a `PUT` method for partial updates.
operationId: replaceUser
parameters:
- name: strict
in: query
+ description: If `true`, validates against minimum age and history password policy
schema:
type: boolean
x-okta-added-version: 1.10.0
@@ -14648,7 +21002,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/User'
+ $ref: '#/components/schemas/UpdateUserRequest'
+ examples:
+ Replace user Request:
+ $ref: '#/components/examples/replace-user-request'
required: true
responses:
'200':
@@ -14657,6 +21014,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/User'
+ examples:
+ Replace user Response:
+ $ref: '#/components/examples/user-example'
'400':
description: Bad Request
content:
@@ -14683,17 +21043,36 @@ paths:
- okta.users.manage
tags:
- User
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Delete a User
- description: Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. **This action cannot be recovered!**. Calling this on an `ACTIVE` user will transition the user to `DEPROVISIONED`.
+ summary: Delete a user
+ description: |-
+ Deletes a user permanently. This operation can only be performed on users that have a `DEPROVISIONED` status. **This action can't be recovered!**
+
+ This operation on a user that hasn't been deactivated causes that user to be deactivated. A second delete operation is required to delete the user.
+
+ > **Note:** You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header `Prefer: respond-async` with the request.
+
+ This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a user that hasn't been deactivated.
operationId: deleteUser
parameters:
- name: sendEmail
in: query
+ description: Sends a deactivation email to the admin if `true`
schema:
type: boolean
default: false
x-okta-added-version: 1.5.0
+ - name: Prefer
+ in: header
+ required: false
+ schema:
+ type: string
+ enum:
+ - respond-async
responses:
'204':
description: No Content
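Review bot: The new `Prefer` header parameter has no `description`, so the generated docs won't tell readers that `respond-async` switches the deletion (and the implicit deactivation) to the asynchronous path described in the operation text; add for example `description: Set to `respond-async` to perform the deletion or deactivation asynchronously`. The only response visible in this hunk is `204`; if the asynchronous path answers with a different status (presumably an accepted-style code), that response should be listed too, since the rest of the responses map lies outside the hunk I can't confirm whether it already is.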
@@ -14724,22 +21103,39 @@ paths:
- okta.users.manage
tags:
- User
- /api/v1/users/{userId}/appLinks:
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{id}/lifecycle/reactivate:
parameters:
- - $ref: '#/components/parameters/pathUserId'
- get:
- summary: List all Assigned Application Links
- description: Lists all appLinks for all direct or indirect (via group membership) assigned applications
- operationId: listAppLinks
+ - $ref: '#/components/parameters/pathId'
+ post:
+ summary: Reactivate a User
+ description: |-
+ Reactivates a user.
+
+ This operation can only be performed on Users with a `PROVISIONED` or `RECOVERY` [status](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response).
+ This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser).
+
+ Users that don't have a password must complete the flow by completing [Reset Password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) and MFA enrollment steps to transition the user to `ACTIVE` status.
+
+ If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.
+ operationId: reactivateUser
+ parameters:
+ - name: sendEmail
+ in: query
+ description: Sends an activation email to the user if `true`
+ schema:
+ type: boolean
+ default: false
responses:
'200':
description: Success
content:
application/json:
schema:
- type: array
- items:
- $ref: '#/components/schemas/AppLink'
+ $ref: '#/components/schemas/UserActivationToken'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
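Review bot: The `200` response of `reactivateUser` is documented as always carrying `UserActivationToken`, while the operation text says the activation link is returned only when `sendEmail` is `false`; the schema or the description should state what the body holds when an email is sent instead. A one-line `description: Success. The body carries the activation token and link only when `sendEmail` is `false`` on the `200` response would remove the ambiguity. The same mismatch exists in the `forgot_password` hunk below, whose `200` is described as `Reset URL` regardless of `sendEmail`.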
@@ -14749,30 +21145,29 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.users.read
+ - okta.users.manage
tags:
- - User
- /api/v1/users/{userId}/blocks:
+ - UserLifecycle
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}:
parameters:
- - $ref: '#/components/parameters/pathUserId'
- get:
- summary: List all User Blocks
- description: Lists information about how the user is blocked from accessing their account
- operationId: listUserBlocks
+ - $ref: '#/components/parameters/pathUserIdOrLogin'
+ - $ref: '#/components/parameters/pathPrimaryRelationshipName'
+ - $ref: '#/components/parameters/pathPrimaryUserId'
+ put:
+ summary: Assign a Linked Object value for primary
+ description: |-
+ Assigns the first User as the `associated` and the second User as the `primary` for the specified relationship.
+
+ If the first User is already associated with a different `primary` for this relationship, the previous link is removed. A Linked Object relationship can specify only one primary User for an associated User.
+ operationId: assignLinkedObjectValueForPrimary
responses:
- '200':
+ '204':
description: Success
- content:
- application/json:
- schema:
- type: array
- items:
- $ref: '#/components/schemas/UserBlock'
- examples:
- BlocksUnknownDevices:
- $ref: '#/components/examples/ListUserBlocksUnknownDevicesResponse'
- BlocksAnyDevices:
- $ref: '#/components/examples/ListUserBlocksAnyDevicesResponse'
+ content: {}
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -14780,17 +21175,160 @@ paths:
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
- - apiToken: []
- oauth2:
- - okta.users.read
+ - okta.users.manage
tags:
- - User
- /api/v1/users/{userId}/clients:
+ - UserLinkedObject
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}:
+ parameters:
+ - $ref: '#/components/parameters/pathUserIdOrLogin'
+ - $ref: '#/components/parameters/pathRelationshipName'
+ get:
+ summary: List the primary or all of the associated Linked Object values
+ description: |-
+ Lists either the `self` link for the primary User or all associated Users in the relationship specified by `relationshipName`. If the specified User isn't associated in any relationship, an empty array is returned.
+
+ Use `me` instead of `id` to specify the current session User.
+ operationId: listLinkedObjectsForUser
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/ResponseLinks'
+ examples:
+ GetPrimaryLinkedObjectResponse:
+ $ref: '#/components/examples/GetPrimaryLinkedObjectResponse'
+ GetAssociatedLinkedObjectResponse:
+ $ref: '#/components/examples/GetAssociatedLinkedObjectsResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.read
+ tags:
+ - UserLinkedObject
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete a Linked Object value
+ description: |-
+ Deletes any existing relationship between the `associated` and `primary` user. For the `associated` User, this is specified by the ID. The `primary` name specifies the relationship.
+
+ The operation is successful if the relationship is deleted or if the specified User isn't in the `associated` relationship for any instance of the specified `primary` and thus, no relationship is found.
+ operationId: deleteLinkedObjectForUser
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.manage
+ tags:
+ - UserLinkedObject
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/appLinks:
+ parameters:
+ - $ref: '#/components/parameters/pathUserId'
+ get:
+ summary: List all Assigned App Links
+ description: Lists all App Links for all direct or indirect (via group membership) assigned apps
+ operationId: listAppLinks
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/AppLink'
+ examples:
+ List App Links:
+ $ref: '#/components/examples/ListAppLinks'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.read
+ tags:
+ - UserResources
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/blocks:
+ parameters:
+ - $ref: '#/components/parameters/pathUserId'
+ get:
+ summary: List all user blocks
+ description: Lists information about how the user is blocked from accessing their account
+ operationId: listUserBlocks
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/UserBlock'
+ examples:
+ BlocksUnknownDevices:
+ $ref: '#/components/examples/ListUserBlocksUnknownDevicesResponse'
+ BlocksAnyDevices:
+ $ref: '#/components/examples/ListUserBlocksAnyDevicesResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.read
+ tags:
+ - User
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/clients:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
summary: List all Clients
- description: Lists all client resources for which the specified user has grants or tokens
+ description: Lists all Client resources for which the specified User has grants or tokens
operationId: listUserClients
responses:
'200':
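Review bot: In the `security` block of `assignLinkedObjectValueForPrimary` the `- apiToken: []` entry is removed, leaving only `oauth2`, while the sibling `listLinkedObjectsForUser` and `deleteLinkedObjectForUser` operations added in this same hunk keep both `apiToken` and `oauth2`. Unless the PUT is intentionally OAuth-only, this looks like a line dropped during the rewrite and should be restored to `- apiToken: []` above `- oauth2:`. Separately, the `listLinkedObjectsForUser` description says to use `me` instead of `id`, but the path parameter is `{userIdOrLogin}`; consider `Use `me` instead of `userIdOrLogin` to specify the current session User.`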
@@ -14801,6 +21339,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/OAuth2Client'
+ examples:
+ List User Clients:
+ $ref: '#/components/examples/ListUserClients'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -14812,29 +21353,38 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - UserResources
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/clients/{clientId}/grants:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathClientId'
get:
summary: List all Grants for a Client
- description: Lists all grants for a specified user and client
+ description: Lists all Grants for a specified User and client
operationId: listGrantsForUserAndClient
parameters:
- name: expand
in: query
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
schema:
type: string
- name: after
in: query
+ description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).
schema:
type: string
- name: limit
in: query
+ description: Specifies the number of tokens to return
schema:
type: integer
format: int32
+ minimum: 1
+ maximum: 200
default: 20
responses:
'200':
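Review bot: The `limit` description added to `listGrantsForUserAndClient` reads `Specifies the number of tokens to return`, but this endpoint lists grants; the text was evidently copied from the tokens endpoint below. Change it to `description: Specifies the number of grants to return`. The `minimum`/`maximum` bounds added alongside it are a welcome addition and look consistent with the tokens endpoint.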
@@ -14856,10 +21406,14 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - UserGrant
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke all Grants for a Client
- description: Revokes all grants for the specified user and client
+ description: Revokes all Grants for the specified User and client
operationId: revokeGrantsForUserAndClient
responses:
'204':
@@ -14876,29 +21430,39 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserGrant
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/clients/{clientId}/tokens:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathClientId'
get:
summary: List all Refresh Tokens for a Client
- description: Lists all refresh tokens issued for the specified User and Client
+ description: Lists all refresh Tokens issued for the specified User and client
operationId: listRefreshTokensForUserAndClient
parameters:
- name: expand
in: query
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
schema:
type: string
+ example: scope
- name: after
in: query
+ description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).
schema:
type: string
- name: limit
in: query
+ description: Specifies the number of tokens to return
schema:
type: integer
format: int32
+ minimum: 1
+ maximum: 200
default: 20
responses:
'200':
@@ -14920,10 +21484,14 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - UserOAuth
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke all Refresh Tokens for a Client
- description: Revokes all refresh tokens issued for the specified User and Client
+ description: Revokes all refresh Tokens issued for the specified User and client
operationId: revokeTokensForUserAndClient
responses:
'204':
@@ -14940,7 +21508,11 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserOAuth
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}:
parameters:
- $ref: '#/components/parameters/pathUserId'
@@ -14948,22 +21520,15 @@ paths:
- $ref: '#/components/parameters/pathTokenId'
get:
summary: Retrieve a Refresh Token for a Client
- description: Retrieves a refresh token issued for the specified User and Client
+ description: Retrieves a refresh Token issued for the specified User and client
operationId: getRefreshTokenForUserAndClient
parameters:
- name: expand
in: query
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
schema:
type: string
- - name: limit
- in: query
- schema:
- type: integer
- default: 20
- - name: after
- in: query
- schema:
- type: string
+ example: scope
responses:
'200':
description: Success
@@ -14982,10 +21547,14 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - UserOAuth
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke a Token for a Client
- description: Revokes the specified refresh token
+ description: Revokes the specified refresh Token
operationId: revokeTokenForUserAndClient
responses:
'204':
@@ -15002,19 +21571,32 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserOAuth
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/credentials/change_password:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
- summary: Change Password
- description: Changes a user's password by validating the user's current password. This operation can only be performed on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid password credential
+ summary: Update Password
+ description: |-
+ Updates a User's password by validating the User's current Password.
+
+ This operation provides an option to delete all the sessions of the specified User. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared.
+
+ You can only perform this operation on Users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
+
+ The User transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status.
operationId: changePassword
parameters:
- name: strict
in: query
+ description: If true, validates against password minimum age policy
schema:
type: boolean
+ default: false
x-okta-added-version: 1.10.0
x-codegen-request-body-name: changePasswordRequest
requestBody:
@@ -15022,6 +21604,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/ChangePasswordRequest'
+ examples:
+ Change Password Request:
+ $ref: '#/components/examples/ChangePwdRequest'
required: true
responses:
'200':
@@ -15030,6 +21615,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/UserCredentials'
+ examples:
+ Change Password Response:
+ $ref: '#/components/examples/ChangePwdResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -15043,13 +21631,19 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserCred
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/credentials/change_recovery_question:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
- summary: Change Recovery Question
- description: Changes a user's recovery question & answer credential by validating the user's current password. This operation can only be performed on users in **STAGED**, **ACTIVE** or **RECOVERY** `status` that have a valid password credential
+ summary: Update Recovery Question
+ description: |-
+ Updates a User's Recovery Question and answer credential by validating the User's current Password.
+ You can only perform this operation on Users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [Password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request).
operationId: changeRecoveryQuestion
x-codegen-request-body-name: userCredentials
requestBody:
@@ -15057,6 +21651,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/UserCredentials'
+ examples:
+ Update Recovery Question Request:
+ $ref: '#/components/examples/UpdateRecQuestionRequest'
required: true
responses:
'200':
@@ -15065,6 +21662,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/UserCredentials'
+ examples:
+ Update Recovery Question Response:
+ $ref: '#/components/examples/UpdateRecQuestionResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -15078,28 +21678,50 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserCred
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/credentials/forgot_password:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
- summary: Initiate Forgot Password
- description: Initiates the forgot password flow. Generates a one-time token (OTT) that can be used to reset a user's password.
+ summary: Start forgot password flow
+ description: |-
+ Starts the forgot password flow.
+
+ Generates a one-time token (OTT) that you can use to reset a User's Password.
+
+ The User must validate their security question's answer when visiting the reset link. This operation can only be performed on Users with an ACTIVE status and
+ a valid [Recovery Question credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request).
+
+ > **Note:** If you have migrated to Identity Engine, you can allow Users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr)
+
+ If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup:
+ * Okta no longer includes deactivated Users in the lookup.
+ * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses.
+
+ If `sendEmail` is `false`, returns a link for the User to reset their Password. This operation doesn't affect the status of the User.
operationId: forgotPassword
parameters:
- name: sendEmail
in: query
+ description: Sends a forgot password email to the User if `true`
required: false
schema:
type: boolean
default: true
responses:
'200':
- description: Reset url
+ description: Reset URL
content:
application/json:
schema:
$ref: '#/components/schemas/ForgotPasswordResponse'
+ examples:
+ Forgot Password Response:
+ $ref: '#/components/examples/ForgotPwdResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
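Review bot: In the `forgotPassword` description the status value is written as plain `ACTIVE`, while every other status in this file's rewritten descriptions (`STAGED`, `RECOVERY`, `DEPROVISIONED`) is backticked; use `` `ACTIVE` `` for consistency. The `Self-service account recovery` note also lacks a terminating period where the surrounding sentences have one.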
@@ -15111,13 +21733,19 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserCred
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/credentials/forgot_password_recovery_question:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
summary: Reset Password with Recovery Question
- description: Resets the user's password to the specified password if the provided answer to the recovery question is correct
+ description: |-
+ Resets the User's password to the specified password if the provided answer to the recovery question is correct.
+ You must include the Recovery Question answer with the submission.
operationId: forgotPasswordSetNewPassword
parameters:
- name: sendEmail
@@ -15132,6 +21760,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/UserCredentials'
+ examples:
+ Forgot Password Recovery Question Request:
+ $ref: '#/components/examples/ForgotPwdRecoveryQuestionRequest'
required: true
responses:
'200':
@@ -15140,6 +21771,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/UserCredentials'
+ examples:
+ Forgot Password Recovery Question Response:
+ $ref: '#/components/examples/ForgotPwdRecoveryQuestionResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -15153,13 +21787,17 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserCred
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
- summary: List all Factors
- description: Lists all the enrolled factors for the specified user
+ summary: List all enrolled Factors
+ description: Lists all enrolled Factors for the specified user
operationId: listFactors
responses:
'200':
@@ -15170,6 +21808,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/UserFactor'
+ examples:
+ ListFactorsResponse:
+ $ref: '#/components/examples/ListFactorsResults'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15182,34 +21823,72 @@ paths:
- okta.users.read
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Enroll a Factor
- description: Enrolls a user with a supported factor
+ description: |-
+ Enrolls a supported Factor for the specified user
+
+ > **Note:** All responses return the enrolled Factor with a status of either `PENDING_ACTIVATION`` or `ACTIVE`.
+
+ #### Additional SMS/Call Factor information
+ * **Rate limits**: Okta may return a `429 Too Many Requests` status code if you attempt to resend an SMS or a voice call challenge (OTP) within the same time window. The current [rate limit](https://developer.okta.com/docs/reference/rate-limits/) is one SMS/CALL challenge per phone number every 30 seconds.
+ * **Existing phone numbers**: Okta may return a `400 Bad Request` status code if a user attempts to enroll with a different phone number when the user has an existing mobile phone or has an existing phone with voice call capability. A user can enroll only one mobile phone for `sms` and enroll only one voice call capable phone for `call` factor.
+
+ #### Additional WebAuthn Factor information
+ **Enroll WebAuthn response parameters**
+ * For detailed information on the Webauthn standard, including an up-to-date list of supported browsers, see [webauthn.me](https://a0.to/webauthnme-okta-docs).
+
+ * In the enroll API response, the `response._embedded.activation` object contains properties used to help the client to create a new WebAuthn credential for use with Okta. See the [WebAuthn spec for PublicKeyCredentialCreationOptions](https://www.w3.org/TR/webauthn/#dictionary-makecredentialoptions).
+
+ #### Additional Custom TOTP Factor information
+
+ **Enroll Custom TOTP Factor**
+ * The enrollment process involves passing both the `factorProfileId` and `sharedSecret` properties for a token.
+
+ * A Factor Profile represents a particular configuration of the Custom TOTP factor. It includes certain properties that match the hardware token that end users possess, such as the HMAC algorithm, passcode length, and time interval. There can be multiple Custom TOTP factor profiles per org, but users can only enroll in one Custom TOTP factor. Admins can [create Custom TOTP factor profiles](https://help.okta.com/okta_help.htm?id=ext-mfa-totp) in the Admin Console. Then, copy the `factorProfileId` from the Admin Console into the API request.
+
+ *
+ For Custom TOTP enrollment, Okta automaticaly enrolls a user with a `token:software:totp` factor and the `push` factor if the user isn't currently enrolled with these factors.
operationId: enrollFactor
parameters:
- name: updatePhone
+ description: If `true`, indicates that you are replacing the currently registered phone number for the specified user. This parameter is ignored if the existing phone number is used by an activated Factor.
in: query
schema:
type: boolean
default: false
- name: templateId
in: query
- description: id of SMS template (only for SMS factor)
+ description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors. If the provided ID doesn't exist, the default template is used instead.
schema:
type: string
+ example: cstk2flOtuCMDJK4b0g3
- name: tokenLifetimeSeconds
+ description: Defines how long the token remains valid
in: query
schema:
type: integer
format: int32
+ minimum: 1
+ maximum: 86400
default: 300
x-okta-added-version: 1.3.0
- name: activate
+ description: If `true`, the factor is immediately activated as part of the enrollment. An activation process isn't required. Currently auto-activation is supported by `sms`, `call`, `email` and `token:hotp` (Custom TOTP) Factor.
in: query
schema:
type: boolean
default: false
x-okta-added-version: 1.3.0
+ - name: Accept-Language
+ description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead.
+ in: header
+ schema:
+ type: string
+ example: fr
x-codegen-request-body-name: body
requestBody:
description: Factor
@@ -15217,6 +21896,33 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/UserFactor'
+ examples:
+ question:
+ $ref: '#/components/examples/EnrollFactorQuestionRequest'
+ sms:
+ $ref: '#/components/examples/EnrollFactorSmsRequest'
+ call:
+ $ref: '#/components/examples/EnrollFactorCallRequest'
+ token:software:totp:
+ $ref: '#/components/examples/EnrollFactorOVTotpRequest'
+ push:
+ $ref: '#/components/examples/EnrollFactorOVPushRequest'
+ google:
+ $ref: '#/components/examples/EnrollFactorGoogleRequest'
+ rsa_securId:
+ $ref: '#/components/examples/EnrollFactorRsaSecurIdRequest'
+ symantec_vip:
+ $ref: '#/components/examples/EnrollFactorSymantecVipRequest'
+ yubikey:
+ $ref: '#/components/examples/EnrollFactorYubikeyRequest'
+ email:
+ $ref: '#/components/examples/EnrollFactorEmailRequest'
+ u2f:
+ $ref: '#/components/examples/EnrollFactorU2fRequest'
+ webAuthn:
+ $ref: '#/components/examples/EnrollFactorWebauthnRequest'
+ customTotp:
+ $ref: '#/components/examples/EnrollFactorCustomTotpRequest'
required: true
responses:
'200':
@@ -15225,6 +21931,33 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/UserFactor'
+ examples:
+ question:
+ $ref: '#/components/examples/EnrollFactorQuestionResponse'
+ sms:
+ $ref: '#/components/examples/EnrollFactorSmsResponse'
+ call:
+ $ref: '#/components/examples/EnrollFactorCallResponse'
+ token:software:totp:
+ $ref: '#/components/examples/EnrollFactorOVTotpResponse'
+ push:
+ $ref: '#/components/examples/EnrollFactorOVPushResponse'
+ google:
+ $ref: '#/components/examples/EnrollFactorGoogleResponse'
+ rsa_securId:
+ $ref: '#/components/examples/EnrollFactorRsaSecurIdResponse'
+ symantec_vip:
+ $ref: '#/components/examples/EnrollFactorSymantecVipResponse'
+ yubikey:
+ $ref: '#/components/examples/EnrollFactorYubikeyResponse'
+ email:
+ $ref: '#/components/examples/EnrollFactorEmailResponse'
+ u2f:
+ $ref: '#/components/examples/EnrollFactorU2fResponse'
+ webAuthn:
+ $ref: '#/components/examples/EnrollFactorWebauthnResponse'
+ customTotp:
+ $ref: '#/components/examples/EnrollFactorCustomTotpResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -15239,12 +21972,15 @@ paths:
- okta.users.manage
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors/catalog:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
- summary: List all Supported Factors
- description: Lists all the supported factors that can be enrolled for the specified user
+ summary: List all supported Factors
+ description: Lists all the supported Factors that can be enrolled for the specified user
operationId: listSupportedFactors
responses:
'200':
@@ -15254,7 +21990,10 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/UserFactor'
+ $ref: '#/components/schemas/UserFactorSupported'
+ examples:
+ SupportedFactorResponse:
+ $ref: '#/components/examples/SupportedFactorResults'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15267,22 +22006,33 @@ paths:
- okta.users.read
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors/questions:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
- summary: List all Supported Security Questions
- description: Lists all available security questions for a user's `question` factor
+ x-okta-no-scope-required: true
+ summary: List all supported Security Questions
+ description: Lists all available Security Questions for the specified user
operationId: listSupportedSecurityQuestions
responses:
'200':
description: Success
content:
application/json:
+ example:
+ - question: disliked_food
+ questionText: What is the food you least liked as a child?
+ - question: name_of_first_plush_toy
+ questionText: What is the name of your first stuffed animal?
+ - question: first_award
+ questionText: What did you earn your first medal or award for?
schema:
type: array
items:
- $ref: '#/components/schemas/SecurityQuestion'
+ $ref: '#/components/schemas/UserFactorSecurityQuestionProfile'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
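Review bot: `x-okta-no-scope-required: true` is added to `listSupportedSecurityQuestions` without any explanation, and if this extension marks the operation as exempt from OAuth scope checks, as its name suggests, that is exactly the kind of authorization exception a reader needs to see justified next to the flag. A one-line comment above it, e.g. `# Security questions are not user-specific data; no OAuth scope is enforced for this read`, would record the intent (wording to be confirmed against the actual behaviour, which this hunk does not show). Separately, this is the only response in the diff that inlines an `example:` on the media type; every other operation uses `examples:` with a `$ref` into `#/components/examples`, so moving these three questions into a named component would keep the file consistent.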
@@ -15293,21 +22043,21 @@ paths:
- apiToken: []
tags:
- UserFactor
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors/{factorId}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathFactorId'
get:
summary: Retrieve a Factor
- description: Retrieves a factor for the specified user
+ description: Retrieves an existing Factor for the specified user
operationId: getFactor
responses:
'200':
- description: Success
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/UserFactor'
+ $ref: '#/components/responses/GetFactorResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15320,12 +22070,19 @@ paths:
- okta.users.read
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Unenroll a Factor
- description: Unenrolls an existing factor for the specified user, allowing the user to enroll a new factor
+ description: |-
+ Unenrolls an existing Factor for the specified user. This allows the user to enroll a new Factor.
+
+ > **Note**: If you unenroll the `push` or the `signed_nonce` Factors, Okta also unenrolls any other `totp`, `signed_nonce`, or Okta Verify `push` Factors associated with the user.
operationId: unenrollFactor
parameters:
- name: removeRecoveryEnrollment
+ description: If `true`, removes the phone number as both a recovery method and a Factor. This parameter is only used for the `sms` and `call` Factors.
in: query
schema:
type: boolean
@@ -15346,20 +22103,41 @@ paths:
- okta.users.manage
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors/{factorId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathFactorId'
post:
summary: Activate a Factor
- description: Activates a factor. The `sms` and `token:software:totp` factor types require activation to complete the enrollment process.
+ description: |-
+ Activates a Factor. Some Factors (`call`, `email`, `push`, `sms`, `token:software:totp`, `u2f`, and `webauthn`) require activation to complete the enrollment process.
+
+ Okta enforces a rate limit of five activation attempts within five minutes. After a user exceeds the rate limit, Okta returns an error message.
+
+ > **Note**: If the user exceeds their SMS, call, or email factor activate rate limit, then an OTP resend request (`/api/v1/users/${userId}}/factors/${factorId}/resend`) isn't allowed for the same Factor.
operationId: activateFactor
x-codegen-request-body-name: body
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/ActivateFactorRequest'
+ $ref: '#/components/schemas/UserFactorActivateRequest'
+ examples:
+ token:software:totp:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ sms:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ call:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ email:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ u2f:
+ $ref: '#/components/examples/ActivateFactorU2fRequest'
+ webauthn:
+ $ref: '#/components/examples/ActivateFactorWebauthnRequest'
required: false
responses:
'200':
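Review bot: The Note in the new `activateFactor` description contains a malformed path, `/api/v1/users/${userId}}/factors/${factorId}/resend`, with a doubled closing brace and a `$` prefix that no other path in this spec uses; it should read `/api/v1/users/{userId}/factors/{factorId}/resend` to match the path keys. The request body is marked `required: false` but the description never says for which factor types a body is optional; the examples list passcode bodies for `token:software:totp`, `sms`, `call` and `email` and credential bodies for `u2f`/`webauthn`, while `push` has only a response example, so presumably the body is omitted for `push` activation. A sentence such as `A request body is not required for push Factors; all other listed Factors require the activation data shown in the examples.` would make the contract explicit (confirm against the implementation before adopting).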
@@ -15367,7 +22145,22 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/UserFactor'
+ $ref: '#/components/schemas/UserFactorActivateResponse'
+ examples:
+ token:software:totp:
+ $ref: '#/components/examples/ActivateFactorTotpResponse'
+ sms:
+ $ref: '#/components/examples/ActivateFactorSmsResponse'
+ call:
+ $ref: '#/components/examples/ActivateFactorCallResponse'
+ push:
+ $ref: '#/components/examples/ActivateFactorPushResponse'
+ email:
+ $ref: '#/components/examples/ActivateFactorEmailResponse'
+ u2f:
+ $ref: '#/components/examples/ActivateFactorU2fResponse'
+ webauthn:
+ $ref: '#/components/examples/ActivateFactorWebauthnResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -15382,26 +22175,41 @@ paths:
- okta.users.manage
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors/{factorId}/resend:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathFactorId'
post:
- summary: Resend a factor enrollment
- description: Resends a factor challenge (SMS/call/email OTP) as part of an enrollment flow. The current rate limit is one OTP challenge (call or SMS) per device every 30 seconds. Okta round-robins between SMS providers with every resend request to help ensure delivery of an SMS OTP across different carriers.
+ summary: Resend a Factor enrollment
+ description: |-
+ Resends an `sms`, `call`, or `email` factor challenge as part of an enrollment flow
+
+ For `call` and `sms` factors, Okta enforces a rate limit of one OTP challenge per device every 30 seconds. You can configure your `sms` and `call` factors to use a third-party telephony provider. See the [Telephony inline hook reference](https://developer.okta.com/docs/reference/telephony-hook/). Okta round-robins between SMS providers with every resend request to help ensure delivery of an SMS and Call OTPs across different carriers.
+
+ > **Note**: Resend operations aren't allowed after a factor exceeds the activation rate limit. See [Activate a Factor](./#tag/UserFactor/operation/activateFactor).
operationId: resendEnrollFactor
parameters:
- name: templateId
in: query
- description: ID of SMS template (only for SMS factor)
+ description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors.
schema:
+ example: cstk2flOtuCMDJK4b0g3
type: string
requestBody:
- description: Factor
content:
application/json:
schema:
- $ref: '#/components/schemas/UserFactor'
+ $ref: '#/components/schemas/ResendUserFactor'
+ examples:
+ sms:
+ value:
+ factorType: sms
+ provider: OKTA
+ profile:
+ phoneNumber: +1-555-415-1337
required: true
responses:
'200':
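Review bot: The `templateId` parameter here puts `example:` before `type:` inside `schema`, whereas the same parameter on `enrollFactor` and `verifyFactor` lists `type` first; mappings are unordered, but the file otherwise keeps a stable key order, so `type: string` should precede `example: cstk2flOtuCMDJK4b0g3`. The inline `sms` example writes `phoneNumber: +1-555-415-1337` as a plain scalar; it parses as a string today, but a leading `+` and digits is the kind of value that retyping tools and YAML 1.1 loaders handle inconsistently, so `phoneNumber: '+1-555-415-1337'` is safer. The hunk also drops the request body's `description: Factor` without a replacement, leaving the body undocumented, and the description sentence `ensure delivery of an SMS and Call OTPs` should be `ensure delivery of SMS and call OTPs`.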
@@ -15409,7 +22217,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/UserFactor'
+ $ref: '#/components/schemas/ResendUserFactor'
+ examples:
+ sms:
+ $ref: '#/components/examples/EnrollFactorSmsResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -15424,14 +22235,17 @@ paths:
- okta.users.manage
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathFactorId'
- $ref: '#/components/parameters/pathTransactionId'
get:
- summary: Retrieve a Factor Transaction Status
- description: Retrieves the factors verification transaction status
+ summary: Retrieve a Factor transaction status
+ description: Retrieves the status of a `push` Factor verification transaction
operationId: getFactorTransactionStatus
responses:
'200':
@@ -15439,7 +22253,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/VerifyUserFactorResponse'
+ $ref: '#/components/schemas/UserFactorPushTransaction'
+ examples:
+ WAITING:
+ $ref: '#/components/examples/UserFactorVerifyPushTransactionWaiting'
+ SUCCESS:
+ $ref: '#/components/examples/UserFactorVerifyPushTransactionApproved'
+ REJECTED:
+ $ref: '#/components/examples/UserFactorVerifyPushTransactionRejected'
+ TIMEOUT:
+ $ref: '#/components/examples/UserFactorVerifyPushTransactionTimeout'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15452,46 +22275,81 @@ paths:
- okta.users.read
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/factors/{factorId}/verify:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathFactorId'
post:
- summary: Verify an MFA Factor
- description: Verifies an OTP for a `token` or `token:hardware` factor
+ summary: Verify a Factor
+ description: |-
+ Verifies an OTP for a Factor. Some Factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the Factor. Do this by making a request without a body. After a challenge is issued, make another request to verify the Factor.
+
+ **Note**: To verify a `push` factor, use the **poll** link returned when you issue the challenge. See [Retrieve a Factor Transaction Status](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus).
operationId: verifyFactor
parameters:
- name: templateId
+ description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` Factors.
in: query
schema:
type: string
+ example: cstk2flOtuCMDJK4b0g3
- name: tokenLifetimeSeconds
+ description: Defines how long the token remains valid
in: query
schema:
type: integer
format: int32
+ minimum: 1
+ maximum: 86400
default: 300
x-okta-added-version: 1.3.0
- name: X-Forwarded-For
+ description: Public IP address for the user agent
in: header
schema:
type: string
x-okta-added-version: 1.11.0
- name: User-Agent
+ description: Type of user agent detected when the request is made. Required to verify `push` Factors.
in: header
schema:
type: string
x-okta-added-version: 1.11.0
- name: Accept-Language
+ description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` Factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead.
in: header
schema:
type: string
+ example: fr
x-codegen-request-body-name: body
requestBody:
+ description: Some Factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the Factor. Do this by making a request without a body. After a challenge is issued, make another request to verify the Factor.
content:
application/json:
schema:
- $ref: '#/components/schemas/VerifyFactorRequest'
+ $ref: '#/components/schemas/UserFactorVerifyRequest'
+ examples:
+ sms verify:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ call verify:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ email verify:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ u2f verify:
+ $ref: '#/components/examples/UserFactorVerifyU2fRequest'
+ webAuthn verify:
+ $ref: '#/components/examples/UserFactorVerifyWebauthnRequest'
+ security question verify:
+ $ref: '#/components/examples/UserFactorVerifySecurityQuestionRequest'
+ totp verify:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ token verify:
+ $ref: '#/components/examples/FactorPasscodeRequest'
+ yubikey verify:
+ $ref: '#/components/examples/FactorPasscodeRequest'
required: false
responses:
'200':
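Review bot: The new `X-Forwarded-For` description, `Public IP address for the user agent`, does not say that this value is whatever the calling application sends, which matters for an MFA verification request: readers should not take it as an address Okta has verified. Suggested wording: `description: Public IP address of the end user as reported by the calling application. Okta receives this value as sent; use it only when your application controls the header.` (how Okta consumes it is not shown here, so keep the wording to what the caller can guarantee). The operation description and the `requestBody` description repeat the same two sentences about issuing a challenge first; keeping the contract in one place avoids them drifting. The link in the Note is an absolute site path (`/openapi/okta-management/management/tag/UserFactor/#tag/...`) while the `resendEnrollFactor` description a few hunks up uses the relative form `./#tag/UserFactor/operation/activateFactor`, and this Note is the only one in the diff not written as a `>` blockquote.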
@@ -15499,7 +22357,38 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/VerifyUserFactorResponse'
+ $ref: '#/components/schemas/UserFactorVerifyResponse'
+ examples:
+ sms challenge:
+ $ref: '#/components/examples/UserFactorChallengeSmsResponse'
+ sms verify:
+ $ref: '#/components/examples/UserFactorVerifySuccessSmsResponse'
+ call challenge:
+ $ref: '#/components/examples/UserFactorChallengeCallResponse'
+ call verify:
+ $ref: '#/components/examples/UserFactorVerifyCallSuccessResponse'
+ push challenge:
+ $ref: '#/components/examples/UserFactorChallengePushResponse'
+ email challenge:
+ $ref: '#/components/examples/UserFactorChallengeEmailResponse'
+ email verify:
+ $ref: '#/components/examples/UserFactorVerifyEmailSuccessResponse'
+ u2f challenge:
+ $ref: '#/components/examples/UserFactorChallengeU2fResponse'
+ u2f verify:
+ $ref: '#/components/examples/UserFactorVerifyU2fResponse'
+ webAuthn challenge:
+ $ref: '#/components/examples/UserFactorChallengeWebauthnResponse'
+ webAuthn verify:
+ $ref: '#/components/examples/UserFactorVerifyWebauthnResponse'
+ security question verify:
+ $ref: '#/components/examples/UserFactorVerifySuccessSqResponse'
+ totp verify:
+ $ref: '#/components/examples/UserFactorVerifySuccessTotpResponse'
+ token verify:
+ $ref: '#/components/examples/UserFactorVerifySuccessTokenResponse'
+ yubikey verify:
+ $ref: '#/components/examples/UserFactorVerifySuccessYubikeyResponse'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -15514,31 +22403,41 @@ paths:
- okta.users.manage
tags:
- UserFactor
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/grants:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
summary: List all User Grants
- description: Lists all grants for the specified user
+ description: Lists all Grants for the specified user
operationId: listUserGrants
parameters:
- name: scopeId
in: query
+ description: The scope ID to filter on
schema:
type: string
- name: expand
in: query
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
schema:
type: string
+ example: scope
- name: after
in: query
+ description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).
schema:
type: string
- name: limit
in: query
+ description: Specifies the number of grants to return
schema:
type: integer
format: int32
+ minimum: 1
+ maximum: 200
default: 20
responses:
'200':
@@ -15560,10 +22459,14 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - UserGrant
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke all User Grants
- description: Revokes all grants for a specified user
+ description: Revokes all Grants for a specified User
operationId: revokeUserGrants
responses:
'204':
@@ -15580,20 +22483,26 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserGrant
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/grants/{grantId}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathGrantId'
get:
summary: Retrieve a User Grant
- description: Retrieves a grant for the specified user
+ description: Retrieves a Grant for the specified User
operationId: getUserGrant
parameters:
- name: expand
in: query
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
schema:
type: string
+ example: scope
responses:
'200':
description: Success
@@ -15612,10 +22521,14 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - UserGrant
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Revoke a User Grant
- description: Revokes one grant for a specified user
+ description: Revokes one Grant for a specified User
operationId: revokeUserGrant
responses:
'204':
@@ -15632,13 +22545,17 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserGrant
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/groups:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
summary: List all Groups
- description: Lists all groups of which the user is a member
+ description: Lists all Groups of which the User is a member
operationId: listUserGroups
responses:
'200':
@@ -15649,6 +22566,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/Group'
+ examples:
+ List User Groups:
+ $ref: '#/components/examples/ListUserGroups'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15660,13 +22580,17 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - UserResources
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/idps:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
- summary: List all Identity Providers
- description: Lists the IdPs associated with the user
+ summary: List all Identity Providers for User
+ description: Lists the IdPs associated with the User
operationId: listUserIdentityProviders
responses:
'200':
@@ -15677,6 +22601,9 @@ paths:
type: array
items:
$ref: '#/components/schemas/IdentityProvider'
+ examples:
+ MultipleIdPsResponse:
+ $ref: '#/components/examples/MultipleIdPsResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15688,32 +22615,41 @@ paths:
- oauth2:
- okta.users.read
tags:
- - User
+ - IdentityProviderUsers
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
summary: Activate a User
description: |-
- Activates a user. This operation can only be performed on users with a `STAGED` or `DEPROVISIONED` status.
- Activation of a user is an asynchronous operation. The user will have the `transitioningToStatus`
- property with a value of `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation.
- The user will have a status of `ACTIVE` when the activation process is complete.
- > **Multibrand and User activation**
- If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand.
- For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains).
-
- > **Legal disclaimer**
- After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
- you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
- Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
- liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
+ Activates a User.
+
+ This operation can only be performed on Users with a `STAGED` or `DEPROVISIONED` status. Activation of a User is an asynchronous operation.
+ * The User will have the `transitioningToStatus` property with an `ACTIVE` value during activation to indicate that the user hasn't completed the asynchronous operation.
+ * The User will have an `ACTIVE` status when the activation process completes.
+
+ Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status.
+
+ > **Note:** If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand.
+ > For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains).
+
+ > **Note:** If you have Optional Password enabled, visiting the activation link is optional for users who aren't required to enroll a password.
+ > See [Create user with Optional Password enabled](https://developer.okta.com/docs/reference/api/users/#create-user-with-optional-password-enabled).
+
+ > **Legal disclaimer**
+ > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service,
+ > you agreed not to use Okta's service/product to spam and/or send unsolicited messages.
+ > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all
+ > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
operationId: activateUser
parameters:
- name: sendEmail
in: query
- description: Sends an activation email to the user if true
- required: true
+ description: Sends an activation email to the user if `true`
+ required: false
schema:
type: boolean
default: true
@@ -15735,21 +22671,44 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserLifecycle
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
summary: Deactivate a User
- description: 'Deactivates a user. This operation can only be performed on users that do not have a `DEPROVISIONED` status. While the asynchronous operation (triggered by HTTP header `Prefer: respond-async`) is proceeding the user''s `transitioningToStatus` property is `DEPROVISIONED`. The user''s status is `DEPROVISIONED` when the deactivation process is complete.'
+ description: |-
+ Deactivates a User.
+
+ This operation can only be performed on Users that do not have a `DEPROVISIONED` status.
+ * The User's `transitioningToStatus` property is `DEPROVISIONED` during deactivation to indicate that the user hasn't completed the asynchronous operation.
+ * The User's status is `DEPROVISIONED` when the deactivation process is complete.
+
+ > **Important:** Deactivating a User is a **destructive** operation. The User is deprovisioned from all assigned apps, which might destroy their data such as email or files.
+ **This action cannot be recovered!**
+
+ You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header `Prefer: respond-async` with the request.
operationId: deactivateUser
parameters:
- name: sendEmail
in: query
+ description: Sends a deactivation email to the admin if `true`
schema:
type: boolean
default: false
x-okta-added-version: 1.5.0
+ - name: Prefer
+ in: header
+ required: false
+ schema:
+ type: string
+ enum:
+ - respond-async
+ description: Request asynchronous processing
responses:
'200':
description: OK
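Review bot: The new `Prefer` header parameter places `description` after `schema`, while every other parameter added in this diff (`sendEmail` just above it, `templateId`, `tokenLifetimeSeconds`, `Accept-Language`) puts `description` immediately after `name`; moving `description: Request asynchronous processing` up keeps the parameter blocks uniform. In the description, the line `**This action cannot be recovered!**` follows a `> **Important:**` line without its own `>`; CommonMark treats it as a lazy continuation, but other multi-line callouts in this file (for example the activate-user legal disclaimer) prefix every line, so `> **This action cannot be recovered!**` is the consistent form.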
@@ -15765,13 +22724,22 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserLifecycle
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/expire_password:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
summary: Expire Password
- description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login
+ description: |-
+ Expires the password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in.
+
+ If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD.
+ When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD,
+ and the User is presented with the password-expired page where they can change their Password.
operationId: expirePassword
responses:
'200':
@@ -15780,6 +22748,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/User'
+ examples:
+ Expire Password Response:
+ $ref: '#/components/examples/ExpirePwdResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15791,18 +22762,29 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserCred
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/expire_password_with_temp_password:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
- summary: Expire Password and Set Temporary Password
- description: Expires a user's password and transitions the user to the status of `PASSWORD_EXPIRED` so that the user is required to change their password at their next login, and also sets the user's password to a temporary password returned in the response
- operationId: expirePasswordAndGetTemporaryPassword
+ summary: Expire Password with temporary password
+ description: |-
+ Expires the password and resets the User's Password to a temporary password. This operation transitions the User status to `PASSWORD_EXPIRED` so that the User must change their password the next time that they sign in.
+ User's Password is reset to a temporary password that is returned, and then the User's Password is expired.
+ If `revokeSessions` is included in the request with a value of `true`, the User's current outstanding sessions are revoked and require re-authentication.
+
+ If you have integrated Okta with your on-premises Active Directory (AD), then setting a User's Password as expired in Okta also expires the Password in AD.
+ When the User tries to sign in to Okta, delegated authentication finds the password-expired status in AD,
+ and the User is presented with the password-expired page where they can change their Password.
+ operationId: expirePasswordWithTempPassword
parameters:
- name: revokeSessions
- description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session.
in: query
+ description: Revokes the User's existing sessions if `true`
required: false
schema:
type: boolean
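Review bot: The rewritten `revokeSessions` description at L65635 drops the "except the current session" qualifier that the removed line carried, while the sibling `reset_password` operation in this file documents the same parameter as revoking all sessions except the current one. If the behavior is unchanged, a caller acting on their own account will now read this as ending their own session too; if the behavior did change, the operation description above (`the User's current outstanding sessions are revoked`) should say so explicitly rather than by omission. Suggest aligning with `reset_password`: `description: Revokes all User sessions, except for the current session, if set to `true``. The parameter's schema continues past the hunk.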
@@ -15813,40 +22795,10 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/TempPassword'
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
- '404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - apiToken: []
- - oauth2:
- - okta.users.manage
- tags:
- - User
- /api/v1/users/{userId}/lifecycle/reactivate:
- parameters:
- - $ref: '#/components/parameters/pathUserId'
- post:
- summary: Reactivate a User
- description: Reactivates a user. This operation can only be performed on users with a `PROVISIONED` status. This operation restarts the activation workflow if for some reason the user activation was not completed when using the activationToken from [Activate User](#activate-user).
- operationId: reactivateUser
- parameters:
- - name: sendEmail
- in: query
- description: Sends an activation email to the user if true
- schema:
- type: boolean
- default: false
- responses:
- '200':
- description: Success
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/UserActivationToken'
+ $ref: '#/components/schemas/User'
+ examples:
+ Expire Password with Temp Password Response:
+ $ref: '#/components/examples/ExpirePwdWithTempPwdResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
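Review bot: The 200 response schema now references `User` instead of `TempPassword` (L65677), yet the operation description still says the temporary password is returned in the response; confirm that the `User` schema, which is defined outside this hunk, actually declares a `tempPassword` property, otherwise generated clients lose typed access to the one value this operation exists to return and the description no longer matches the schema. Whichever schema is right, the response body carries a live credential, which deserves a caveat in the description, e.g. `> **Note:** The returned temporary password is a credential. Deliver it to the User out of band and don't log the response body.` The remaining error responses of this operation are unchanged.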
@@ -15858,13 +22810,17 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserCred
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/reset_factors:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
- summary: Reset all Factors
- description: Resets all factors for the specified user. All MFA factor enrollments returned to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors.
+ summary: Reset Factors
+ description: Resets all factors for the specified User. All MFA factor enrollments return to the unenrolled state. The User's status remains `ACTIVE`. This link is present only if the User is currently enrolled in one or more MFA factors.
operationId: resetFactors
responses:
'200':
@@ -15881,14 +22837,30 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserLifecycle
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/reset_password:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
- summary: Generate a Reset Password Token
- description: Generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow.
- operationId: generateResetPasswordToken
+ summary: Reset password
+ description: |-
+ Resets password. Generates a one-time token (OTT) that you can use to reset a User's password. You can automatically email the OTT link to the User or return the OTT to the API caller and distribute using a custom flow.
+
+ This operation transitions the User to the `RECOVERY` status. The User is then not able to sign in or initiate a forgot password flow until they complete the reset flow.
+
+ This operation provides an option to delete all the User's sessions. However, if the request is made in the context of a session owned by the specified User, that session isn't cleared.
+ > **Note:** You can also use this API to convert a User with the Okta Credential Provider to use a Federated Provider. After this conversion, the User can't directly sign in with a password.
+ > To convert a federated User back to an Okta User, use the default API call.
+
+ If an email address is associated with multiple Users, keep in mind the following to ensure a successful password recovery lookup:
+ * Okta no longer includes deactivated Users in the lookup.
+ * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses.
+ If `sendEmail` is `false`, returns a link for the User to reset their password.
+ operationId: resetPassword
parameters:
- name: sendEmail
in: query
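Review bot: The expanded description says the one-time token can be returned to the API caller and distributed through a custom flow, but it never says that the returned link is itself a bearer credential that completes a password reset for a user who, in `RECOVERY` status, has nothing else to authenticate with. A one-line caveat after the `sendEmail` sentence would help integrators handle it correctly: `> **Note:** When `sendEmail` is `false`, the returned reset link is a one-time bearer credential. Deliver it only to the User over a trusted channel and don't log it.` The `sendEmail` parameter definition continues past the hunk.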
@@ -15896,7 +22868,7 @@ paths:
schema:
type: boolean
- name: revokeSessions
- description: When set to `true` (and the session is a user session), all user sessions are revoked except the current session.
+ description: Revokes all User sessions, except for the current session, if set to `true`
in: query
required: false
schema:
@@ -15909,6 +22881,9 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/ResetPasswordToken'
+ examples:
+ Reset Password without Sending Email Response:
+ $ref: '#/components/examples/ResetPwdWithoutSendingEmailResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15920,18 +22895,27 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserCred
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/suspend:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
summary: Suspend a User
- description: Suspends a user. This operation can only be performed on users with an `ACTIVE` status. The user will have a status of `SUSPENDED` when the process is complete.
+ description: |-
+ Suspends a user. This operation can only be performed on Users with an `ACTIVE` status. The User has a `SUSPENDED` status when the process completes.
+
+ Suspended users can't sign in to Okta. They can only be unsuspended or deactivated. Their group and app assignments are retained.
operationId: suspendUser
responses:
'200':
description: OK
content: {}
+ '400':
+ $ref: '#/components/responses/ErrorMissingRequiredParameter400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
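Review bot: The new `'400'` response on `suspend` (L65784–L65785) reuses `ErrorMissingRequiredParameter400`, yet this operation takes no body or query parameters; the only precondition the description states is that the User must be `ACTIVE`. If the 400 is what the server returns for a User in another status, a response description that says so is less misleading than a "missing required parameter" error, e.g. `'400':` with `description: The User isn't in `ACTIVE` status` and the same error schema. I can't tell from the hunk which condition the server actually reports, so confirm against the implementation before changing the reference.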
@@ -15943,13 +22927,19 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserLifecycle
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/unlock:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
summary: Unlock a User
- description: Unlocks a user with a `LOCKED_OUT` status or unlocks a user with an `ACTIVE` status that is blocked from unknown devices. Unlocked users have an `ACTIVE` status and can sign in with their current password.
+ description: |-
+ Unlocks a User with a `LOCKED_OUT` status or unlocks a User with an `ACTIVE` status that is blocked from unknown devices. Unlocked Users have an `ACTIVE` status and can sign in with their current password.
+ > **Note:** This operation works with Okta-sourced users. It doesn't support directory-sourced accounts such as Active Directory.
operationId: unlockUser
responses:
'200':
@@ -15966,18 +22956,24 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserLifecycle
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/lifecycle/unsuspend:
parameters:
- $ref: '#/components/parameters/pathUserId'
post:
summary: Unsuspend a User
- description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status.
+ description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status.
operationId: unsuspendUser
responses:
'200':
description: Success
content: {}
+ '400':
+ $ref: '#/components/responses/ErrorMissingRequiredParameter400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -15989,59 +22985,30 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
- /api/v1/users/{userId}/linkedObjects/{primaryRelationshipName}/{primaryUserId}:
- parameters:
- - $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathPrimaryRelationshipName'
- - $ref: '#/components/parameters/pathPrimaryUserId'
- put:
- summary: Create a Linked Object for two Users
- description: Creates a Linked Object for two users
- operationId: setLinkedObjectForUser
- responses:
- '204':
- description: Success
- content: {}
- '403':
- $ref: '#/components/responses/ErrorAccessDenied403'
- '404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
- '429':
- $ref: '#/components/responses/ErrorTooManyRequests429'
- security:
- - oauth2:
- - okta.users.manage
- tags:
- - User
- /api/v1/users/{userId}/linkedObjects/{relationshipName}:
+ - UserLifecycle
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/risk:
parameters:
- $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathRelationshipName'
get:
- summary: List all Linked Objects
- description: Lists all linked objects for a user, relationshipName can be a primary or associated relationship name
- operationId: listLinkedObjectsForUser
- parameters:
- - name: after
- in: query
- schema:
- type: string
- - name: limit
- in: query
- schema:
- type: integer
- format: int32
- default: -1
+ summary: Retrieve the user's risk
+ description: Retrieves the User Risk object for a user ID
+ operationId: getUserRisk
responses:
'200':
- description: Success
+ description: OK
content:
application/json:
schema:
- type: array
- items:
- $ref: '#/components/schemas/ResponseLinks'
+ $ref: '#/components/schemas/UserRiskGetResponse'
+ examples:
+ UserRiskResponseExample:
+ $ref: '#/components/examples/UserRiskResponse'
+ UserRiskNoneResponseExample:
+ $ref: '#/components/examples/UserRiskNoneResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -16051,17 +23018,48 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.users.read
+ - okta.userRisk.read
tags:
- - User
- delete:
- summary: Delete a Linked Object
- description: Deletes linked objects for a user, relationshipName can be ONLY a primary relationship name
- operationId: deleteLinkedObjectForUser
+ - UserRisk
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ put:
+ summary: Upsert the user's risk
+ description: Upserts (creates or updates) the User Risk object for a user ID
+ operationId: upsertUserRisk
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserRiskRequest'
+ examples:
+ RiskProviderRequestExample:
+ $ref: '#/components/examples/UserRiskRequest'
+ required: true
responses:
- '204':
- description: No Content
- content: {}
+ '200':
+ description: Updated the user's risk
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserRiskPutResponse'
+ examples:
+ UserRiskResponseExample:
+ $ref: '#/components/examples/UserRiskResponse'
+ '201':
+ description: Created the user's risk
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserRiskPutResponse'
+ examples:
+ UserRiskResponseExample:
+ $ref: '#/components/examples/UserRiskResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -16071,21 +23069,23 @@ paths:
security:
- apiToken: []
- oauth2:
- - okta.users.manage
+ - okta.userRisk.manage
tags:
- - User
+ - UserRisk
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/api/v1/users/{userId}/roles:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
- summary: List all Roles assigned to a User
- description: Lists all roles assigned to a user identified by `userId`
+ summary: List all user role assignments
+ description: Lists all roles assigned to a user (identified by `userId`)
operationId: listAssignedRolesForUser
parameters:
- - name: expand
- in: query
- schema:
- type: string
+ - $ref: '#/components/parameters/pathQueryRoleExpand'
responses:
'200':
description: Success
@@ -16094,7 +23094,16 @@ paths:
schema:
type: array
items:
- $ref: '#/components/schemas/Role'
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Roles:
+ $ref: '#/components/examples/StandardRolesListResponse'
+ Custom Roles:
+ $ref: '#/components/examples/StandardAndCustomRolesListResponse'
+ IAM-based Standard Roles:
+ $ref: '#/components/examples/IAMStandardRolesListResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -16106,10 +23115,20 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleAssignment
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
- summary: Assign a Role to a User
- description: Assigns a role to a user identified by `userId`
+ summary: Assign a user role
+ description: |-
+ Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a user.
+
+ You can also assign a custom role to a user, but the preferred method to assign a custom role to a user is to create a binding between the custom role, the resource set, and the user. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding).
+
+ > **Notes:**
+ > * The request payload is different for standard and custom role assignments.
+ > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response.
operationId: assignRoleToUser
parameters:
- name: disableNotifications
@@ -16117,12 +23136,16 @@ paths:
in: query
schema:
type: boolean
+ default: false
x-codegen-request-body-name: assignRoleRequest
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/AssignRoleRequest'
+ type: object
+ oneOf:
+ - $ref: '#/components/schemas/StandardRoleAssignmentSchema'
+ - $ref: '#/components/schemas/CustomRoleAssignmentSchema'
required: true
responses:
'201':
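Review bot: The request body at L66057–L66060 is a `oneOf` over `StandardRoleAssignmentSchema` and `CustomRoleAssignmentSchema` without a `discriminator`, so if the two schemas overlap in their required properties (the description says the payloads differ, but both presumably carry a `type`), a validating server or a generated client can match neither or both variants. If a shared property identifies the variant, add `discriminator:` with `propertyName: type` next to the `oneOf`; if none does, the note in the description should name the property that distinguishes the two payloads. The component schemas are outside this hunk, so I can't confirm their shape.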
@@ -16130,7 +23153,17 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Role'
+ type: object
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Roles:
+ $ref: '#/components/examples/StandardRoleResponseUser'
+ Custom Roles:
+ $ref: '#/components/examples/CustomRoleResponseUser'
+ IAM-based Standard Roles:
+ $ref: '#/components/examples/IAMStandardRoleResponseUser'
'400':
$ref: '#/components/responses/ErrorApiValidationFailed400'
'403':
@@ -16144,14 +23177,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleAssignment
- /api/v1/users/{userId}/roles/{roleId}:
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/roles/{roleAssignmentId}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
get:
- summary: Retrieve a Role assigned to a User
- description: Retrieves a role identified by `roleId` assigned to a user identified by `userId`
+ summary: Retrieve a user role assignment
+ description: Retrieves a role assigned to a user (identified by `userId`). The `roleAssignmentId` parameter is the unique identifier for either a standard role assignment object or a custom role resource set binding object.
operationId: getUserAssignedRole
responses:
'200':
@@ -16159,7 +23195,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Role'
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Roles:
+ $ref: '#/components/examples/StandardRoleResponseUser'
+ Custom Roles:
+ $ref: '#/components/examples/CustomRoleResponseUser'
+ IAM-based Standard Roles:
+ $ref: '#/components/examples/IAMStandardRoleResponseUser'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
@@ -16171,10 +23216,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleAssignment
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign a Role from a User
- description: Unassigns a role identified by `roleId` from a user identified by `userId`
+ summary: Unassign a user role
+ description: Unassigns a role assignment (identified by `roleAssignmentId`) from a user (identified by `userId`)
operationId: unassignRoleFromUser
responses:
'204':
@@ -16191,14 +23239,121 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleAssignment
- /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps:
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/governance:
+ parameters:
+ - $ref: '#/components/parameters/pathUserId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ get:
+ summary: Retrieve all User Role Governance Sources
+ description: Retrieves the governance sources of a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`)
+ operationId: getUserAssignedRoleGovernance
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RoleGovernance'
+ examples:
+ Example Response:
+ $ref: '#/components/examples/GetUseRoleGovernanceResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}:
+ parameters:
+ - $ref: '#/components/parameters/pathUserId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ - $ref: '#/components/parameters/pathGrantId'
+ get:
+ summary: Retrieve a User Role Governance Source
+ description: Retrieves a Governance Source (identified by `grantId`) for a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`)
+ operationId: getRoleAssignmentGovernanceGrant
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RoleGovernanceSource'
+ examples:
+ Example Response:
+ $ref: '#/components/examples/GetRoleAssignmentGovernanceGrantResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}/resources:
+ parameters:
+ - $ref: '#/components/parameters/pathUserId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ - $ref: '#/components/parameters/pathGrantId'
+ get:
+ summary: Retrieve the User Role Governance Source Resources
+ description: Retrieves the resources of a Governance Source (identified by `grantId`) for a Role (identified by `roleAssignmentId`) that's assigned to a User (identified by `userId`)
+ operationId: getRoleAssignmentGovernanceGrantResources
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RoleGovernanceResources'
+ examples:
+ Example Response:
+ $ref: '#/components/examples/GetRoleAssignmentGovernanceGrantResources'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - RoleAssignmentAUser
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps:
parameters:
- $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
get:
- summary: List all Application Targets for Application Administrator Role
- description: Lists all App targets for an `APP_ADMIN` Role assigned to a User. This methods return list may include full Applications or Instances. The response for an instance will have an `ID` value, while Application will not have an ID.
+ summary: List all admin role application targets
+ description: Lists all app targets for an `APP_ADMIN` role assigned to a user. The response is a list that includes OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app payload doesn't.
operationId: listApplicationTargetsForApplicationAdministratorRoleForUser
parameters:
- name: after
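Review bot: The three new governance operations (L66181–L66184, L66216–L66219, L66251–L66254) set `lifecycle: GA` together with `isGenerallyAvailable: false` and `SKUs: []`, whereas every other `x-okta-lifecycle` block in this file pairs `GA` with `isGenerallyAvailable: true` and reserves `false` for `LIMITED_GA`. One of the two values is wrong: if these endpoints are still gated, `lifecycle: LIMITED_GA` with the SKU list filled in matches the convention used for `/risk`; otherwise set `isGenerallyAvailable: true` and drop the empty `SKUs`. The example ref `GetUseRoleGovernanceResponse` at L66168 also reads like a typo for `GetUserRoleGovernanceResponse`; it only resolves if the components key is spelled the same way.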
@@ -16231,10 +23386,13 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleTarget
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
- summary: Assign all Apps as Target to Role
- description: Assigns all Apps as Target to Role
+ summary: Assign all apps as target to role
+ description: Assigns all apps as target to role
operationId: assignAllAppsAsTargetToRoleForUser
responses:
'200':
@@ -16251,15 +23409,21 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
- /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}:
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
- $ref: '#/components/parameters/pathAppName'
put:
- summary: Assign an Application Target to Administrator Role
- description: Assigns an application target to administrator role
+ summary: Assign an admin role application target
+ description: |
+ Assigns an OIN app target for an `APP_ADMIN` role assignment to an admin user. When you assign the first app target, you reduce the scope of the role assignment.
+ The role no longer applies to all app targets, but applies only to the specified target. Assigning an OIN app target overrides any existing app instance targets of the OIN app.
+ For example, if a user was assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances.
operationId: assignAppTargetToAdminRoleForUser
responses:
'204':
@@ -16276,10 +23440,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign an Application Target from an Application Administrator Role
- description: Unassigns an application target from application administrator role
+ summary: Unassign an admin role application target
+ description: |
+ Unassigns an OIN app target from an `APP_ADMIN` role assignment to an admin user.
+
+ > **Note:** You can't remove the last OIN app target from a role assignment since this causes an exception.
+ > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment to the user and recreate a new one.
operationId: unassignAppTargetFromAppAdminRoleForUser
responses:
'204':
@@ -16296,16 +23467,24 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
- /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{appId}:
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
- $ref: '#/components/parameters/pathAppName'
- $ref: '#/components/parameters/pathAppId'
put:
- summary: Assign an Application Instance Target to an Application Administrator Role
- description: Assigns anapplication instance target to appplication administrator role
+ summary: Assign an admin role application instance target
+ description: |
+ Assigns an app instance target to an `APP_ADMIN` role assignment to an admin user. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment.
+ The role no longer applies to all app targets, but applies only to the specified target.
+
+ > **Note:** You can target a mixture of both OIN app and app instance targets, but can't assign permissions to manage all instances of an OIN app and then assign a subset of permission to the same OIN app.
+ > For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app.
operationId: assignAppInstanceTargetToAppAdminRoleForUser
responses:
'204':
@@ -16322,10 +23501,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign an Application Instance Target from an Application Administrator Role
- description: Unassigns an application instance target from an application administrator role
+ summary: Unassign an admin role application instance target
+ description: |-
+ Unassigns an app instance target from an `APP_ADMIN` role assignment to an admin user.
+
+ > **Note:** You can't remove the last app instance target from a role assignment since this causes an exception.
+ > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment and recreate a new one.
operationId: unassignAppInstanceTargetFromAdminRoleForUser
responses:
'204':
@@ -16342,14 +23528,19 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
- /api/v1/users/{userId}/roles/{roleId}/targets/groups:
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups:
parameters:
- $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
get:
- summary: List all Group Targets for Role
- description: Lists all group targets for role
+ summary: List all admin role group targets
+ description: |
+ Lists all group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user.
+ If the role isn't scoped to specific group targets, an empty array `[]` is returned.
operationId: listGroupTargetsForRole
parameters:
- name: after
@@ -16382,15 +23573,20 @@ paths:
- oauth2:
- okta.roles.read
tags:
- - RoleTarget
- /api/v1/users/{userId}/roles/{roleId}/targets/groups/{groupId}:
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- - $ref: '#/components/parameters/pathRoleId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
- $ref: '#/components/parameters/pathGroupId'
put:
- summary: Assign a Group Target to Role
- description: Assigns a Group Target to Role
+ summary: Assign an admin role group target
+ description: |
+ Assigns a group target for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user.
+ When you assign the first group target, you reduce the scope of the role assignment. The role no longer applies to all targets but applies only to the specified target.
operationId: assignGroupTargetToUserRole
responses:
'204':
@@ -16407,10 +23603,17 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
- summary: Unassign a Group Target from Role
- description: Unassigns a Group Target from Role
+ summary: Unassign an admin role group target
+ description: |
+ Unassigns a group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user.
+
+ > **Note:** You can't remove the last group target from a role assignment since this causes an exception.
+ > If you need a role assignment that applies to all groups, delete the role assignment to the user and recreate a new one.
operationId: unassignGroupTargetFromUserAdminRole
responses:
'204':
@@ -16427,13 +23630,18 @@ paths:
- oauth2:
- okta.roles.manage
tags:
- - RoleTarget
+ - RoleBTargetAdmin
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/sessions:
parameters:
- $ref: '#/components/parameters/pathUserId'
delete:
- summary: Revoke all User Sessions
- description: Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
+ summary: Revoke all User sessions
+ description: |-
+ Revokes all active Identity Provider sessions of the User. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the User.
+ > **Note:** This operation doesn't clear the sessions created for web or native apps.
operationId: revokeUserSessions
parameters:
- name: oauthTokens
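Review bot: The new description of `revokeUserSessions` says OAuth and OIDC tokens are "optionally" revoked and the added note explains that app sessions survive, but it doesn't state the default, which is exactly what matters when this endpoint is used to cut off a compromised account. Assuming the `oauthTokens` parameter (whose definition starts at L66477 and continues past the hunk) defaults to not revoking tokens, say so in the note: `> **Note:** Access and refresh tokens already issued to the User stay valid until they expire unless `oauthTokens=true` is passed.` That one sentence turns the caveat into the instruction an incident responder needs.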
@@ -16457,13 +23665,17 @@ paths:
- oauth2:
- okta.users.manage
tags:
- - User
+ - UserSessions
+ x-okta-lifecycle:
+ isCorsEnabled: true
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/subscriptions:
parameters:
- $ref: '#/components/parameters/pathUserId'
get:
- summary: List all Subscriptions for a User
- description: Lists all subscriptions available to a specified User. Returns an `AccessDeniedException` message if requests are made for another user.
+ summary: List all subscriptions for a user
+ description: Lists all subscriptions available to a specified user. Returns an `AccessDeniedException` message if requests are made for another user.
operationId: listSubscriptionsUser
parameters:
- in: path
@@ -16493,13 +23705,16 @@ paths:
- okta.users.read
tags:
- Subscription
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/subscriptions/{notificationType}:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathNotificationType'
get:
- summary: Retrieve a Subscription for a User
- description: Retrieves a subscription by `notificationType` for a specified User. Returns an `AccessDeniedException` message if requests are made for another user.
+ summary: Retrieve a subscription for a user
+ description: Retrieves a subscription by `notificationType` for a specified user. Returns an `AccessDeniedException` message if requests are made for another user.
operationId: getSubscriptionsNotificationTypeUser
parameters:
- in: path
@@ -16528,12 +23743,15 @@ paths:
- okta.users.read
tags:
- Subscription
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/subscriptions/{notificationType}/subscribe:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathNotificationType'
post:
- summary: Subscribe a User to a Specific Notification Type
+ summary: Subscribe a user to a specific notification type
description: Subscribes the current user to a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user.
operationId: subscribeByNotificationTypeUser
parameters:
@@ -16559,12 +23777,15 @@ paths:
- okta.users.manage
tags:
- Subscription
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe:
parameters:
- $ref: '#/components/parameters/pathUserId'
- $ref: '#/components/parameters/pathNotificationType'
post:
- summary: Unsubscribe a User from a Specific Notification Type
+ summary: Unsubscribe a user from a specific notification type
description: Unsubscribes the current user from a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user.
operationId: unsubscribeByNotificationTypeUser
parameters:
@@ -16590,11 +23811,14 @@ paths:
- okta.users.manage
tags:
- Subscription
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/zones:
get:
summary: List all Network Zones
description: |-
- Lists all network zones with pagination. A subset of zones can be returned that match a supported filter expression or query.
+ Lists all Network Zones with pagination. A subset of zones can be returned that match a supported filter expression or query.
This operation requires URL encoding. For example, `filter=(id eq "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3")` is encoded as `filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29`.
@@ -16603,24 +23827,24 @@ paths:
parameters:
- name: after
in: query
- description: Specifies the pagination cursor for the next page of network zones
- example: 200u7yq5goxNFTiMjW1d7
schema:
type: string
+ description: Specifies the pagination cursor for the next page of Network Zones
+ example: BlockedIpZones
- name: limit
in: query
- description: Specifies the number of results for a page
- example: 5
schema:
type: integer
+ description: Specifies the number of results for a page
format: int32
+ example: 5
default: -1
- name: filter
in: query
- description: Filters zones by usage or ID expression
- example: filter=%28id+eq+%22nzowc1U5Jh5xuAK0o0g3%22%29
schema:
type: string
+ description: Filters zones by usage or ID expression
+ example: id eq "nzowc1U5Jh5xuAK0o0g3"
responses:
'200':
description: Success
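Review bot: The `after` parameter's example was changed to `BlockedIpZones`, which reads as a zone name, while its description still calls it a pagination cursor, so it may be copied as a name rather than a cursor. Either restore an opaque-looking value or use an id in the format the operation's own description shows, e.g. `example: nzoul0wf9jyb8xwZm0g3`, and if the cursor is genuinely opaque say so in the description. Note also that `description` and `example` for `after`, `limit` and `filter` now appear after `schema:`; the diff's flattened indentation does not show whether they are parameter-level or Schema Object fields, so please confirm the intended nesting renders the same in the generated docs. The `limit` parameter's `default: -1` is unchanged but remains unexplained for an `int32` page size.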
@@ -16645,12 +23869,16 @@ paths:
- okta.networkZones.read
tags:
- NetworkZone
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create a Network Zone
description: |-
- Creates a new network zone.
- * At least one of either the `gateways` attribute or `proxies` attribute must be defined when creating a Network Zone.
- * At least one of the following attributes must be defined: `proxyType`, `locations`, or `asns`.
+ Creates a Network Zone
+ * For an IP Network Zone, you must define either `gateways` or `proxies`.
+ * For a Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `proxyType`.
+ * For an Enhanced Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `ipServiceCategories`.
operationId: createNetworkZone
x-codegen-request-body-name: zone
requestBody:
@@ -16663,6 +23891,8 @@ paths:
$ref: '#/components/examples/CreateIPPolicyNetworkZone'
CreateIPPolicyBlocklistNetworkZone:
$ref: '#/components/examples/CreateIPPolicyBlockListNetworkZone'
+ CreateEDNetworkZone:
+ $ref: '#/components/examples/CreateEDNZRequest'
required: true
responses:
'200':
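Review bot: The new request example key `CreateEDNetworkZone` refers to `#/components/examples/CreateEDNZRequest`, whereas the neighbouring keys mirror their component names (`CreateIPPolicyNetworkZone` → `CreateIPPolicyNetworkZone`, `CreateIPPolicyBlocklistNetworkZone` → `CreateIPPolicyBlockListNetworkZone`). Naming the component `CreateEDNetworkZoneRequest`, or the key `CreateEDNZ`, keeps the key/component pairing greppable; the same applies to the response example added in the next hunk (`CreateEDNZResponse`). The `components` section is outside this view, so I cannot confirm the target example exists.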
@@ -16676,8 +23906,10 @@ paths:
$ref: '#/components/examples/CreateIPPolicyNetworkZoneResponse'
CreateIPPolicyBlocklistNetworkZone:
$ref: '#/components/examples/CreateIPPolicyBlockListNetworkZoneResponse'
+ CreateEDNetworkZone:
+ $ref: '#/components/examples/CreateEDNZResponse'
'400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
+ $ref: '#/components/responses/NzErrorApiValidationFailed400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'429':
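Review bot: The `400` response for `createNetworkZone` now points at `#/components/responses/NzErrorApiValidationFailed400`, and the later hunks for `getNetworkZone`, `replaceNetworkZone`, `deleteNetworkZone`, `activateNetworkZone` and `deactivateNetworkZone` switch their `400`/`404` responses to `NzErrorApiValidationFailed400` / `NzErrorResourceNotFound404` in the same way. The `components` section is not in this view, so please confirm both response components are defined in the new file; an unresolved `$ref` is a hard failure for most OpenAPI validators and SDK generators. If the only difference from the shared `ErrorApiValidationFailed400` / `ErrorResourceNotFound404` is the example payload, a short comment on the component explaining why Network Zones get a dedicated variant would help future maintainers.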
@@ -16688,12 +23920,15 @@ paths:
- okta.networkZones.manage
tags:
- NetworkZone
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/zones/{zoneId}:
parameters:
- $ref: '#/components/parameters/pathZoneId'
get:
summary: Retrieve a Network Zone
- description: Retrieves a network zone by `zoneId`
+ description: Retrieves a Network Zone by `zoneId`
operationId: getNetworkZone
responses:
'200':
@@ -16707,10 +23942,12 @@ paths:
$ref: '#/components/examples/RetrieveNetworkZoneIP'
RetrieveNetworkZoneDynamic:
$ref: '#/components/examples/RetrieveNetworkZoneDynamic'
+ RetrieveNetworkZoneEnhancedDynamic:
+ $ref: '#/components/examples/CreateEDNZResponse'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
+ $ref: '#/components/responses/NzErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
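Review bot: The new `RetrieveNetworkZoneEnhancedDynamic` example for `getNetworkZone` points at `#/components/examples/CreateEDNZResponse`, the create operation's response example, while the sibling keys `RetrieveNetworkZoneIP` and `RetrieveNetworkZoneDynamic` each have their own `RetrieveNetworkZone*` component. If the retrieve payload is identical to the create response the reuse is harmless, but a dedicated `RetrieveNetworkZoneEnhancedDynamic` component, or a rename of the shared one to a neutral name such as `EnhancedDynamicNetworkZoneResponse`, keeps the retrieve examples consistent and avoids a create-specific example drifting under the retrieve operation later.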
@@ -16719,11 +23956,14 @@ paths:
- okta.networkZones.read
tags:
- NetworkZone
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace a Network Zone
description: |-
- Replaces a network zone by `zoneId`. The replaced network zone type must be the same as the existing type.
- You may replace the usage (`POLICY`, `BLOCKLIST`) of a network zone by updating the `usage` attribute.
+ Replaces a Network Zone by `zoneId`. The replaced Network Zone type must be the same as the existing type.
+ You can replace the usage (`POLICY`, `BLOCKLIST`) of a Network Zone by updating the `usage` attribute.
operationId: replaceNetworkZone
x-codegen-request-body-name: zone
requestBody:
@@ -16746,11 +23986,11 @@ paths:
ReplaceNetworkZone:
$ref: '#/components/examples/ReplaceNetworkZoneResponse'
'400':
- $ref: '#/components/responses/ErrorApiValidationFailed400'
+ $ref: '#/components/responses/NzErrorApiValidationFailed400'
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
+ $ref: '#/components/responses/NzErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
@@ -16759,9 +23999,16 @@ paths:
- okta.networkZones.manage
tags:
- NetworkZone
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete a Network Zone
- description: Deletes network zone by `zoneId`
+ description: |-
+ Deletes a Network Zone by `zoneId`
+ > **Notes:**
+ > * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules).
+ > * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`.
operationId: deleteNetworkZone
responses:
'204':
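Review bot: The two links in the new `deleteNetworkZone` notes are absolute `https://developer.okta.com/docs/api/openapi/...` URLs, while other new descriptions in this change use root-relative paths of the form `/openapi/okta-management/management/tag/...`, for example the Create a Role Resource Set Binding link in the `assignRoleToClient` description. Using the same form here, `[Policy](/openapi/okta-management/management/tag/Policy/)`, keeps the docs portable across hosts; I am assuming the relative form is the intended convention since it appears in the newer text. The note itself is valuable: refusing to delete a zone that a Policy or Rule still references prevents an access rule from being silently weakened.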
@@ -16770,7 +24017,7 @@ paths:
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
+ $ref: '#/components/responses/NzErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
@@ -16779,12 +24026,15 @@ paths:
- okta.networkZones.manage
tags:
- NetworkZone
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/zones/{zoneId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathZoneId'
post:
summary: Activate a Network Zone
- description: Activates a network zone by `zoneId`
+ description: Activates a Network Zone by `zoneId`
operationId: activateNetworkZone
responses:
'200':
@@ -16799,7 +24049,7 @@ paths:
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
+ $ref: '#/components/responses/NzErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
@@ -16808,12 +24058,15 @@ paths:
- okta.networkZones.manage
tags:
- NetworkZone
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/api/v1/zones/{zoneId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathZoneId'
post:
summary: Deactivate a Network Zone
- description: Deactivates a network zone by `zoneId`
+ description: Deactivates a Network Zone by `zoneId`
operationId: deactivateNetworkZone
responses:
'200':
@@ -16828,7 +24081,7 @@ paths:
'403':
$ref: '#/components/responses/ErrorAccessDenied403'
'404':
- $ref: '#/components/responses/ErrorResourceNotFound404'
+ $ref: '#/components/responses/NzErrorResourceNotFound404'
'429':
$ref: '#/components/responses/ErrorTooManyRequests429'
security:
@@ -16837,6 +24090,80 @@ paths:
- okta.networkZones.manage
tags:
- NetworkZone
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /attack-protection/api/v1/authenticator-settings:
+ get:
+ summary: Retrieve the Authenticator Settings
+ description: Retrieves the Authenticator Settings for an org
+ operationId: getAuthenticatorSettings
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.read
+ tags:
+ - AttackProtection
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ put:
+ summary: Replace the Authenticator Settings
+ description: Replaces the Authenticator Settings for an org
+ operationId: replaceAuthenticatorSettings
+ x-codegen-request-body-name: authenticatorSettings
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings'
+ required: true
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Access Denied:
+ $ref: '#/components/examples/ErrorAccessDenied'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - AttackProtection
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/attack-protection/api/v1/user-lockout-settings:
get:
summary: Retrieve the User Lockout Settings
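Review bot: The `getAuthenticatorSettings` `200` response is declared as `type: array` of `AttackProtectionAuthenticatorSettings`, but the sibling `replaceAuthenticatorSettings` on the same path accepts and returns a single `AttackProtectionAuthenticatorSettings` object; a GET that returns a list where the PUT replaces one object looks like a spec error, and generated SDKs will expose mismatched types for the same resource. If the resource is a single settings object, the GET schema should be `$ref: '#/components/schemas/AttackProtectionAuthenticatorSettings'` directly. Separately, the PUT's `403` is spelled out inline with an `Access Denied` example while the GET uses `$ref: '#/components/responses/ErrorAccessDenied403'`; using the shared response in both keeps the error surface uniform. The enclosing `paths` object continues beyond this hunk.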
@@ -16861,6 +24188,9 @@ paths:
- okta.orgs.read
tags:
- AttackProtection
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
put:
summary: Replace the User Lockout Settings
description: Replaces the User Lockout Settings for an org
@@ -16898,6 +24228,147 @@ paths:
- okta.orgs.manage
tags:
- AttackProtection
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /device-access/api/v1/desktop-mfa/enforce-number-matching-challenge-settings:
+ get:
+ summary: Retrieve the Desktop MFA Enforce Number Matching Challenge Org Setting
+ description: Retrieves the status of the Desktop MFA Enforce Number Matching Challenge push notifications feature. That is, whether or not the feature is enabled for your org.
+ operationId: getDesktopMFAEnforceNumberMatchingChallengeOrgSetting
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.read
+ tags:
+ - DeviceAccess
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ put:
+ summary: Replace the Desktop MFA Enforce Number Matching Challenge Org Setting
+ description: Replaces the status of the Desktop MFA Enforce Number Matching Challenge push notifications feature. That is, whether or not the feature is enabled for your org.
+ operationId: replaceDesktopMFAEnforceNumberMatchingChallengeOrgSetting
+ x-codegen-request-body-name: DesktopMFAEnforceNumberMatchingChallengeOrgSetting
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting'
+ required: true
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Access Denied:
+ $ref: '#/components/examples/ErrorAccessDenied'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - DeviceAccess
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /device-access/api/v1/desktop-mfa/recovery-pin-settings:
+ get:
+ summary: Retrieve the Desktop MFA Recovery PIN Org setting
+ description: Retrieves the status of the Desktop MFA Recovery PIN feature. That is, whether or not the feature is enabled for your org.
+ operationId: getDesktopMFARecoveryPinOrgSetting
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.read
+ tags:
+ - DeviceAccess
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ put:
+ summary: Replace the Desktop MFA Recovery PIN Org Setting
+ description: Replaces the Desktop MFA Recovery PIN feature for your org
+ operationId: replaceDesktopMFARecoveryPinOrgSetting
+ x-codegen-request-body-name: DesktopMFARecoveryPinOrgSetting
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting'
+ required: true
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Access Denied:
+ $ref: '#/components/examples/ErrorAccessDenied'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.orgs.manage
+ tags:
+ - DeviceAccess
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
/integrations/api/v1/api-services:
get:
summary: List all API Service Integration instances
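Review bot: The `x-codegen-request-body-name` values for the two Desktop MFA `put` operations are PascalCase (`DesktopMFAEnforceNumberMatchingChallengeOrgSetting`, `DesktopMFARecoveryPinOrgSetting`), whereas the other operations in this change use camelCase (`authenticatorSettings`, `zone`); since this key names the generated method parameter, the casing leaks into every SDK. Using `desktopMFAEnforceNumberMatchingChallengeOrgSetting` and `desktopMFARecoveryPinOrgSetting` keeps generated signatures consistent. The `replaceDesktopMFARecoveryPinOrgSetting` description, `Replaces the Desktop MFA Recovery PIN feature for your org`, also reads as if it replaces the feature rather than its enablement status; mirroring the GET wording, `Replaces the status of the Desktop MFA Recovery PIN feature. That is, whether or not the feature is enabled for your org.`, would be clearer. Both PUTs also inline their `403` response rather than using the shared `ErrorAccessDenied403` component that the GETs use.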
@@ -16929,6 +24400,9 @@ paths:
- okta.oauthIntegrations.read
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an API Service Integration instance
description: Creates and authorizes an API Service Integration instance
@@ -16964,6 +24438,9 @@ paths:
- apiToken: []
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/integrations/api/v1/api-services/{apiServiceId}:
parameters:
- $ref: '#/components/parameters/pathApiServiceId'
@@ -16995,6 +24472,9 @@ paths:
- okta.oauthIntegrations.read
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
delete:
summary: Delete an API Service Integration instance
description: Deletes an API Service Integration instance by `id`. This operation also revokes access to scopes that were previously granted to this API Service Integration instance.
@@ -17016,6 +24496,9 @@ paths:
- okta.oauthIntegrations.manage
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/integrations/api/v1/api-services/{apiServiceId}/credentials/secrets:
parameters:
- $ref: '#/components/parameters/pathApiServiceId'
@@ -17049,6 +24532,9 @@ paths:
- okta.oauthIntegrations.read
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
post:
summary: Create an API Service Integration instance Secret
description: Creates an API Service Integration instance Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects.
@@ -17077,6 +24563,9 @@ paths:
- okta.oauthIntegrations.manage
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}:
parameters:
- $ref: '#/components/parameters/pathApiServiceId'
@@ -17102,6 +24591,9 @@ paths:
- okta.oauthIntegrations.manage
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/activate:
parameters:
- $ref: '#/components/parameters/pathApiServiceId'
@@ -17134,6 +24626,9 @@ paths:
- okta.oauthIntegrations.manage
tags:
- ApiServiceIntegrations
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
/integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/deactivate:
parameters:
- $ref: '#/components/parameters/pathApiServiceId'
@@ -17166,4089 +24661,20534 @@ paths:
- okta.oauthIntegrations.manage
tags:
- ApiServiceIntegrations
-components:
- examples:
- APIDevicesListAllResponse:
- summary: Response example
- value:
- - id: guo4a5u7YAHhjXrMK0g4
- status: CREATED
- created: '2019-10-02T18:03:07.000Z'
- lastUpdated: '2019-10-02T18:03:07.000Z'
- profile:
- displayName: Example Device name 1
- platform: WINDOWS
- serialNumber: XXDDRFCFRGF3M8MD6D
- sid: S-1-11-111
- registered: true
- secureHardwarePresent: false
- diskEncryptionType: ALL_INTERNAL_VOLUMES
- resourceType: UDDevice
- resourceDisplayName:
- value: Example Device name 1
- sensitive: false
- resourceAlternateId: null
- resourceId: guo4a5u7YAHhjXrMK0g4
- _links:
- activate:
- href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate
- hints:
- allow:
- - POST
- self:
- href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4
- hints:
- allow:
- - GET
- - PATCH
- - PUT
- users:
- href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users
- hints:
- allow:
- - GET
- - id: guo4a5u7YAHhjXrMK0g5
- status: ACTIVE
- created: '2023-06-21T23:24:02.000Z'
- lastUpdated: '2023-06-21T23:24:02.000Z'
- profile:
- displayName: Example Device name 2
- platform: ANDROID
- manufacturer: Google
- model: Pixel 6
- osVersion: 13:2023-05-05
- registered: true
- secureHardwarePresent: true
- diskEncryptionType: USER
- resourceType: UDDevice
- resourceDisplayName:
- value: Example Device name 2
- sensitive: false
- resourceAlternateId: null
- resourceId: guo4a5u7YAHhjXrMK0g5
- _links:
- activate:
- href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate
- hints:
- allow:
- - POST
- self:
- href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5
- hints:
- allow:
- - GET
- - PATCH
- - PUT
- users:
- href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users
- hints:
- allow:
- - GET
- APIDevicesListAllUsersResponse:
- summary: Response example
- value:
- created: '2021-08-20T17:13:35.000Z'
- managementStatus: NOT_MANAGED
- screenLockType: BIOMETRIC
- user:
- id: 00u17vh0q8ov8IU881d7
- status: ACTIVE
- created: '2021-08-20T16:08:25.000Z'
- activated: null
- statusChanged: '2021-08-20T16:39:41.000Z'
- lastLogin: '2023-04-18T17:54:12.000Z'
- lastUpdated: '2021-12-20T18:27:30.000Z'
- passwordChanged: '2021-12-20T18:27:30.000Z'
- type:
- id: oty17vh0n2EHVnbYF1d7
- profile:
- firstName: Bunk
- lastName: Moreland
- mobilePhone: null
- secondEmail: null
- login: bunk.moreland@example.com
- email: bunk.moreland@example.com
- credentials:
- password: null
- provider:
- type: OKTA
- name: OKTA
- _links:
- suspend:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend
- method: POST
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7
- resetPassword:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password
- method: POST
- forgotPassword:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password
- method: POST
- expirePassword:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password
- method: POST
- changeRecoveryQuestion:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question
- method: POST
- self:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7
- resetFactors:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors
- method: POST
- type:
- href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7
- changePassword:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password
- method: POST
- deactivate:
- href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate
- method: POST
- APIServiceIntegrationInstanceSecretListResponse:
- summary: Secrets list response example
- value:
- - id: ocs2f4zrZbs8nUa7p0g4
- status: INACTIVE
- client_secret: '***DhOW'
- secret_hash: yk4SVx4sUWVJVbHt6M-UPA
- created: '2023-02-21T20:08:24.000Z'
- lastUpdated: '2023-02-21T20:08:24.000Z'
- _links:
- activate:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
- hints:
- allow:
- - POST
- delete:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
- hints:
- allow:
- - DELETE
- - id: ocs2f50kZB0cITmYU0g4
- status: ACTIVE
- client_secret: '***MQGQ'
- secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
- created: '2023-04-06T21:32:33.000Z'
- lastUpdated: '2023-04-06T21:32:33.000Z'
- _links:
- deactivate:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
- hints:
- allow:
- - POST
- APIServiceIntegrationListResponse:
- summary: List response example
- value:
- - id: 0oa72lrepvp4WqEET1d9
- type: my_app_cie
- name: My App Cloud Identity Engine
- createdAt: '2023-02-21T20:08:24.000Z'
- createdBy: 00uu3u0ujW1P6AfZC2d5
- configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
- grantedScopes:
- - okta.logs.read
- - okta.groups.read
- - okta.users.read
- _links:
- self:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
- hints:
- allow:
- - GET
- - DELETE
- client:
- href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
- hints:
- allow:
- - GET
- logo:
- name: small
- href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
- APIServiceIntegrationResponse:
- summary: Response example
- value:
- id: 0oa72lrepvp4WqEET1d9
- type: my_app_cie
- name: My App Cloud Identity Engine
- createdAt: '2023-02-21T20:08:24.000Z'
- createdBy: 00uu3u0ujW1P6AfZC2d5
- configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
- grantedScopes:
- - okta.logs.read
- - okta.groups.read
- - okta.users.read
- _links:
- self:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
- hints:
- allow:
- - GET
- - DELETE
- client:
- href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
- hints:
- allow:
- - GET
- logo:
- name: small
- href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
- ActivateNetworkZone:
- summary: Activated Network Zone response
- value:
- type: IP
- id: nzowc1U5Jh5xuAK0o0g3
- name: LegacyIpZone
- status: ACTIVE
- usage: POLICY
- created: '2019-05-17T18:44:31.000Z'
- lastUpdated: '2019-05-21T13:50:49.000Z'
- system: true
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- proxies:
- - type: RANGE
- value: 3.3.4.5-3.3.4.15
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
- hints:
- allow:
- - POST
- AddMappingBody:
- summary: Update an existing profile mapping by adding one or more properties
- value:
- properties:
- additionalProperties:
- fullName:
- expression: user.firstName + user.lastName
- pushStatus: PUSH
- nickName:
- expression: user.nickName
- pushStatus: PUSH
- AddMappingResponse:
- summary: Update an existing profile mapping by adding one or more properties
- value:
- id: prm1k47ghydIQOTBW0g4
- source:
- id: otysbePhQ3yqt4cVv0g3
- name: user
- type: user
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
- target:
- id: 0oa1qmn4LZQQEH0wZ0g4
- name: okta_org2org
- type: appuser
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /integrations/api/v1/submissions/{submissionId}:
+ parameters:
+ - $ref: '#/components/parameters/pathSubmissionId'
+ /integrations/api/v1/submissions/{submissionId}/submit:
+ parameters:
+ - $ref: '#/components/parameters/pathSubmissionId'
+ /integrations/api/v1/submissions/{submissionId}/testing:
+ parameters:
+ - $ref: '#/components/parameters/pathSubmissionId'
+ /oauth2/v1/clients/{clientId}/roles:
+ parameters:
+ - $ref: '#/components/parameters/pathClientId'
+ get:
+ summary: List all Client Role Assignments
+ description: Lists all roles assigned to a Client Application identified by `clientId`
+ operationId: listRolesForClient
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Roles:
+ $ref: '#/components/examples/StandardRolesListResponseClient'
+ Custom Roles:
+ $ref: '#/components/examples/CustomRolesListResponseClient'
+ IAM-based Standard Roles:
+ $ref: '#/components/examples/IAMStandardRolesListResponseClient'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - RoleAssignmentClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Assign a Client Role
+ description: |-
+ Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a Client Application.
+
+ You can also assign a custom role to a Client Application, but the preferred method to assign a custom role to a client is to create a binding between the Custom Role, the Resource Set, and the Client Application. See [Create a Role Resource Set Binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding).
+
+ > **Notes:**
+ > * The request payload is different for standard and custom role assignments.
+ > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response.
+ operationId: assignRoleToClient
+ requestBody:
+ required: true
+ content:
+ application/json:
schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
- properties:
- fullName:
- expression: user.firstName + user.lastName
- pushStatus: PUSH
- nickName:
- expression: user.nickName
- pushStatus: PUSH
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
- ApiTokenListMetadataResponse:
- value:
- - name: My API Token
- userId: 00uabcdefg1234567890
- tokenWindow: P30D
- id: 00Tabcdefg1234567890
- clientName: Okta API
- expiresAt: 2021-12-11T20:38:10.000Z
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
- hints:
- allow:
+ oneOf:
+ - $ref: '#/components/schemas/StandardRoleAssignmentSchema'
+ - $ref: '#/components/schemas/CustomRoleAssignmentSchema'
+ examples:
+ Standard Role:
+ $ref: '#/components/examples/StandardRoleAssignmentRequest'
+ Custom Role Assignment:
+ $ref: '#/components/examples/CustomRoleAssignmentRequest'
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Role:
+ $ref: '#/components/examples/StandardRoleResponseClient'
+ Custom Role Assignment:
+ $ref: '#/components/examples/CustomRoleResponseClient'
+ IAM-based Role Assignment:
+ $ref: '#/components/examples/IAMStandardRolesListResponseClient'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleAssignmentClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}:
+ parameters:
+ - $ref: '#/components/parameters/pathClientId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ get:
+ summary: Retrieve a Client Role
+ description: Retrieves a Role Assignment (identified by `roleAssignmentId`) for a Client Application (identified by `clientId`)
+ operationId: retrieveClientRole
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/StandardRole'
+ - $ref: '#/components/schemas/CustomRole'
+ examples:
+ Standard Role:
+ $ref: '#/components/examples/StandardRoleResponseClient'
+ Custom Role Assignment:
+ $ref: '#/components/examples/CustomRoleResponseClient'
+ IAM-based Standard Role Assignment:
+ $ref: '#/components/examples/IAMStandardRoleResponseClient'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - RoleAssignmentClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Unassign a Client Role
+ description: Unassigns a Role Assignment (identified by `roleAssignmentId`) from a Client Application (identified by `clientId`)
+ operationId: deleteRoleFromClient
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleAssignmentClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps:
+ parameters:
+ - $ref: '#/components/parameters/pathClientId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ get:
+ summary: List all Client Role Application Targets
+ description: Lists all OIN app targets for an `APP_ADMIN` Role that's assigned to a client Application (by `clientId`).
+ operationId: listAppTargetRoleToClient
+ parameters:
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/CatalogApplication'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}:
+ parameters:
+ - $ref: '#/components/parameters/pathClientId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ - $ref: '#/components/parameters/pathAppName'
+ put:
+ summary: Assign a Client Role Application Target
+ description: |-
+ Assigns an OIN app target for an `APP_ADMIN` Role Assignment to a client Application. When you assign an app target from the OIN catalog, you reduce the scope of the Role Assignment.
+ The Role applies to only app instances that are included in the specified OIN app target.
+
+ An assigned OIN app target overrides any existing app instance targets.
+ For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances.
+ operationId: assignAppTargetRoleToClient
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Unassign a Client Role Application Target
+ description: |-
+ Unassigns an OIN app target for a Role Assignment to a client Application
+
+ > **Note:** You can't remove the last OIN app target from a Role Assignment since operation causes an exception.
+ > If you need a Role assignment that applies to all apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient).
+ operationId: removeAppTargetRoleFromClient
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}:
+ parameters:
+ - $ref: '#/components/parameters/pathClientId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ - $ref: '#/components/parameters/pathAppName'
+ - $ref: '#/components/parameters/pathAppId'
+ put:
+ summary: Assign a Client Role Application Instance Target
+ description: |-
+ Assigns an app instance target to an `APP_ADMIN` Role Assignment to a client Application. When you assign the first OIN app or app instance target, you reduce the scope of the Role Assignment.
+ The Role no longer applies to all app targets, but applies only to the specified target.
+
+ > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app.
+ For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage only specific configurations of the Salesforce app.
+ operationId: assignAppTargetInstanceRoleForClient
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Unassign a Client Role Application Instance Target
+ description: |-
+ Unassigns an OIN app instance target from a Role Assignment to a client Application
+
+ > **Note:** You can't remove the last app instance target from a Role Assignment since this causes an exception.
+ > If you need a Role Assignment that applies to all the apps, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient).
+ operationId: removeAppTargetInstanceRoleForClient
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups:
+ parameters:
+ - $ref: '#/components/parameters/pathClientId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ get:
+ summary: List all Client Role Group Targets
+ description: Lists all Group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client. If the Role isn't scoped to specific Group targets, an empty array `[]` is returned.
+ operationId: listGroupTargetRoleForClient
+ parameters:
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/Group'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.read
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}:
+ parameters:
+ - $ref: '#/components/parameters/pathClientId'
+ - $ref: '#/components/parameters/pathRoleAssignmentId'
+ - $ref: '#/components/parameters/pathGroupId'
+ put:
+ summary: Assign a Client Role Group Target
+ description: Assigns a Group target to a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client Application. When you assign the first Group target, you reduce the scope of the Role Assignment. The Role no longer applies to all targets, but applies only to the specified target.
+ operationId: assignGroupTargetRoleForClient
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Unassign a Client Role Group Target
+ description: |-
+ Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` Role Assignment to a client Application.
+
+ > **Note:** You can't remove the last Group target from a Role Assignment, as it causes an exception. If you need a Role Assignment that applies to all Groups, delete the Role Assignment and recreate a new one. See [Unassign a Client Role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient).
+ operationId: removeGroupTargetRoleFromClient
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.roles.manage
+ tags:
+ - RoleBTargetClient
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /okta-personal-settings/api/v1/edit-feature:
+ put:
+ summary: Replace the Okta Personal admin settings
+ description: Replaces Okta Personal admin settings in a Workforce org
+ operationId: replaceOktaPersonalAdminSettings
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OktaPersonalAdminFeatureSettings'
+ examples:
+ exampleSettings:
+ $ref: '#/components/examples/editFeatureExample'
+ required: true
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '401':
+ $ref: '#/components/responses/Error-FF-NotEnabled-Response-401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.personal.adminSettings.manage
+ tags:
+ - OktaPersonalSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /okta-personal-settings/api/v1/export-blocklists:
+ get:
+ summary: List all blocked email domains
+ description: Lists all blocked email domains which are excluded from app migration
+ operationId: listPersonalAppsExportBlockList
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PersonalAppsBlockList'
+ examples:
+ exampleSettings:
+ $ref: '#/components/examples/getBlockListExample'
+ '401':
+ $ref: '#/components/responses/Error-FF-NotEnabled-Response-401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.personal.adminSettings.read
+ tags:
+ - OktaPersonalSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the blocked email domains
+ description: Replaces the list of blocked email domains which are excluded from app migration
+ operationId: replaceBlockedEmailDomains
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PersonalAppsBlockList'
+ examples:
+ exampleSettings:
+ $ref: '#/components/examples/getBlockListExample'
+ required: true
+ responses:
+ '204':
+ description: No Content
+ content: {}
+ '401':
+ $ref: '#/components/responses/Error-FF-NotEnabled-Response-401'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.personal.adminSettings.manage
+ tags:
+ - OktaPersonalSettings
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ /privileged-access/api/v1/accounts/{id}:
+ parameters:
+ - $ref: '#/components/parameters/privilegedAccountId'
+ /privileged-access/api/v1/resources/{id}:
+ parameters:
+ - $ref: '#/components/parameters/privilegedResourceId'
+ /privileged-access/api/v1/resources/{id}/claim:
+ parameters:
+ - $ref: '#/components/parameters/privilegedResourceId'
+ /privileged-access/api/v1/resources/{id}/rotate-password:
+ parameters:
+ - $ref: '#/components/parameters/privilegedResourceId'
+ /security/api/v1/security-events:
+ post:
+ summary: Publish a Security Event Token
+ description: Publishes a Security Event Token (SET) sent by a Security Events Provider. After the token is verified, Okta ingests the event and performs any appropriate action.
+ operationId: publishSecurityEventTokens
+ x-codegen-request-body-name: Security Event Token
+ requestBody:
+ required: true
+ description: |
+ The request body is a signed [SET](https://datatracker.ietf.org/doc/html/rfc8417), which is a type of JSON Web Token (JWT).
+
+ For SET JWT header and body descriptions, see [SET JWT header](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtHeader) and [SET JWT body payload](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtBody).
+ content:
+ application/secevent+jwt:
+ schema:
+ type: string
+ examples:
+ SET:
+ value: eyJraWQiOiJzYW1wbGVfa2lkIiwidHlwIjoic2ZXZlbnQra ... mrtmw
+ responses:
+ '202':
+ description: Accepted
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SecurityEventTokenError'
+ security: []
+ tags:
+ - SSFSecurityEventToken
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /webauthn-registration/api/v1/activate:
+ post:
+ summary: Activate a Preregistered WebAuthn Factor
+ description: Activates a preregistered WebAuthn Factor. As part of this operation, Okta first decrypts and verifies the Factor PIN and enrollment data sent by the fulfillment provider.
+ operationId: activatePreregistrationEnrollment
+ x-codegen-request-body-name: body
+ requestBody:
+ description: Enrollment Activation Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EnrollmentActivationRequest'
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EnrollmentActivationResponse'
+ '400':
+ description: PIN or Cred Requests Generation Failed
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ NoDisable:
+ $ref: '#/components/examples/ErrorPinOrCredResponsesProcessingFailure'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.manage
+ tags:
+ - WebAuthnPreregistration
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /webauthn-registration/api/v1/enroll:
+ post:
+ summary: Enroll a Preregistered WebAuthn Factor
+ description: Enrolls a preregistered WebAuthn Factor. This WebAuthn Factor has a longer challenge timeout period to accommodate the fulfillment request process. As part of this operation, Okta generates EC key-pairs used to encrypt the Factor PIN and enrollment data sent by the fulfillment provider.
+ operationId: enrollPreregistrationEnrollment
+ x-codegen-request-body-name: body
+ requestBody:
+ description: Enrollment Initialization Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EnrollmentInitializationRequest'
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EnrollmentInitializationResponse'
+ '400':
+ description: PIN or Cred Requests Generation Failed
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ NoDisable:
+ $ref: '#/components/examples/ErrorPinOrCredRequestsGenerationFailure'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.manage
+ tags:
+ - WebAuthnPreregistration
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /webauthn-registration/api/v1/initiate-fulfillment-request:
+ post:
+ summary: Generate a Fulfillment Request
+ description: Generates a fulfillment request by sending a WebAuthn Preregistration event to start the flow. The Okta Workflows WebAuthn preregistration integration uses this to populate the fulfillment request.
+ operationId: generateFulfillmentRequest
+ x-codegen-request-body-name: body
+ requestBody:
+ description: Fulfillment Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/FulfillmentRequest'
+ responses:
+ '204':
+ description: No Content
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.manage
+ tags:
+ - WebAuthnPreregistration
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /webauthn-registration/api/v1/send-pin:
+ post:
+ summary: Send a PIN to user
+ description: Sends the decoded PIN for the specified WebAuthn Preregistration Enrollment. PINs are sent to the user's email. To resend the PIN, call this operation again.
+ operationId: sendPin
+ x-codegen-request-body-name: body
+ requestBody:
+ description: Send PIN Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PinRequest'
+ responses:
+ '204':
+ description: No Content
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.manage
+ tags:
+ - WebAuthnPreregistration
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /webauthn-registration/api/v1/users/{userId}/enrollments:
+ parameters:
+ - $ref: '#/components/parameters/pathUserId'
+ get:
+ summary: List all WebAuthn Preregistration Factors
+ description: Lists all WebAuthn Preregistration Factors for the specified user
+ operationId: listWebAuthnPreregistrationFactors
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/WebAuthnPreregistrationFactor'
+ example:
+ - id: fwf23789dfs9asdf782
+ factorType: webauthn
+ provider: FIDO
+ vendorName: FIDO
+ fulfillmentProvider: yubico
+ status: ACTIVE
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T21:43:32.000Z'
+ profile:
+ credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ authenticatorName: YubiKey 5C
+ presetPinAvailable: true
+ _links:
+ self:
+ href: https://example.okta.com/webauthn-registration/api/v1/users/00u15s1KDETTQMQYABRL/enrollments/fwf23789dfs9asdf782
+ hints:
+ allow:
+ - DELETE
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.read
+ tags:
+ - WebAuthnPreregistration
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}:
+ parameters:
+ - $ref: '#/components/parameters/pathUserId'
+ - $ref: '#/components/parameters/authenticatorEnrollmentId'
+ delete:
+ summary: Delete a WebAuthn Preregistration Factor
+ description: Deletes a specific WebAuthn Preregistration Factor for a user
+ operationId: deleteWebAuthnPreregistrationFactor
+ responses:
+ '204':
+ description: No Content
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.users.manage
+ tags:
+ - WebAuthnPreregistration
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+x-webhooks:
+ CreateTelephonyInlineHook:
+ post:
+ summary: Create a Telephony Inline Hook
+ description: |-
+ Creates an Okta Telephony inline hook request. This is an automated request from Okta to your third-party service endpoint.
+
+ The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects,
+ which specify the Okta commands to execute.
+
+ >**Note:** The size of your response payload must be less than 256 KB.
+
+ See also:
+ * For a general introduction to Okta inline hooks, see [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/)
+ * For information on the API for registering external service endpoints with Okta, see [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/)
+ * For an example implementation of a telephony inline hook, see [Telephony inline hook ](https://developer.okta.com/docs/guides/telephony-inline-hook)
+
+ ### About
+
+ The Okta telephony inline hook allows you to integrate your own custom code into Okta flows that send SMS or voice call messages. You can integrate this hook with enrollment, authentication, and recovery flows that involve the phone authenticator. Okta uses your external provider to deliver the one-time passcode (OTP) to the Requester. The provider can respond with commands that indicate if the delivery was successful or not.
+
+ You can have only one active telephony inline hook per org.
+
+ When you create a telephony inline hook, you must include the `authScheme` parameter. See [Create inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook) and the [authScheme object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook!path=channel/0/config/authScheme&t=request)
+
+ ### Time-out behavior
+
+ If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. See [Troubleshoot](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook/#troubleshoot).
+
+ >**Note:** The failover mechanism that uses the Okta telephony providers is heavily rate-limited.
+
+ ### Troubleshoot
+
+ This section explains several common causes of failure for telephony inline hooks.
+
+ Note: Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the Troubleshooting section in the inline hooks topic for details on events captured by the Okta System Log.
+
+ | Issue | Impact | Error Visibility |
+ |-------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|-------------------------------------------|
+ |External service fails to communicate or times out | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only |
+ |External service responds with any HTTP status code besides `200` | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only |
+ |External service returns an error object | Inline hook operation fails, OTP is sent to the Requester using an Okta telephony provider | Administrators, developers, and end users |
+ |Hook response is malformed or can't be mapped to the expected API response | Inline hook operation is skipped | Administrators only |
+ |Request header doesn't include an `authScheme` | Inline hook operation is skipped | Administrators only |
+ |Response uses an invalid status | Inline hook operation is skipped | Administrators only |
+ |Operation adds an active telephony inline hook when a hook exists | Inline hook operation is skipped | Administrators only |
+ operationId: createTelephonyInlineHook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/TelephonyRequest'
+ examples:
+ TelephonyPayloadExample:
+ $ref: '#/components/examples/TelephonyPayloadExample'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TelephonyResponse'
+ examples:
+ TelephonySuccessResponse:
+ $ref: '#/components/examples/TelephonySuccessResponse'
+ TelephonyFailureResponse:
+ $ref: '#/components/examples/TelephonyFailureResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - InlineHook
+ CreatePasswordImportInlineHook:
+ post:
+ summary: Create a Password Import Inline Hook
+ description: |-
+ Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service,
+ and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects,
+ which specify the Okta commands to execute.
+
+ >**Note:** The size of your response payload must be less than 256 KB.
+
+ The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords.
+ Use this hook with the [Create user with password import inline hook flow](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) that's described in the [Users API](/openapi/okta-management/management/tag/User/).
+
+ The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid.
+
+ If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again.
+ However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in.
+ See [Password inline hook and Okta read-only mode](#password-inline-hook-and-okta-read-only-mode) and [Removing password from existing user store](#password-removal-from-an-existing-user-store).
+
+ >**Notes:**
+ > * Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements.
+ > * You can create only one password import inline hook per org.
+
+ See also:
+
+ * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks
+ * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta
+ * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console
+ * [Password import inline hook](https://developer.okta.com/docs/guides/password-import-inline-hook/nodejs/main/) for an example implementation of this inline hook
+
+ ### Enable a password import inline hook
+
+ To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type `com.okta.user.credential.password.import`.
+ You can enable the hook using the Admin Console, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) or through the [Inline Hooks management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/).
+ When creating a user with the Users API, you need to use the [Create User with password import inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) use case.
+ This involves specifying a `credentials.password.hook` property in the request body.
+
+ When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided. Your service can check
+ the credentials and respond with a command to indicate whether the credentials are valid or not.
+
+ ### Password inline hook and Okta read-only mode
+
+ If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special [read-only mode](https://support.okta.com/help/s/article/What-is-Oktas-Readonly-Mode)
+ at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again.
+
+ ### Password removal from an existing user store
+
+ Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import . An Okta System Log Event, `user.import.password`, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its `Event.Outcome` property providing a status of `FAILURE` or `SUCCESS` for the password import operation.
+ If the status is `SUCCESS`, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store.
+
+ You can configure an [Event hook](https://developer.okta.com/docs/concepts/event-hooks/) to send this event type to you for use when triggering automated cleanup of end-user
+ passwords after successful migration.
+ operationId: createPasswordImportInlineHook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/PasswordImportRequest'
+ examples:
+ PasswordImportPayloadExample:
+ $ref: '#/components/examples/PasswordImportPayloadExample'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PasswordImportResponse'
+ examples:
+ PasswordImportVerifiedResponse:
+ $ref: '#/components/examples/PasswordImportVerifiedResponse'
+ PasswordImportUnVerifiedResponse:
+ $ref: '#/components/examples/PasswordImportUnVerifiedResponse'
+ '204':
+ description: No content - Unverified user response
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - InlineHook
+ create-registration-hook:
+ post:
+ summary: Create a Registration Inline Hook
+ description: |-
+ Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service,
+ and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects,
+ which specify the Okta commands to execute.
+
+ The Okta registration inline hook allows you to integrate your own custom code into Okta's [Profile Enrollment](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-profile-enrollment) flow. The hook is triggered after Okta receives the registration or profile update request. Your custom code can:
+ - Allow or deny the registration attempt, based on your own validation of the information the user has submitted
+ - Set or override the values that are populated in attributes of the user's Okta profile
+ > **Note:** Profile Enrollment and self-service registration (SSR) inline hooks only work with the [Okta Sign-In Widget](https://developer.okta.com/code/javascript/okta_sign-in_widget/) version 4.5 or later.
+
+ See also:
+ * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks
+ * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta
+ * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console
+ * [Registration inline hook](https://developer.okta.com/docs/guides/registration-inline-hook) for an example implementation of this inline hook
+ operationId: create-registration-hook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/RegistrationInlineHookRequest'
+ examples:
+ ProfileEnrollmentRequest:
+ $ref: '#/components/examples/ProfileEnrollmentRequest'
+ ProgressiveProfileRequest:
+ $ref: '#/components/examples/ProgressiveProfileRequest'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RegistrationResponse'
+ examples:
+ ProfileEnrollmentResponse:
+ $ref: '#/components/examples/ProfileEnrollmentResponse'
+ ProgressiveProfileResponse:
+ $ref: '#/components/examples/ProgressiveProfileResponse'
+ ProfileEnrollmentResponseDeny:
+ $ref: '#/components/examples/ProfileEnrollmentResponseDeny'
+ ProgressiveProfileResponseDeny:
+ $ref: '#/components/examples/ProgressiveProfileResponseDeny'
+ '204':
+ description: No content - Allow registration to proceed without any update.
+ tags:
+ - InlineHook
+ security:
+ - apiToken: []
+ - oauth2: []
+ x-okta-no-scope-required: true
+ CreateUserImportInlineHook:
+ post:
+ summary: Create a User Import Inline Hook
+ description: |-
+ Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint.
+ This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include
+ in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.
+
+ The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes,
+ modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported,
+ at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created.
+
+ >**Note:** If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created.
+
+ See also:
+ * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks
+ * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta
+ * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console
+
+ >**Note:** The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP.
+ operationId: createUserImportInlineHook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/UserImportRequest'
+ examples:
+ UserImportPayloadExample:
+ $ref: '#/components/examples/UserImportPayloadExample'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserImportResponse'
+ examples:
+ UserImportChangeAppUserProfileExample:
+ $ref: '#/components/examples/UserImportChangeAppUserProfileExample'
+ UserImportChangeUserProfileExample:
+ $ref: '#/components/examples/UserImportChangeUserProfileExample'
+ UserImportCreateANewUserExample:
+ $ref: '#/components/examples/UserImportCreateANewUserExample'
+ UserImportMatchExample:
+ $ref: '#/components/examples/UserImportMatchExample'
+ UserImportErrorExample:
+ $ref: '#/components/examples/UserImportErrorExample'
+ '204':
+ description: No content - Use the default action
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - InlineHook
+ create-saml-hook:
+ post:
+ summary: Create a SAML Assertion Inline Hook
+ description: |-
+ Creates a SAML Assertion inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.
+
+ This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes.
+
+ You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.
+
+ This inline hook works only when using custom SAML apps, not apps from the OIN.
+
+ See also:
+ * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks
+ * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta
+ * For a use case example of how to implement a SAML assertion inline hook, see [SAML assertion inline hook](https://developer.okta.com/docs/guides/saml-inline-hook)
+ * For steps to enable this inline hook, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook).
+
+ ### Specify location within the assertion
+
+ Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions.
+
+ When you perform an `add` op to add a new attribute statement, begin with `/claims/` and follow that with the name of the new attribute that you're adding.
+
+ When you modify an existing assertions statement, begin the path with `/subject/`, `/authentication/`, `/conditions/`, or `/claims/`, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, `/claims/array/attributeValues/1/value`. (The `/1/` in the path indicates the index of the array, using zero-based indexing.)
+
+ ### URI claims
+
+ Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the [JavaScript Object Notation (JSON) Pointer](https://tools.ietf.org/html/rfc6901) specification. Specifically, this replaces `~` with `~0` and `/` with `~1`.
+
+ ### SessionNotOnOrAfter support
+
+ In some scenarios, your service provider may require the `SessionNotOnOrAfter` attribute for the `` in the SAML assertion, which sets the provider session time correctly. Use `add` op with the path `/authentication/sessionLifetime` and a value for session lifetime in seconds to add this attribute. Okta calculates `SessionNotOnOrAfter` by adding the `/authentication/sessionLifetime` value to the `issueInstant` attribute and returns it in the SAML `data.assertion.
+ operationId: createSAMLAssertionInlineHook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/SAMLPayLoad'
+ examples:
+ SAMLPayloadExample:
+ $ref: '#/components/examples/SAMLPayLoadExample'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SAMLHookResponse'
+ examples:
+ SAMLHookResponseExample:
+ $ref: '#/components/examples/SAMLHookResponseExample'
+ SAMLHookResponseWithURIFormat:
+ $ref: '#/components/examples/SAMLHookResponseWithURIFormat'
+ '204':
+ description: No content - Use the default action
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - InlineHook
+ create-token-hook:
+ post:
+ summary: Create a Token inline hook
+ description: |-
+ Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response.
+
+ This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims.
+
+ Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.
+
+ In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid.
+
+ This inline hook works only when using an [Okta custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/#create-an-authorization-server), not the built-in Okta org authorization server.
+
+ See also:
+ * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks
+ * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta
+ * For an example implementation of this inline hook, see [Token inline hook](https://developer.okta.com/docs/guides/token-inline-hook)
+
+ ### Timeout behavior
+ After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned.
+
+ ### Enabling a token inline hook
+ To activate the inline hook, you first need to register your external service endpoint with Okta using the [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook).
+ You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps:
+ 1. Go to **Security** > **API** > **Authorization Servers.**
+ 2. Select a custom authorization server from the list.
+ 3. Select **Access Policies** and select a policy to use with the hook. In most cases, pick the Default Policy.
+ 4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule.
+ 5. Click the **Use this Inline Hook** dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use.
+ 6. Click **Update Rule**.
+
+ > **Note:** You can associate only one inline hook with each rule.
+
+ ### Troubleshoot
+ This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails.
+ > **Note:** Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the [Troubleshooting](https://developer.okta.com/docs/concepts/inline-hooks/#troubleshooting) section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures.
+ - When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
+
+ **Who can see this error?** Administrators
+
+ - When the external service returns a response with any other HTTP status code besides `200`, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
+
+ **Who can see this error?** Administrators
+
+ - When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated.
+
+ **Who can see this error?** Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client.
+ > **Note:** See the [error](https://developer.okta.com/docs/reference/token-hook/#error) section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token.
+
+ - When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
+
+ **Who can see this error?** Administrators
+
+ The following actions result in an error:
+ - Using an invalid command. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`.
+ - Using an invalid operation
+ - Attempting to remove a system-specific claim
+ - Attempting to update a claim that doesn't exist
+ - Attempting to update an element within an array that doesn't exist or specifying an invalid index
+ - Attempting to remove a claim that doesn't exist
+ operationId: createTokenInlineHook
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenRequest'
+ examples:
+ TokenPayLoadExample:
+ $ref: '#/components/examples/TokenPayLoadExample'
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenHookResponse'
+ examples:
+ TokenHookResponse:
+ $ref: '#/components/examples/TokenHookResponse'
+ TokenHookResponseWithURIFormat:
+ $ref: '#/components/examples/TokenHookResponseWithURIFormat'
+ TokenHookResponseAppendArray:
+ $ref: '#/components/examples/TokenHookResponseAppendArray'
+ TokenHookReplaceExisting:
+ $ref: '#/components/examples/TokenHookReplaceExisting'
+ TokenHookReplaceInPath:
+ $ref: '#/components/examples/TokenHookReplaceInPath'
+ TokenHookModifyLifetime:
+ $ref: '#/components/examples/TokenHookModifyLifetime'
+ TokenHookRemoveClaim:
+ $ref: '#/components/examples/TokenHookRemoveClaim'
+ TokenHookRemoveFromArray:
+ $ref: '#/components/examples/TokenHookRemoveFromArray'
+ TokenHookRemoveFromObject:
+ $ref: '#/components/examples/TokenHookRemoveFromObject'
+ TokenHookErrorExample:
+ $ref: '#/components/examples/TokenHookErrorExample'
+ '204':
+ description: No content - Unverified user response
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ security:
+ - apiToken: []
+ - oauth2: []
+ tags:
+ - InlineHook
+components:
+ examples:
+ APIDevicesListAllResponse:
+ summary: List all devices with embedded users
+ value:
+ - id: guo4a5u7YAHhjXrMK0g4
+ status: CREATED
+ created: '2019-10-02T18:03:07.000Z'
+ lastUpdated: '2019-10-02T18:03:07.000Z'
+ profile:
+ displayName: Example Device name 1
+ platform: WINDOWS
+ serialNumber: XXDDRFCFRGF3M8MD6D
+ sid: S-1-11-111
+ registered: true
+ secureHardwarePresent: false
+ diskEncryptionType: ALL_INTERNAL_VOLUMES
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 1
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g4
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users: []
+ - id: guo4a5u7YAHhjXrMK0g5
+ status: ACTIVE
+ created: '2023-06-21T23:24:02.000Z'
+ lastUpdated: '2023-06-21T23:24:02.000Z'
+ profile:
+ displayName: Example Device name 2
+ platform: ANDROID
+ manufacturer: Google
+ model: Pixel 6
+ osVersion: 13:2023-05-05
+ registered: true
+ secureHardwarePresent: true
+ diskEncryptionType: USER
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 2
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g5
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users:
+ - managementStatus: MANAGED
+ created: '2021-10-01T16:52:41.000Z'
+ screenLockType: BIOMETRIC
+ user:
+ id: 00u17vh0q8ov8IU881d7
+ status: ACTIVE
+ created: '2020-08-12T06:46:50.000Z'
+ activated: '2020-08-12T06:46:50.000Z'
+ statusChanged: '2021-01-27T21:05:32.000Z'
+ lastLogin: '2021-10-14T09:04:48.000Z'
+ lastUpdated: '2021-01-27T21:05:32.000Z'
+ passwordChanged: '2020-08-12T06:46:50.000Z'
+ type:
+ id: oty7ut9Uu76oHVUZc0w4
+ profile:
+ firstName: fname
+ lastName: lname
+ mobilePhone: null
+ secondEmail: null
+ login: email@email.com
+ email: email@email.com
+ credentials:
+ password: {}
+ recovery_question:
+ question: What is the food you least liked as a child?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc7ut9Uu76oHVUZc0w4
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password
+ method: POST
+ forgotPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/oty7ut9Uu76oHVUZc0w4
+ changePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate
+ APIDevicesListAllUserSummaryResponse:
+ summary: List all devices with embedded user summaries
+ value:
+ - id: guo4a5u7YAHhjXrMK0g4
+ status: CREATED
+ created: '2019-10-02T18:03:07.000Z'
+ lastUpdated: '2019-10-02T18:03:07.000Z'
+ profile:
+ displayName: Example Device name 1
+ platform: WINDOWS
+ serialNumber: XXDDRFCFRGF3M8MD6D
+ sid: S-1-11-111
+ registered: true
+ secureHardwarePresent: false
+ diskEncryptionType: ALL_INTERNAL_VOLUMES
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 1
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g4
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users: []
+ - id: guo4a5u7YAHhjXrMK0g5
+ status: ACTIVE
+ created: '2023-06-21T23:24:02.000Z'
+ lastUpdated: '2023-06-21T23:24:02.000Z'
+ profile:
+ displayName: Example Device name 2
+ platform: ANDROID
+ manufacturer: Google
+ model: Pixel 6
+ osVersion: 13:2023-05-05
+ registered: true
+ secureHardwarePresent: true
+ diskEncryptionType: USER
+ resourceType: UDDevice
+ resourceDisplayName:
+ value: Example Device name 2
+ sensitive: false
+ resourceAlternateId: null
+ resourceId: guo4a5u7YAHhjXrMK0g5
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users
+ hints:
+ allow:
+ - GET
+ _embedded:
+ users:
+ - managementStatus: MANAGED
+ created: '2021-10-01T16:52:41.000Z'
+ screenLockType: BIOMETRIC
+ user:
+ id: 00u17vh0q8ov8IU881d7
+ realmId: 00u17vh0q8ov8IU8T0g5
+ profile:
+ firstName: fname
+ lastName: lname
+ login: email@email.com
+ email: email@email.com
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7
+ APIDevicesListAllUsersResponse:
+ summary: Response example
+ value:
+ - created: '2021-08-20T17:13:35.000Z'
+ managementStatus: NOT_MANAGED
+ screenLockType: BIOMETRIC
+ user:
+ id: 00u17vh0q8ov8IU881d7
+ status: ACTIVE
+ created: '2021-08-20T16:08:25.000Z'
+ activated: null
+ statusChanged: '2021-08-20T16:39:41.000Z'
+ lastLogin: '2023-04-18T17:54:12.000Z'
+ lastUpdated: '2021-12-20T18:27:30.000Z'
+ passwordChanged: '2021-12-20T18:27:30.000Z'
+ type:
+ id: oty17vh0n2EHVnbYF1d7
+ profile:
+ firstName: Bunk
+ lastName: Moreland
+ mobilePhone: null
+ secondEmail: null
+ login: bunk.moreland@example.com
+ email: bunk.moreland@example.com
+ credentials:
+ password: null
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password
+ method: POST
+ forgotPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7
+ resetFactors:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors
+ method: POST
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7
+ changePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password
+ method: POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate
+ method: POST
+ APIPushProvidersListAllResponse:
+ value:
+ - id: ppchvbeucdTgqeiGxR0g4
+ providerType: APNS
+ name: Example Push Provider 1
+ lastUpdatedDate: '2022-01-00T00:00:00.000Z'
+ configuration:
+ keyId: ABC123DEFG
+ teamId: DEF123GHIJ
+ fileName: fileName.p8
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId}
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ - id: ppctekcmngGaqeiBxB0g4
+ providerType: FCM
+ name: Example Push Provider 2
+ lastUpdatedDate: '2022-01-00T00:00:00.000Z'
+ configuration:
+ projectId: PROJECT_ID
+ fileName: fileName.json
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId}
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ APIServiceIntegrationInstanceSecretListResponse:
+ summary: Secrets list response example
+ value:
+ - id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: '***DhOW'
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ - id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: '***MQGQ'
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ APIServiceIntegrationListResponse:
+ summary: List response example
+ value:
+ - id: 0oa72lrepvp4WqEET1d9
+ type: my_app_cie
+ name: My App Cloud Identity Engine
+ createdAt: '2023-02-21T20:08:24.000Z'
+ createdBy: 00uu3u0ujW1P6AfZC2d5
+ configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
+ _links:
+ self:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ logo:
+ name: small
+ href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
+ APIServiceIntegrationResponse:
+ summary: Response example
+ value:
+ id: 0oa72lrepvp4WqEET1d9
+ type: my_app_cie
+ name: My App Cloud Identity Engine
+ createdAt: '2023-02-21T20:08:24.000Z'
+ createdBy: 00uu3u0ujW1P6AfZC2d5
+ configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
+ _links:
+ self:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ logo:
+ name: small
+ href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
+ ActivateFactorCallResponse:
+ summary: call
+ value:
+ id: clf1o51EADOTFXHHBXBP
+ factorType: call
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-08-06T16:56:31.000Z'
+ lastUpdated: '2014-08-06T16:56:31.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ phoneExtension: '1234'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorEmailResponse:
+ summary: email
+ value:
+ id: emfnf3gSScB8xXoXK0g3
+ factorType: email
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ profile:
+ email: changed@clouditude.net
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3
+ hints:
+ allow:
+ - GET
+ ActivateFactorPushResponse:
+ summary: push
+ value:
+ id: opf3hkfocI4JTLAju0g4
+ factorType: push
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2015-03-16T18:01:28.000Z'
+ lastUpdated: '2015-08-27T14:25:17.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ deviceType: SmartPhone_IPhone
+ name: Gibson
+ platform: IOS
+ version: '9.0'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorSmsResponse:
+ summary: sms
+ value:
+ id: sms1o51EADOTFXHHBXBP
+ factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-08-06T16:56:31.000Z'
+ lastUpdated: '2014-08-06T16:56:31.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorTotpResponse:
+ summary: token:software:totp
+ value:
+ id: ostf1fmaMGJLMNGNLIVG
+ factorType: token:software:totp
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-07-16T16:13:56.000Z'
+ lastUpdated: '2014-08-06T00:31:07.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorU2fRequest:
+ summary: u2f
+ value:
+ registrationData: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew
+ clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ
+ ActivateFactorU2fResponse:
+ summary: u2f
+ value:
+ id: fuf2rovRxogXJ0nDy0g4
+ factorType: u2f
+ provider: FIDO
+ vendorName: FIDO
+ status: ACTIVE
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T21:43:32.000Z'
+ profile:
+ credentialId: WVO-QyHEi0eWmTNqESqJynDtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ version: U2F_V2
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
+ - POST
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateFactorWebauthnRequest:
+ summary: webAuthn
+ value:
+ attestation: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ==
+ clientData: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=
+ ActivateFactorWebauthnResponse:
+ summary: webAuthn
+ value:
+ id: fwf2rovRxogXJ0nDy0g4
+ factorType: webauthn
+ provider: FIDO
+ vendorName: FIDO
+ status: ACTIVE
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T21:43:32.000Z'
+ profile:
+ credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ authenticatorName: MacBook Touch ID
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
+ - POST
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ActivateIdPResponse:
+ summary: Activate an Identity Provider
+ value:
+ id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: ACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-25T19:14:23.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ ActivateNetworkZone:
+ summary: Activated Network Zone
+ value:
+ type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ActiveAuthorizationServerKey:
+ summary: Active Authorization Server Key
+ value:
+ status: ACTIVE
+ alg: RS256
+ e: AQAB
+ 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ
+ kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ hints:
+ allow:
+ - GET
+ AddMappingBody:
+ summary: Update an existing profile mapping by adding one or more properties
+ value:
+ properties:
+ additionalProperties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ nickName:
+ expression: user.nickName
+ pushStatus: PUSH
+ AddMappingResponse:
+ summary: Update an existing profile mapping by adding one or more properties
+ value:
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ nickName:
+ expression: user.nickName
+ pushStatus: PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ AdminConsoleSettingsExample:
+ summary: Default Okta Admin Console Settings
+ value:
+ sessionMaxLifetimeMinutes: 720
+ sessionIdleTimeoutMinutes: 15
+ AerialConsentDetails:
+ description: Example response of consent details
+ value:
+ accountId: 0200bs0617vvhv2v675mch1cukp
+ grantDate: '2023-04-06T21:32:33.000Z'
+ grantedBy: 00uabcdefg1234567890
+ AerialConsentInvalidAccountIdResponse:
+ description: Aerial account ID is invalid
+ value:
+ errorCode: E0000001
+ errorSummary: 'API validation failed: account'
+ errorLink: E0000001
+ errorId: oaewjePjfdBT7m71KkPz0Ipaw
+ errorCauses:
+ - errorSummary: Invalid aerial account ID.
+ AerialConsentOrgAlreadyLinkedResponse:
+ description: The revoke operation isn't possible when the org is already linked
+ value:
+ errorCode: E0000001
+ errorSummary: 'API validation failed: account'
+ errorLink: E0000001
+ errorId: oae_wheRkaxRT-EFAXwBmBKLg
+ errorCauses:
+ - errorSummary: The org is already linked to an Account.
+ AerialGrantAlreadyPresentErrorResponse:
+ description: Grant is already present
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: account'
+ errorLink: E0000001
+ errorId: oaewjePjfdBT7m71KkPz0Ipaw
+ errorCauses:
+ - errorSummary: The org already has a consent grant added to Aerial.
+ AerialGrantNotFoundResponse:
+ description: No grant found for org
+ value:
+ errorCode: E0000007
+ errorSummary: 'Not found: Resource not found: grant (String)'
+ errorLink: E0000007
+ errorId: sampleFYH_dTSSTdpPYIAdHJw
+ errorCauses: []
+ AllAssignmentsOperationResponse:
+ value:
+ id: rre4mje4ez7B2a7B60g7
+ type: realm:assignment
+ status: COMPLETED
+ created: '2023-10-25T21:02:54.000Z'
+ started: '2023-10-25T21:02:54.000Z'
+ completed: '2023-10-25T21:02:54.000Z'
+ assignmentOperation:
+ configuration:
+ id: ALL
+ name: All Assignments
+ numUserMoved: 50
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7
+ method: GET
+ ApiTokenListMetadataResponse:
+ value:
+ - name: My API Token
+ userId: 00uabcdefg1234567890
+ tokenWindow: P30D
+ network:
+ connection: ANYWHERE
+ id: 00Tabcdefg1234567890
+ clientName: Okta API
+ expiresAt: '2021-12-11T20:38:10.000Z'
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ - name: Another API Token
+ userId: 00uabcdefg1234567890
+ tokenWindow: PT5M
+ id: 00T1234567890abcdefg
+ clientName: Okta API
+ expiresAt: '2021-11-11T20:43:10.000Z'
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ ApiTokenMetadataResponse:
+ value:
+ name: My API Token
+ userId: 00uXXXXXXXXXXXXXXXXX
+ tokenWindow: P30D
+ network:
+ connection: ANYWHERE
+ id: 00Tabcdefg1234567890
+ clientName: Okta API
+ expiresAt: '2021-12-11T20:38:10.000Z'
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX
+ hints:
+ allow:
+ - GET
+ AppCsrJsonResponse:
+ summary: CSR object in JSON format
+ value:
+ id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ created: '2017-03-28T01:11:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ hints:
+ allow:
+ - GET
+ - DELETE
+ publish:
+ href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ AppCsrPkcs10Response:
+ summary: CSR in DER format
+ value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9
+ AppFeatureListResponseEx:
+ summary: List app Feature response
+ value:
+ - name: USER_PROVISIONING
+ status: ENABLED
+ description: User provisioning settings from Okta to a downstream application
+ capabilities:
+ create:
+ lifecycleCreate:
+ status: DISABLED
+ update:
+ profile:
+ status: DISABLED
+ lifecycleDeactivate:
+ status: DISABLED
+ password:
+ status: DISABLED
+ seed: RANDOM
+ change: KEEP_EXISTING
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ AppFeatureResponseEx:
+ summary: App Feature response
+ value:
+ name: USER_PROVISIONING
+ status: ENABLED
+ description: User provisioning settings from Okta to a downstream application
+ capabilities:
+ create:
+ lifecycleCreate:
+ status: DISABLED
+ update:
+ profile:
+ status: DISABLED
+ lifecycleDeactivate:
+ status: DISABLED
+ password:
+ status: DISABLED
+ seed: RANDOM
+ change: KEEP_EXISTING
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ AppGrantsEx:
+ summary: App Grants example
+ value:
+ id: oag91n9ruw3dsaXzP0h6
+ status: ACTIVE
+ created: '2023-02-21T16:54:00.000Z'
+ createdBy:
+ id: 00u6eltha0nrSc47i0h7
+ type: User
+ lastUpdated: '2023-02-21T16:54:00.000Z'
+ issuer: '{yourOktaDomain}'
+ clientId: '{clientId}'
+ scopeId: okta.users.read
+ source: ADMIN
+ _embedded:
+ scope:
+ id: okta.users.read
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: Application name
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: Client name
+ AppGrantsPostEx:
+ summary: App Grants example
+ value:
+ issuer: '{yourOktaDomain}'
+ scopeId: okta.users.read
+ AppResponseBaseEx:
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ AppUserAssignProvRequest:
+ summary: SSO and provisioning Application User request example
+ value:
+ id: 00u15s1KDETTQMQYABRL
+ scope: USER
+ credentials:
+ username: saml.jackson@example.com
+ profile:
+ salesforceGroups:
+ - Employee
+ role: Developer
+ profile: Standard User
+ AppUserAssignSSORequest:
+ summary: SSO Application User request example
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ scope: USER
+ credentials:
+ username: rae.cloud@example.com
+ AppUserCredUpdateResponse:
+ summary: Application User credential update
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ externalId: null
+ created: '2024-01-27T03:52:45.000Z'
+ lastUpdated: '2024-01-27T05:15:30.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2024-01-27T03:52:45.000Z'
+ passwordChanged: '2024-01-27T05:15:30.000Z'
+ syncState: DISABLED
+ credentials":
+ userName: rae.cloud@example.com
+ password: {}
+ profile:
+ street_address: null
+ country: null
+ website: null
+ zoneinfo: America/Los_Angeles
+ birthdate: null
+ gender: null
+ formatted: null
+ profile: null
+ locality: null
+ given_name: Rae
+ middle_name: null
+ locale: en_US
+ picture: null
+ name: Rae Cloud
+ nickname: null
+ phone_number: null
+ region: null
+ postal_code: null
+ family_name: Cloud
+ email: rae.cloud@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO
+ AppUserListEx:
+ summary: List Application User example
+ value:
+ - id: 00u1dnq5S0CfjlkpABCD
+ externalId: 00u5edt3PNbbjzvIABCD
+ created: '2024-01-31T18:25:01.000Z'
+ lastUpdated: '2024-01-31T18:25:03.000Z'
+ scope: USER
+ status: PROVISIONED
+ statusChanged: '2024-01-31T18:25:03.000Z'
+ passwordChanged: null
+ syncState: SYNCHRONIZED
+ lastSync: '2024-01-31T18:25:03.000Z'
+ credentials:
+ userName: saml.test@example.com
+ profile:
+ secondEmail: null
+ lastName: Test
+ mobilePhone: null
+ displayName: Saml O Test
+ email: saml.test@example.com
+ salesforceGroups: []
+ role: Tester
+ firstName: Saml
+ streetAddress: null
+ profile: Standard Platform User
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ _embedded:
+ user:
+ id: 00u1dnq5S0CfjlkpABCD
+ status: ACTIVE
+ created: '2024-01-09T15:36:04.000Z'
+ activated: '2024-01-09T15:36:05.000Z'
+ statusChanged: '2024-01-09T15:36:05.000Z'
+ lastLogin: null
+ lastUpdated: '2024-01-09T15:36:05.000Z'
+ passwordChanged: '2024-01-09T15:36:05.000Z'
+ type:
+ id: otyzhh29g7Python90g3
+ profile:
+ firstName: Saml
+ lastName: Test
+ mobilePhone: null
+ secondEmail: null
+ login: saml.test@example.com
+ email: saml.test@example.com
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3
+ changePassword:
+ href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password
+ method: POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate
+ method: POST
+ AppUserProfUpdateResponse:
+ summary: Application User profile update
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ externalId: null
+ created: '2024-01-27T03:52:45.000Z'
+ lastUpdated: '2024-01-27T05:05:32.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2024-01-27T03:52:45.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ credentials":
+ userName: rae.cloud@example.com
+ profile:
+ street_address: null
+ country: null
+ website: null
+ zoneinfo: America/Los_Angeles
+ birthdate: null
+ gender: null
+ formatted: null
+ profile: null
+ locality: null
+ given_name: Rae
+ middle_name: Mae
+ locale: en_US
+ picture: null
+ name: Rae Mae Cloud
+ nickname: null
+ phone_number: null
+ region: null
+ postal_code: null
+ family_name: Cloud
+ email: rae.cloud@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO
+ AppUserProvExpandResponse:
+ summary: Application User expand example
+ value:
+ id: 00u1dnq5S0CfjlkpABCD
+ externalId: 00u5edt3PNbbjzvIABCD
+ created: '2024-01-31T18:25:01.000Z'
+ lastUpdated: '2024-01-31T18:25:03.000Z'
+ scope: USER
+ status: PROVISIONED
+ statusChanged: '2024-01-31T18:25:03.000Z'
+ passwordChanged: null
+ syncState: SYNCHRONIZED
+ lastSync: '2024-01-31T18:25:03.000Z'
+ credentials:
+ userName: saml.test@example.com
+ profile:
+ secondEmail: null
+ lastName: Test
+ mobilePhone: null
+ displayName: Saml O Test
+ email: saml.test@example.com
+ salesforceGroups: []
+ role: Tester
+ firstName: Saml
+ streetAddress: null
+ profile: Standard Platform User
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ _embedded:
+ user:
+ id: 00u1dnq5S0CfjlkpABCD
+ status: ACTIVE
+ created: '2024-01-09T15:36:04.000Z'
+ activated: '2024-01-09T15:36:05.000Z'
+ statusChanged: '2024-01-09T15:36:05.000Z'
+ lastLogin: null
+ lastUpdated: '2024-01-09T15:36:05.000Z'
+ passwordChanged: '2024-01-09T15:36:05.000Z'
+ type:
+ id: otyzhh29g7Python90g3
+ profile:
+ firstName: Saml
+ lastName: Test
+ mobilePhone: null
+ secondEmail: null
+ login: saml.test@example.com
+ email: saml.test@example.com
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend
+ method: POST
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password
+ method: POST
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3
+ changePassword:
+ href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password
+ method: POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate
+ method: POST
+ AppUserProvResponse:
+ summary: SSO and provisioning Application User response example
+ value:
+ id: 00u15s1KDETTQMQYABRL
+ externalId: 005o0000000ogQ9AAI
+ created: '2014-08-16T02:35:14.000Z'
+ lastUpdated: '2014-08-16T02:56:49.000Z'
+ scope: USER
+ status: PROVISIONED
+ statusChanged: '2014-08-16T02:56:49.000Z'
+ passwordChanged: null
+ syncState: SYNCHRONIZED
+ lastSync: '2014-08-16T02:56:49.000Z'
+ credentials:
+ userName: saml.jackson@example.com
+ profile:
+ secondEmail: null
+ lastName: Jackson
+ mobilePhone: null
+ email: saml.jackson@example.com
+ salesforceGroups:
+ - Employee
+ role: Developer
+ firstName: Saml
+ profile: Standard User
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ AppUserSSOResponse:
+ summary: SSO Application User response example
+ value:
+ id: 00ud4tVDDXYVKPXKVLCO
+ externalId: null
+ created: '2024-01-27T03:52:45.000Z'
+ lastUpdated: '2024-01-27T03:52:45.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2024-01-27T03:52:45.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ credentials":
+ userName: rae.cloud@example.com
+ profile:
+ street_address: null
+ country: null
+ website: null
+ zoneinfo: America/Los_Angeles
+ birthdate: null
+ gender: null
+ formatted: null
+ profile: null
+ locality: null
+ given_name: Rae
+ middle_name: null
+ locale: en_US
+ picture: null
+ name: Rae Cloud
+ nickname: null
+ phone_number: null
+ region: null
+ postal_code: null
+ family_name: Cloud
+ email: rae.cloud@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO
+ AppUserSchemaAddRequest:
+ value:
+ definitions:
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ externalName: twitterUserName
+ description: User's username for twitter.com
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ required: []
+ AppUserSchemaResponse:
+ value:
+ id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default
+ $schema: http://json-schema.org/draft-04/schema#
+ name: Example App
+ title: Example App User
+ lastUpdated: '2017-07-18T23:18:43.000Z'
+ created: '2017-07-18T22:35:30.000Z'
+ definitions:
+ base:
+ id: '#base'
+ type: object
+ properties:
+ userName:
+ title: Username
+ type: string
+ required: true
+ scope: NONE
+ maxLength: 100
+ required:
+ - userName
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ externalName: twitterUserName
+ description: User's username for twitter.com
+ type: string
+ scope: NONE
+ minLength: 1
+ maxLength: 20
+ required: []
+ type: object
+ properties:
+ profile:
+ allOf:
+ - $ref: '#/definitions/base'
+ - $ref: '#/definitions/custom'
+ AppUserUpdateCredRequest:
+ summary: Application User credentials update
+ value:
+ credentials:
+ userName: rae.cloud@example.com
+ password:
+ value: updatedP@55word
+ AppUserUpdateProfileRequest:
+ summary: Application User profile update
+ value:
+ profile:
+ name: Rae Mae Cloud
+ middle_name: Mae
+ AppleIdPResponse:
+ summary: Apple Identity Provider
+ value:
+ id: 0oa18hsHsG3boVejU0g4
+ type: APPLE
+ issuerMode: ORG_URL
+ name: Apple Identity Provider
+ status: ACTIVE
+ created: '2020-06-05T20:57:51.000Z'
+ lastUpdated: '2020-06-05T20:57:51.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://appleid.apple.com/auth/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://appleid.apple.com/auth/token
+ binding: HTTP-POST
+ scopes:
+ - openid
+ - email
+ - name
+ credentials:
+ client:
+ client_id: your-client-id
+ signing:
+ teamId: test team ID
+ privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ
+ kid: test key ID
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ AssignGroupOwnerRequest:
+ summary: Assign a group owner request example
+ value:
+ id: 00u1cmc03xjzePoWD0h8
+ type: USER
+ AssignGroupOwnerResponse:
+ summary: Assign a group owner response example
+ value:
+ id: 00u1cmc03xjzePoWD0h8
+ type: USER
+ resolved: true
+ originId: null
+ originType: OKTA_DIRECTORY
+ displayName: Oliver Putnam
+ lastUpdated: Wed Mar 29 18:34:31 UTC 2023
+ AuthenticatorMethodInactiveVoice:
+ value:
+ type: voice
+ status: INACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice
+ hints:
+ allow:
+ - GET
+ - PUT
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ AuthenticatorMethodPhone:
+ value:
+ - type: sms
+ status: ACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: voice
+ status: INACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice
+ hints:
+ allow:
+ - GET
+ - PUT
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ AuthenticatorMethodSms:
+ value:
+ type: sms
+ status: ACTIVE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate
+ hints:
+ allow":
+ - POST
+ AuthenticatorMethodWebauth:
+ value:
+ type: webauthn
+ status: ACTIVE
+ settings:
+ userVerification: DISCOURAGED
+ attachment: ANY
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn
+ hints:
+ allow:
+ - GET
+ - PUT
+ AuthenticatorRequestDuo:
+ value:
+ key: duo
+ name: Duo Security
+ provider:
+ type: DUO
+ configuration:
+ userNameTemplate:
+ template: oktaId
+ integrationKey: testIntegrationKey
+ secretKey: testSecretKey
+ host: https://api-xxxxxxxx.duosecurity.com
+ AuthenticatorResponseDuo:
+ value:
+ type: app
+ id: aut9gnvcjUHIWb37J0g4
+ key: duo
+ status: ACTIVE
+ name: Duo Security
+ created: '2022-07-15T21:14:02.000Z'
+ lastUpdated: '2022-07-15T21:14:02.000Z'
+ settings: {}
+ provider:
+ type: DUO
+ configuration:
+ host: https://api-xxxxxxxx.duosecurity.com
+ userNameTemplate:
+ template: oktaId
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods
+ hints:
+ allow:
+ - GET
+ AuthenticatorResponseEmail:
+ value:
+ type: email
+ id: aut1nbsPHh7jNjjyP0g4
+ key: okta_email
+ status: ACTIVE
+ name: Email
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-28T21:45:52.000Z'
+ settings:
+ allowedFor: any
+ tokenLifetimeInMinutes: 5
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponseInactiveWebAuthn:
+ value:
+ type: security_key
+ id: aut1nd8PQhGcQtSxB0g4
+ key: webauthn
+ status: INACTIVE
+ name: Security Key or Biometric
+ created: '2020-07-26T21:16:37.000Z'
+ lastUpdated: '2020-07-27T18:59:30.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponsePassword:
+ value:
+ type: password
+ id: aut1nbtrJKKA9m45a0g4
+ key: okta_password
+ status: ACTIVE
+ name: Password
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-26T21:05:23.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods
+ hints:
+ allow:
+ - GET
+ AuthenticatorResponsePhone:
+ value:
+ type: phone
+ id: aut1nbuyD8m1ckAYc0g4
+ key: phone_number
+ status: INACTIVE
+ name: Phone
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-29T00:21:29.000Z'
+ settings:
+ allowedFor: none
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods
+ hints:
+ allow:
+ - GET
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponseSecurityQuestion:
+ summary: Security Question
+ value:
+ type: security_question
+ id: aut1nbvIgEenhwE6c0g4
+ key: security_question
+ status: ACTIVE
+ name: Security Question
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-26T21:05:23.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4
+ hints:
+ allow:
+ - GET
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorResponseWebAuthn:
+ value:
+ type: security_key
+ id: aut1nd8PQhGcQtSxB0g4
+ key: webauthn
+ status: ACTIVE
+ name: Security Key or Biometric
+ created: '2020-07-26T21:16:37.000Z'
+ lastUpdated: '2020-07-27T18:59:30.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthenticatorsResponse:
+ summary: Org Authenticators
+ value:
+ - type: email
+ id: aut1nbsPHh7jNjjyP0g4
+ key: okta_email
+ status: ACTIVE
+ name: Email
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-28T21:45:52.000Z'
+ settings:
+ allowedFor: any
+ tokenLifetimeInMinutes: 5
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: password
+ id: aut1nbtrJKKA9m45a0g4
+ key: okta_password
+ status: ACTIVE
+ name: Password
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-26T21:05:23.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods
+ hints:
+ allow:
+ - GET
+ - type: phone
+ id: aut1nbuyD8m1ckAYc0g4
+ key: phone_number
+ status: INACTIVE
+ name: Phone
+ created: '2020-07-26T21:05:23.000Z'
+ lastUpdated: '2020-07-29T00:21:29.000Z'
+ settings:
+ allowedFor: none
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods
+ hints:
+ allow:
+ - GET
+ activate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ - type: security_key
+ id: aut1nd8PQhGcQtSxB0g4
+ key: webauthn
+ status: ACTIVE
+ name: Security Key or Biometric
+ created: '2020-07-26T21:16:37.000Z'
+ lastUpdated: '2020-07-27T18:59:30.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ methods:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AuthorizationServerPolicy:
+ summary: Authorization Server Policy
+ value:
+ type: OAUTH_AUTHORIZATION_POLICY
+ id: 00palyaappA22DPkj0h7
+ status: ACTIVE
+ name: Vendor2 Policy
+ description: Vendor2 policy description
+ priority: 1
+ system: false
+ conditions:
+ clients:
+ include:
+ - ALL_CLIENTS
+ created: '2017-05-26T19:43:53.000Z'
+ lastUpdated: '2017-06-07T15:28:17.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ rules:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules
+ hints:
+ allow:
+ - GET
+ AuthorizationServerPolicyRule:
+ summary: Authorization Server Policy Rule
+ value:
+ type: RESOURCE_ACCESS
+ id: 0prbsjfyl01zfSZ9K0h7
+ status: ACTIVE
+ name: Default Policy Rule
+ priority: 1
+ created: '2017-08-25T16:57:02.000Z'
+ lastUpdated: '2017-08-30T14:51:05.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include:
+ - EVERYONE
+ exclude: []
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ AutoLoginAppResponseEx:
+ summary: AUTO_LOGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ customswaapp_link: true
+ name: customswaapp
+ label: Custom SWA App
+ features: []
+ signOnMode: AUTO_LOGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ signOn:
+ redirectUrl: http://swasecondaryredirecturl.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ AutoLoginEx:
+ summary: AUTO_LOGIN
+ value:
+ label: Custom SWA App
+ signOnMode: AUTO_LOGIN
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ settings:
+ signOn:
+ redirectUrl: http://swasecondaryredirecturl.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ AutoLoginPutEx:
+ summary: AUTO_LOGIN
+ value:
+ label: Custom SWA App updated
+ status: ACTIVE
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ features: []
+ signOnMode: AUTO_LOGIN
+ credentials:
+ scheme: ADMIN_SETS_CREDENTIALS
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ settings:
+ signOn:
+ redirectUrl: http://swasecondaryredirecturlupdated.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ AutoLoginPutResponseEx:
+ summary: AUTO_LOGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ customswaapp_link: true
+ name: customswaapp
+ label: Custom SWA App updated
+ features: []
+ signOnMode: AUTO_LOGIN
+ credentials:
+ scheme: ADMIN_SETS_CREDENTIALS
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ signOn:
+ redirectUrl: http://swasecondaryredirecturlupdated.okta.com
+ loginUrl: http://swaprimaryloginurl.okta.com
+ BaseSignOnModeEx:
+ value:
+ status: ACTIVE
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ features: []
+ BasicAuthEx:
+ summary: BASIC_AUTH
+ value:
+ name: template_basic_auth
+ label: Sample Basic Auth App
+ signOnMode: BASIC_AUTH
+ settings:
+ app:
+ url: https://example.com/login.html
+ authURL: https://example.com/auth.html
+ BasicAuthPutEx:
+ summary: BASIC_AUTH
+ value:
+ label: Sample Basic Auth App updated
+ signOnMode: BASIC_AUTH
+ settings:
+ app:
+ url: https://example.com/loginUpdated.html
+ authURL: https://example.com/auth.html
+ BasicAuthPutResponseEx:
+ summary: BASIC_AUTH
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_basic_auth
+ label: Sample Basic Auth App updated
+ features: []
+ signOnMode: BASIC_AUTH
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ url: https://example.com/loginUpdated.html
+ authURL: https://example.com/auth.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BasicAuthResponseEx:
+ summary: BASIC_AUTH
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_basic_auth
+ label: Sample Basic Auth App
+ features: []
+ signOnMode: BASIC_AUTH
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ url: https://example.com/login.html
+ authURL: https://example.com/auth.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BehaviorRuleRequest:
+ value:
+ name: My Behavior Rule
+ type: VELOCITY
+ BehaviorRuleResponse:
+ value:
+ id: abcd1234
+ name: My Behavior Rule
+ type: VELOCITY
+ settings:
+ velocityKph: 805
+ status: ACTIVE
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _link:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ BookmarkAppResponseEx:
+ summary: BOOKMARK
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: bookmark
+ label: Sample Bookmark App
+ features: []
+ signOnMode: BOOKMARK
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app:
+ requestIntegration: false
+ url: https://example.com/bookmark.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BookmarkEx:
+ summary: BOOKMARK
+ value:
+ name: bookmark
+ label: Sample Bookmark App
+ signOnMode: BOOKMARK
+ settings:
+ app:
+ url: https://example.com/bookmark.html
+ BookmarkPutEx:
+ summary: BOOKMARK
+ value:
+ name: bookmark
+ label: Sample Bookmark App updated
+ signOnMode: BOOKMARK
+ settings:
+ app:
+ requestIntegration: true
+ url: https://example.com/bookmark.html
+ BookmarkPutResponseEx:
+ summary: BOOKMARK
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: bookmark
+ label: Sample Bookmark App updated
+ features: []
+ signOnMode: BOOKMARK
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app:
+ requestIntegration: true
+ url: https://example.com/bookmark.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginEx:
+ summary: BROWSER_PLUGIN
+ value:
+ name: template_swa
+ label: Sample Plugin App
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ BrowserPluginPutEx:
+ summary: BROWSER_PLUGIN
+ value:
+ name: template_swa
+ label: Sample Plugin App updated
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example_updated.com/login.html
+ BrowserPluginPutResponseEx:
+ summary: BROWSER_PLUGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa
+ label: Sample Plugin App updated
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ usernameField: txtbox-username
+ buttonField: btn-login
+ passwordField: txtbox-password
+ url: https://example_updated.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginResponseEx:
+ summary: BROWSER_PLUGIN
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa
+ label: Sample Plugin App
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ usernameField: txtbox-username
+ buttonField: btn-login
+ passwordField: txtbox-password
+ url: https://example.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginSwa3FieldEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ name: template_swa3field
+ label: Sample Plugin App
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonSelector: '#btn-login'
+ passwordSelector: '#txtbox-password'
+ userNameSelector: '#txtbox-username'
+ targetURL: https://example.com/login.html
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ BrowserPluginSwa3FieldPutEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ name: template_swa3field
+ label: Sample Plugin App updated
+ signOnMode: BROWSER_PLUGIN
+ settings:
+ app:
+ buttonSelector: '#btn-login'
+ passwordSelector: '#txtbox-password'
+ userNameSelector: '#txtbox-username'
+ targetURL: https://exampleupdated.com/login.html
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ BrowserPluginSwa3FieldPutResponseEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa3field
+ label: Sample Plugin App updated
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ userNameSelector: '#txtbox-username'
+ passwordSelector: '#txtbox-password'
+ buttonSelector: '#btn-login'
+ targetURL: https://exampleupdated.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BrowserPluginSwa3FieldResponseEx:
+ summary: BROWSER_PLUGIN with three CSS selectors
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_swa3field
+ label: Sample Plugin App
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ loginUrlRegex: null
+ extraFieldSelector: .login
+ extraFieldValue: SOMEVALUE
+ userNameSelector: '#txtbox-username'
+ passwordSelector: '#txtbox-password'
+ buttonSelector: '#btn-login'
+ targetURL: https://example.com/login.html
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ BundleEntitlementsResponse:
+ summary: List of governance bundle entitlements
+ value:
+ entitlements:
+ - id: espfxqCAJWWGELFTYASJ
+ role: GROUP_MEMBERSHIP_ADMIN
+ name: Group Membership Admin
+ description: Perform all admin activities for groups in the org
+ _links:
+ values: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements/espfxqCAJWWGELFTYASJ/values
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10
+ next:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12
+ bundle:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA
+ CAPTCHAInstanceRequestHCaptcha:
+ value:
+ name: myHCaptcha
+ secretKey: xxxxxxxxxxx
+ siteKey: xxxxxxxxxxx
+ type: HCAPTCHA
+ CAPTCHAInstanceRequestReCaptcha:
+ value:
+ name: myReCaptcha
+ secretKey: xxxxxxxxxxx
+ siteKey: yyyyyyyyyyyyyyy
+ type: RECAPTCHA_V2
+ CAPTCHAInstanceResponseHCaptcha:
+ value:
+ id: abcd1234
+ name: myHCaptcha
+ siteKey: xxxxxxxxxxx
+ type: HCAPTCHA
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ CAPTCHAInstanceResponseReCaptcha:
+ value:
+ id: abcd4567
+ name: myReCaptcha
+ siteKey: yyyyyyyyyyyyyyy
+ type: RECAPTCHA_V2
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ ChangePwdRequest:
+ value:
+ oldPassword:
+ value: tlpWENT2m
+ newPassword:
+ value: uTVM,TPw55
+ revokeSessions: true
+ ChangePwdResponse:
+ value:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ CreateAnEventHook:
+ summary: Create an event hook
+ value:
+ name: Event Hook Test
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers:
+ - key: X-Other-Header
+ value: my-header-value
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ CreateAnEventHookWithFilter:
+ summary: Create an event hook with a filter
+ value:
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ CreateAppleIdPRequest:
+ summary: Create Apple Identity Provider
+ value:
+ type: APPLE
+ name: Apple Identity Provider
+ protocol:
+ type: OIDC
+ scopes:
+ - openid
+ - email
+ - name
+ credentials:
+ client:
+ client_id: your-client-id
+ signing:
+ privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ
+ kid: test key ID
+ teamId: test team ID
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ matchType: USERNAME
+ CreateAssocAuthServerBody:
+ summary: Create a trusted relationship between authorization servers
+ value:
+ - trusted: '{authorizationServerId}'
+ CreateAssocAuthServerResponse:
+ summary: Create a trusted relationship between authorization servers
+ value:
+ - id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: CUSTOM_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - DELETE
+ CreateAuthServerBody:
+ summary: Create a custom authorization server
+ value:
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - api://default
+ CreateAuthServerResponse:
+ summary: Create a custom authorization server
+ value:
+ id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ _links:
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
+ hints:
+ allow:
+ - GET
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
+ hints:
+ allow:
+ - GET
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateAuthorizationServerPolicyRequest:
+ summary: Create Authorization Server Policy
+ value:
+ type: OAUTH_AUTHORIZATION_POLICY
+ status: ACTIVE
+ name: Default Policy
+ description: Default policy description
+ priority: 1
+ system: false
+ conditions:
+ clients":
+ include":
+ - ALL_CLIENTS
+ CreateAuthorizationServerPolicyRuleRequest:
+ summary: Create Authorization Server Policy Rule
+ value:
+ type: RESOURCE_ACCESS
+ name: Default Policy Rule
+ priority: 1
+ conditions:
+ people:
+ groups:
+ include:
+ - EVERYONE
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ CreateBrandRequest:
+ value:
+ name: My Awesome Brand
+ CreateBrandResponse:
+ value:
+ id: bnd114iNkrcN6aR680g5
+ removePoweredByOkta: false
+ customPrivacyPolicyUrl: null,
+ agreeToCustomPrivacyPolicy: false,
+ name: My Awesome Brand
+ locale: en
+ defaultApp:
+ appInstanceId: null
+ appLinkName: null
+ classicApplicationUri: null
+ isDefault: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes
+ hints:
+ allow:
+ - GET
+ CreateChildOrgRequestEx:
+ summary: Create org request
+ value:
+ subdomain: my-child-org-1
+ name: My Child Org 1
+ website: http://www.examplecorp.com
+ edition: SKU
+ admin:
+ profile:
+ firstName: First
+ lastName: Last
+ email: FirstLast@example.com
+ login: FirstLast@example.com
+ mobilePhone: null
+ credentials:
+ password:
+ value: XXXX
+ CreateChildOrgResponseEx:
+ summary: Create org response
+ value:
+ id: 00o1n8sbwArJ7OQRw406
+ subdomain: my-child-org-1
+ name: My Child Org 1
+ website: http://www.examplecorp.com
+ status: ACTIVE
+ edition: SKU
+ expiresAt: null
+ created: '2024-08-27T15:42:52.000Z'
+ lastUpdated: '2024-08-27T15:42:56.000Z'
+ licensing:
+ apps: []
+ settings:
+ app:
+ errorRedirectUrl: null
+ interstitialUrl: null
+ interstitialMinWaitTime: 1200
+ userAccount:
+ attributes:
+ secondaryEmail: true
+ secondaryImage: true
+ portal:
+ errorRedirectUrl: null
+ signOutUrl: null
+ logs:
+ level: INFO
+ token: XXXXXXXXXXXXX
+ tokenType: SSWS
+ _links:
+ administrator:
+ href: https://my-child-org-1.oktapreview.com/api/v1/users/00u1n8sheI1WBQlDV406
+ uploadLogo:
+ href: https://my-child-org-1.oktapreview.com/api/v1/org/logo
+ organization:
+ href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1
+ contacts:
+ href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/contacts
+ policy:
+ href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/policy
+ CreateCustomRoleResponseGroup:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ CreateCustomTokenClaimBody:
+ summary: Create a custom token Claim
+ value:
+ - alwaysIncludeInToken: true
+ claimType: IDENTITY
+ conditions:
+ scopes:
+ - profile
+ group_filter_type: CONTAINS
+ name: Support
+ status: ACTIVE
+ system: false
+ value: Support
+ valueType: GROUPS
+ CreateCustomTokenClaimResponse:
+ summary: Create a custom token Claim response
+ value:
+ - id: '{claimId}'
+ name: Support
+ status: ACTIVE
+ claimType: IDENTITY
+ valueType: GROUPS
+ value: Support
+ conditions:
+ scopes:
+ - profile
+ system: false
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ group_filter_type: CONTAINS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ CreateEDNZRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Create an Enhanced Dynamic Network Zone
+ value:
+ type: DYNAMIC_V2
+ name: testZone106
+ status: ACTIVE
+ usage: BLOCKLIST
+ locations:
+ include: []
+ exclude: []
+ asns:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclude: []
+ CreateEDNZResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Enhanced Dynamic Network Zone
+ value:
+ type: DYNAMIC_V2
+ id: nzok0oz2xYHOZtIch0g4
+ name: testZone106
+ status: ACTIVE
+ usage: BLOCKLIST
+ create: '2024-05-13T16:33:44.000Z'
+ lastUpdated: '2024-05-13T16:33:44.000Z'
+ system: false
+ locations:
+ include: []
+ exclude: []
+ asns:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclude: []
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateEmailDomainRequest:
+ value:
+ displayName: Admin
+ userName: admin
+ domain: example.com
+ brandId: bnd100iSrkcN6aR680g1
+ validationSubdomain: mail
+ CreateFacebookIdPRequest:
+ summary: Create Facebook Identity Provider
+ value:
+ type: FACEBOOK
+ name: Facebook
+ protocol:
+ type: OAUTH2
+ scopes:
+ - public_profile
+ - email
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ CreateGenericOidcIdPRequest:
+ summary: Create Generic OpenID Connect Identity Provider
+ value:
+ type: OIDC
+ name: Example OpenID Connect IdP
+ protocol:
+ algorithms:
+ request:
+ signature:
+ algorithm: HS256
+ scope: REQUEST
+ endpoints:
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ authorization:
+ binding: HTTP-REDIRECT
+ url: https://idp.example.com/authorize
+ token:
+ binding: HTTP-POST
+ url: https://idp.example.com/token
+ userInfo:
+ binding: HTTP-REDIRECT
+ url: https://idp.example.com/userinfo
+ jwks:
+ binding: HTTP-REDIRECT
+ url: https://idp.example.com/keys
+ scopes:
+ - openid
+ - profile
+ - email
+ type: OIDC
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ pkce_required: 'true'
+ issuer:
+ url: https://idp.example.com
+ policy:
+ accountLink:
+ action: AUTO
+ filter: null
+ provisioning:
+ action: AUTO
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ groups:
+ action: NONE
+ mapAMRClaims: false
+ maxClockSkew: 120000
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ matchType: USERNAME
+ CreateGoogleIdPRequest:
+ summary: Create Google Identity Provider
+ value:
+ type: GOOGLE
+ name: Google
+ protocol:
+ type: OAUTH2
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ CreateHookKeyResponse:
+ summary: Create a key response example
+ value:
+ id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: My new key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:09:58.000Z'
+ isUsed: 'false'
+ _embedded:
+ kty: RSA
+ alg: RSA
+ kid: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ use: 'null'
+ e: AQAB
+ 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w`
+ CreateIAMStandardRoleResponseGroup:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: ACCESS_REQUESTS_ADMIN
+ label: Access Requests Administrator
+ type: ACCESS_REQUESTS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7
+ CreateIPPolicyBlockListNetworkZone:
+ summary: Create an IP Blocklist Network Zone
+ value:
+ type: IP
+ name: newBlockListNetworkZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies: null
+ CreateIPPolicyBlockListNetworkZoneResponse:
+ summary: IP Blocklist Network Zone
+ value:
+ type: IP
+ id: nzo1qasnPb1kqEq0e0g4
+ name: newBlockListNetworkzone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2021-08-09T20:22:09.000Z'
+ lastUpdated: '2021-08-09T20:22:09.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateIPPolicyNetworkZone:
+ summary: Create an IP Policy Network Zone
+ value:
+ type: IP
+ name: newNetworkZone
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies:
+ - type: CIDR
+ value: 2.2.3.4/24
+ - type: CIDR
+ value: 3.3.4.5/24
+ CreateIPPolicyNetworkZoneResponse:
+ summary: IP Policy Network Zone
+ value:
+ type: IP
+ id: nzowb8T5Jh5xuAJ0o0g7
+ name: newNetworkZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-08-09T21:32:01.000Z'
+ lastUpdated: '2021-08-09T21:32:01.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24'
+ - type: CIDR
+ value: 2.3.4.5/24
+ proxies:
+ - type: CIDR
+ value: 2.2.3.4/24
+ - type: CIDR
+ value: 3.3.4.5/24
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ CreateLinkedObjectRequest:
+ summary: Create manager-subordinate link request
+ value:
+ primary:
+ name: manager
+ title: manager
+ description: Manager link property
+ type: USER
+ associated:
+ name: subordinate
+ title: subordinate
+ description: Subordinate link property
+ type: USER
+ CreateLinkedObjectResponse:
+ summary: Create manager-subordinate link property response
+ value:
+ primary:
+ name: manager
+ title: manager
+ description: Manager link property
+ type: USER
+ associated:
+ name: subordinate
+ title: subordinate
+ description: Subordinate link property
+ type: USER
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager
+ CreateMicrosoftIdPRequest:
+ summary: Create Microsoft Identity Provider
+ value:
+ type: MICROSOFT
+ name: Microsoft
+ protocol:
+ type: OIDC
+ scopes:
+ - openid
+ - email
+ - profile
+ - https://graph.microsoft.com/User.Read
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ CreateOAuth2ScopeRequest:
+ summary: Example scope
+ value:
+ name: car:drive
+ description: Drive car
+ consent: REQUIRED
+ displayName: Saml Jackson
+ CreateOrReplaceSMSTemplateRequest:
+ value:
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ CreateOrReplaceSMSTemplateResponse:
+ value:
+ id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ CreateSamlIdPRequest:
+ summary: Create SAML 2.0 Identity Provider
+ value:
+ type: SAML2
+ name: Example SAML IdP
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com
+ binding: HTTP-POST
+ destination: https://idp.example.com
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: http://www.okta.com/123
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: saml.subjectNameId
+ format:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ filter: (\S+@example\.com)
+ matchType: USERNAME
+ CreateSessionBody:
+ summary: Create a new Session with a valid session token
+ value:
+ sessionToken: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow
+ CreateSessionResponse:
+ summary: Create a new Session with a valid session token
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85
+ CreateSmartCardIdPRequest:
+ summary: Create SmartCard Identity Provider
+ value:
+ type: X509
+ status: ACTIVE
+ name: Smart Card IDP Name
+ properties:
+ additionalAmr:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ protocol:
+ type: MTLS
+ credentials:
+ trust:
+ revocation: CRL
+ revocationCacheLifetime: 2880
+ issuer: your-issuer
+ kid: your-kid
+ policy:
+ provisioning:
+ action: DISABLED
+ mapAMRClaims: false
+ maxClockSkew: 120000
+ subject:
+ matchType: EMAIL
+ matchAttribute: ''
+ userNameTemplate:
+ template: idpuser.subjectAltNameEmail
+ CreateStandardRoleAssignmentResponseGroup:
+ value:
+ id: grasraHPx7i79ajaJ0g3
+ label: Organization Administrator
+ type: ORG_ADMIN
+ status: ACTIVE
+ created: '2019-02-27T14:56:55.000Z'
+ lastUpdated: '2019-02-27T14:56:55.000Z'
+ assignmentType: GROUP
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3
+ CreateUISchemaBody:
+ summary: UI Schema body request
+ value:
+ uiSchema:
+ type: Group
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First Name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last Name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Primary email
+ options:
+ format: text
+ buttonLabel: Submit
+ label: Sign in
+ CreateUISchemaResponse:
+ summary: Returns full UI Schema body
+ value:
+ id: uis4a7liocgcRgcxZ0g7
+ uiSchema:
+ type: Group
+ label: Sign in
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Primary email
+ options:
+ format: text
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
+ _links:
+ self:
+ href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ CreateUpdateEmailCustomizationRequest:
+ value:
+ language: fr
+ subject: Bienvenue dans ${org.name}!
+ body: Bonjour ${user.profile.firstName}. Activer le compte
+ isDefault: false
+ CreateUpdateEmailCustomizationResponse:
+ value:
+ language: fr
+ subject: Bienvenue dans ${org.name}!
+ body: Bonjour ${user.profile.firstName}. Activer le compte
+ isDefault: false
+ id: oel11u6DqUiMbQkpl0g4
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ CreateUpdateIamRolePermissionRequestExampleWithExclude:
+ value:
+ conditions:
+ exclude:
+ okta:ResourceAttribute/User/Profile:
+ - zipCode
+ CreateUpdateIamRolePermissionRequestExampleWithInclude:
+ value:
+ conditions:
+ include:
+ okta:ResourceAttribute/User/Profile:
+ - city
+ - state
+ CreateUserRequest:
+ summary: Create a user type request
+ value:
+ description: A new custom user type
+ displayName: New User Type
+ name: newUserType
+ CreateUserResponse:
+ summary: Create a user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: New User Type
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ CsrJsonResponse:
+ summary: CSR object in JSON format
+ value:
+ id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ created: '2017-03-28T01:11:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ hints:
+ allow:
+ - GET
+ - DELETE
+ publish:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ CsrPkcs10Response:
+ summary: CSR in DER format
+ value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9
+ CustomRoleAssignmentRequest:
+ value:
+ type: CUSTOM
+ role: cr04cxy6yzSCtNciD0g7
+ resource-set: iam4cxy6z7hhaZCSk0g7
+ CustomRoleResponseClient:
+ value:
+ id: irb4ey26fpFI3vQ8y0g7
+ label: view_minimal
+ type: CUSTOM
+ status: ACTIVE
+ created: '2023-05-01T15:16:47.000Z'
+ lastUpdated: '2023-05-01T15:16:47.000Z'
+ assignmentType: CLIENT
+ resource-set: iam4cxy6z7hhaZCSk0g7
+ role: cr04cxy6yzSCtNciD0g7
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7
+ CustomRoleResponseUser:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ CustomRolesListResponseClient:
+ value:
+ - id: irb4ey26fpFI3vQ8y0g7
+ label: view_minimal
+ type: CUSTOM
+ status: ACTIVE
+ created: '2023-05-01T15:16:47.000Z'
+ lastUpdated: '2023-05-01T15:16:47.000Z'
+ assignmentType: CLIENT
+ resource-set: iam4cxy6z7hhaZCSk0g7
+ role: cr04cxy6yzSCtNciD0g7
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7
+ CustomRolesListResponseGroup:
+ value:
+ - id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ DeactivateIdPResponse:
+ summary: Deactivate an Identity Provider
+ value:
+ id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: INACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-25T19:16:53.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ DeactivateNetworkZone:
+ summary: Deactivated Network Zone
+ value:
+ type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: INACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ activate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ DeactivatedSecurityEventsProviderResponse:
+ summary: Inactive Security Events Provider
+ value:
+ id: sse1qg25RpusjUP6m0g5
+ name: Security Events Provider with well-known URL
+ type: okta
+ status: INACTIVE
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ activate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ DefaultEnhancedDynamicNetworkZone:
+ summary: Default Enhanced Dynamic Network Zone
+ value:
+ type: DYNAMIC_V2
+ id: nzohcnxFrSgsiwyHp0g4
+ name: DefaultEnhancedDynamicZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2024-05-06T19:12:29.000Z'
+ lastUpdated: '2024-05-09T21:02:31.000Z'
+ system: true
+ locations:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclue: []
+ asns:
+ include: []
+ exclude: []
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ DefaultIpBlocklistNetworkZone:
+ summary: Default IP Blocklist Network Zone
+ value:
+ type: IP
+ id: nzou3u0stMCmgOzXK1d6
+ name: BlockedIpZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ DefaultIpNetworkZone:
+ summary: Default IP Network Zone
+ value:
+ type: IP
+ id: nzou3u0ssJfZjYsWL1d6
+ name: LegacyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ DefaultRealmAssignment:
+ value:
+ id: rul2jy7jLUlnO5ng00g4
+ status: ACTIVE
+ name: Catch-all
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: true
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy6hx0g4,
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf2g5
+ priority: 499
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4
+ method: GET
+ DefaultRealmResponse:
+ value:
+ id: guox9jQ16k9V8IQWL0g3
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: true
+ profile:
+ name: Default Realm
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3
+ method: GET
+ DeviceAssuranceAndroidRequest:
+ summary: Android request
+ value:
+ name: Device assurance Android
+ osVersion:
+ minimum: 12
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceAndroidResponse:
+ summary: Android response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Android
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceAndroidWithDynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Android with dynamic version requirement request
+ value:
+ name: Device assurance Android
+ osVersion:
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 0
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceAndroidWithDynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Android with dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Android
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 0
+ diskEncryptionType:
+ include:
+ - USER
+ - FULL
+ jailbreak: false
+ platform: ANDROID
+ screenLockType:
+ include:
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: ChromeOS with third-party signal providers request
+ value:
+ name: Device assurance ChromeOS
+ platform: CHROMEOS
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ allowScreenLock: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ keyTrustLevel: CHROME_OS_VERIFIED_MODE
+ DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: ChromeOS with third-party signal providers response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance ChromeOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ platform: CHROMEOS
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ allowScreenLock: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ keyTrustLevel: CHROME_OS_VERIFIED_MODE
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceIosRequest:
+ summary: iOS request
+ value:
+ name: Device assurance iOS
+ osVersion:
+ minimum: 12.4.5
+ jailbreak: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ DeviceAssuranceIosResponse:
+ summary: iOS response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance iOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ jailbroken: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceIosWithDynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: iOS with dynamic version requirement request
+ value:
+ name: Device assurance iOS
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ latestSecurityPatch: true
+ jailbreak: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ DeviceAssuranceIosWithDynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: iOS with dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance iOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ latestSecurityPatch: true
+ jailbroken: false
+ platform: IOS
+ screenLockType:
+ include:
+ - BIOMETRIC
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceMacOSRequest:
+ summary: macOS request
+ value:
+ name: Device assurance macOS
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceMacOSResponse:
+ summary: macOS response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceMacOSWithDynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with dynamic version requirement request
+ value:
+ name: Device assurance macOS
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 0
+ latestSecurityPatch: true
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceMacOSWithDynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 0
+ latestSecurityPatch: true
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with third-party signal providers request
+ value:
+ name: Device assurance macOS
+ osVersion:
+ minimum: 12.4.5
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain": testDomain
+ builtInDnsClientEnabled": true
+ chromeRemoteDesktopAppBlocked": true
+ safeBrowsingProtectionLevel": true
+ siteIsolationEnabled": true
+ passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode": true
+ DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: macOS with third-party signal providers response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: MACOS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ keyTrustLevel: CHROME_BROWSER_HW_KEY
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsRequest:
+ summary: Windows request
+ value:
+ name: Device assurance Windows
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsResponse:
+ summary: Windows response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 and Windows 10 dynamic version requirements request
+ value:
+ name: Device assurance Windows
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 1
+ latestSecurityPatch: true
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 and Windows 10 dynamic version requirements response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: MINIMUM
+ distanceFromLatestMajor: 1
+ latestSecurityPatch: true
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: EXACT_ANY_SUPPORTED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with third-party signal providers request
+ value:
+ name: Device assurance Windows
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ secureBootEnabled: true
+ windowsMachineDomain: testMachineDomain
+ windowsUserDomain: testUserDomain
+ thirdPartyBlockingEnabled: true
+ crowdStrikeCustomerId: testCustomerId
+ crowdStrikeAgentId": testAgentId
+ keyTrustLevel: CHROME_BROWSER_HW_KEY
+ DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with third-party signal providers response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersion:
+ minimum: 12.4.5.9
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ thirdPartySignalProviders:
+ dtc:
+ osVersion:
+ minimum: 10.0.19041.1110
+ diskEncrypted: true
+ osFirewall: true
+ screenLockSecured: true
+ browserVersion:
+ minimum: 15393.27.0
+ deviceEnrollmentDomain: testDomain
+ builtInDnsClientEnabled: true
+ chromeRemoteDesktopAppBlocked: true
+ safeBrowsingProtectionLevel: ENHANCED_PROTECTION
+ siteIsolationEnabled: true
+ passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
+ realtimeUrlCheckMode: true
+ secureBootEnabled: true
+ windowsMachineDomain: testMachineDomain
+ windowsUserDomain: testUserDomain
+ thirdPartyBlockingEnabled: true
+ crowdStrikeCustomerId: testCustomerId
+ crowdStrikeAgentId": testAgentId
+ keyTrustLevel: CHROME_BROWSER_HW_KEY
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version request
+ value:
+ name: Device assurance Windows
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 1
+ - majorVersionConstraint: WINDOWS_10
+ minimum: 10.0.19045.0
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ dynamicVersionRequirement:
+ type: EXACT
+ distanceFromLatestMajor: 1
+ - majorVersionConstraint: WINDOWS_10
+ minimum: 10.0.19045.0
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 minimum version and a Windows 10 dynamic version requirement request
+ value:
+ name: Device assurance Windows
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ minimum: 10.0.22000.0
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: NOT_ALLOWED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ summary: Windows with Windows 11 minimum version and Windows 10 dynamic version requirement response
+ value:
+ id: dae3m8o4rWhwReDeM1c5
+ name: Device assurance Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ osVersionConstraints:
+ - majorVersionConstraint: WINDOWS_11
+ minimum: 10.0.22000.0
+ - majorVersionConstraint: WINDOWS_10
+ dynamicVersionRequirement:
+ type: NOT_ALLOWED
+ diskEncryptionType:
+ include:
+ - ALL_INTERNAL_VOLUMES
+ platform: WINDOWS
+ screenLockType:
+ include:
+ - PASSCODE
+ - BIOMETRIC
+ secureHardwarePresent: true
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceChecksMacOSRequest:
+ summary: macOS request
+ value:
+ name: Device Check macOS
+ description: Query macOS devices to check if firewall is enabled
+ variableName: macOSFirewall
+ platform: MACOS
+ query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;
+ DeviceChecksMacOSResponse:
+ summary: macOS response
+ value:
+ id: dch3m8o4rWhwReDeM1c5
+ name: Device Check macOS
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ description: Query macOS devices to check if firewall is enabled
+ variableName: macOSFirewall
+ query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;
+ platform: MACOS
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceChecksWindowsRequest:
+ summary: Windows request
+ value:
+ name: Device Check Windows
+ description: Query Windows devices to check if firewall is enabled
+ variableName: windowsFirewall
+ platform: WINDOWS
+ query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles;
+ DeviceChecksWindowsResponse:
+ summary: Windows response
+ value:
+ id: dch3m8o4rWhwReDeM1c5
+ name: Device Check Windows
+ lastUpdate: '2022-01-01T00:00:00.000Z'
+ createdUpdate: '2022-01-01T00:00:00.000Z'
+ lastUpdatedBy: 00u217pyf72CdUrBt1c5
+ createdBy: 00u217pyf72CdUrBt1c5
+ description: Query Windows devices to check if firewall is enabled
+ variableName: windowsFirewall
+ query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles;
+ platform: WINDOWS
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/device-checks/dch3m8o4rWhwReDeM1c5
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ DeviceResponse:
+ value:
+ id: guo8jx5vVoxfvJeLb0w4
+ status: ACTIVE
+ created: '2020-11-03T21:47:01.000Z'
+ lastUpdated: '2020-11-03T23:46:27.000Z'
+ profile:
+ displayName: DESKTOP-EHAD3IE
+ platform: WINDOWS
+ manufacturer: International Corp
+ model: VMware7,1
+ osVersion: 10.0.18362
+ serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce
+ udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE
+ sid: S-1-5-21-3992267483-1860856704-2413701314-500
+ registered: true
+ secureHardwarePresent: false
+ diskEncryptionType: NONE
+ resourceId: guo8jx5vVoxfvJeLb0w4
+ resourceDisplayName:
+ value: DESKTOP-EHAD3IE
+ sensitive: false
+ resourceType: UDDevice
+ resourceAlternateId: null
+ _links:
+ suspend:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4
+ hints:
+ allow:
+ - GET
+ - PATCH
+ - PUT
+ users:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ EmailCustomizationResponse:
+ value:
+ language: en
+ isDefault: true
+ subject: Welcome to ${org.name}!
+ body: Hello, ${user.profile.firstName}. Click here to activate your account.
+ id: oel11u6DqUiMbQkpl0g4
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ EmailDomainResponse:
+ value:
+ id: OeD114iNkrcN6aR680g4
+ validationStatus: NOT_STARTED
+ displayName: Admin
+ userName: admin
+ domain: example.com
+ validationSubdomain: mail
+ dnsValidationRecords:
+ - recordType: TXT
+ fqdn: _oktaverification.example.com
+ verificationValue: 759080212bda43e3bc825a7d73b4bb64
+ - recordType: CNAME
+ fqdn: mail.example.com
+ verificationValue: u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t02._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t022._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ EmailSettingsRequest:
+ value:
+ recipients: ALL_USERS
+ EmailSettingsResponse:
+ value:
+ recipients: ALL_USERS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ EmailTemplateDefaultContentResponse:
+ value:
+ subject: Welcome to ${org.name}!
+ body:
Hello, ${user.profile.firstName}. Click here to activate your account.
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ hints:
+ allow:
+ - GET
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview
+ hints:
+ allow:
+ - GET
+ EmbeddedGroupAssignmentSampleResponse:
+ summary: Application Group with an embedded Group
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ _embedded:
+ group:
+ id: 00g15acRUy0SYb9GT0g4
+ created: '2024-06-02T13:02:12.000Z'
+ lastUpdated: '2024-06-02T13:02:12.000Z'
+ lastMembershipUpdated: '2024-06-02T13:03:13.000Z'
+ objectClass:
+ - okta:user_group
+ type: OKTA_GROUP
+ profile:
+ name: Football Group
+ description: Group with professional footballers
+ _links:
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-medium.30ce6d4085dff29412984e4c191bc874.png
+ type: image/png
+ - name: large
+ href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-large.c3cb8cda8ae0add1b4fe928f5844dbe3.png
+ type: image/png
+ users:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/users
+ apps:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/apps
+ EmbeddedMetadataGroupAssignmentSampleResponse:
+ summary: Application Group with embedded metadata
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ _embedded:
+ metadata:
+ credentials: {}
+ profile:
+ division:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ preferredLanguage:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ manager:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ securityQuestion:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ securityAnswer:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ timezone:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ organization:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ initialStatus:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ managerId:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ userType:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ locale:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ department:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ EnrollFactorCallRequest:
+ summary: call
+ value:
+ factorType: call
+ provider: OKTA
+ profile:
+ phoneNumber: +1-555-415-1337
+ honeExtension: '1234'
+ EnrollFactorCallResponse:
+ summary: call
+ value:
+ id: clf1nz9JHJGHWRKMTLHP
+ factorType: call
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-08-05T20:59:49.000Z'
+ lastUpdated: '2014-08-06T03:59:49.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ phoneExtension: '1234'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ resend:
+ - name: call
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/resend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorCustomTotpRequest:
+ summary: custom totp
+ value:
+ factorType: token:hotp
+ provider: CUSTOM
+ factorProfileId: fpr20l2mDyaUGWGCa0g4
+ profile:
+ sharedSecret: 484f97be3213b117e3a20438e291540a
+ EnrollFactorCustomTotpResponse:
+ summary: custom totp
+ value:
+ id: chf20l33Ks8U2Zjba0g4
+ factorType: token:hotp
+ provider: CUSTOM
+ vendorName: Entrust Datacard
+ status: ACTIVE
+ created: '2019-07-22T23:22:36.000Z'
+ lastUpdated: '2019-07-22T23:22:36.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4/verify
+ hints:
+ allow:
+ - POST
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3
+ hints:
+ allow:
+ - GET
+ EnrollFactorEmailRequest:
+ summary: email
+ value:
+ factorType: email
+ provider: OKTA
+ profile:
+ email: test@gmail.com
+ EnrollFactorEmailResponse:
+ summary: email
+ value:
+ id: emfnf3gSScB8xXoXK0g3
+ factorType: email
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ resend:
+ - name: email
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/resend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3
+ hints:
+ allow:
+ - GET
+ EnrollFactorGoogleRequest:
+ summary: google token:software:totp
+ value:
+ factorType: token:software:totp
+ provider: GOOGLE
+ EnrollFactorGoogleResponse:
+ value:
+ id: ostf1fmaMGJLMNGNLIVG
+ factorType: token:software:totp
+ provider: GOOGLE
+ vendorName: GOOGLE
+ status: PENDING_ACTIVATION
+ created: '2014-07-16T16:13:56.000Z'
+ lastUpdated: '2014-07-16T16:13:56.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ timeStep: 30
+ sharedSecret: JBTWGV22G4ZGKV3N
+ encoding: base32
+ keyLength: 16
+ _links:
+ qrcode:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4
+ type: image/png
+ EnrollFactorOVPushRequest:
+ summary: token:software:totp push
+ value:
+ factorType: push
+ provider: OKTA
+ EnrollFactorOVPushResponse:
+ summary: token:software:totp
+ value:
+ id: opfbtzzrjgwauUsxO0g4
+ factorType: push
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2015-11-13T07:34:22.000Z'
+ lastUpdated: '2015-11-13T07:34:22.000Z'
+ _links:
+ poll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/poll
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ expiresAt: '2015-11-13T07:44:22.000Z'
+ factorResult: WAITING
+ _links:
+ send:
+ - name: email
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/email
+ hints:
+ allow:
+ - POST
+ - name: sms
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/sms
+ hints:
+ allow:
+ - POST
+ qrcode:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/qr/00Ji8qVBNJD4LmjYy1WZO2VbNqvvPdaCVua-1qjypa
+ type: image/png
+ EnrollFactorOVTotpRequest:
+ summary: token:software:totp
+ value:
+ factorType: token:software:totp
+ provider: OKTA
+ EnrollFactorOVTotpResponse:
+ summary: token:software:totp
+ value:
+ id: ostf1fmaMGJLMNGNLIVG
+ factorType: token:software:totp
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-07-16T16:13:56.000Z'
+ lastUpdated: '2014-07-16T16:13:56.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ timeStep: 30
+ sharedSecret: JBTWGV22G4ZGKV3N
+ encoding: base32
+ keyLength: 6
+ _links:
+ qrcode:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4
+ type: image/png
+ EnrollFactorQuestionRequest:
+ summary: question
+ value:
+ question:
+ summary: question factor
+ value:
+ factorType: question
+ provider: OKTA
+ profile:
+ question: disliked_food
+ answer: mayonnaise
+ EnrollFactorQuestionResponse:
+ summary: question
+ value:
+ id: ufs1o01OTMGHLAJPVHDZ
+ factorType: question
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-08-05T22:58:49.000Z'
+ lastUpdated: '2014-08-05T22:58:49.000Z'
+ profile:
+ question: disliked_food
+ questionText: What is the food you least liked as a child?
+ _links:
+ questions:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs1o01OTMGHLAJPVHDZ
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorRsaSecurIdRequest:
+ summary: RSA SecurID
+ value:
+ factorType: token
+ provider: RSA
+ profile:
+ credentialId: dade.murphy@example.com
+ verify:
+ passCode: '5275875498'
+ EnrollFactorRsaSecurIdResponse:
+ summary: RSA SecurID
+ value:
+ id: rsabtznMn6cp94ez20g4
+ factorType: token
+ provider: RSA
+ vendorName: RSA
+ status: ACTIVE
+ created: '2015-11-13T07:05:53.000Z'
+ lastUpdated: '2015-11-13T07:05:53.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorSmsRequest:
+ summary: sms
+ value:
+ factorType: sms
+ provider: OKTA
+ profile:
+ phoneNumber: +1-555-415-1337
+ EnrollFactorSmsResponse:
+ summary: sms
+ value:
+ id: mbl1nz9JHJGHWRKMTLHP
+ factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-08-05T20:59:49.000Z'
+ lastUpdated: '2014-08-06T03:59:49.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ resend:
+ - name: sms
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/resend
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorSymantecVipRequest:
+ summary: Symantec VIP
+ value:
+ factorType: token
+ provider: SYMANTEC
+ profile:
+ credentialId: VSMT14393584
+ verify:
+ passCode: '875498'
+ nextPassCode: '678195'
+ EnrollFactorSymantecVipResponse:
+ summary: Symantec VIP
+ value:
+ id: ufvbtzgkYaA7zTKdQ0g4
+ factorType: token
+ provider: SYMANTEC
+ vendorName: SYMANTEC
+ status: ACTIVE
+ created: '2015-11-13T06:52:08.000Z'
+ lastUpdated: '2015-11-13T06:52:08.000Z'
+ profile:
+ credentialId: VSMT14393584
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EnrollFactorU2fRequest:
+ summary: u2f
+ value:
+ factorType: u2f
+ provider: FIDO
+ EnrollFactorU2fResponse:
+ summary: u2f
+ value:
+ id: fuf2rovRxogXJ0nDy0g4
+ factorType: u2f
+ provider: FIDO
+ vendorName: FIDO
+ status: PENDING_ACTIVATION
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T20:43:19.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ version: U2F_V2
+ nonce: 9DmGJDLvaU6KWxJbfrZ0
+ timeoutSeconds: 20
+ EnrollFactorWebauthnRequest:
+ summary: webAuthn
+ value:
+ factorType: webauthn
+ provider: FIDO
+ EnrollFactorWebauthnResponse:
+ summary: webAuthn
+ value:
+ id: fwf2rovRxogXJ0nDy0g4
+ factorType: webauthn
+ provider: FIDO
+ vendorName: FIDO
+ status: PENDING_ACTIVATION
+ created: '2018-05-24T20:43:19.000Z'
+ lastUpdated: '2018-05-24T20:43:19.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ attestation: direct
+ authenticatorSelection:
+ userVerification: preferred
+ requireResidentKey: false
+ challenge: cdsZ1V10E0BGE4GcG3IK
+ excludeCredentials: []
+ pubKeyCredParams:
+ - type: public-key
+ alg: -7
+ - type: public-key
+ alg: -257
+ rp:
+ name: Rain-Cloud59
+ user:
+ displayName: First Last
+ name: first.last@gmail.com
+ id: 00u15s1KDETTQMQYABRL
+ EnrollFactorYubikeyRequest:
+ summary: yubikey
+ value:
+ factorType: token:hardware
+ provider: YUBICO
+ verify:
+ passCode: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji
+ EnrollFactorYubikeyResponse:
+ value:
+ id: ykfbty3BJeBgUi3750g4
+ factorType: token:hardware
+ provider: YUBICO
+ vendorName: YUBICO
+ status: ACTIVE
+ created: '2015-11-13T05:27:49.000Z'
+ lastUpdated: '2015-11-13T05:27:49.000Z'
+ profile:
+ credentialId: '000004102994'
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: hhttps://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ EntitlementValuesResponse:
+ summary: List of bundle entitlement values
+ value:
+ entitlementValues:
+ - id: entfxqCAJWWGELFTYAAA
+ value: orn:okta:00o5rb5mt2H3d1TJd0h7:groups:00guaxWZ0AOa5NFAj0g3
+ name: Restricted users group
+ _links:
+ group: http://your-subdomain.okta.com/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10
+ bundle:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA
+ entitlements:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements
+ ErrorAccessDenied:
+ summary: Access Denied
+ value:
+ errorCode: E0000006
+ errorSummary: You do not have permission to perform the requested action
+ errorLink: E0000006
+ errorId: sampleNUSD_8fdkFd8fs8SDBK
+ errorCauses: []
+ ErrorAgentTimeOut:
+ value:
+ errorCode: E0000237
+ errorSummary: Timed out waiting for agent.
+ errorLink: E0000237
+ errorId: sampleMlLvGUj_YD5v16vkYWY
+ errorCauses: []
+ ErrorApiValidationFailed:
+ summary: API Validation Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: {0}'
+ errorLink: E0000001
+ errorId: sampleiCF-8D5rLW6myqiPItW
+ errorCauses: []
+ ErrorAppFeatureAPIValidationFailed:
+ summary: API Validation Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: feature'
+ errorLink: E0000001
+ errorId: oaeZLxeiHUUQomPkM8xOqvu1A
+ errorCauses:
+ - errorSummary: Provisioning is not enabled for the app instance.
+ ErrorAppUserForbiddenAction:
+ summary: Forbidden action
+ description: If the `PUSH_NEW_USERS` or `PUSH_PROFILE_UPDATES` feature is enabled and the request specifies a value for a profile-mapped (Universal Directory) attribute that doesn't match the mapped value, then a 403 error is returned.
+ value:
+ errorCode: E0000075
+ errorSummary: Cannot modify the firstName attribute because it has a field mapping and profile push is enabled.
+ errorLink: E0000075
+ errorId: sampleWXiR_K-WwaTKhlgBQ
+ errorCauses: []
+ ErrorAppUserUpdateBadRequest:
+ summary: Bad request
+ description: If you attempt to assign a username or password to an app with an incompatible authentication scheme, then a 400 error is returned.
+ value:
+ errorCode: E0000041
+ errorSummary: Credentials should not be set on this resource based on the scheme.
+ errorLink: E0000041
+ errorId: oaeUM77NBynQQu4C_qT5ngjGQ
+ errorCauses:
+ errorSummary: User level credentials should not be provided for this scheme.
+ ErrorCAPTCHALimitOfOne:
+ value:
+ errorCode: E0000165
+ errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org.
+ errorLink: E0000165
+ errorId: oaejrB1fWL1S7mc-2KcG-SOtw
+ errorCauses: []
+ ErrorCAPTCHAOrgWideSetting:
+ value:
+ errorCode: E0000149
+ errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed.
+ errorLink: E0000149
+ errorId: samplezsusshPdiTWiITwqBt8
+ errorCauses: []
+ ErrorCAPTCHAOrgWideSettingNull:
+ summary: captchaId is null, but enabledPages is defined
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: captchaId'
+ errorLink: E0000001
+ errorId: oae-hk3rssXQmOWDRsaFfxe8A
+ errorCauses:
+ errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.'
+ ErrorClientJsonWebKeyDuplicateKid:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: All keys in the 'jwks' must have a unique `kid`.
+ ErrorClientJsonWebKeyKidLengthTooShort:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: RSA key length in the 'jwks' is less than '2,048' bits for the given key.
+ ErrorClientJsonWebKeyNonUniqueKid:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Each key should have a unique kid when adding multiple keys. Use the Apps API to update the JWKS to add a kid for the existing key, or delete the existing key and re-add the key with a kid using the JWKS APIs.
+ ErrorClientJsonWebKeyTooManyKids:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one.
+ ErrorClientSecretNonAscii:
+ summary: Client secret allows only ASCII error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''''client_secret'''' must only contain printable ASCII: [x20-x7E]+'
+ ErrorClientSecretTooLong:
+ summary: Client secret too long error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''client_secret'' can''t be more than ''100'' characters long.'
+ ErrorClientSecretTooShort:
+ summary: Client secret too short error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''client_secret'' must be at least ''14'' characters long.'
+ ErrorClientSecretTooShortWithClientSecretJWT:
+ summary: Client secret is too short for JWT error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: 'client_secret: ''client_secret'' must be at least ''32'' characters long when ''token_endpoint_auth_method'' is ''client_secret_jwt''.'
+ ErrorClientSecretWithPrivateKeyJWT:
+ summary: Client secret can't be used for private key JWT error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: client_secret'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: '''client_secret'' can''t be used when ''token_endpoint_auth_method'' is ''private_key_jwt''.'
+ ErrorCreateBrandExists:
+ value:
+ errorCode: E0000202
+ errorSummary: Brand name already exists.
+ errorLink: E0000202
+ errorId: oaeKABuesTdRvCXeCTpSpXAcQ
+ errorCauses: []
+ ErrorCreateUserWithExpiredPasswordWithNullPassword:
+ value:
+ errorCode: E0000124
+ errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified.
+ errorLink: E0000124
+ errorId: oaeXxuZgXBySvqi1FvtkwoYCA
+ errorCauses:
+ - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified.
+ ErrorCreateUserWithExpiredPasswordWithoutActivation:
+ value:
+ errorCode: E0000125
+ errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true.
+ errorLink: E0000125
+ errorId: oaeDd77L9R-TJaD7j_rXsQ31w
+ errorCauses:
+ - errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true.
+ ErrorCreateUserWithTooManyManyGroupsResponse:
+ value:
+ errorCode: E0000093
+ errorSummary: Target count limit exceeded
+ errorLink: E0000093
+ errorId: oaePVSLIYnIQsC0B-ptBIllVA
+ errorCauses:
+ - errorSummary: The number of group targets is too large
+ ErrorDeactivateTheOnlyClientSecret:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: OAuth2ClientSecretMediated'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't deactivate the only active client secret.
+ ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Can't deactivate the only active JSON Web Key when the value for `token_endpoint_auth_method` is `private_key_jwt`.
+ ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: The `jwks` must contain at least one key with an algorithm matching the `request_object_signature_algorithm`.
+ ErrorDeleteActiveJsonWebKey:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: JsonWebKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't delete an active JSON Web key. Deactivate the key before deleting it.
+ ErrorDeleteActiveSecret:
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: OAuth2ClientSecretMediated'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You can't delete an active client secret. Deactivate the secret before deleting it.
+ ErrorDeleteBrandAssociatedWithDomain:
+ value:
+ errorCode: E0000201
+ errorSummary: A brand associated with a domain cannot be deleted
+ errorLink: E0000201
+ errorId: oaeAdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorDeleteDefaultBrand:
+ value:
+ errorCode: E0000200
+ errorSummary: A default brand cannot be deleted
+ errorLink: E0000200
+ errorId: oaeAdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorDeviceAssuranceInUse:
+ summary: Can't delete device assurance policy in use by authentication policies
+ value:
+ errorSummary: Device assurance is in use and cannot be deleted.
+ errorId: oaenwA1ra80S9W-pvbh4m6haA
+ errorCauses: []
+ ErrorDeviceCheckInUse:
+ summary: Can't delete device check in use by device assurance policies
+ value:
+ errorSummary: Device check is in use and can't be deleted.
+ errorId: oaenwA1ra80S9W-pvbh4m6haA
+ errorCauses: []
+ ErrorEmailCustomizationCannotClearDefault:
+ value:
+ errorCode: E0000185
+ errorSummary: The isDefault parameter of the default email template customization can't be set to false.
+ errorLink: E0000185
+ errorId: oaejrB1fWL1S7mc-2KcG-SOtw
+ errorCauses: []
+ ErrorEmailCustomizationCannotDeleteDefault:
+ value:
+ errorCode: E0000184
+ errorSummary: A default email template customization can't be deleted.
+ errorLink: E0000184
+ errorId: oaeAdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorEmailCustomizationDefaultAlreadyExists:
+ value:
+ errorCode: E0000182
+ errorSummary: A default email template customization already exists.
+ errorLink: E0000182
+ errorId: oaeXYwTiMvASsC3O4HCzjFaCA
+ errorCauses: []
+ ErrorEmailCustomizationLanguageAlreadyExists:
+ value:
+ errorCode: E0000183
+ errorSummary: An email template customization for that language already exists.
+ errorLink: E0000183
+ errorId: oaeUcGELffqRay0u1OPdnPypw
+ errorCauses: []
+ ErrorEmailDomainAlreadyExists:
+ value:
+ errorCode: E0000197
+ errorSummary: Email domain already exists.
+ errorLink: E0000197
+ errorId: oaeEdRqprFuTyKokyYPbURJkA
+ errorCauses: []
+ ErrorEmailDomainInUse:
+ value:
+ errorCode: E0000216
+ errorSummary: Email domain can't be deleted due to mail provider restrictions.
+ errorLink: E0000216
+ errorId: oaeEdRqprFuTyKokyYPbURJkB
+ errorCauses: []
+ ErrorEmailDomainInvalidStatus:
+ value:
+ errorCode: E0000217
+ errorSummary: Invalid status. Can't validate email domain with current status.
+ errorLink: E0000217
+ errorId: oaeEdRqprFuTyKokyYPbURJkD
+ errorCauses: []
+ ErrorEmailDomainNotVerified:
+ value:
+ errorCode: E0000218
+ errorSummary: Email domain couldn't be verified by mail provider.
+ errorLink: E0000218
+ errorId: oaeEdRqprFuTyKokyYPbURJkC
+ errorCauses: []
+ ErrorInternalServer:
+ summary: Internal Server Error
+ value:
+ errorCode: E0000009
+ errorSummary: Internal Server Error
+ errorLink: E0000000
+ errorId: sampleAlJ82XS2SDB_vaNIWgcA
+ errorCauses: []
+ ErrorInvalidEmailTemplateRecipients:
+ value:
+ errorCode: E0000189
+ errorSummary: This template does not support the recipients value.
+ errorLink: E0000189
+ errorId: oae8L1-UkcNTeGi5xVQ28_lww
+ errorCauses: []
+ ErrorInvalidLinkedObjectDef:
+ summary: Invalid linked objection definition
+ value:
+ errorCode: E0000127
+ errorSummary: Invalid linked objection definition. Linked object identifier is already in use.
+ errorLink: E0000127
+ errorId: oaeh5FICFF2RnqakoNofPadhw
+ errorCauses:
+ - errorSummary: Linked object identifier for primary is already in use.
+ reason: UNIQUE_CONSTRAINT
+ locationType: body
+ domain: linkedObjects
+ - errorSummary: Linked object identifier for associated is already in use.
+ reason: UNIQUE_CONSTRAINT
+ locationType: body
+ domain: linkedObjects
+ ErrorInvalidTokenProvided:
+ summary: Invalid Token Provided
+ value:
+ errorCode: E0000011
+ errorSummary: Invalid token provided
+ errorLink: E0000011
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses: []
+ ErrorKeyCredentialCloneDuplicateKey:
+ summary: Duplicate key credential error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: cloneKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Key already exists in the list of key credentials for the target app.
+ ErrorKeyCredentialInvalidValidity:
+ summary: Key credential invalid year error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: generateKey'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: Validity years out of range. It should be 2 - 10 years.
+ ErrorMaxNumberOfSecrets:
+ summary: Maximum client secrets reached error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: OAuth2ClientSecretMediated'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: You've reached the maximum number of client secrets per client.
+ ErrorMissingRequiredParameter:
+ summary: Missing Required Parameter
+ value:
+ errorCode: E0000028
+ errorSummary: The request is missing a required parameter.
+ errorLink: E0000028
+ errorId: sampleiCF-l7mr9XqM1NQ
+ errorCauses: []
+ ErrorNoConnectedAgents:
+ value:
+ errorCode: E0000236
+ errorSummary: There are no connected agents.
+ errorLink: E0000236
+ errorId: sampleMlLvGUj_YD5v16vkYWY
+ errorCauses: []
+ ErrorPinOrCredRequestsGenerationFailure:
+ summary: PIN or Cred Requests Generation Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: pinRequest|credRequests'
+ errorLink: E0000001
+ errorId: oaehk3rssXQmOWDRsaFfxe8A
+ errorCauses:
+ errorSummary: There was a problem generating the pinRequest|credRequests.
+ ErrorPinOrCredResponsesProcessingFailure:
+ summary: PIN or Cred Response Processing Failed
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: pinResponse|credResponses'
+ errorLink: E0000001
+ errorId: oaehk3rssXQmOWDRsaFfxe8B
+ errorCauses:
+ errorSummary: There was a problem generating the pinResponse|credResponses.
+ ErrorPublishCSRCertDoesNotMatchCSR:
+ summary: Mismatch certificate and CSR error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: certificate'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: The certificate doesn't match the CSR.
+ ErrorPublishCSRCertValidityLessThan90Days:
+ summary: Certificate valid for 90 days error
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: certificate'
+ errorLink: E0000001
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses:
+ - errorSummary: The certificate must be valid for more than 90 days.
+ ErrorPushProviderUsedByCustomAppAuthenticator:
+ value:
+ errorCode: E0000187
+ errorSummary: Cannot delete push provider because it is being used by a custom app authenticator.
+ errorLink: E0000187
+ errorId: oaenwA1ra80S9W-pvbh4m6haA
+ errorCauses: []
+ ErrorResourceNotFound:
+ summary: Resource Not Found
+ value:
+ errorCode: E0000007
+ errorSummary: 'Not found: {0}'
+ errorLink: E0000007
+ errorId: sampleMlLvGUj_YD5v16vkYWY
+ errorCauses: []
+ ErrorTooManyRequests:
+ summary: Too Many Requests
+ value:
+ errorCode: E0000047
+ errorSummary: API call exceeded rate limit due to too many requests.
+ errorLink: E0000047
+ errorId: sampleQPivGUj_ND5v78vbYWW
+ errorCauses: []
+ ExampleOAuth2Scope:
+ summary: Example scope
+ value:
+ id: scp5yu8kLOnDzo7lh0g4
+ name: car:drive
+ description: Drive car
+ system: false
+ default: false
+ displayName: Saml Jackson
+ consent: REQUIRED
+ optional: false
+ metadataPublish: NO_CLIENTS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ExampleOAuth2Scopes:
+ summary: All scopes
+ value:
+ - id: scp5yu8kLOnDzo7lh0g4
+ name: car:drive
+ description: Drive car
+ system: false
+ default: false
+ displayName: Saml Jackson
+ consent: REQUIRED
+ optional: false
+ metadataPublish: NO_CLIENTS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ExpirePwdResponse:
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: PASSWORD_EXPIRED
+ created: '2013-06-24T16:39:18.000Z'
+ activated: '2013-06-24T16:39:19.000Z'
+ statusChanged: '2013-06-24T16:39:19.000Z'
+ lastLogin: '2013-06-24T17:39:19.000Z'
+ lastUpdated: '2013-06-27T16:35:28.000Z'
+ passwordChanged: '2013-06-24T16:39:19.000Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_password
+ resetFactors:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_factors
+ expirePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/expire_password
+ forgotPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/forgot_password
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_recovery_question
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/deactivate
+ changePassword:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_password
+ ExpirePwdWithTempPwdResponse:
+ value:
+ tempPassword: F46gy7X4
+ ExpiredAuthorizationServerKey:
+ summary: Expired Authorization Server Key
+ value:
+ status: EXPIRED
+ alg: RS256
+ e: AQAB
+ 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ
+ kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ hints:
+ allow:
+ - GET
+ FacebookIdPResponse:
+ summary: Facebook Identity Provider
+ value:
+ id: 0oa62b57p7c8PaGpU0h7
+ type: FACEBOOK
+ name: Facebook
+ status: ACTIVE
+ created: '2016-03-24T23:18:27.000Z'
+ lastUpdated: '2016-03-24T23:18:27.000Z'
+ protocol:
+ type: OAUTH2
+ endpoints:
+ authorization:
+ url: https://www.facebook.com/dialog/oauth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://graph.facebook.com/v2.5/oauth/access_token
+ binding: HTTP-POST
+ scopes:
+ - public_profile
+ - email
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ FactorEmail:
+ value:
+ id: emfnf3gSScB8xXoXK0g3
+ factorType: email
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ profile:
+ email: changed@clouditude.net
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3
+ hints:
+ allow:
+ - GET
+ FactorPasscodeRequest:
+ value:
+ passCode: '123456'
+ FactorResponseSms:
+ value:
+ id: sms2gt8gzgEBPUWBIFHN
+ factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-06-27T20:27:26.000Z'
+ lastUpdated: '2014-06-27T20:27:26.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ForgotPwdRecoveryQuestionRequest:
+ value:
+ password:
+ value: uTVM,TPw55
+ recovery_question:
+ answer: Annie Oakley
+ ForgotPwdRecoveryQuestionResponse:
+ value:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
+ ForgotPwdResponse:
+ value:
+ resetPasswordUrl: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO
+ GenericOidcIdpResponse:
+ summary: Generic OpenID Connect Identity Provider
+ value:
+ id: 0oaulob4BFVa4zQvt0g3
+ type: OIDC
+ name: Example OpenID Connect IdP
+ status: ACTIVE
+ created: '2019-02-07T20:07:47.000Z'
+ lastUpdated: '2019-02-07T20:07:47.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://idp.example.com/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://idp.example.com/token
+ binding: HTTP-POST
+ userInfo:
+ url: https://idp.example.com/userinfo
+ binding: HTTP-REDIRECT
+ jwks:
+ url: https://idp.example.com/keys
+ binding: HTTP-REDIRECT
+ algorithms:
+ request:
+ signature:
+ algorithm: HS256
+ scope: REQUEST
+ scopes:
+ - openid
+ issuer:
+ url: https://idp.example.com
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ pkce_required: 'true'
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: false
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ GetApplicationsByGroupResponseEx:
+ summary: Retrieve apps assigned to a group
+ value:
+ - id: 0oa7vicdkRNrz59R80w6
+ name: workday
+ label: hrportal2
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:50.000Z'
+ created: '2021-05-17T23:10:49.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate
+ - id: 0oa7vicvor8YSr9Hc0w6
+ name: workday
+ label: hrportal1
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:22.000Z'
+ created: '2021-05-17T23:10:22.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate
+ - id: 0oabkvBLDEKCNXBGYUAS
+ name: template_swa
+ label: Sample Plugin App
+ status: ACTIVE
+ lastUpdated: '2013-09-11T17:58:54.000Z'
+ created: '2013-09-11T17:46:08.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ _links:
+ logo:
+ - href: https:/example.okta.com/img/logos/logo_1.png
+ name: medium
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate
+ GetApplicationsByKeyResponseEx:
+ summary: Retrieve apps using a key
+ value:
+ - id: 0oa1gjh63g214q0Hq0g4
+ name: testorgone_customsaml20app_1
+ label: Custom Saml 2.0 App
+ status: ACTIVE
+ lastUpdated: '2016-08-09T20:12:19.000Z'
+ created: '2016-08-09T20:12:19.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_customsaml20app_1_link: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${fn:substringBefore(source.login, "@")}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: https://{yourOktaDomain}
+ idpIssuer: https://www.okta.com/${org.externalKey}
+ audience: https://example.com/tenant/123
+ recipient: https://recipient.okta.com
+ destination: https://destination.okta.com
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ slo:
+ enabled: true
+ spIssuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ attributeStatements: []
+ _links:
+ logo:
+ - name: medium
+ href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ appLinks:
+ - name: testorgone_customsaml20app_1_link
+ href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4
+ type: text/html
+ help:
+ href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions
+ type: text/html
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata
+ type: application/xml
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-03-21T23:31:35.000Z'
+ lastUpdated: '2014-03-21T23:31:35.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-03-21T23:31:35.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ id: 0oabkvBLDEKCNXBGYUAS
+ name: template_swa
+ label: Sample Plugin App
+ status: ACTIVE
+ lastUpdated: '2013-09-11T17:58:54.000Z'
+ created: '2013-09-11T17:46:08.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ _links:
+ logo:
+ - href: https://example.okta.com/img/logos/logo_1.png
+ name: medium
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-06-10T15:16:01.000Z'
+ lastUpdated: '2014-06-10T15:17:38.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-06-10T15:16:01.000Z'
+ passwordChanged: '2014-06-10T15:17:38.000Z'
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ password: {}
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ GetApplicationsByNameResponseEx:
+ summary: Retrieve apps by name
+ value:
+ - id: 0oa7vicdkRNrz59R80w6
+ name: workday
+ label: hrportal2
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:50.000Z'
+ created: '2021-05-17T23:10:49.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate
+ - id: 0oa7vicvor8YSr9Hc0w6
+ name: workday
+ label: hrportal1
+ status: ACTIVE
+ lastUpdated: '2021-05-17T23:10:22.000Z'
+ created: '2021-05-17T23:10:22.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ signing:
+ kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg
+ settings:
+ app:
+ siteURL: https://acme.workday.com
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrlOverride: null
+ audienceOverride: null
+ recipientOverride: null
+ destinationOverride: null
+ attributeStatements: []
+ _links:
+ help:
+ href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc
+ type: text/html
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata
+ type: application/xml
+ appLinks:
+ - name: login
+ href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30
+ type: text/html
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups
+ logo:
+ - name: medium
+ href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6
+ type: image/png
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate
+ GetApplicationsByUserResponseEx:
+ summary: Retrieve apps assigned to a user
+ value:
+ - id: 0oa1gjh63g214q0Hq0g4
+ name: testorgone_customsaml20app_1
+ label: Custom Saml 2.0 App
+ status: ACTIVE
+ lastUpdated: '2016-08-09T20:12:19.000Z'
+ created: '2016-08-09T20:12:19.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_customsaml20app_1_link: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${fn:substringBefore(source.login, "@")}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: https://{yourOktaDomain}
+ idpIssuer: https://www.okta.com/${org.externalKey}
+ audience: https://example.com/tenant/123
+ recipient: https://recipient.okta.com
+ destination: https://destination.okta.com
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ slo:
+ enabled: true
+ spIssuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ attributeStatements: []
+ _links:
+ logo:
+ - name: medium
+ href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ appLinks:
+ - name: testorgone_customsaml20app_1_link
+ href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4
+ type: text/html
+ help:
+ href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions
+ type: text/html
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata
+ type: application/xml
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-03-21T23:31:35.000Z'
+ lastUpdated: '2014-03-21T23:31:35.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-03-21T23:31:35.000Z'
+ passwordChanged: null
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ id: 0oabkvBLDEKCNXBGYUAS
+ name: template_swa
+ label: Sample Plugin App
+ status: ACTIVE
+ lastUpdated: '2013-09-11T17:58:54.000Z'
+ created: '2013-09-11T17:46:08.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BROWSER_PLUGIN
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ buttonField: btn-login
+ passwordField: txtbox-password
+ usernameField: txtbox-username
+ url: https://example.com/login.html
+ _links:
+ logo:
+ - href: https://example.okta.com/img/logos/logo_1.png
+ name: medium
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate
+ _embedded:
+ user:
+ id: 00ucw2RPGIUNTDQOYPOF
+ externalId: null
+ created: '2014-06-10T15:16:01.000Z'
+ lastUpdated: '2014-06-10T15:17:38.000Z'
+ scope: USER
+ status: ACTIVE
+ statusChanged: '2014-06-10T15:16:01.000Z'
+ passwordChanged: '2014-06-10T15:17:38.000Z'
+ syncState: DISABLED
+ lastSync: null
+ credentials:
+ userName: user@example.com
+ password: {}
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF
+ GetApplicationsResponseEx:
+ summary: Retrieve an app
+ value:
+ id: 0oa1gjh63g214q0Hq0g4
+ name: testorgone_customsaml20app_1
+ label: Custom Saml 2.0 App
+ status: ACTIVE
+ lastUpdated: '2016-08-09T20:12:19.000Z'
+ created: '2016-08-09T20:12:19.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_customsaml20app_1_link: true
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${fn:substringBefore(source.login, "@")}
+ type: BUILT_IN
+ signing: {}
+ settings:
+ app: {}
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: https://{yourOktaDomain}
+ idpIssuer: https://www.okta.com/${org.externalKey}
+ audience: https://example.com/tenant/123
+ recipient: https://recipient.okta.com
+ destination: https://destination.okta.com
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ slo:
+ enabled: true
+ spIssuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ attributeStatements: []
+ inlineHooks:
+ - id: cal3ughy17pylLxQB357
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/cal3ughy17pylLxQB357
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ _links:
+ logo:
+ - name: medium
+ href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ appLinks:
+ - name: testorgone_customsaml20app_1_link
+ href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4
+ type: text/html
+ help:
+ href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions
+ type: text/html
+ users:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users
+ deactivate:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate
+ groups:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups
+ metadata:
+ href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata
+ type: application/xml
+ GetAssociatedLinkedObjectsResponse:
+ summary: Retrieve all associated Linked Object values response
+ value:
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u5zex6ztMbOZhF50h7
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1tsf0nQKavLDUh0g5
+ GetBrandResponse:
+ value:
+ id: bnd114iNkrcN6aR680g4
+ agreeToCustomPrivacyPolicy: false
+ removePoweredByOkta: false
+ customPrivacyPolicyUrl: null
+ name: Okta Default
+ isDefault: true
+ locale: en
+ emailDomainId: OeD114iNkrcN6aR680g4
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ hints:
+ allow:
+ - GET
+ emailDomain:
+ href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ GetEmailTemplateResponse:
+ value:
+ name: UserActivation
+ _embedded:
+ customizationCount: 0
+ settings:
+ recipients: ALL_USERS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ settings:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ defaultContent:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ hints:
+ allow:
+ - GET
+ customizations:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations
+ hints:
+ allow:
+ - GET
+ - POST
+ - DELETE
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ GetPrimaryLinkedObjectResponse:
+ summary: Retrieve primary Linked Object value response
+ value:
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ GetRealmAssignmentResponse:
+ value:
+ id: rul2jy7jLUlnO3ng00g4
+ status: ACTIVE
+ name: Realm Assignment 1
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy5hx0g4
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ priority: 0
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4
+ method: GET
+ GetRoleAssignmentGovernanceGrantResources:
+ value:
+ resources:
+ - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g114290ar1oCC5A0g5
+ label: test-group-1
+ - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5B0g5
+ label: test-group-2
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources?after=orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5A0g5
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources
+ GetRoleAssignmentGovernanceGrantResponse:
+ value:
+ type: ENTITLEMENT-BUNDLE
+ grantId: grai2556vZgWesWf10g4
+ bundleId: enbhz2pAwtts9UBes0g4
+ expirationDate: '2024-12-09 14:17:22.0'
+ _links:
+ resources:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4
+ GetSessionResponse:
+ value:
+ id: aps1qqonvr2SZv6o70h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: CREATED
+ importType: INCREMENTAL
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T16:15:44.000Z'
+ GetThemeResponse:
+ value:
+ id: thdul904tTZ6kWVhP0g3
+ logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png
+ favicon: https://{yourOktaDomain}/favicon.ico
+ backgroundImage: null
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ GetUseRoleGovernanceResponse:
+ value:
+ grants:
+ - type: CUSTOM
+ grantId: grai24zWTjnDazeOI0g4
+ _links:
+ resources:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai24zWTjnDazeOI0g4/resources
+ - type: ENTITLEMENT-BUNDLE
+ grantId: grai2556vZgWesWf10g4
+ bundleId: enbhz2pAwtts9UBes0g4
+ expirationDate: '2024-12-09 14:17:22.0'
+ _links:
+ resources:
+ href: https://{yourOktaDomain}//api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5"
+ GetUserLinkedObjectResponse:
+ summary: Retrieve user linked object value
+ value:
+ - _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ GetUserResponse:
+ summary: Retrieve a user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: New User Type
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ GetYubikeyOptTokenResponse:
+ summary: Get Yubikey OPT Token response
+ value:
+ id: ykkxdtCA1fKVxyu6R0g3
+ created: '2020-06-09T23:42:05.000Z'
+ activated: '2020-06-09T23:47:29.000Z'
+ lastVerified: '2020-06-09T23:47:29.000Z'
+ lastUpdated: '2020-06-09T23:47:29.000Z'
+ status: ACTIVE
+ profile:
+ serial: '000009508427'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3
+ hints:
+ allow:
+ - DELETE
+ GoogleIdPResponse:
+ summary: Google Identity Provider
+ value:
+ id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: ACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-24T23:21:49.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ GovernanceBundle:
+ summary: Governance Bundle
+ value:
+ id: 0bbfxqCAJWWGELFTYAAA
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ status: ACTIVE
+ orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA
+ _links:
+ self: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA
+ entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements
+ GovernanceBundleCreateRequestCustomRole:
+ summary: Create governance bundle with custom role
+ value:
+ name: Custom admin bundle
+ description: Custom bundle for administrative access
+ entitlements:
+ role: cr0WxyzJxGIr0ouum0g4
+ resourceSets:
+ - iamoJDFKaJxGIr0oamd9g
+ GovernanceBundleCreateRequestScopedStandardRole:
+ summary: Create governance bundle with scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ targets:
+ - 00guaxWZ0AOa5NFAj0g3
+ GovernanceBundleCreateRequestStandardRole:
+ summary: Create governance bundle with non-scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ GovernanceBundleUpdateRequestCustomRole:
+ summary: Update governance bundle with custom role
+ value:
+ name: Custom admin bundle
+ description: Custom bundle for administrative access
+ entitlements:
+ role: cr0WxyzJxGIr0ouum0g4
+ resourceSets:
+ - iamoJDFKaJxGIr0oamd9g
+ GovernanceBundleUpdateRequestScopedStandardRole:
+ summary: Update governance bundle with scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ targets:
+ - 00guaxWZ0AOa5NFAj0g3
+ GovernanceBundleUpdateRequestStandardRole:
+ summary: Update governance bundle with non-scoped standard role
+ value:
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ entitlements:
+ role: GROUP_MEMBERSHIP_ADMIN
+ GovernanceBundlesResponse:
+ summary: List of governance bundles
+ value:
+ bundles:
+ - id: 0bbfxqCAJWWGELFTYAAA
+ name: Group admin bundle
+ description: Group bundle for administrative access
+ status: ACTIVE
+ orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA
+ _links:
+ entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10
+ next:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12
+ GroupAssignmentExListResponse:
+ summary: Application Groups list with embedded metadata
+ value:
+ - id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ _embedded:
+ metadata:
+ credentials: {}
+ profile:
+ division:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ preferredLanguage:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ manager:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ securityQuestion:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ securityAnswer:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ timezone:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ organization:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ initialStatus:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ managerId:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ userType:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ locale:
+ source:
+ type: USER
+ value:
+ - id: 00uzojLwDGgUynjJS0g3
+ self:
+ href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3
+ lastUpdated: null
+ department:
+ source:
+ type: MAPPING
+ value:
+ - id: null
+ lastUpdated: null
+ GroupAssignmentExResponse:
+ summary: Application Group response
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-02T13:17:57.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Donald Glover
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Ronaldinho
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: wazobia
+ userType: null
+ department: marketing
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ GroupAssignmentPatchRequestExample:
+ summary: Update app group request
+ value:
+ - op: replace
+ path: /profile/manager
+ value: Carlo Ancelotti
+ GroupAssignmentPatchResponseExample:
+ summary: Update Application Group response
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-03T13:42:20.000Z'
+ profile:
+ preferredLanguage: English
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Jay Jay Okocha
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: null
+ userType: null
+ department: Accounting
+ manager: Carlo Ancelotti
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ GroupAssignmentPutRequestExample:
+ summary: Assign Application Group request
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ profile:
+ preferredLanguage: English
+ manager: Arsene Wenger
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Jay Jay Okocha
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: null
+ userType: null
+ department: Accounting
+ GroupAssignmentPutResponseExample:
+ summary: Assign Application Group response
+ value:
+ id: 00g15acRUy0SYb9GT0g4
+ priority: 0
+ lastUpdated: '2024-06-03T13:52:07.000Z'
+ profile:
+ preferredLanguage: English
+ manager: Arsene Wenger
+ securityQuestion: Who is the footballer to have played the game
+ securityAnswer: Jay Jay Okocha
+ timezone: Canada/Eastern
+ initialStatus: active_with_pass
+ managerId: ike.ogb@gmail.com
+ locale: en_US
+ division: top
+ organization: null
+ userType: null
+ department: Accounting
+ _links:
+ app:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4
+ self:
+ href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4
+ group:
+ href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4
+ GroupSchemaAddRequest:
+ value:
+ definitions:
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ groupContact:
+ title: Group administrative contact
+ description: Group administrative contact
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required: []
+ GroupSchemaResponse:
+ value:
+ $schema: http://json-schema.org/draft-04/schema#
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default
+ method: GET
+ rel: self
+ created: '2021-01-30T00:18:24.000Z'
+ definitions:
+ base:
+ id: '#base'
+ properties: {}
+ required:
+ - name
+ type: object
+ custom:
+ id: '#custom'
+ properties:
+ groupContact:
+ description: Group administrative contact
+ master:
+ type: PROFILE_MASTER
+ mutability: READ_WRITE
+ permissions:
+ - action: READ_WRITE
+ principal: SELF
+ scope: NONE
+ title: Group administrative contact
+ type: string
+ required: []
+ type: object
+ description: Okta group profile template
+ id: https://{yourOktaDomain}/meta/schemas/group/default
+ lastUpdated: '2021-02-25T23:05:31.000Z'
+ name: group
+ properties:
+ profile:
+ allOf:
+ - $ref: '#/definitions/custom'
+ - $ref: '#/definitions/base'
+ title: Okta group
+ type: object
+ IAMStandardRoleResponseClient:
+ value:
+ id: irb4jlodtdN4yJ88b0g7
+ role: ACCESS_REQUESTS_ADMIN
+ label: Access Requests Administrator
+ type: ACCESS_REQUESTS_ADMIN
+ status: ACTIVE
+ created: '2023-07-06T21:52:48.000Z'
+ lastUpdated: '2023-07-06T21:52:48.000Z'
+ assignmentType: CLIENT
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/client/0oa5vymVNCe2cPEeZ0g4
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7
+ IAMStandardRoleResponseUser:
+ value:
+ id: irb1q92TFAHzySt3x0g4
+ role: ACCESS_REQUESTS_ADMIN
+ label: Access Requests administrator
+ type: ACCESS_REQUESTS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb1q92TFAHzySt3x0g4
+ IAMStandardRolesListResponse:
+ value:
+ - id: IFIFAX2BIRGUSTQ
+ label: Application administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ - id: irb5e92YgBazyyQ3x1q5
+ role: ACCESS_CERTIFICATIONS_ADMIN
+ label: Access Certifications administrator
+ type: ACCESS_CERTIFICATIONS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions
+ IAMStandardRolesListResponseClient:
+ value:
+ - id: irb5e92YgBazyyQ3x1q5
+ role: ACCESS_CERTIFICATIONS_ADMIN
+ label: Access Certifications Administrator
+ type: ACCESS_CERTIFICATIONS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: CLIENT
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/clients/0oa4ee9vgbIuqTUvd0g7
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissionsZ
+ IAMStandardRolesListResponseGroup:
+ value:
+ - id: irb5e92YgBazyyQ3x1q5
+ role: ACCESS_CERTIFICATIONS_ADMIN
+ label: Access Certifications Administrator
+ type: ACCESS_CERTIFICATIONS_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: Group
+ resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions
+ IdPAppUserResponse:
+ summary: IdP User
+ value:
+ id: 00u5t60iloOHN9pBi0h7
+ externalId: externalId
+ created: '2017-12-19T17:30:16.000Z'
+ lastUpdated: '2017-12-19T17:30:16.000Z'
+ profile:
+ profileUrl: null
+ firstName: null
+ lastName: null
+ honorificSuffix: null
+ displayName: null
+ honorificPrefix: null
+ middleName: null
+ email: null
+ _links:
+ idp:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7/users/00u5t60iloOHN9pBi0h7
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ IdPKeyCredentialRequest:
+ summary: Identity Provider Key Credential
+ value:
+ e: '65537'
+ 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ IdPKeyCredentialResponse:
+ summary: Identity Provider Key Credential
+ value:
+ kid: your-key-id
+ created: '2016-01-03T18:15:47.000Z'
+ lastUpdated: '2016-01-03T18:15:47.000Z'
+ e: '65537'
+ 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ kty: RSA
+ use: sig
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ IdPSigningKeyCredentialResponse:
+ summary: Identity Provider Signing Key Credential
+ value:
+ created: '2015-12-10T18:56:23.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ kid: akm5hvbbevE341ovl0h7
+ kty: RSA
+ use: sig
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ InlineHookMgmtCreateHTTPRequest:
+ summary: Create an inline hook with HTTP authentication
+ value:
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers:
+ - key: x-any-key
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ InlineHookMgmtCreateHTTPResponse:
+ summary: Inline hook with HTTP authentication response
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ InlineHookMgmtCreateOAuthClientSecretRequest:
+ summary: Create an inline hook with OAuth 2.0 Client Secret
+ value:
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ authType: client_secret_post
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ clientSecret: b-iATvTu7sIocvhWx95S9kF.....vfZhM6q6khSaojLBejF21cUn5bPm9abi
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ tokenUrl: https://example.okta.com/oauth2/default/v1/token
+ InlineHookMgmtCreateOAuthClientSecretResponse:
+ summary: Inline hook with OAuth 2.0 Client Secret response
+ value:
+ id: calj4fythrqj5Bxol5e5
+ status: ACTIVE
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.user.pre-registration
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/registrationHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: client_secret_post
+ scope: null
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtCreateOAuthPrivateKeyRequest:
+ summary: Create an inline hook with OAuth 2.0 Private Key
+ value:
+ name: Token hook with OAuth 2.0 Private Key authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ authType: private_key_jwt
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ hookKeyId: HKYj4ft1a3fjmwZg05e6
+ uri: https://example.com/tokenHook
+ headers:
+ - key: x-any-key
+ value: my-header-value
+ method: POST
+ tokenUrl: https://example.okta.com/oauth2/default/v1/token
+ InlineHookMgmtCreateOAuthPrivateKeyResponse:
+ summary: Inline hook with OAuth 2.0 Private Key response
+ value:
+ id: calj4fythrqj5Bxol4ai6
+ status: ACTIVE
+ name: Token Hook with OAuth 2.0 Private Key JWT
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5d7
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: private_key_jwt
+ scope: null
+ hookKeyId: HKYj4ft1a3fjmwZg05d6
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtHTTPexample:
+ summary: An inline hook with HTTP authentication
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ InlineHookMgmtHTTPexampleDeactivate:
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: INACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ InlineHookMgmtOAuthCSPexample:
+ summary: An inline hook example with OAuth 2.0 Client Secret Post
+ value:
+ id: calj4fythrqj5Bxol5e5
+ status: ACTIVE
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.user.pre-registration
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/registrationHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: client_secret_post
+ scope: null
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtOauthPKJexample:
+ summary: An inline hook example with OAuth 2.0 Private Key JWT
+ value:
+ id: calj4fythrqj5Bxol4ai6
+ status: ACTIVE
+ name: Token Hook with OAuth 2.0 Private Key JWT
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5d7
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: private_key_jwt
+ scope: null
+ hookKeyId: HKYj4ft1a3fjmwZg05d6
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InlineHookMgmtPutHTTPRequest:
+ summary: Update an inline hook name
+ value:
+ name: New name token hook with HTTP authentication
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers:
+ - key: x-any-key
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ InlineHookMgmtPutResponse:
+ value:
+ id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: New name token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ description: Inline hook response with a new name
+ InlineHookTelephony:
+ value:
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://your-external-webservice/sendOtp
+ headers: []
+ method: POST
+ authScheme:
+ type: HEADER
+ key: x-telephony-key
+ created: '2024-03-28T17:30:25.000Z'
+ id: caldpyulr3nbET2du1d7
+ lastUpdated: '2024-05-07T16:35:18.000Z'
+ name: testTelephonyHook
+ status: ACTIVE
+ type: com.okta.telephony.provider
+ version: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7
+ execute:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/execute
+ hints:
+ allow":
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/lifecycle/deactivate
+ hints:
+ allow":
+ - POST
+ InlineHooktMgmtListAllexample:
+ summary: List all inline hooks response
+ value:
+ - id: calb7gacafgwgE7hc5e4
+ status: ACTIVE
+ name: Token hook with HTTP authentication
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme:
+ type: header
+ key: authorization
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ activate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ delete:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4
+ hints:
+ allow:
+ - DELETE
+ - id: calj4fythrqj5Bxol5e5
+ status: ACTIVE
+ name: Registration hook with OAuth 2.0 Client Secret Post
+ type: com.okta.user.pre-registration
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/registrationHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5e6
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: client_secret_post
+ scope: null
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ - id: calj4fythrqj5Bxol4ai6
+ status: ACTIVE
+ name: Token Hook with OAuth 2.0 Private Key JWT
+ type: com.okta.oauth2.tokens.transform
+ version: 1.0.0
+ channel:
+ type: OAUTH
+ version: 1.0.0
+ config:
+ uri: https://example.com/tokenHook
+ headers: []
+ method: POST
+ authScheme: null
+ clientId: 0oaj43vkrq7wKxZSI5d7
+ tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token"
+ authType: private_key_jwt
+ scope: null
+ hookKeyId: HKYj4ft1a3fjmwZg05d6
+ created: '2024-08-22T21:01:09.000Z'
+ lastUpdated: '2024-09-05T16:06:09.000Z'
+ _links:
+ self:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6
+ execute:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ InvalidRotateUse:
+ summary: Invalid Use
+ value:
+ errorCode: E0000001
+ errorSummary: 'Api validation failed: rotateKeys'
+ errorLink: E0000001
+ errorId: oaeprak9qKHRlaWiclJ4oPJRQ
+ errorCauses:
+ - errorSummary: Invalid value specified for key 'use' parameter
+ KeyCredentialExample:
+ summary: Key Credential example
+ value:
+ created: '2015-12-10T18:56:23.000Z'
+ lastUpdated: '2024-08-13T18:26:57.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ x5c:
+ - 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
+ e: AQAB
+ 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ kty: RSA
+ use: sig
+ x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps
+ LinkIdPAppUserResponse:
+ summary: Linked IdP User
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ externalId: '121749775026145'
+ created: '2017-03-30T02:19:51.000Z'
+ lastUpdated: '2017-03-30T02:19:51.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7/users/00ub0oNGTSWTBKOLGLNR
+ hints:
+ allow:
+ - GET
+ - DELETE
+ idp:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ ListAllKeyCredentialsExample:
+ summary: List all Key Credentials example
+ value:
+ - created: '2015-12-10T18:56:23.000Z'
+ lastUpdated: '2024-08-13T18:26:57.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ x5c:
+ - 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
+ e: AQAB
+ 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ kty: RSA
+ use: sig
+ x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps
+ - created: '2015-12-10T18:55:35.000Z'
+ lastUpdated: '2024-08-13T18:26:57.000Z'
+ expiresAt: '2045-01-23T02:15:23.000Z'
+ x5c:
+ - 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
+ e: AQAB
+ 'n': htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw
+ kid: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo
+ kty: RSA
+ use: sig
+ x5t#S256": 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ
+ ListAllKeysResponse:
+ summary: List All Keys response example
+ value:
+ - id: HKY1i2htmXF5UNQhL0g4
+ keyId: bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb
+ name: My new key
+ created: '2022-08-22T16:34:33.000Z'
+ lastUpdated: '2022-08-22T16:34:33.000Z'
+ isUsed: 'true'
+ - id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: Test key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:09:58.000Z'
+ isUsed: 'false'
+ ListAppGrantsEx:
+ summary: List all app Grants example
+ value:
+ - id: oag91n9ruw3dsaXzP0h6
+ status: ACTIVE
+ created: '2023-02-21T16:54:00.000Z'
+ createdBy:
+ id: 00u6eltha0nrSc47i0h7
+ type: User
+ lastUpdated: '2023-02-21T16:54:00.000Z'
+ issuer: '{yourOktaDomain}'
+ clientId: '{clientId}'
+ scopeId: okta.users.read
+ source: ADMIN
+ _embedded:
+ scope:
+ id: okta.users.read
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: Application name
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: Client name
+ - id: oaghm3sh9ukdkvDmO0h6
+ status: ACTIVE
+ created: '2023-02-03T21:57:49.000Z'
+ createdBy:
+ id: 00u6eltha0nrSc47i0h7
+ type: User
+ lastUpdated: '2023-02-03T21:57:49.000Z'
+ issuer: '{yourOktaDomain}'
+ clientId: '{clientId}'
+ scopeId: okta.apps.manage
+ source: ADMIN
+ _embedded:
+ scope:
+ id: okta.apps.manage
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: Application name
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oaghm3sh9ukdkvDmO0h6
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: Client name
+ ListAppLinks:
+ value:
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Google Apps Mail
+ linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/50
+ logoUrl: https://{yourOktaDomain}/img/logos/google-mail.png
+ appName: google
+ appInstanceId: 0oa3omz2i9XRNSRIHBZO
+ appAssignmentId: 0ua3omz7weMMMQJERBKY
+ credentialsSetup: false
+ hidden: false
+ sortOrder: 0
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Google Apps Calendar
+ linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/54
+ logoUrl: https://{yourOktaDomain}/img/logos/google-calendar.png
+ appName: google
+ appInstanceId: 0oa3omz2i9XRNSRIHBZO
+ appAssignmentId: 0ua3omz7weMMMQJERBKY
+ credentialsSetup: false
+ hidden: false
+ sortOrder: 1
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Box
+ linkUrl: https://{yourOktaDomain}/home/boxnet/0oa3ompioiQCSTOYXVBK/72
+ logoUrl: https://{yourOktaDomain}/img/logos/box.png
+ appName: boxnet
+ appInstanceId: 0oa3ompioiQCSTOYXVBK
+ appAssignmentId: 0ua3omx46lYEZLPPRWBO
+ credentialsSetup: false
+ hidden: false
+ sortOrder: 3
+ - id: 00ub0oNGTSWTBKOLGLNR
+ label: Salesforce.com
+ linkUrl: https://{yourOktaDomain}/home/salesforce/0oa12ecnxtBQMKOXJSMF/46
+ logoUrl: https://{yourOktaDomain}/img/logos/salesforce_logo.png
+ appName: salesforce
+ appInstanceId: 0oa12ecnxtBQMKOXJSMF
+ appAssignmentId: 0ua173qgj5VAVOBQMCVB
+ credentialsSetup: true
+ hidden: false
+ sortOrder: 2
+ ListAssocAuthServerResponse:
+ summary: List associated Authorization Servers
+ value:
+ - id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: CUSTOM_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: DYNAMIC
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - DELETE
+ ListAuthServersResponse:
+ summary: List all custom authorization servers in your org
+ value:
+ - id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ _links:
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
+ hints:
+ allow:
+ - GET
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
+ hints:
+ allow:
+ - GET
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ListAuthorizationServerKeys:
+ summary: All Credential Keys
+ value:
+ - status: ACTIVE
+ alg: RS256
+ e: AQAB
+ 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ
+ kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc
+ hints:
+ allow:
+ - GET
+ - status: NEXT
+ alg: RS256
+ e: AQAB
+ 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ
+ kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ hints:
+ allow:
+ - GET
+ - status: EXPIRED
+ alg: RS256
+ e: AQAB
+ 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ
+ kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU
+ hints:
+ allow:
+ - GET
+ ListAuthorizationServerPolicies:
+ summary: List Authorization Server Policies
+ value:
+ - type: OAUTH_AUTHORIZATION_POLICY
+ id: 00palyaappA22DPkj0h7
+ status: ACTIVE
+ name: Vendor2 Policy
+ description: Vendor2 policy description
+ priority: 1
+ system: false
+ conditions:
+ clients:
+ include:
+ - ALL_CLIENTS
+ created: '2017-05-26T19:43:53.000Z'
+ lastUpdated: '2017-06-07T15:28:17.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ rules:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules
+ hints:
+ allow:
+ - GET
+ ListAuthorizationServerPolicyRules:
+ summary: List Authorization Server Policy Rules
+ value:
+ - type: RESOURCE_ACCESS
+ id: 0prbsjfyl01zfSZ9K0h7
+ status: ACTIVE
+ name: Default Policy Rule
+ priority: 1
+ created: '2017-08-25T16:57:02.000Z'
+ lastUpdated: '2017-08-30T14:51:05.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include:
+ - EVERYONE
+ exclude: []
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ListBrandsResponse:
+ value:
+ - id: bnd114iNkrcN6aR680g4
+ name: Okta Default
+ isDefault: true
+ agreeToCustomPrivacyPolicy: false
+ removePoweredByOkta: false
+ customPrivacyPolicyUrl: null
+ locale: en
+ emailDomainId: OeD114iNkrcN6aR680g4
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ hints:
+ allow:
+ - GET
+ emailDomain:
+ href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ ListClientsResponse:
+ summary: List all Client resources for which an authorization server has tokens
+ value:
+ - client_id: '{clientId}'
+ client_name: My Web App
+ client_uri: null,
+ logo_uri: null,
+ _links:
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: My Web App
+ tokens:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens
+ hints:
+ allow:
+ - GET
+ - DELETE
+ ListCustomTokenClaimsResponse:
+ summary: List all custom token Claims for an authorization server
+ value:
+ - id: '{claimId}'
+ name: sub
+ status: ACTIVE
+ claimType: RESOURCE
+ valueType: EXPRESSION
+ value: '(appuser != null) ? appuser.userName : app.clientId'
+ conditions:
+ scopes:
+ - profile
+ system: true
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ListEmailCustomizationResponse:
+ value:
+ - language: en
+ isDefault: true
+ subject: Welcome to ${org.name}!
+ body:
Hello, ${user.profile.firstName}. Click here to activate your account.
+ id: oel11u6DqUiMbQkpl0g4
+ created: '2021-11-09T20:38:10.000Z'
+ lastUpdated: '2021-11-11T20:38:10.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ preview:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ ListEmailTemplateResponse:
+ value:
+ - name: UserActivation
+ _embedded:
+ customizationCount: 0
+ settings:
+ recipients: ALL_USERS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ settings:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ hints:
+ allow:
+ - GET
+ - PUT
+ defaultContent:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ hints:
+ allow:
+ - GET
+ customizations:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations
+ hints:
+ allow:
+ - GET
+ - POST
+ - DELETE
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ ListFactorsResults:
+ summary: All of the enrolled Factors for the specified User
+ value:
+ - id: ufs2bysphxKODSZKWVCT
+ factorType: question
+ provider: OKTA
+ vendorName: OKTA
+ status: ACTIVE
+ created: '2014-04-15T18:10:06.000Z'
+ lastUpdated: '2014-04-15T18:10:06.000Z'
+ profile:
+ question: favorite_art_piece
+ questionText: What is your favorite piece of art?
+ _links:
+ questions:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs2bysphxKODSZKWVCT
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ - id: ostf2gsyictRQDSGTDZE
+ factorType: token:software:totp
+ provider: OKTA
+ status: PENDING_ACTIVATION
+ created: '2014-06-27T20:27:33.000Z'
+ lastUpdated: '2014-06-27T20:27:33.000Z'
+ profile:
+ credentialId: dade.murphy@example.com
+ _links:
+ next:
+ name: activate
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ _embedded:
+ activation:
+ timeStep: 30
+ sharedSecret: HE64TMLL2IUZW2ZLB
+ encoding: base32
+ keyLength: 16
+ - id: sms2gt8gzgEBPUWBIFHN
+ factorType: sms
+ provider: OKTA
+ status: ACTIVE
+ created: '2014-06-27T20:27:26.000Z'
+ lastUpdated: '2014-06-27T20:27:26.000Z'
+ profile:
+ phoneNumber: +1-555-415-1337
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN
+ hints:
+ allow:
+ - GET
+ - DELETE
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL
+ hints:
+ allow:
+ - GET
+ ListFeatureDependenciesResponse:
+ summary: List all dependencies for a feature
+ value:
+ - id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: OPEN
+ value: EA
+ status: ENABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ ListFeatureDependentsResponse:
+ summary: List all feature dependents for the specified feature
+ value:
+ - id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: OPEN
+ value: EA
+ status: ENABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ ListFeaturesResponse:
+ summary: List all self-service features for your org
+ value:
+ - id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: CLOSED
+ value: BETA
+ status: DISABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ ListIdPUsersResponse:
+ summary: List of linked IdP Users
+ value:
+ - id: 00u5cl9lo7nMjHjPr0h7
+ externalId: '109912936038778'
+ created: '2015-11-03T19:10:11.000Z'
+ lastUpdated: '2015-11-03T19:11:49.000Z'
+ profile:
+ firstName: Carol
+ middleName: Lee
+ lastName: Johnson
+ email: carol_johnson@tfbnw.net
+ displayName: Carol Johnson
+ profile: https://www.facebook.com/app_scoped_user_id/109912936038778/
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7/users/00u5cl9lo7nMjHjPr0h7
+ hints:
+ allow:
+ - GET
+ - DELETE
+ idp:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00u5cl9lo7nMjHjPr0h7
+ ListLinkedObjects:
+ summary: List all Linked Object definitions
+ value:
+ - primary:
+ name: manager
+ title: manager
+ description: Manager link property
+ type: USER
+ associated:
+ name: subordinate
+ title: subordinate
+ description: Subordinate link property
+ type: USER
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager
+ ListLogs:
+ summary: List all system logs
+ value:
+ - actor:
+ id: 00uttidj01jqL21aM1d6
+ type: User
+ alternateId: john.doe@example.com
+ displayName: John Doe
+ detailEntry: null
+ client:
+ userAgent:
+ rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
+ os: Mac OS X
+ browser: CHROME
+ zone: null
+ device: Computer
+ id: null
+ ipAddress: 10.0.0.1
+ geographicalContext:
+ city: New York
+ state: New York
+ country: United States
+ postalCode: 10013
+ geolocation:
+ lat: 40.3157
+ lon: -74.01
+ device:
+ id: guofdhyjex1feOgbN1d9
+ name: Mac15,6
+ os_platform: OSX
+ os_version: 14.6.0
+ managed: false
+ registered: true
+ device_integrator: null
+ disk_encryption_type: ALL_INTERNAL_VOLUMES
+ screen_lock_type: BIOMETRIC
+ jailbreak: null
+ secure_hardware_present: true
+ authenticationContext:
+ authenticationProvider: null
+ credentialProvider: null
+ credentialType: null
+ issuer: null
+ interface: null
+ authenticationStep: 0
+ rootSessionId: idxBager62CSveUkTxvgRtonA
+ externalSessionId: idxBager62CSveUkTxvgRtonA
+ displayMessage: User login to Okta
+ eventType: user.session.start
+ outcome:
+ result: SUCCESS
+ reason: null
+ published: '2024-08-13T15:58:20.353Z'
+ securityContext:
+ asNumber: 394089
+ asOrg: ASN 0000
+ isp: google
+ domain: null
+ isProxy: false
+ severity: INFO
+ debugContext:
+ debugData:
+ requestId: ab609228fe84ce59cdcbfa690bcce016
+ requestUri: /idp/idx/authenticators/poll
+ url: /idp/idx/authenticators/poll
+ legacyEventType: core.user_auth.login_success
+ transaction:
+ type: WEB
+ id: ab609228fe84ce59cdcbfa690bgce016
+ detail: null
+ uuid: dc9fd3c0-598c-11ef-8478-2b7584bf8d5a
+ version: 0
+ request:
+ ipChain:
+ - ip: 10.0.0.1
+ geographicalContext:
+ city: New York
+ state: New York
+ country: United States
+ postalCode: 10013
+ geolocation:
+ lat: 40.3157
+ lon: -74.01
+ version: V4
+ source: null
+ target:
+ - id: pfdfdhyjf0HMbkP2e1d7
+ type: AuthenticatorEnrollment
+ alternateId: unknown
+ displayName: Okta Verify
+ detailEntry: null
+ - id: 0oatxlef9sQvvqInq5d6
+ type: AppInstance
+ alternateId: Okta Admin Console
+ displayName: Okta Admin Console
+ detailEntry: null
+ ListMappingsResponse:
+ summary: List all Profile Mappings response
+ value:
+ - id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ ListOfSecurityEventsProviderInstances:
+ summary: List of Security Events Providers
+ value:
+ - id: sse1qg25RpusjUP6m0g5
+ name: Security Events Provider with well-known URL
+ type: okta
+ status: ACTIVE
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - id: sse1qu4fUtsoD12iF0g5
+ name: Security Events Provider with an issuer and a JWKS URL
+ type: okta
+ status: ACTIVE
+ settings:
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ _links:
+ self:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ListPrivilegedAccounts:
+ summary: List Privileged Accounts with mixed account types
+ value:
+ - accountType: APP_ACCOUNT
+ description: This is for accessing AWS Prod-5
+ id: a747a818-a4c4-4446-8a87-704216495a08
+ name: AWS Prod-5 account
+ ownerGroupIds:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ - 00u11s48P9zGW8yqm0g5
+ status: NO_ISSUES
+ statusDetail: ROTATED
+ created: '2023-04-04T15:56:05.000Z'
+ lastUpdated: '2023-05-05T18:15:44.000Z'
+ details:
+ credentials:
+ username: testuser@example.com
+ oktaApplicationId: aln1aqcs055ZRoizW0g8
+ appInstanceName: AWS Prod-5
+ appGlobalName: AWS Account Federation
+ - accountType: OKTA_USER_ACCOUNT
+ description: Shared admin account for managing AD integrations
+ id: d1b65a78-21ed-429b-8ea3-eec96f2748d6
+ name: AD Integrations Admin
+ ownerGroupIds:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ - 00u11s48P9zGW8yqm0g5
+ status: INFO
+ statusDetail: ROTATING
+ created: '2023-04-04T15:56:05.000Z'
+ lastUpdated: '2023-05-05T18:15:44.000Z'
+ details:
+ credentials:
+ username: shr-ad-admin-01@example.com
+ email: shr-ad-admin-01@example.com
+ oktaUserId: 00u11s48P9zGW8yqm0g5
+ ListRealmAssignmentsResponse:
+ value:
+ - id: rul2jy7jLUlnO3ng00g4
+ status: ACTIVE
+ name: Realm Assignment 1
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy5hx0g4
+ expression:
+ value: user.profile.role ==\"Manager\"
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ priority: 0
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4
+ method: GET
+ - id: rul2jy7jLUlnO5ng00g4
+ status: ACTIVE
+ name: Catch-all
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: true
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy6hx0g4,
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf2g5
+ priority: 499
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4
+ method: GET
+ ListRealmAwareUsersResponse:
+ summary: List all users
+ value:
+ - id: 00u118oQYT4TBGuay0g4
+ status: ACTIVE
+ created: '2022-04-04T15:56:05.000Z'
+ activated: null
+ statusChanged: null
+ lastLogin: '2022-05-04T19:50:52.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ passwordChanged: '2022-04-04T16:00:22.000Z'
+ type:
+ id: oty1162QAr8hJjTaq0g4
+ profile:
+ firstName: Alice
+ lastName: Smith
+ mobilePhone: null
+ secondEmail: null
+ login: alice.smith@example.com
+ email: alice.smith@example.com
+ realmId: guo1afiNtSnZYILxO0g4
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
+ ListRealmsResponse:
+ value:
+ - id: guox9jQ16k9V8IFEL0g3
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ profile:
+ name: Car Co
+ realmType: PARTNER
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3
+ method: GET
+ ListRefreshTokensClientsResponse:
+ summary: List all refresh tokens for a Client
+ value:
+ - id: '{refreshTokenId}'
+ status: ACTIVE
+ created: '2023-09-21T19:59:56.000Z'
+ lastUpdated: '2023-09-21T20:00:38.000Z'
+ expiresAt: '2023-09-28T20:00:38.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ client_id: '{clientId}'
+ userId: '{userId}'
+ scopes:
+ - offline_access
+ - openid
+ _embedded:
+ scopes:
+ - id: '{scopeId}'
+ name: openid
+ displayName: openid
+ description: Signals that a request is an OpenID request
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ title: openid
+ - id: '{scopeID}'
+ name: offline_access
+ displayName: Keep you signed in to the app
+ description: This keeps you signed in to the app, even when you aren't using it.
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ itle: Keep you signed in to the app
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: My Web App
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ title: Authorization Server name
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: My Web App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
+ title: Joe User
+ ListRiskProviderResponse:
+ summary: List Risk Provider response example
+ value:
+ - id: 00rp12r4skkjkjgsn
+ action: log_only
+ name: Risk-Partner-X
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ created: '2021-01-05 22:18:30'
+ lastUpdated: '2021-01-05 22:18:30'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
+ hints:
+ allow:
+ - GET
+ - PUT
+ ListSessionsResponseForGetSessions:
+ value:
+ - id: aps1qqonvr2SZv6o70h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: CREATED
+ importType: INCREMENTAL
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T16:15:44.000Z'
+ - id: aps1quck606ngubVq0h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: TRIGGERED
+ importType: INCREMENTAL
+ created: '2022-04-04T16:56:05.000Z'
+ lastUpdated: '2022-05-05T17:15:44.000Z'
+ - id: aps1qzy2acb5jDlUc0h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: IN_PROGRESS
+ importType: INCREMENTAL
+ created: '2022-04-04T17:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ - id: aps1qqne8c1JHkMdF0h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: EXPIRED
+ importType: INCREMENTAL
+ created: '2022-04-04T18:56:05.000Z'
+ lastUpdated: '2022-05-05T19:15:44.000Z'
+ - id: aps1qqonvr2SZv6o70h8
+ identitySourceId: 0oa3l6l6WK6h0R0QW0g4
+ status: CLOSED
+ importType: INCREMENTAL
+ created: '2022-04-04T19:56:05.000Z'
+ lastUpdated: '2022-05-05T20:15:44.000Z'
+ ListThemesResponse:
+ value:
+ - id: thdul904tTZ6kWVhP0g3
+ logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png
+ favicon: https://{yourOktaDomain}/favicon.ico
+ backgroundImage: null
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ ListUISchemaResponse:
+ summary: Lists all UI Schemas response
+ value:
+ - id: uis4a7liocgcRgcxZ0g7
+ uiSchema:
+ type: Group
+ label: Sign in
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Email
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/countryCode'
+ label: Country code
+ options:
+ format: select
+ - type: Control
+ scope: '#/properties/bool2'
+ label: bool2
+ options:
+ format: checkbox
+ - type: Control
+ scope: '#/properties/date'
+ label: date
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/enum'
+ label: enum
+ options:
+ format: radio
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
+ _links:
+ self:
+ href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ - id: uis4abjqkkKXVPGAU0g7
+ uiSchema:
+ type: Group
+ label: Sign in 2
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Email
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/countryCode'
+ label: Country code
+ options:
+ format: select
+ - type: Control
+ scope: '#/properties/bool2'
+ label: bool2
+ options:
+ format: checkbox
+ - type: Control
+ scope: '#/properties/date'
+ label: date
+ - type: Control
+ scope: '#/properties/enum'
+ label: enum
+ options:
+ format: radio
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
+ _links:
+ self:
+ href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ListUserBlocksAnyDevicesResponse:
+ value:
+ - type: DEVICE_BASED
+ appliesTo: ANY_DEVICES
+ ListUserBlocksUnknownDevicesResponse:
+ value:
+ - type: DEVICE_BASED
+ appliesTo: UNKNOWN_DEVICES
+ ListUserClients:
+ value:
+ - client_id: 0oabskvc6442nkvQO0h7
+ client_name: My App
+ client_uri: null
+ logo_uri: null
+ _links:
+ grants:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants
+ tokens:
+ href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens
+ ListUserGroups:
+ value:
+ - id: 0gabcd1234
+ profile:
+ name: Cloud App Users
+ description: Users can access cloud apps
+ - id: 0gefgh5678
+ profile:
+ name: Internal App Users
+ description: Users can access internal apps
+ ListUsersResponse:
+ summary: List all users
+ value:
+ - id: 00u118oQYT4TBTemp0g4
+ status: ACTIVE
+ created: '2022-04-04T15:56:05.000Z'
+ activated: null
+ statusChanged: null
+ lastLogin: '2022-05-04T19:50:52.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ passwordChanged: '2022-04-04T16:00:22.000Z'
+ type:
+ id: oty1162QAr8hJjTaq0g4
+ profile:
+ firstName: Alice
+ lastName: Smith
+ mobilePhone: null
+ secondEmail: null
+ login: alice.smith@example.com
+ email: alice.smith@example.com
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
+ ListYubikeyOptTokensResponse:
+ summary: List Yubikey OPT Token response
+ value:
+ - id: ykkwcx13nrDq8g4oy0g3
+ created: '2020-01-14T21:53:09.000Z'
+ lastVerified: '2020-01-14T21:53:06.000Z'
+ lastUpdated: '2020-01-14T21:53:09.000Z'
+ status: UNASSIGNED
+ profile:
+ serial: '000003632071'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkwcx13nrDq8g4oy0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - id: ykkxdtCA1fKVxyu6R0g3
+ created: '2020-06-09T23:42:05.000Z'
+ activated: '2020-06-09T23:47:29.000Z'
+ lastVerified: '2020-06-09T23:47:29.000Z'
+ lastUpdated: '2020-06-09T23:47:29.000Z'
+ status: ACTIVE
+ profile:
+ serial: '000009508427'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3
+ hints:
+ allow:
+ - GET
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3
+ hints:
+ allow:
+ - DELETE
+ ListsAllUserTypes:
+ summary: Lists all user types
+ value:
+ - id: otyfnly5cQjJT9PnR0g4
+ displayName: New User Type
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ - id: otyz9fj2jMiRBC1ZT1d6
+ displayName: User
+ name: user
+ description: Okta user profile template with default permission settings
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: true
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ ListsOwnerOneResponse:
+ summary: Lists a response with one owner
+ value:
+ - id: 00g1gae1k0znUcLuU0h8
+ type: GROUP
+ resolved: true
+ originId: 'null'
+ originType: OKTA_DIRECTORY
+ displayName: Product & Engineering
+ lastUpdated: '2023-03-29 18:18:37.0'
+ ListsOwnersMultipleResponse:
+ summary: Lists a response with multiple owners
+ value:
+ - id: 00u1cmbqjkkmFXeqb0h8
+ type: USER
+ resolved: true
+ originId: 'null'
+ originType: OKTA_DIRECTORY
+ displayName: Mabel Mora
+ lastUpdated: '2023-03-29T18:30:58.000Z'
+ - id: 00u1cmc52x5B86cnZ0h8
+ type: USER
+ resolved: true
+ originId: 'null'
+ originType: OKTA_DIRECTORY
+ displayName: Cinda Canning
+ lastUpdated: '2023-03-29T18:30:55.000Z'
+ LogStreamActivateResponse:
+ summary: Activate Log Stream response
+ value:
+ id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ lastUpdated: '2023-03-24T21:22:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamDeactivateResponse:
+ summary: Deactivate Log Stream response
+ value:
+ id: 0oa7agphh5FT7H521d7
+ type: splunk_cloud_logstreaming
+ name: Splunk Cloud Example
+ lastUpdated: '2023-03-24T21:23:00.000Z'
+ created: '2023-03-24T21:15:13.000Z'
+ status: INACTIVE
+ settings:
+ edition: aws
+ host: okexample.splunkcloud.com
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7
+ method: GET
+ activate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate
+ method: POST
+ LogStreamGetAllResponse:
+ summary: Lists all Log Streams
+ value:
+ - id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ lastUpdated: '2023-03-24T21:02:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamPostRequest:
+ summary: Create an AWS EventBridge Log Stream
+ value:
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ settings:
+ eventSourceName: your-event-source-name
+ accountId: '123456789012'
+ region: us-east-2
+ LogStreamPostResponse:
+ summary: AWS EventBridge Log Stream response
+ value:
+ id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Example AWS EventBridge
+ lastUpdated: '2023-03-24T21:02:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamPutRequest:
+ summary: Replace AWS EventBridge name
+ value:
+ type: aws_eventbridge
+ name: Updated AWS EventBridge
+ settings:
+ eventSourceName: your-event-source-name
+ accountId: '123456789012'
+ region: us-east-2
+ LogStreamPutResponse:
+ summary: Replace AWS EventBridge name response
+ value:
+ id: 0oa1orqUGCIoCGNxf0g4
+ type: aws_eventbridge
+ name: Updated AWS EventBridge
+ lastUpdated: '2023-03-24T21:12:43.000Z'
+ created: '2023-03-24T21:02:43.000Z'
+ status: ACTIVE
+ settings:
+ accountId: '123456789012'
+ eventSourceName: your-event-source-name
+ region: us-east-2
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
+ method: GET
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
+ method: POST
+ LogStreamSchemaAws:
+ value:
+ $schema: https://json-schema.org/draft/2020-12/schema
+ $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge
+ title: AWS EventBridge
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to AWS EventBridge
+ type: object
+ properties:
+ accountId:
+ title: AWS Account ID
+ description: Your Amazon AWS Account ID.
+ type: string
+ writeOnce: true
+ pattern: ^\d{12}$
+ eventSourceName:
+ title: AWS Event Source Name
+ description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge.
+ type: string
+ writeOnce: true
+ pattern: ^[\.\-_A-Za-z0-9]{1,75}$
+ region:
+ title: AWS Region
+ description: The destination AWS region for your system log events.
+ type: string
+ writeOnce: true
+ oneOf:
+ - title: US East (Ohio)
+ const: us-east-2
+ - title: US East (N. Virginia)
+ const: us-east-1
+ - title: US West (N. California)
+ const: us-west-1
+ - title: US West (Oregon)
+ const: us-west-2
+ - title: Canada (Central)
+ const: ca-central-1
+ - title: Europe (Frankfurt)
+ const: eu-central-1
+ - title: Europe (Ireland)
+ const: eu-west-1
+ - title: Europe (London)
+ const: eu-west-2
+ - title: Europe (Paris)
+ const: eu-west-3
+ - title: Europe (Milan)
+ const: eu-south-1
+ - title: Europe (Stockholm)
+ const: eu-north-1
+ required:
+ - eventSourceName
+ - accountId
+ - region
+ errorMessage:
+ properties:
+ accountId: Account number must be 12 digits.
+ eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters.
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ LogStreamSchemaList:
+ value:
+ - $schema: https://json-schema.org/draft/2020-12/schema
+ $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge
+ title: AWS EventBridge
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to AWS EventBridge
+ type: object
+ properties:
+ accountId:
+ title: AWS Account ID
+ description: Your Amazon AWS Account ID.
+ type: string
+ writeOnce: true
+ pattern: ^\d{12}$
+ eventSourceName:
+ title: AWS Event Source Name
+ description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge.
+ type: string
+ writeOnce: true
+ pattern: ^[\.\-_A-Za-z0-9]{1,75}$
+ region:
+ title: AWS Region
+ description: The destination AWS region for your system log events.
+ type: string
+ writeOnce: true
+ oneOf:
+ - title: US East (Ohio)
+ const: us-east-2
+ - title: US East (N. Virginia)
+ const: us-east-1
+ - title: US West (N. California)
+ const: us-west-1
+ - title: US West (Oregon)
+ const: us-west-2
+ - title: Canada (Central)
+ const: ca-central-1
+ - title: Europe (Frankfurt)
+ const: eu-central-1
+ - title: Europe (Ireland)
+ const: eu-west-1
+ - title: Europe (London)
+ const: eu-west-2
+ - title: Europe (Paris)
+ const: eu-west-3
+ - title: Europe (Milan)
+ const: eu-south-1
+ - title: Europe (Stockholm)
+ const: eu-north-1
+ required:
+ - eventSourceName
+ - accountId
+ - region
+ errorMessage:
+ properties:
+ accountId: Account number must be 12 digits.
+ eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters.
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ - $schema: https://json-schema.org/draft/2020-12/schema
+ id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming
+ title: Splunk Cloud
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to Splunk Cloud
+ type: object
+ properties:
+ host:
+ title: Host
+ description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com'
+ type: string
+ writeOnce: false
+ pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$
+ token:
+ title: HEC Token
+ description: The token from your Splunk Cloud HTTP Event Collector (HEC).
+ type: string
+ writeOnce: false
+ pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
+ required:
+ - host
+ - token
+ errorMessage:
+ properties:
+ host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com'
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ LogStreamSchemaSplunk:
+ value:
+ $schema: https://json-schema.org/draft/2020-12/schema
+ id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming
+ title: Splunk Cloud
+ type: object
+ properties:
+ settings:
+ description: Configuration properties specific to Splunk Cloud
+ type: object
+ properties:
+ host:
+ title: Host
+ description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com'
+ type: string
+ writeOnce: false
+ pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$
+ token:
+ title: HEC Token
+ description: The token from your Splunk Cloud HTTP Event Collector (HEC).
+ type: string
+ writeOnce: false
+ pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
+ required:
+ - host
+ - token
+ errorMessage:
+ properties:
+ host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com'
+ name:
+ title: Name
+ description: A name for this log stream in Okta
+ type: string
+ writeOnce: false
+ pattern: ^.{1,100}$
+ required:
+ - name
+ - settings
+ errorMessage:
+ properties:
+ name: Name can't exceed 100 characters.
+ LogTargetChangeDetails:
+ summary: Example of the `changeDetails` property on the target
+ value:
+ from:
+ vpnLocationOptions: DISABLED
+ vpnSettingsZones:
+ include: null
+ exclude: null
+ to:
+ message: You must a use VPN to connect to this application
+ vpnLocationOptions: ZONE
+ vpnSettingsZones:
+ include:
+ - ALL_ZONES
+ exclude: null
+ MicrosoftIdPResponse:
+ summary: Microsoft Identity Provider
+ value:
+ id: 0oajmvdFawBih4gey0g3
+ type: MICROSOFT
+ name: Microsoft
+ status: ACTIVE
+ created: '2016-03-29T16:47:36.000Z'
+ lastUpdated: '2016-03-29T16:47:36.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/token
+ binding: HTTP-POST
+ scopes:
+ - openid
+ - email
+ - profile
+ - https://graph.microsoft.com/User.Read
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: |-
+ https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&
+ client_id={clientId}&response_type={responseType}&response_mode={responseMode}&
+ scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ MultipleIdPCsrsResponse:
+ summary: Identity Provider CSRs
+ value:
+ - id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ created: '2017-03-28T01:11:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ hints:
+ allow:
- GET
- DELETE
- user:
- href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890
+ publish:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ - id: '-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg'
+ created: '2017-03-28T01:21:10.000Z'
+ csr: 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
+ kty: RSA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg
hints:
allow:
- GET
- - name: Another API Token
- userId: 00uabcdefg1234567890
- tokenWindow: PT5M
- id: 00T1234567890abcdefg
- clientName: Okta API
- expiresAt: 2021-11-11T20:43:10.000Z
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ - DELETE
+ publish:
+ href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish
+ hints:
+ allow:
+ - POST
+ MultipleIdPKeyCredentialsResponse:
+ summary: Identity Provider Key Credentials
+ value:
+ - kid: your-key-id
+ created: '2016-01-03T18:15:47.000Z'
+ lastUpdated: '2016-01-03T18:15:47.000Z'
+ e: '65537'
+ 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ kty: RSA
+ use: sig
+ x5c:
+ - 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
+ x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ - kty: EC
+ created: '2020-04-24T20:51:20.000Z'
+ lastUpdated: '2020-04-24T20:51:20.000Z'
+ expiresAt: '2040-03-01T20:22:29.000Z'
+ alg: EC
+ x5c:
+ - MIICqDCCAgqgAwIBAgIJAOkmCa/S8dHiMAoGCCqGSM49BAMCMG0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdKYW5reUNvMR8wHQYDVQQDDBZUZXN0IElkZW50aXR5IFByb3ZpZGVyMB4XDTIwMDMwNjIwMjIyOVoXDTQwMDMwMTIwMjIyOVowbTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoMB0phbmt5Q28xHzAdBgNVBAMMFlRlc3QgSWRlbnRpdHkgUHJvdmlkZXIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABW/lGHl17mKDtCD4D7gcMYYOWgyWTGno8MTefDOABA8PddessTsbfrguF49Gli6lCzrZaAKhhvgINc3R6t/dYleAE3lY6LAocOoLe9xDkeggXNcSuP5fDc1x5R9GHTXl44vLoJOLSLsMbOXVMXIXoqbPDzTSYUy24aFdv4W4LZxW6ak6NQME4wHQYDVR0OBBYEFChTXNWvs4z1qjRVemPDD/hqlDQ4MB8GA1UdIwQYMBaAFChTXNWvs4z1qjRVemPDD/hqlDQ4MAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDgYsAMIGHAkIBuDhHMNLbBIsorbKtjxJzHJ2ItCSD2wAwqYv/6JBtA2ulKN5gRTSqdNCnqFsZ1/nYY7FFVXHEuQ2N3pPq7Ri8h84CQSgCq1UQyd0lFtb7+57JbiGb6LVaRqRm7vwx8zLRA+tVjIM1DlQ2Gbxkj3nlkzmM93j9wchiqGdQidyKnF6EBnfd
+ x: Vv5Rh5de5ig7Qg-A-4HDGGDloMlkxp6PDE3nwzgAQPD3XXrLE7G364LhePRpYupQs62WgCoYb4CDXN0erf3WJXg
+ 'y': ATeVjosChw6gt73EOR6CBc1xK4_l8NzXHlH0YdNeXji8ugk4tIuwxs5dUxcheips8PNNJhTLbhoV2_hbgtnFbpqT
+ crv: P-521
+ kid: your-kid
+ use: sig
+ x5t#S256: TUx-AIwypm2pZURHNqafk7ZDxqQP_ypzIyUwDDnPOlw
+ MultipleIdPSigningKeyCredentialsResponse:
+ summary: Identity Provider Signing Key Credentials
+ value:
+ - created: '2015-12-10T18:56:23.000Z'
+ expiresAt: '2017-12-10T18:56:22.000Z'
+ x5c:
+ - 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
+ kid: akm5hvbbevE341ovl0h7
+ kty: RSA
+ use: sig
+ x5t#S256: 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps
+ - created: '2015-12-10T18:55:35.000Z'
+ expiresAt: '2045-01-23T02:15:23.000Z'
+ x5c:
+ - 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
+ kid: akm5hvbn1vojA9Fsa0h7
+ kty: RSA
+ use: sig
+ x5t#S256: 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ
+ MultipleIdPsResponse:
+ summary: Multiple Identity Providers
+ value:
+ - id: 0oa62b57p7c8PaGpU0h7
+ type: FACEBOOK
+ name: Facebook
+ status: ACTIVE
+ created: '2016-03-24T23:18:27.000Z'
+ lastUpdated: '2016-03-24T23:18:27.000Z'
+ protocol:
+ type: OAUTH2
+ endpoints:
+ authorization:
+ url: https://www.facebook.com/dialog/oauth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://graph.facebook.com/v2.5/oauth/access_token
+ binding: HTTP-POST
+ scopes:
+ - public_profile
+ - email
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oa62bc8wppPw0UGr0h7
+ type: SAML2
+ name: Example SAML IdP
+ status: ACTIVE
+ created: '2016-03-24T23:14:54.000Z'
+ lastUpdated: '2016-03-24T23:14:54.000Z'
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com
+ binding: HTTP-POST
+ destination: https://idp.example.com
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ settings:
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: http://www.okta.com/123
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: saml.subjectNameId
+ filter: (\S+@example\.com)
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ metadata:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml
+ type: application/xml
+ hints:
+ allow:
+ - GET
+ acs:
+ href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7
+ type: application/xml
+ hints:
+ allow:
+ - POST
+ users:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users
+ hints:
+ allow:
+ - GET
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - id: 0oa62bfdiumsUndnZ0h7
+ type: GOOGLE
+ name: Google
+ status: ACTIVE
+ created: '2016-03-24T23:21:49.000Z'
+ lastUpdated: '2016-03-24T23:21:49.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://accounts.google.com/o/oauth2/auth
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.googleapis.com/oauth2/v3/token
+ binding: HTTP-POST
+ scopes:
+ - profile
+ - email
+ - openid
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oa62bfdjnK55Z5x80h7
+ type: LINKEDIN
+ name: LinkedIn
+ status: ACTIVE
+ created: '2016-03-24T23:23:59.000Z'
+ lastUpdated: '2016-03-24T23:23:59.000Z'
+ protocol:
+ type: OAUTH2
+ endpoints:
+ authorization:
+ url: https://www.linkedin.com/uas/oauth2/authorization
+ binding: HTTP-REDIRECT
+ token:
+ url: https://www.linkedin.com/uas/oauth2/accessToken
+ binding: HTTP-POST
+ scopes:
+ - r_basicprofile
+ - r_emailaddress
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oajmvdFawBih4gey0g3
+ type: MICROSOFT
+ name: Microsoft
+ status: ACTIVE
+ created: '2016-03-29T16:47:36.000Z'
+ lastUpdated: '2016-03-29T16:47:36.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://login.microsoftonline.com/common/oauth2/v2.0/token
+ binding: HTTP-POST
+ scopes:
+ - openid
+ - email
+ - profile
+ - https://graph.microsoft.com/User.Read
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.userPrincipalName
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oaulob4BFVa4zQvt0g3
+ type: OIDC
+ name: Example OpenID Connect IdP
+ status: ACTIVE
+ created: '2019-02-07T20:07:47.000Z'
+ lastUpdated: '2019-02-07T20:07:47.000Z'
+ protocol:
+ type: OIDC
+ endpoints:
+ authorization:
+ url: https://idp.example.com/authorize
+ binding: HTTP-REDIRECT
+ token:
+ url: https://idp.example.com/token
+ binding: HTTP-POST
+ userInfo:
+ url: https://idp.example.com/userinfo
+ binding: HTTP-REDIRECT
+ jwks:
+ url: https://idp.example.com/keys
+ binding: HTTP-REDIRECT
+ scopes:
+ - openid
+ issuer:
+ url: https://idp.example.com
+ credentials:
+ client:
+ client_id: your-client-id
+ client_secret: your-client-secret
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: false
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: idpuser.email
+ filter: null
+ matchType: USERNAME
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ authorize:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce}
+ templated: true
+ hints:
+ allow:
+ - GET
+ clientRedirectUri:
+ href: https://{yourOktaDomain}/oauth2/v1/authorize/callback
+ hints:
+ allow:
+ - POST
+ - id: 0oa6jxasyhwM2ZHJh0g4
+ type: X509
+ name: Smart Card IDP Name
+ status: ACTIVE
+ created: '2020-01-07T00:19:27.000Z'
+ lastUpdated: '2020-01-07T00:19:27.000Z'
+ properties:
+ additionalAmr:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ protocol:
+ type: MTLS
+ endpoints:
+ sso:
+ url: https://{yourOktaDomain}.okta.com/login/cert
+ credentials:
+ trust:
+ issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US
+ audience: null
+ kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc
+ revocation: CRL
+ revocationCacheLifetime: 2880
+ policy:
+ provisioning:
+ action: DISABLED
+ profileMaster: false
+ groups: null
+ subject:
+ userNameTemplate:
+ template: idpuser.subjectAltNameEmail
+ filter: null
+ matchType: EMAIL
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 0
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ users:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users
+ hints:
+ allow:
+ - GET
+ keys:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc
+ hints:
+ allow:
+ - GET
+ NextAuthorizationServerKey:
+ summary: Next Authorization Server Key
+ value:
+ status: NEXT
+ alg: RS256
+ e: AQAB
+ 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ
+ kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ kty: RSA
+ use: sig
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo
+ hints:
+ allow:
+ - GET
+ NzErrorApiValidationFailed:
+ summary: API Validation Failed
+ value:
+ errorCode: E0000003
+ errorSummary: The request body was not well-formed.
+ errorLink: E0000003
+ errorId: samplewNxQUR9iohr4QYlD0eg
+ errorCauses: []
+ NzErrorResourceNotFound:
+ summary: Resource Not Found
+ value:
+ errorCode: E0000007
+ errorSummary: 'Not found: Resource not found: itd (NetworkZone)'
+ errorLink: E0000007
+ errorId: samplejCSVaKFDkCMElmKQ
+ errorCauses: []
+ OAuth2RefreshTokenResponseEx:
+ summary: OAuth 2.0 refresh token example
+ value:
+ id: oar579Mcp7OUsNTlo0g3
+ status: ACTIVE
+ created: '2023-03-09T03:18:06.000Z'
+ lastUpdated: '2023-03-09T03:18:06.000Z'
+ expiresAt: '2023-03-16T03:18:06.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7
+ clientId: 0oabskvc6442nkvQO0h7
+ userId: 00u5t60iloOHN9pBi0h7
+ scopes:
+ - offline_access
+ - car:drive
+ _embedded:
+ scopes:
+ - id: scppb56cIl4GvGxy70g3
+ name: offline_access
+ description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3
+ title: offline_access
+ - id: scp142iq2J8IGRUCS0g4
+ name: car:drive
+ displayName: Drive car
+ description: Allows the user to drive a car
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4
+ title: Drive car
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7
+ title: Native
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7
+ title: Example Client App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3
+ title: Saml Jackson
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7
+ title: Example Authorization Server
+ OAuth2RefreshTokenResponseListEx:
+ summary: App refresh token list example
+ value:
+ - id: oar579Mcp7OUsNTlo0g3
+ status: ACTIVE
+ created: '2023-03-09T03:18:06.000Z'
+ lastUpdated: '2023-03-09T03:18:06.000Z'
+ expiresAt: '2023-03-16T03:18:06.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7
+ clientId: 0oabskvc6442nkvQO0h7
+ userId: 00u5t60iloOHN9pBi0h7
+ scopes:
+ - offline_access
+ - car:drive
+ _embedded:
+ scopes:
+ - id: scppb56cIl4GvGxy70g3
+ name: offline_access
+ description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3
+ title: offline_access
+ - id: scp142iq2J8IGRUCS0g4
+ name: car:drive
+ displayName: Drive car
+ description: Allows the user to drive a car
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4
+ title: Drive car
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7
+ title: Native
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7
+ title: Example Client App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3
+ title: Saml Jackson
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7
+ title: Example Authorization Server
+ OpenidConnectEx:
+ summary: OPENID_CONNECT
+ value:
+ name: oidc_client
+ label: Sample Client profile
+ signOnMode: OPENID_CONNECT
+ credentials:
+ oauthClient:
+ token_endpoint_auth_method: client_secret_post
+ profile:
+ label: oauth2 client app 1
+ settings:
+ oauthClient:
+ client_uri: http://localhost:8080
+ logo_uri: http://developer.okta.com/assets/images/logo-new.png
+ redirect_uris:
+ - https://example.com/oauth2/callback
+ - myapp://callback
+ response_types:
+ - token
+ - id_token
+ - code
+ grant_types:
+ - authorization_code
+ application_type: native
+ participate_slo: false
+ OpenidConnectPutEx:
+ summary: OPENID_CONNECT
+ value:
+ name: oidc_client
+ label: Sample Client profile updated
+ signOnMode: OPENID_CONNECT
+ OpenidConnectPutResponseEx:
+ summary: OPENID_CONNECT
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: true
+ web: true
+ appLinks:
+ oidc_client_link: true
+ name: oidc_client
+ label: Sample Client profile updated
+ features: []
+ signOnMode: OPENID_CONNECT
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc
+ oauthClient:
+ autoKeyRotation: true
+ client_id: 0oahonkqCRR6TSNlg4
+ client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5
+ token_endpoint_auth_method: client_secret_post
+ pkce_required: true
+ settings:
+ app: {}
+ oauthClient:
+ client_uri: http://localhost:8080
+ logo_uri: http://developer.okta.com/assets/images/logo-new.png
+ redirect_uris:
+ - https://example.com/oauth2/callback
+ - myapp://callback
+ response_types:
+ - token
+ - id_token
+ - code
+ grant_types:
+ - authorization_code
+ application_type: native
+ issuer_mode: DYNAMIC
+ idp_initiated_login:
+ mode: DISABLED
+ default_scope: []
+ wildcard_redirect: DISABLED
+ dpop_bound_access_tokens: false
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ OpenidConnectResponseEx:
+ summary: OPENID_CONNECT
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: true
+ web: true
+ appLinks:
+ oidc_client_link: true
+ name: oidc_client
+ label: Sample Client profile
+ features: []
+ signOnMode: OPENID_CONNECT
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc
+ oauthClient:
+ autoKeyRotation: true
+ client_id: 0oahonkqCRR6TSNlg4
+ client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5
+ token_endpoint_auth_method: client_secret_post
+ pkce_required: true
+ settings:
+ app: {}
+ oauthClient:
+ client_uri: http://localhost:8080
+ logo_uri: http://developer.okta.com/assets/images/logo-new.png
+ redirect_uris:
+ - https://example.com/oauth2/callback
+ - myapp://callback
+ response_types:
+ - token
+ - id_token
+ - code
+ grant_types:
+ - authorization_code
+ application_type: native
+ issuer_mode: DYNAMIC
+ idp_initiated_login:
+ mode: DISABLED
+ default_scope: []
+ wildcard_redirect: DISABLED
+ dpop_bound_access_tokens: false
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ profile:
+ label: oauth2 client app 1
+ OperationResponse:
+ value:
+ id: rre4mje4ez6B2a7B60g7
+ type: realm:assignment
+ status: COMPLETED
+ created: '2023-10-25T21:02:54.000Z'
+ started: '2023-10-25T21:02:54.000Z'
+ completed: '2023-10-25T21:02:54.000Z'
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ realmName: Realm Name
+ assignmentOperation:
+ configuration:
+ id: 0pr1b7rxZj2ibQzfP0g5
+ name: Realm Assignment 1
+ conditions:
+ profileSourceId: 0oa4enoRyjwSCy5hx0g4
+ expression:
+ value: string
+ actions:
+ assignUserToRealm:
+ realmId: 00g1b7rvh0xPLKXFf0g5
+ numUserMoved: 50
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7
+ method: GET
+ OptInStatusResponse:
+ summary: Opt in response
+ value:
+ optInStatus: OPTING_IN
+ _links:
+ optInStatus:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn
+ OptOutStatusResponse:
+ summary: Opt out response
+ value:
+ optInStatus: OPTING_OUT
+ _links:
+ optInStatus:
+ href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn
+ OrgCAPTCHASettingsConfigured:
+ summary: Org-wide Captcha Settings are configured
+ value:
+ captchaId: abcd4567
+ enabledPages:
+ - SSR
+ - SIGN_IN
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ OrgCAPTCHASettingsDisable:
+ summary: Disable Org-wide Captcha Settings
+ value:
+ captchaId: 'null'
+ enabledPages: 'null'
+ OrgCAPTCHASettingsDisabled:
+ summary: Disabled Org-wide Captcha Settings
+ value:
+ captchaId: 'null'
+ enabledPages: '[]'
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/
+ hints:
+ allow:
+ - GET
+ - PUT
+ OrgCAPTCHASettingsEmpty:
+ summary: Org-wide Captcha Settings aren't configured
+ value:
+ captchaId: null
+ enabledPages: []
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ OrgCAPTCHASettingsUpdate:
+ summary: Update Org-wide Captcha Settings
+ value:
+ captchaId: abcd4567
+ enabledPages:
+ - SSR
+ - SIGN_IN
+ OrgCAPTCHASettingsUpdated:
+ summary: Updated Org-wide Captcha Settings
+ value:
+ captchaId: abcd4567
+ enabledPages:
+ - SSR
+ - SIGN_IN
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ hints:
+ allow:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ OrgSettingResponse:
+ summary: Org setting response
+ value:
+ address1: 100 1st St
+ address2: 6th floor
+ city: San Fransico
+ companyName: okta
+ country: United States
+ endUserSupportHelpURL: support.okta.com
+ phoneNumber: '+18887227871'
+ postalCode: '94105'
+ state: California
+ supportPhoneNumber: '+18887227871'
+ website: www.okta.com
+ id: 00o3qqiw0vSCIwu8I0g7
+ created: '2024-01-24T14:15:22Z'
+ lastUpdated: '2024-07-21T14:15:22Z'
+ expiresAt: '2024-12-24T14:15:22Z'
+ status: ACTIVE
+ subdomain: okta
+ _links:
+ preferences:
+ href: https://{yourOktaDomain}/v1/org/preferences
+ uploadLogo:
+ href: https://{yourOktaDomain}/api/v1/org/logo
+ hints:
+ allow:
+ - POST
+ oktaCommunication:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication
+ logo: null
+ oktaSupport:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport
+ contacts:
+ href: https://vantest.oktapreview.com/api/v1/org/contacts
+ PasswordImportPayloadExample:
+ summary: An example password import inline hook request body
+ value:
+ eventId: 3o9jBzq1SmOGmmsDsqyyeQ
+ eventTime: '2020-01-17T21:23:56.000Z'
+ eventType: com.okta.user.credential.password.import
+ eventTypeVersion: '1.0'
+ contentType: application/json
+ cloudEventVersion: '0.1'
+ source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7
+ data:
+ context:
+ request:
+ id: XiIl6wn7005Rr@fjYqeC7CCDBxw
+ method: POST
+ url:
+ value: /idp/idx/challenge/answer
+ ipAddress: 66.124.153.138
+ credential:
+ username: isaac.brock@example.com
+ password: Okta
+ action:
+ credential: UNVERIFIED
+ PasswordImportUnVerifiedResponse:
+ summary: An example password hook response for an unverified user password
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ credential: UNVERIFIED
+ PasswordImportVerifiedResponse:
+ summary: An example password hook response for a verified user password
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ credential: VERIFIED
+ PerClientRateLimitSettingsEnforceDefault:
+ value:
+ defaultMode: ENFORCE
+ PerClientRateLimitSettingsEnforceDefaultWithOverrides:
+ value:
+ defaultMode: ENFORCE
+ useCaseModeOverrides:
+ OAUTH2_AUTHORIZE: PREVIEW
+ OIE_APP_INTENT: DISABLE
+ PerClientRateLimitSettingsPreviewDefaultWithOverrides:
+ value:
+ defaultMode: PREVIEW
+ useCaseModeOverrides:
+ LOGIN_PAGE: ENFORCE
+ PermissionResponse:
+ value:
+ label: okta.users.manage
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage
+ PermissionResponseWithConditions:
+ value:
+ label: okta.users.read
+ conditions:
+ include:
+ okta:ResourceAttribute/User/Profile:
+ - city
+ - state
+ - zipCode
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read
+ PermissionsResponse:
+ value:
+ permissions:
+ - label: okta.users.create
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create
+ - label: okta.users.read
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ conditions:
+ include:
+ okta:ResourceAttribute/User/Profile:
+ - city
+ - state
+ - zipCode
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read
+ - label: okta.groups.read
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read
+ - label: okta.users.userprofile.manage
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage
+ PreviewEmailCustomizationResponse:
+ value:
+ subject: Welcome to Okta!
+ body:
Hello, John. Click here to activate your account.
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview
+ hints:
+ allow:
+ - GET
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ test:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ hints:
+ allow:
+ - POST
+ PreviewEmailTemplateDefaultContentResponse:
+ value:
+ subject: Welcome to Okta!
+ body:
Hello, John. Click here to activate your account.
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview
+ hints:
+ allow:
+ - GET
+ template:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ hints:
+ allow:
+ - GET
+ defaultContent:
+ href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content
+ hints:
+ allow:
+ - POST
+ PrincipalRateLimitEntityRequestEmptyPercentages:
+ value:
+ principalId: token1234
+ principalType: SSWS_TOKEN
+ PrincipalRateLimitEntityRequestSSWSToken:
+ value:
+ principalId: token1234
+ principalType: SSWS_TOKEN
+ defaultPercentage: 50
+ defaultConcurrencyPercentage: 75
+ PrincipalRateLimitEntityResponseSSWSToken:
+ value:
+ id: abcd1234
+ orgId: org1234
+ principalId: token1234
+ principalType: SSWS_TOKEN
+ defaultPercentage: 50
+ defaultConcurrencyPercentage: 75
+ createdDate: '2022-05-19T20:05:32.720Z'
+ createdBy: user1234
+ lastUpdate: '2022-05-20T21:13:07.410Z'
+ lastUpdatedBy: user4321
+ PrivilegedResourceClaimAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg
- hints:
- allow:
- - GET
- - DELETE
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceClaimOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceCreateAppAccountRequest:
+ value:
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ containerId: 0oa103099SBEb3Z2b0g4
+ credentials:
+ userName: testuser@example.com
+ PrivilegedResourceCreateAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
+ _links:
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: INACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceCreateOktaAccountRequestConvert:
+ value:
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4
+ PrivilegedResourceCreateOktaAccountRequestNew:
+ value:
+ resourceType: OKTA_USER_ACCOUNT
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ PrivilegedResourceCreateOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: INACTIVE
+ credentialSyncInfo:
+ secretVersionId: ''
+ syncTime: ''
+ syncState: NOT_SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceRotatePasswordAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
+ _links:
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: ''
+ syncState: SYNCING
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourceRotatePasswordOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: username
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-11T11:11:01.000Z'
+ syncState: SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourcesAppAccountUpdateRequest:
+ value:
+ username: username
+ PrivilegedResourcesGetAppAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: APP_ACCOUNT
+ containerDetails:
+ appName: google,
+ containerId: 0oa103099SBEb3Z2b0g4,
+ displayName: Google App1,
+ globalAppId: 964b82aa-85b4-5645-b790-83312c473480,
+ passwordPushSupported: true,
+ provisioningEnabled: true,
+ _links:
+ login:
+ href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4,
+ logo:
+ href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png,
+ credentials:
+ userName: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-10T11:30:01.000Z'
+ syncState: SYNC_FAILED
+ errorCode: UNKNOWN_ERROR
+ errorReason: Password update failed
+ PrivilegedResourcesGetOktaAccountResponse:
+ value:
+ id: opa100xTfFs4MasRf0g4
+ resourceType: OKTA_USER_ACCOUNT
+ resourceId: 00u100xTfFs4MasRf0g4,
+ credentials:
+ userName: testuser@example.com
+ profile:
+ email: testuser@example.com
+ created: '2024-06-10T11:11:01.000Z'
+ lastUpdated: '2024-06-10T11:11:01.000Z'
+ status: ACTIVE
+ credentialSyncInfo:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-10T11:30:01.000Z'
+ syncState: SYNCED
+ errorCode: ''
+ errorReason: ''
+ PrivilegedResourcesOktaUserAccountUpdateRequest:
+ value:
+ username: username
+ profile:
+ email: testuser@example.com
+ ProfileEnrollmentRequest:
+ summary: An example registration hook profile enrollment (SSR) inline hook request body
+ value:
+ eventId: 04Dmt8BcT_aEgM
+ eventTime: '2022-04-25T17:35:27.000Z'
+ eventType: com.okta.user.pre-registration
+ eventTypeVersion: 1
+ contentType: application/json
+ cloudEventVersion: 0.1
+ source: regt4qeBKU29vSoPz0g3
+ requestType: self.service.registration
+ data:
+ context:
+ request:
+ method: POST
+ ipAddress: 127.0.0.1
+ id: 123testId456
+ url:
+ value: /idp/idx/enroll/new
+ userProfile:
+ firstName: Rosario
+ lastName: Jones
+ login: rosario.jones@example.com
+ email: rosario.jones@example.com
+ action: ALLOW
+ ProfileEnrollmentResponse:
+ summary: An example registration hook profile enrollment (SSR) inline hook response
+ value:
+ commands:
+ - type: com.action.update
+ value:
+ registration: ALLOW
+ ProfileEnrollmentResponseDeny:
+ summary: An example Profile Enrollment (SSR) inline hook Deny response
+ value:
+ commands:
+ - type: com.action.update
+ value:
+ registration: DENY
+ error:
+ errorSummary: Incorrect email address. Please contact your admin.
+ errorCauses:
+ - errorSummary: Only example.com emails can register.
+ reason: INVALID_EMAIL_DOMAIN
+ locationType: body
+ location: data.userProfile.email
+ domain: end-user
+ ProgressiveProfileRequest:
+ summary: An example Progressive Profile inline hook request
+ value:
+ eventId: vzYp_zMwQu2htIWRbNJdfw
+ eventTime: '2022-04-25T04:04:41.000Z'
+ eventType: com.okta.user.pre-registration
+ eventTypeVersion: 1
+ contentType: application/json
+ cloudEventVersion: 0.1
+ source: regt4qeBKU29vS
+ requestType: progressive.profile
+ data:
+ context:
+ request:
+ method: POST
+ ipAddress: 127.0.0.1
+ id: 123dummyId456
+ url:
+ value: /idp/idx/enroll/update
user:
- href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890
- hints:
- allow:
- - GET
- ApiTokenMetadataResponse:
+ passwordChanged: '2022-01-01T00:00:00.000Z'
+ _links:
+ groups:
+ href: /api/v1/users/00u48gwcu01WxvNol0g7/groups
+ factors:
+ href: /api/v1/users/00u48gwcu01WxvNol0g7/factors
+ profile:
+ firstName: Rosario
+ lastName: Jones"
+ timeZone: America/Los_Angeles
+ login: rosario.jones@example.com
+ locale: en_US
+ id: 00u48gwcu01WxvNo
+ action: ALLOW
+ userProfileUpdate:
+ employeeNumber: 1234
+ ProgressiveProfileResponse:
+ summary: An example Progressive Profile inline hook response
value:
- name: My API Token
- userId: 00uXXXXXXXXXXXXXXXXX
- tokenWindow: P30D
- id: 00Tabcdefg1234567890
- clientName: Okta API
- expiresAt: 2021-12-11T20:38:10.000Z
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ commands:
+ - type: com.okta.user.progressive.profile.update'
+ value: request.body.data.userProfileUpdate['employeeNumber']
+ ProgressiveProfileResponseDeny:
+ summary: An example Progressive Profile inline hook Deny response
+ value:
+ commands:
+ - type: com.action.update
+ value:
+ registration: DENY
+ error:
+ errorSummary: Incorrect employee number. Enter an employee number with 4 digits.
+ errorCauses:
+ - errorSummary: Only employee numbers with 4 digits can register.
+ reason: INVALID_EMPLOYEE_NUMBER
+ locationType: body
+ location: data.userProfile.employeeNumber
+ domain: end-user
+ ProvisioningConnectionOauthO365RequestEx:
+ summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app
+ value:
+ profile:
+ authScheme: OAUTH2
+ settings:
+ adminUsername: office_admin-username
+ adminPassword: office_admin-password
+ ProvisioningConnectionOauthRequestEx:
+ summary: Provisioning Connection with OAuth 2.0
+ value:
+ profile:
+ authScheme: OAUTH2
+ ProvisioningConnectionOauthResponseEx:
+ summary: Provisioning Connection with OAuth 2.0 for Microsoft Office 365 app
+ value:
+ status: ENABLED
+ profile:
+ authScheme: OAUTH2
_links:
self:
- href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
hints:
allow:
- GET
- - DELETE
- user:
- href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ authorize:
+ href: https://login.microsoftonline.com/myofficetenant.onmicrosoft.com/oauth2/authorize?response_type=code&state=>&client_id=&redirect_uri=&scope=
hints:
allow:
- GET
- AppFeatureListResponseEx:
- summary: List app Feature response
+ guidance:
+ - Specifies the URI to invoke in a browser for granting scope consent required to complete the OAuth 2.0 connection.
+ ProvisioningConnectionTokenOrg2OrgRequestEx:
+ summary: Provisioning Connection with token for Okta Org2Org app
value:
- - name: USER_PROVISIONING
- status: ENABLED
- description: User provisioning settings from Okta to a downstream application
- capabilities:
- create:
- lifecycleCreate:
- status: DISABLED
- update:
- profile:
- status: DISABLED
- lifecycleDeactivate:
- status: DISABLED
- password:
- status: DISABLED
- seed: RANDOM
- change: KEEP_EXISTING
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
- hints:
- allow:
- - GET
- - PUT
- AppFeatureResponseEx:
- summary: App Feature response
+ profile:
+ authScheme: TOKEN
+ clientId: 0oa2h6su6bVFyJzIf1d7
+ ProvisioningConnectionTokenRequestEx:
+ summary: Provisioning Connection with token for Zscaler 2.0 (`zscalerbyz`) app
value:
- name: USER_PROVISIONING
+ baseUrl: https://scim.zscalerbeta.net/1234567/890/scim
+ profile:
+ authScheme: TOKEN
+ token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x
+ ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx:
+ summary: Provisioning Connection with token for Okta Org2Org (`okta_org2org`) app
+ value:
+ authScheme: TOKEN
status: ENABLED
- description: User provisioning settings from Okta to a downstream application
- capabilities:
- create:
- lifecycleCreate:
- status: DISABLED
- update:
- profile:
- status: DISABLED
- lifecycleDeactivate:
- status: DISABLED
- password:
- status: DISABLED
- seed: RANDOM
- change: KEEP_EXISTING
+ baseUrl: https://targetorg.okta.com
+ profile:
+ authScheme: TOKEN
_links:
self:
- href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
+ hints:
+ allow:
+ - GET
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ProvisioningConnectionTokenResponseWithProfileZscalerEx:
+ summary: Provisioning Connection with token for Zscaler 2.0 (`zscalerbyz`) app
+ value:
+ authScheme: TOKEN
+ status: ENABLED
+ baseUrl: https://scim.zscalerbeta.net/1234567/890/scim
+ profile:
+ authScheme: TOKEN
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
+ hints:
+ allow:
+ - GET
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ PushProviderAPNsRequest:
+ value:
+ name: APNs Example
+ providerType: APNS
+ configuration:
+ keyId: KEY_ID
+ teamId: TEAM_ID
+ tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
+ fileName: fileName.p8
+ PushProviderAPNsResponse:
+ value:
+ id: ppctekcmngGaqeiBxB0g4
+ name: APNs Example
+ providerType: APNS
+ lastUpdatedDate: '2022-01-01T00:00:00.000Z'
+ configuration:
+ keyId: KEY_ID
+ teamId: TEAM_ID
+ fileName: fileName.p8
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
hints:
allow:
+ - DELETE
- GET
- PUT
- AppUserSchemaAddRequest:
+ PushProviderFCMRequest:
value:
- definitions:
- custom:
- id: '#custom'
- type: object
- properties:
- twitterUserName:
- title: Twitter username
- description: User's username for twitter.com
- type: string
- required: false
- minLength: 1
- maxLength: 20
- required: []
- AppUserSchemaResponse:
+ name: FCM Example
+ providerType: FCM
+ configuration:
+ serviceAccountJson:
+ type: service_account
+ project_id: PROJECT_ID
+ private_key_id: KEY_ID
+ private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
+ client_email: SERVICE_ACCOUNT_EMAIL
+ client_id: CLIENT_ID
+ auth_uri: https://accounts.google.com/o/oauth2/auth
+ token_uri: https://accounts.google.com/o/oauth2/token
+ auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs
+ client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL
+ fileName: fileName.json
+ PushProviderFCMResponse:
+ value:
+ id: ppctekcmngGaqeiBxB0g4
+ name: FCM Example
+ providerType: FCM
+ lastUpdatedDate: '2022-01-01T00:00:00.000Z'
+ configuration:
+ projectId: PROJECT_ID
+ fileName: fileName.p8
+ _links:
+ self:
+ href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
+ hints:
+ allow:
+ - DELETE
+ - GET
+ - PUT
+ RateLimitAdminNotificationsDisabled:
+ value:
+ notificationsEnabled: false
+ RateLimitAdminNotificationsEnabled:
+ value:
+ notificationsEnabled: true
+ RateLimitWarningThresholdValidExample:
+ value:
+ warningThreshold: 66
+ RealmResponse:
+ value:
+ id: guox9jQ16k9V8IFEL0g3
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ isDefault: false
+ profile:
+ name: Car Co
+ _links:
+ self:
+ rel: self
+ href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3
+ method: GET
+ RefreshCurrentSessionResponse:
+ summary: Refresh current session
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - GET
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/me
+ refresh:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh
+ user:
+ hints:
+ allow:
+ - GET
+ href: https://{yourOktaDomain}/api/v1/users/me
+ name: User Name
+ RefreshSessionResponse:
+ summary: Refresh an existing Session using the session ID
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-25T14:17:22Z'
+ expiresAt: '2019-08-25T14:17:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
+ _links:
+ self:
+ hints:
+ allow:
+ - DELETE
+ href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85
+ RemoveMappingBody:
+ summary: Update an existing profile mapping by removing one or more properties
value:
- id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default
- $schema: http://json-schema.org/draft-04/schema#
- name: Example App
- title: Example App User
- lastUpdated: '2017-07-18T23:18:43.000Z'
- created: '2017-07-18T22:35:30.000Z'
- definitions:
- base:
- id: '#base'
- type: object
- properties:
- userName:
- title: Username
- type: string
- required: true
- scope: NONE
- maxLength: 100
- required:
- - userName
- custom:
- id: '#custom'
- type: object
- properties:
- twitterUserName:
- title: Twitter username
- description: User's username for twitter.com
- type: string
- scope: NONE
- minLength: 1
- maxLength: 20
- required: []
- type: object
properties:
- profile:
- allOf:
- - $ref: '#/definitions/base'
- - $ref: '#/definitions/custom'
- AssignGroupOwnerRequest:
- summary: Assign a group owner request example
+ nickName:
+ expression: null
+ pushStatus: null
+ RemoveMappingResponse:
+ summary: Update an existing profile mapping by removing one or more properties
value:
- id: 00u1cmc03xjzePoWD0h8
- type: USER
- AssignGroupOwnerResponse:
- summary: Assign a group owner response example
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ ReplaceAnEventHookWithFilter:
+ summary: Replace an event hook
value:
- id: 00u1cmc03xjzePoWD0h8
- type: USER
- resolved: true
- originId: null
- originType: OKTA_DIRECTORY
- displayName: Oliver Putnam
- lastUpdated: Wed Mar 29 18:34:31 UTC 2023
- AuthenticatorRequestDuo:
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ authScheme:
+ type: HEADER
+ key: Authorization
+ value: my-shared-secret
+ ReplaceAuthServerBody:
+ summary: Replace a custom authorization server
value:
- key: duo
- name: Duo Security
- provider:
- type: DUO
- configuration:
- userNameTemplate:
- template: oktaId
- integrationKey: testIntegrationKey
- secretKey: testSecretKey
- host: https://api-xxxxxxxx.duosecurity.com
- AuthenticatorResponseDuo:
+ name: New Authorization Server
+ description: Authorization Server description
+ audiences:
+ - api://default
+ credentials:
+ signing:
+ rotationMode: AUTO
+ use: sig
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ ReplaceAuthServerResponse:
+ summary: Replace a custom authorization server
+ value:
+ id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
+ status: ACTIVE
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
+ _links:
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
+ hints:
+ allow:
+ - GET
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
+ hints:
+ allow:
+ - GET
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
+ hints:
+ allow:
+ - GET
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ hints:
+ allow:
+ - GET
+ - DELETE
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ ReplaceCustomTokenClaimBody:
+ summary: Replace a custom token Claim
+ value:
+ - alwaysIncludeInToken: true
+ claimType: IDENTITY
+ conditions:
+ scopes:
+ - profile
+ group_filter_type: CONTAINS
+ name: Knowledge_Base
+ status: ACTIVE
+ system: false
+ value: Knowledge Base
+ valueType: GROUPS
+ ReplaceCustomTokenClaimResponse:
+ summary: Replace a custom token Claim response
+ value:
+ - id: '{claimId}'
+ name: Knowledge_Base
+ status: ACTIVE
+ claimType: IDENTITY
+ valueType: GROUPS
+ value: Knowledge Base
+ conditions:
+ scopes:
+ - profile
+ system: false
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ group_filter_type: CONTAINS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ ReplaceIdPRequestResponse:
+ summary: Replace an Identity Provider
value:
- type: app
- id: aut9gnvcjUHIWb37J0g4
- key: duo
- status: ACTIVE
- name: Duo Security
- created: '2022-07-15T21:14:02.000Z'
- lastUpdated: '2022-07-15T21:14:02.000Z'
- settings: {}
- provider:
- type: DUO
- configuration:
- host: https://api-xxxxxxxx.duosecurity.com
+ id: 0oa62bc8wppPw0UGr0h7
+ type: SAML2
+ name: Example SAML IdP
+ status: INACTIVE
+ created: null
+ lastUpdated: '2016-03-29T21:23:45.000Z'
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com/saml2/sso
+ binding: HTTP-REDIRECT
+ destination: https://idp.example.com/saml2/sso
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ settings:
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
userNameTemplate:
- template: oktaId
+ template: idpuser.subjectNameId
+ filter: null
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 120000
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4
+ metadata:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml
+ type: application/xml
hints:
allow:
- GET
- - PUT
- deactivate:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate
+ acs:
+ href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7
+ type: application/xml
hints:
allow:
- POST
- methods:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods
+ users:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users
hints:
allow:
- GET
- AuthenticatorResponseEmail: &ref_0
+ activate:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ ReplaceKeyResponse:
+ summary: Replace a key response example
value:
- type: email
- id: aut1nbsPHh7jNjjyP0g4
- key: okta_email
+ id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: My updated new key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:16:59.000Z'
+ isUsed: 'false'
+ ReplaceNetworkZone:
+ summary: Replace a Network Zone
+ value:
+ type: IP
+ id: nzovw2rFz2YoqmvwZ0g9
+ name: UpdatedNetZone
status: ACTIVE
- name: Email
- created: '2020-07-26T21:05:23.000Z'
- lastUpdated: '2020-07-28T21:45:52.000Z'
- settings:
- allowedFor: any
- tokenLifetimeInMinutes: 5
+ system: false
+ usage: POLICY
+ gateways:
+ - type: CIDR
+ value: 10.2.3.4/24
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: RANGE
+ value: 13.4.5.6-13.4.5.8
+ - type: CIDR
+ value: 14.2.3.4/24
+ proxies:
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: CIDR
+ value: 13.3.4.5/24
+ - type: RANGE
+ value: 14.4.5.6-14.4.5.8
+ - type: RANGE
+ value: 15.5.6.7/24-15.5.6.9
_links:
self:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9
hints:
allow:
- GET
- PUT
- methods:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods
- hints:
- allow:
- - GET
+ - DELETE
deactivate:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate
hints:
allow:
- POST
- AuthenticatorResponsePassword: &ref_1
+ ReplaceNetworkZoneResponse:
+ summary: Replace Network Zone
value:
- type: password
- id: aut1nbtrJKKA9m45a0g4
- key: okta_password
+ type: IP
+ id: nzovw2rFz2YoqmvwZ0g9
+ name: UpdatedNetZone
status: ACTIVE
- name: Password
- created: '2020-07-26T21:05:23.000Z'
- lastUpdated: '2020-07-26T21:05:23.000Z'
+ usage: POLICY
+ created: '2022-05-08T18:25:05.000Z'
+ lastUpdated: '2022-05-10T13:15:22.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 10.2.3.4/24
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: RANGE
+ value: 13.4.5.6-13.4.5.8
+ - type: CIDR
+ value: 14.2.3.4/24
+ proxies:
+ - type: CIDR
+ value: 12.2.3.4/24
+ - type: CIDR
+ value: 13.3.4.5/24
+ - type: RANGE
+ value: 14.4.5.6-14.4.5.8
+ - type: RANGE
+ value: 15.5.6.7/24-15.5.6.9
_links:
self:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9
hints:
allow:
- GET
- PUT
- methods:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate
hints:
allow:
- - GET
- AuthenticatorResponsePhone: &ref_2
+ - POST
+ ReplaceResourceSetRequest:
value:
- type: phone
- id: aut1nbuyD8m1ckAYc0g4
- key: phone_number
+ label: SF-IT-People
+ description: People in the IT department of San Francisco
+ ReplaceRoleRequest:
+ value:
+ label: UserCreator
+ description: Create users
+ ReplaceUserTypePutRequest:
+ summary: Replace user type request
+ value:
+ displayName: Replacement Display Name
+ description: Replacement description
+ name: newUserType
+ ReplaceUserTypePutResponse:
+ summary: Replace user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: Replacement Display Name
+ name: newUserType
+ description: Replacement description
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ ResetPwdWithoutSendingEmailResponse:
+ value:
+ summary: Reset password without sending email
+ resetPasswordUrl: https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO
+ ResourceSelectorCreateRequestExample:
+ value:
+ name: All applications except Workday applications
+ description: All applications except Workday applications
+ schema: /api/v1/apps
+ filter: name ne "workday"
+ ResourceSelectorCreateResponseExample:
+ value:
+ id: rsl1hx31gVEa6x10v0g5
+ name: All applications except Workday applications
+ description: All applications except Workday applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5
+ resources:
+ href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "workday""
+ ResourceSelectorPatchRequestExample:
+ value:
+ name: All applications except Facebook applications
+ description: All applications except Facebook applications
+ filter: name ne "facebook"
+ ResourceSelectorPatchResponseExample:
+ value:
+ id: rsl1hx31gVEa6x10v0g5
+ name: All applications except Facebook applications
+ description: All applications except Facebook applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5
+ resources:
+ href: https://{yourOktaDomain}/api/v1/apps?filter="name ne "facebook""
+ ResourceSelectorResponseExample:
+ value:
+ id: rsl1hx31gVEa6x10v0g5
+ name: All applications except a specific application
+ description: All applications except a specific application
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors/rsl1hx31gVEa6x10v0g5
+ resources:
+ href: https://{yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH"
+ ResourceSelectorsResponseExample:
+ value:
+ resourceSelectors:
+ - id: rsl1hx31gVEa6x10v0g5
+ name: All applications except Workday applications
+ description: All applications except Workday applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g5:apps
+ _links:
+ resources:
+ href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqCAJWWGELFTYASJ"
+ - id: rsl1hx31gVEa6x10v0g6
+ name: All applications except Facebook applications
+ description: All applications except Facebook applications
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:resource_selectors:rsl1hx31gVEa6x10v0g6:apps
+ _links:
+ resources:
+ href: http://${yourOktaDomain}/api/v1/apps?filter="id ne 0oafxqAAJWWGELFTYASH
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/resource-selectors?after=rsl1hx31gVEa6x10v0g6
+ ResourceSetBindingAddMembersRequestExample:
+ value:
+ additions:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3
+ ResourceSetBindingCreateRequestExample:
+ value:
+ role: cr0Yq6IJxGIr0ouum0g3
+ members:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ ResourceSetBindingMemberResponse:
+ value:
+ id: irb1qe6PGuMc7Oh8N0g4
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3
+ ResourceSetBindingMembersResponse:
+ value:
+ members:
+ - id: irb1qe6PGuMc7Oh8N0g4
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3
+ - id: irb1q92TFAHzySt3x0g4
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ _links:
+ binding:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3
+ ResourceSetBindingResponseExample:
+ value:
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ ResourceSetBindingResponseWithIdExample:
+ value:
+ id: cr0Yq6IJxGIr0ouum0g3
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ ResourceSetBindingsResponse:
+ value:
+ roles:
+ - id: cr0WxyzJxGIr0ouum0g4
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4
+ members:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4
+ ResourceSetRequest:
+ value:
+ label: SF-IT-People
+ description: People in the IT department of San Francisco
+ resources:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
+ - https://{yourOktaDomain}/api/v1/users
+ ResourceSetResourcePatchRequestExample:
+ value:
+ additions:
+ - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
+ ResourceSetResourcePostRequestExample:
+ summary: Resource Set with conditions request
+ value:
+ resourceOrnOrUrl: https://{yourOktaDomain}/api/v1/apps
+ conditions:
+ Exclude:
+ okta:ORN:
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack
+ ResourceSetResourcePutRequestExample:
+ value:
+ conditions:
+ Exclude:
+ okta:ORN:
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack
+ ResourceSetResourceResponse:
+ summary: Resource Set response
+ value:
+ id: ire106sQKoHoXXsAe0g4
+ orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps
+ conditions:
+ Exclude:
+ okta:ORN:
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4
+ - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1
+ ResourceSetResourcesResponse:
+ value:
+ resources:
+ - id: ire106sQKoHoXXsAe0g4
+ orn: orn:{partition}:directory:{yourOrgId}:groups:00guaxWZ0AOa5NFAj0g3
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1
+ - id: ire106riDrTYl4qA70g4
+ orn: orn:{partition}:directory:{yourOrgId}:groups:00gu67DU2qNCjNZYO0g3:contained_resources
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g2
+ - id: irezvo4AwE2ngpMw40g3
+ orn: orn:{partition}:directory:{yourOrgId}:users
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users
+ users:
+ href: https://{yourOktaDomain}/api/v1/users
+ - id: ire2j4iDnxHhUFaZN0g4
+ orn: orn:{partition}:directory:{yourOrgId}:groups
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/groups
+ groups:
+ href: https://{yourOktaDomain}/api/v1/groups
+ resource:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g3
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ ResourceSetResponse:
+ value:
+ id: iamoJDFKaJxGIr0oamd9g
+ label: SF-IT-People
+ description: People in the IT department of San Francisco
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ resources:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ ResourceSetsResponse:
+ value:
+ resource-sets:
+ - id: iamoJDFKaJxGIr0oamd9g
+ label: SF-IT-1
+ description: First San Francisco IT Resource Set
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ resources:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
+ - id: iamoJDFKaJxGIr0oamd0q
+ label: SF-IT-2
+ description: Second San Francisco IT Resource Set
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q
+ resources:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources
+ bindings:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q
+ RetrieveADeactivatedEventHook:
+ summary: Deactivated event hook
+ value:
+ id: who8vt36qfNpCGz9H1e6
status: INACTIVE
- name: Phone
- created: '2020-07-26T21:05:23.000Z'
- lastUpdated: '2020-07-29T00:21:29.000Z'
- settings:
- allowedFor: none
+ verificationStatus: VERIFIED
+ name: Event Hook Test
+ description: null
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter: null
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers:
+ - key: X-Other-Header
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
_links:
self:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4
- hints:
- allow:
- - GET
- - PUT
- methods:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
hints:
allow:
- - GET
- activate:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
hints:
allow:
- POST
- AuthenticatorResponseSecurityQuestion:
- summary: Security Question
+ RetrieveAllEventHooks:
+ summary: Retrieves all event hooks
+ value:
+ - id: who8tsqyrhCdmetzx135
+ status: ACTIVE
+ verificationStatus: VERIFIED
+ name: Event Hook Test
+ description: null
+ created: '2023-07-07T17:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T17:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - user.lifecycle.deactivate
+ - user.lifecycle.activate
+ filter: null
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userDeactivate
+ headers: []
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
+ _links:
+ self:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/verify
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - id: who8vt36qfNpCGz9H1e6
+ status: ACTIVE
+ verificationStatus: VERIFIED
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ version: null
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers: []
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
+ _links:
+ self:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
+ hints:
+ allow:
+ - POST
+ deactivate:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAllZones:
+ summary: Retrieves all Network Zones
+ value:
+ - type: DYNAMIC_V2
+ id: nzok0oz2xYHOZtIch0g4
+ name: testZone106
+ status: ACTIVE
+ usage: BLOCKLIST
+ create: '2024-05-13T16:33:44.000Z'
+ lastUpdated: '2024-05-13T16:33:44.000Z'
+ system: false
+ locations:
+ include: []
+ exclude: []
+ asns:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclude: []
+ _links:
+ self:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: DYNAMIC
+ id: nzoy0ox5xADOZtKrh0g6
+ name: test
+ status: ACTIVE
+ usage: POLICY
+ created: '2022-05-19T15:33:32.000Z'
+ lastUpdated: '2022-05-19T15:33:32.000Z'
+ system: false
+ locations:
+ - country: AF
+ region: AF-BGL
+ proxyType: ANY
+ asns:
+ - '23457'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: IP
+ id: nzou3u0stMCmgOzXK1d6
+ name: BlockedIpZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: DYNAMIC_V2
+ id: nzohcnxFrSgsiwyHp0g4
+ name: DefaultEnhancedDynamicZone
+ status: ACTIVE
+ usage: BLOCKLIST
+ created: '2024-05-06T19:12:29.000Z'
+ lastUpdated: '2024-05-09T21:02:31.000Z'
+ system: true
+ locations:
+ include: []
+ exclude: []
+ ipServiceCategories:
+ include:
+ - ALL_ANONYMIZERS
+ exclue: []
+ asns:
+ include: []
+ exclude: []
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ - type: IP
+ id: nzou3u0ssJfZjYsWL1d6
+ name: LegacyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-09T21:32:46.000Z'
+ lastUpdated: '2021-06-09T21:32:46.000Z'
+ system: true
+ gateways: null
+ proxies: null
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAllZonesWithFilter:
+ summary: Retrieves Network Zones with filter
value:
- type: security_question
- id: aut1nbvIgEenhwE6c0g4
- key: security_question
+ - type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveAnEventHook:
+ summary: Retrieve an event hook
+ value:
+ id: who8vt36qfNpCGz9H1e6
status: ACTIVE
- name: Security Question
- created: '2020-07-26T21:05:23.000Z'
- lastUpdated: '2020-07-26T21:05:23.000Z'
+ verificationStatus: VERIFIED
+ name: Event Hook Test
+ description: null
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter: null
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ headers:
+ - key: X-Other-Header
+ value: my-header-value
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
_links:
self:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4
- hints:
- allow:
- - GET
- methods:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
hints:
allow:
- - GET
+ - POST
deactivate:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
hints:
allow:
- POST
- AuthenticatorResponseWebAuthn: &ref_3
+ RetrieveAnEventHookWithFilter:
+ summary: Retrieve an event hook
value:
- type: security_key
- id: aut1nd8PQhGcQtSxB0g4
- key: webauthn
+ id: who8vt36qfNpCGz9H1e6
status: ACTIVE
- name: Security Key or Biometric
- created: '2020-07-26T21:16:37.000Z'
- lastUpdated: '2020-07-27T18:59:30.000Z'
+ verificationStatus: VERIFIED
+ name: Event Hook with Filter
+ description: An event hook using an Okta Expression Language filter
+ created: '2023-07-07T13:41:56.000Z'
+ createdBy: 00u7xut94qEWYx5ss1e5
+ lastUpdated: '2023-07-07T13:43:03.000Z'
+ events:
+ type: EVENT_TYPE
+ items:
+ - group.user_membership.add
+ filter:
+ type: EXPRESSION_LANGUAGE
+ eventFilterMap:
+ - event: group.user_membership.add
+ condition:
+ version: null
+ expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0
+ channel:
+ type: HTTP
+ version: 1.0.0
+ config:
+ uri: https://example_external_service/userAdded
+ method: POST
+ authScheme:
+ type: HEADER
+ key: authorization
_links:
self:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4
- hints:
- allow:
- - GET
- - PUT
- methods:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods
- hints:
- allow:
- - GET
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6
+ verify:
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify
+ hints:
+ allow:
+ - POST
deactivate:
- href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate
+ href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate
hints:
allow:
- POST
- AuthenticatorsResponse:
- summary: Org Authenticators
- value:
- - *ref_0
- - *ref_1
- - *ref_2
- - *ref_3
- BehaviorRuleRequest:
- value:
- name: My Behavior Rule
- type: VELOCITY
- BehaviorRuleResponse:
+ RetrieveAuthServerResponse:
+ summary: Retrieve a custom authorization server
value:
- id: abcd1234
- name: My Behavior Rule
- type: VELOCITY
- settings:
- velocityKph: 805
+ id: '{authorizationServerId}'
+ name: Sample Authorization Server
+ description: Sample Authorization Server description
+ audiences:
+ - https://api.resource.com
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ issuerMode: ORG_URL
status: ACTIVE
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
- _link:
- self:
- href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234
- hints:
- allow:
- - GET
- - POST
- - PUT
- - DELETE
- CAPTCHAInstanceRequestHCaptcha:
- value:
- name: myHCaptcha
- secretKey: xxxxxxxxxxx
- siteKey: xxxxxxxxxxx
- type: HCAPTCHA
- CAPTCHAInstanceRequestReCaptcha:
- value:
- name: myReCaptcha
- secretKey: xxxxxxxxxxx
- siteKey: yyyyyyyyyyyyyyy
- type: RECAPTCHA_V2
- CAPTCHAInstanceResponseHCaptcha:
- value:
- id: abcd1234
- name: myHCaptcha
- siteKey: xxxxxxxxxxx
- type: HCAPTCHA
- _links:
- self:
- href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234
- hints:
- allow:
- - GET
- - POST
- - PUT
- - DELETE
- CAPTCHAInstanceResponseReCaptcha:
- value:
- id: abcd4567
- name: myReCaptcha
- siteKey: yyyyyyyyyyyyyyy
- type: RECAPTCHA_V2
+ created: '2023-05-17T22:25:57.000Z'
+ lastUpdated: '2023-05-17T22:25:57.000Z'
+ credentials:
+ signing:
+ rotationMode: AUTO
+ lastRotated: '2023-05-17T22:25:57.000Z'
+ nextRotation: '2023-08-15T22:25:57.000Z'
+ kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4
_links:
- self:
- href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ scopes:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes
hints:
allow:
- GET
- - POST
- - PUT
- - DELETE
- CreateBrandRequest:
- value:
- name: My Awesome Brand
- CreateBrandResponse:
- value:
- id: bnd114iNkrcN6aR680g5
- removePoweredByOkta: false
- customPrivacyPolicyUrl: null
- name: My Awesome Brand
- locale: en
- defaultApp:
- appInstanceId: 0oa114iNkrcN6aR680g4
- appLinkName: null
- classicApplicationUri: null
- isDefault: false
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5
+ claims:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims
hints:
allow:
- GET
- - PUT
- - DELETE
- themes:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes
+ policies:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies
hints:
allow:
- GET
- CreateEmailDomainRequest:
- value:
- displayName: Admin
- userName: admin
- domain: example.com
- brandId: bnd100iSrkcN6aR680g1
- CreateHookKeyResponse:
- summary: Create a key response example
- value:
- id: HKY1p7jWLndGQV9M60g4
- keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
- name: My new key
- created: '2022-08-31T18:09:58.000Z'
- lastUpdated: '2022-08-31T18:09:58.000Z'
- isUsed: 'false'
- _embedded:
- kty: RSA
- alg: RSA
- kid: 7fbc27fd-e3df-4522-86bf-1930110256ad
- use: 'null'
- e: AQAB
- 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w`
- CreateIPPolicyBlockListNetworkZone:
- summary: Create an IP Policy Blocklist Network Zone
- value:
- type: IP
- name: newBlockListNetworkZone
- status: ACTIVE
- usage: BLOCKLIST
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- - type: CIDR
- value: 2.3.4.5/24
- proxies: null
- CreateIPPolicyBlockListNetworkZoneResponse:
- summary: IP Policy Blocklist Network Zone Response
- value:
- type: IP
- id: nzo1qasnPb1kqEq0e0g4
- name: newBlockListNetworkzone
- status: ACTIVE
- usage: BLOCKLIST
- created: '2020-10-12T18:58:02.000Z'
- lastUpdated: '2020-10-12T18:58:02.000Z'
- system: false
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- - type: CIDR
- value: 2.3.4.5/24
- proxies: null
- _links:
self:
- href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
hints:
allow:
- GET
- - PUT
- DELETE
- deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate
+ - PUT
+ metadata:
+ - name: oauth-authorization-server
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
+ hints:
+ allow:
+ - GET
+ - name: openid-configuration
+ href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration
+ hints:
+ allow:
+ - GET
+ rotateKey:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate
hints:
allow:
- POST
- CreateIPPolicyNetworkZone:
- summary: Create an IP Policy Network Zone
- value:
- type: IP
- name: newNetworkZone
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- - type: CIDR
- value: 2.3.4.5/24
- proxies:
- - type: CIDR
- value: 2.2.3.4/24
- - type: CIDR
- value: 3.3.4.5/24
- CreateIPPolicyNetworkZoneResponse:
- summary: IP Policy Network Zone Response
- value:
- type: IP
- id: nzowc1U5Jh5xuAK0o0g3
- name: newNetworkZone
- status: ACTIVE
- usage: POLICY
- created: '2019-05-17T18:44:31.000Z'
- lastUpdated: '2019-05-21T13:50:49.000Z'
- system: false
- gateways:
- - type: CIDR
- value: 1.2.3.4/24'
- - type: CIDR
- value: 2.3.4.5/24
- proxies:
- - type: CIDR
- value: 2.2.3.4/24
- - type: CIDR
- value: 3.3.4.5/24
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
- hints:
- allow:
- - GET
- - PUT
- - DELETE
deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate
hints:
allow:
- POST
- CreateUISchemaBody:
- summary: UI Schema body request
- value:
- uiSchema:
- type: Group
- elements:
- - type: Control
- scope: '#/properties/firstName'
- label: First Name
- options:
- format: text
- - type: Control
- scope: '#/properties/lastName'
- label: Last Name
- options:
- format: text
- - type: Control
- scope: '#/properties/email'
- label: Primary email
- options:
- format: text
- buttonLabel: Submit
- label: Sign in
- CreateUISchemaResponse:
- summary: Returns full UI Schema body
- value:
- id: uis4a7liocgcRgcxZ0g7
- uiSchema:
- type: Group
- label: Sign in
- buttonLabel: Submit
- elements:
- - type: Control
- scope: '#/properties/firstName'
- label: First name
- options:
- format: text
- - type: Control
- scope: '#/properties/lastName'
- label: Last name
- options:
- format: text
- - type: Control
- scope: '#/properties/email'
- label: Primary email
- options:
- format: text
- created: '2022-07-25T12:56:31.000Z'
- lastUpdated: '2022-07-26T11:53:59.000Z'
- _links:
- self:
- href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- CreateUpdateEmailCustomizationRequest:
- value:
- language: fr
- subject: Bienvenue dans ${org.name}!
- body: Bonjour ${user.profile.firstName}. Activer le compte
- isDefault: false
- CreateUpdateEmailCustomizationResponse:
+ RetrieveCurrentSessionResponse:
+ summary: Retrieve current session
value:
- language: fr
- subject: Bienvenue dans ${org.name}!
- body: Bonjour ${user.profile.firstName}. Activer le compte
- isDefault: false
- id: oel11u6DqUiMbQkpl0g4
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
_links:
self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
hints:
allow:
- GET
- - PUT
- DELETE
- template:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ href: https://{yourOktaDomain}/api/v1/sessions/me
+ refresh:
hints:
allow:
- - GET
- preview:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ - POST
+ href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh
+ user:
hints:
allow:
- GET
- test:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
- hints:
- allow:
- - POST
- CreateUpdateIamRolePermissionRequestExample:
- value:
- conditions:
- include:
- okta:ResourceAttribute/User/Profile:
- - city
- - state
- - zipCode
- CreateUserRequest:
- summary: Create a user type request
- value:
- description: A new custom user type
- displayName: New User Type
- name: newUserType
- CreateUserResponse:
- summary: Create a user type response
+ href: https://{yourOktaDomain}/api/v1/users/me
+ name: User Name
+ RetrieveCustomTokenClaimResponse:
+ summary: Retrieve a custom token Claim response
value:
- id: otyfnly5cQjJT9PnR0g4
- displayName: New User Type
- name: newUserType
- description: A new custom user type
- createdBy: sprz9fj1ycBcsgopy1d6
- lastUpdatedBy: sprz9fj1ycBcsgopy1d6
- created: '2021-07-05T20:40:38.000Z'
- lastUpdated: '2021-07-05T20:40:38.000Z'
- default: false
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- DeactivateNetworkZone:
- summary: Deactivated Network Zone response
+ - id: '{claimId}'
+ name: Support
+ status: ACTIVE
+ claimType: IDENTITY
+ valueType: GROUPS
+ value: Support
+ conditions:
+ scopes:
+ - profile
+ system: false
+ alwaysIncludeInToken: true
+ apiResourceId: null
+ group_filter_type: CONTAINS
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ RetrieveFeaturesResponse:
+ summary: Retrieve a feature by ID
value:
- type: IP
- id: nzowc1U5Jh5xuAK0o0g3
- name: LegacyIpZone
- status: INACTIVE
- usage: POLICY
- created: '2019-05-17T18:44:31.000Z'
- lastUpdated: '2019-05-21T13:50:49.000Z'
- system: true
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- proxies:
- - type: RANGE
- value: 3.3.4.5-3.3.4.15
+ id: ftrZooGoT8b41iWRiQs7
+ description: Example feature description
+ name: Example feature name
+ stage:
+ state: CLOSED
+ value: BETA
+ status: DISABLED
+ type: self-service
_links:
self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
hints:
allow:
- POST
- DefaultRealmResponse:
- value:
- id: guox9jQ16k9V8IQWL0g3
- created: 2022-04-04T15:56:05.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- isDefault: true
- profile:
- name: Default Realm
- _links:
- self:
- rel: self
- href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3
- method: GET
- DeviceAssuranceAndroidRequest:
- summary: Android request
- value:
- name: Device Assurance Android
- osVersion:
- minimum: 12.4.5
- diskEncryptionType:
- include:
- - USER
- - FULL
- jailbreak: false
- platform: ANDROID
- screenLockType:
- include:
- - BIOMETRIC
- secureHardwarePresent: true
- DeviceAssuranceAndroidResponse:
- summary: Android response
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ RetrieveKeyResponse:
+ summary: Retrieve a key by id response example
value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance Android
- lastUpdate: '2022-01-01T00:00:00.000Z'
- createdUpdate: '2022-01-01T00:00:00.000Z'
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- osVersion:
- minimum: 12.4.5
- diskEncryptionType:
- include:
- - USER
- - FULL
- jailbreak: false
- platform: ANDROID
- screenLockType:
- include:
- - BIOMETRIC
- secureHardwarePresent: true
- _links:
- self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
- hints:
- allow:
- - DELETE
- - GET
- - PUT
- DeviceAssuranceChromeOSWithThirdPartySignalProvidersRequest:
- x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
- summary: ChromeOS with third-party signal providers request
+ id: HKY1p7jWLndGQV9M60g4
+ keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ name: My new key
+ created: '2022-08-31T18:09:58.000Z'
+ lastUpdated: '2022-08-31T18:09:58.000Z'
+ isUsed: 'false'
+ RetrieveMappingsResponse:
+ summary: Retrieve a single Profile Mapping
value:
- name: Device Assurance ChromeOS
- platform: CHROMEOS
- thirdPartySignalProviders:
- dtc:
- osVersion:
- minimum: 10.0.19041.1110
- diskEncrypted: true
- osFirewall: true
- screenLockSecured: true
- allowScreenLock: true
- browserVersion:
- minimum: 15393.27.0
- deviceEnrollmentDomain: testDomain
- builtInDnsClientEnabled: true
- chromeRemoteDesktopAppBlocked: true
- safeBrowsingProtectionLevel: ENHANCED_PROTECTION
- siteIsolationEnabled: true
- passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
- realtimeUrlCheckMode: true
- keyTrustLevel: CHROME_OS_VERIFIED_MODE
- DeviceAssuranceChromeOSWithThirdPartySignalProvidersResponse:
- x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
- summary: ChromeOS with third-party signal providers response
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ firstName:
+ expression: user.firstName
+ pushStatus: PUSH
+ lastName:
+ expression: user.lastName
+ pushStatus: PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ RetrieveNetworkZoneDynamic:
+ summary: Dynamic Network Zone
value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance ChromeOS
- lastUpdate: '2022-01-01T00:00:00.000Z'
- createdUpdate: '2022-01-01T00:00:00.000Z'
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- platform: CHROMEOS
- thirdPartySignalProviders:
- dtc:
- osVersion:
- minimum: 10.0.19041.1110
- diskEncrypted: true
- osFirewall: true
- screenLockSecured: true
- allowScreenLock: true
- browserVersion:
- minimum: 15393.27.0
- deviceEnrollmentDomain: testDomain
- builtInDnsClientEnabled: true
- chromeRemoteDesktopAppBlocked: true
- safeBrowsingProtectionLevel: ENHANCED_PROTECTION
- siteIsolationEnabled: true
- passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
- realtimeUrlCheckMode: true
- keyTrustLevel: CHROME_OS_VERIFIED_MODE
+ type: DYNAMIC
+ id: nzoy0ox5xADOZtKrh0g6
+ name: test
+ status: ACTIVE
+ usage: POLICY
+ created: '2022-05-19T15:33:32.000Z'
+ lastUpdated: '2022-05-19T15:33:32.000Z'
+ system: false
+ locations:
+ - country: AF
+ region: AF-BGL
+ proxyType: ANY
+ asns:
+ - '23457'
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6
hints:
allow:
- - DELETE
- GET
- PUT
- DeviceAssuranceIosRequest:
- summary: iOS request
- value:
- name: Device Assurance iOS
- osVersion:
- minimum: 12.4.5
- jailbreak: false
- platform: IOS
- screenLockType:
- include:
- - BIOMETRIC
- DeviceAssuranceIosResponse:
- summary: iOS response
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrieveNetworkZoneIP:
+ summary: IP Network Zone
value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance iOS
- lastUpdate: '2022-01-01T00:00:00.000Z'
- createdUpdate: '2022-01-01T00:00:00.000Z'
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- osVersion:
- minimum: 12.4.5.9
- jailbroken: false
- platform: IOS
- screenLockType:
- include:
- - BIOMETRIC
+ type: IP
+ id: nzowc1U5Jh5xuAK0o0g3
+ name: MyIpZone
+ status: ACTIVE
+ usage: POLICY
+ created: '2021-06-24T20:37:32.000Z'
+ lastUpdated: '2021-06-24T20:37:32.000Z'
+ system: false
+ gateways:
+ - type: CIDR
+ value: 1.2.3.4/24
+ proxies:
+ - type: RANGE
+ value: 3.3.4.5-3.3.4.15
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
hints:
allow:
- - DELETE
- GET
- PUT
- DeviceAssuranceMacOSRequest:
- summary: macOS request
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ RetrievePublicKeyResponse:
+ summary: Retrieve Public Key response example
value:
- name: Device Assurance macOS
- osVersion:
- minimum: 12.4.5
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: MACOS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- DeviceAssuranceMacOSResponse:
- summary: macOS response
+ _embedded:
+ kty: RSA
+ alg: RSA
+ kid: 7fbc27fd-e3df-4522-86bf-1930110256ad
+ use: null
+ e: AQAB
+ 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w`
+ RetrieveRefreshTokenClientResponse:
+ summary: Retrieve a refresh token for a Client
value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance macOS
- lastUpdate: '2022-01-01T00:00:00.000Z'
- createdUpdate: '2022-01-01T00:00:00.000Z'
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- osVersion:
- minimum: 12.4.5
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: MACOS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
+ - id: '{refreshTokenId}'
+ status: ACTIVE
+ created: '2023-09-21T19:59:56.000Z'
+ lastUpdated: '2023-09-21T20:00:38.000Z'
+ expiresAt: '2023-09-28T20:00:38.000Z'
+ issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId}
+ client_id: '{clientId}'
+ userId: '{userId}'
+ scopes:
+ - offline_access
+ - openid
+ _embedded:
+ scopes:
+ - id: '{scopeID}'
+ name: offline_access
+ displayName: Keep you signed in to the app
+ description: This keeps you signed in to the app, even when you aren't using it.
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ title: Keep you signed in to the app
+ - id: '{scopeId}'
+ name: openid
+ displayName: openid
+ description: Signals that a request is an OpenID request
+ _links:
+ scope:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId}
+ title: openid
+ _links:
+ app:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ title: My Web App
+ authorizationServer:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}
+ title: Authorization Server name
+ self:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId}
+ hints:
+ allow:
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId}
+ title: My Web App
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
+ title: Joe User
+ RetrieveSessionResponse:
+ summary: Retrieve Session information for a single session ID
+ value:
+ amr:
+ - pwd
+ createdAt: '2019-08-24T14:15:22Z'
+ expiresAt: '2019-08-24T14:15:22Z'
+ id: l7FbDVqS8zHSy65uJD85
+ idp:
+ id: 01a2bcdef3GHIJKLMNOP
+ type: ACTIVE_DIRECTORY
+ lastFactorVerification: '2019-08-24T14:15:22Z'
+ lastPasswordVerification: '2019-08-24T14:15:22Z'
+ login: user@example.com
+ status: ACTIVE
+ userId: 00u0abcdefGHIJKLMNOP
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
hints:
allow:
- DELETE
- - GET
- - PUT
- DeviceAssuranceMacOSWithThirdPartySignalProvidersRequest:
- x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
- summary: macOS with third-party signal providers request
- value:
- name: Device Assurance macOS
- osVersion:
- minimum: 12.4.5
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: MACOS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- thirdPartySignalProviders:
- dtc:
- osVersion:
- minimum: 10.0.19041.1110
- diskEncrypted: true
- osFirewall: true
- screenLockSecured: true
- browserVersion:
- minimum: 15393.27.0
- deviceEnrollmentDomain": testDomain
- builtInDnsClientEnabled": true
- chromeRemoteDesktopAppBlocked": true
- safeBrowsingProtectionLevel": true
- siteIsolationEnabled": true
- passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF
- realtimeUrlCheckMode": true
- DeviceAssuranceMacOSWithThirdPartySignalProvidersResponse:
- x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
- summary: macOS with third-party signal providers response
+ href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85
+ RetrieveUISchemaResponse:
+ summary: Retrieves a UI Schema response
value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance macOS
- lastUpdate: '2022-01-01T00:00:00.000Z'
- createdUpdate: '2022-01-01T00:00:00.000Z'
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- osVersion:
- minimum: 12.4.5.9
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: MACOS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- thirdPartySignalProviders:
- dtc:
- osVersion:
- minimum: 10.0.19041.1110
- diskEncrypted: true
- osFirewall: true
- screenLockSecured: true
- browserVersion:
- minimum: 15393.27.0
- deviceEnrollmentDomain: testDomain
- builtInDnsClientEnabled: true
- chromeRemoteDesktopAppBlocked: true
- safeBrowsingProtectionLevel: ENHANCED_PROTECTION
- siteIsolationEnabled: true
- passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
- realtimeUrlCheckMode: true
- keyTrustLevel: CHROME_BROWSER_HW_KEY
+ id: uis4a7liocgcRgcxZ0g7
+ uiSchema:
+ type: Group
+ label: Sign in
+ buttonLabel: Submit
+ elements:
+ - type: Control
+ scope: '#/properties/firstName'
+ label: First name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/lastName'
+ label: Last name
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/email'
+ label: Email
+ options:
+ format: text
+ - type: Control
+ scope: '#/properties/countryCode'
+ label: Country code
+ options:
+ format: select
+ - type: Control
+ scope: '#/properties/bool2'
+ label: bool2
+ options:
+ format: checkbox
+ - type: Control
+ scope: '#/properties/date'
+ label: date
+ - type: Control
+ scope: '#/properties/enum'
+ label: enum
+ options:
+ format: radio
+ created: '2022-07-25T12:56:31.000Z'
+ lastUpdated: '2022-07-26T11:53:59.000Z'
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
hints:
allow:
- - DELETE
- GET
- PUT
- DeviceAssuranceWindowsRequest:
- summary: Windows request
+ - DELETE
+ RiskEventsRequestExample:
+ summary: Risk Events payload example
value:
- name: Device Assurance Windows
- osVersion:
- minimum: 12.4.5.9
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: WINDOWS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- DeviceAssuranceWindowsResponse:
- summary: Windows response
+ - timestamp: '2021-01-20T00:00:00.001Z'
+ subjects:
+ - ip: 6.7.6.7
+ riskLevel: MEDIUM
+ - ip: 1.1.1.1
+ riskLevel: HIGH
+ message: Detected Attack tooling and suspicious activity
+ - timestamp: '2021-01-20T01:00:00.001Z'
+ subjects:
+ - ip: 6.7.6.7
+ riskLevel: LOW
+ - ip: 2.2.2.2
+ riskLevel: HIGH
+ RiskProviderPutRequest:
+ summary: Replace Risk Provider request example
value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance Windows
- lastUpdate: '2022-01-01T00:00:00.000Z'
- createdUpdate: '2022-01-01T00:00:00.000Z'
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- osVersion:
- minimum: 12.4.5.9
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: WINDOWS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
+ name: Risk-Partner-Y
+ action: enforce_and_log
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ RiskProviderPutResponse:
+ summary: Replace Risk Provider response example
+ value:
+ id: 00rp12r4skkjkjgsn
+ action: enforce_and_log
+ name: Risk-Partner-Y
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ created: '2021-01-05 22:18:30'
+ lastUpdated: '2021-01-05 23:18:30'
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
hints:
allow:
- - DELETE
- GET
- PUT
- DeviceAssuranceWindowsWithThirdPartySignalProvidersRequest:
- x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
- summary: Windows with third-party signal providers request
+ RiskProviderRequest:
+ summary: Risk Provider payload example
value:
- name: Device Assurance Windows
- osVersion:
- minimum: 12.4.5.9
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: WINDOWS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- thirdPartySignalProviders:
- dtc:
- osVersion:
- minimum: 10.0.19041.1110
- diskEncrypted: true
- osFirewall: true
- screenLockSecured: true
- browserVersion:
- minimum: 15393.27.0
- deviceEnrollmentDomain: testDomain
- builtInDnsClientEnabled: true
- chromeRemoteDesktopAppBlocked: true
- safeBrowsingProtectionLevel: ENHANCED_PROTECTION
- siteIsolationEnabled: true
- passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
- realtimeUrlCheckMode: true
- secureBootEnabled: true
- windowsMachineDomain: testMachineDomain
- windowsUserDomain: testUserDomain
- thirdPartyBlockingEnabled: true
- crowdStrikeCustomerId: testCustomerId
- crowdStrikeAgentId": testAgentId
- keyTrustLevel: CHROME_BROWSER_HW_KEY
- DeviceAssuranceWindowsWithThirdPartySignalProvidersResponse:
- x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
- summary: Windows with third-party signal providers response
+ name: Risk-Partner-X
+ action: log_only
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ RiskProviderResponse:
+ summary: Risk Provider response example
value:
- id: dae3m8o4rWhwReDeM1c5
- name: Device Assurance Windows
- lastUpdate: '2022-01-01T00:00:00.000Z'
- createdUpdate: '2022-01-01T00:00:00.000Z'
- lastUpdatedBy: 00u217pyf72CdUrBt1c5
- createdBy: 00u217pyf72CdUrBt1c5
- osVersion:
- minimum: 12.4.5.9
- diskEncryptionType:
- include:
- - ALL_INTERNAL_VOLUMES
- platform: WINDOWS
- screenLockType:
- include:
- - PASSCODE
- - BIOMETRIC
- secureHardwarePresent: true
- thirdPartySignalProviders:
- dtc:
- osVersion:
- minimum: 10.0.19041.1110
- diskEncrypted: true
- osFirewall: true
- screenLockSecured: true
- browserVersion:
- minimum: 15393.27.0
- deviceEnrollmentDomain: testDomain
- builtInDnsClientEnabled: true
- chromeRemoteDesktopAppBlocked: true
- safeBrowsingProtectionLevel: ENHANCED_PROTECTION
- siteIsolationEnabled: true
- passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF
- realtimeUrlCheckMode: true
- secureBootEnabled: true
- windowsMachineDomain: testMachineDomain
- windowsUserDomain: testUserDomain
- thirdPartyBlockingEnabled: true
- crowdStrikeCustomerId: testCustomerId
- crowdStrikeAgentId": testAgentId
- keyTrustLevel: CHROME_BROWSER_HW_KEY
+ id: 00rp12r4skkjkjgsn
+ action: log_only
+ name: Risk-Partner-X
+ clientId: 00ckjsfgjkdkjdkkljjsd
+ created: '2021-01-05 22:18:30'
+ lastUpdated: '2021-01-05 22:18:30'
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5
+ href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
hints:
allow:
- - DELETE
- GET
- PUT
- DeviceResponse:
+ RoleAssignedUsersResponseExample:
+ value:
+ value:
+ - id: 00u118oQYT4TBGuay0g4
+ orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4
+ _links:
+ self:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
+ roles:
+ href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles
+ _links:
+ next:
+ href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1
+ RoleRequest:
+ value:
+ label: UserCreator
+ description: Create users
+ permissions:
+ - okta.users.create
+ - okta.users.read
+ - okta.groups.read
+ - okta.users.userprofile.manage
+ RoleResponse:
+ value:
+ id: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreator
+ description: Create users
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ RolesResponse:
+ value:
+ roles:
+ - id: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreator
+ description: Create users
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ - id: cr0Fw7HKcWIroo88m3r1
+ label: GroupMembershipManager
+ description: Manage group membership
+ created: '2021-02-06T16:20:57.000Z'
+ lastUpdated: '2021-02-06T16:20:57.000Z'
+ _links:
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions
+ self:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1
+ _links:
+ next:
+ href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1
+ SAMLHookResponseExample:
+ summary: An example SAML assertion inline hook response
+ value:
+ commands:
+ - type: com.okta.assertion.patch
+ value:
+ - op: replace
+ path: /claims/array/attributeValues/1/value
+ value: replacementValue
+ - op: replace
+ path: /authentication/authnContext
+ value:
+ authnContextClassRef: replacementValue
+ - op: add
+ path: /claims/extPatientId
+ value:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: '4321'
+ - op: add
+ path: /authentication/sessionLifetime
+ value: 300
+ - type: com.okta.assertion.patch
+ value:
+ - op: replace
+ path: /authentication/sessionIndex
+ value: exampleSession
+ SAMLHookResponseWithURIFormat:
+ summary: An example with `replace` and `add` operations with the URI formatted claim encoded
+ value:
+ commands:
+ - type: com.okta.assertion.patch
+ value:
+ - op: replace
+ path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributeValues/0/value
+ value: replacementValue
+ - op: replace
+ path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributes
+ value:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - op: add
+ path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1bar
+ value:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: bearer
+ SAMLPayLoadExample:
+ summary: An example SAML assertion inline hook request body
+ value:
+ source: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml
+ eventId: XMFoHCM1S4Wi_SGWzL8T9A
+ eventTime: '2019-03-28T19:15:23.000Z'
+ data:
+ context:
+ request:
+ id: reqqXypjzYJRSu2j1G1imUovA
+ method: GET
+ url:
+ value: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml
+ ipAddress: 127.0.0.1
+ protocol:
+ type: SAML2.0
+ issuer:
+ id: 0oath92zlO60urQOP0g3
+ name: SAML 2.0 App
+ uri: http://www.okta.com/exkth8lMzFm0HZOTU0g3
+ session:
+ id: 102LN9Bnuc4S_ewfc9BYwageA
+ userId: 00uq8tMo3zV0OfJON0g3
+ login: user@example.com
+ createdAt: '2019-03-28T16:45:55.000Z'
+ expiresAt: '2019-03-28T21:15:23.000Z'
+ status: ACTIVE
+ lastPasswordVerification: '2019-03-28T16:45:55.000Z'
+ amr:
+ - PASSWORD
+ idp:
+ id: 00oq6kcVwvrDY2YsS0g3
+ type: OKTA
+ mfaActive: false
+ user:
+ id: 00uq8tMo3zV0OfJON0g3
+ passwordChanged: '2018-09-11T23:19:12.000Z'
+ profile:
+ login: user@example.com
+ firstName: Admin
+ lastName: Last
+ locale: en
+ timeZone: America/Los_Angeles
+ _links:
+ groups:
+ href: https://${yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups
+ factors:
+ href: https://${yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors
+ assertion:
+ subject:
+ nameId: user@example.com
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ confirmation:
+ method: urn:oasis:names:tc:SAML:2.0:cm:bearer
+ data:
+ recipient: http://www.example.com:7070/saml/sso
+ authentication:
+ sessionIndex: id1553800523546.312669168
+ authnContext:
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ conditions:
+ audienceRestriction:
+ - urn:example:sp
+ claims:
+ extPatientId:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:integer
+ value: '4321'
+ array:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: Array 1
+ - attributes:
+ xsi:type: xs:string
+ value: Array2
+ - attributes:
+ xsi:type: xs:string
+ value: Array3
+ middle:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: admin
+ firstAndLast:
+ attributes:
+ NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ attributeValues:
+ - attributes:
+ xsi:type: xs:string
+ value: 7d6a50c8-4d7e-4058-9c5b-2cc98cecd294
+ lifetime:
+ expiration: 300
+ eventTypeVersion: '1.0'
+ cloudEventVersion: '0.1'
+ eventType: com.okta.saml.tokens.transform
+ contentType: application/json
+ SMSTemplateEditablePropertyValues:
value:
- id: guo8jx5vVoxfvJeLb0w4
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ SMSTemplateListResponse:
+ value:
+ - id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ SMSTemplateResponseValues:
+ value:
+ id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ Saml2.0Ex:
+ summary: SAML_2_0
+ value:
+ label: Example Custom SAML 2.0 App
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ signOnMode: SAML_2_0
+ settings:
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n"
+ requestCompressed: false
+ allowMultipleAcsEndpoints: true
+ acsEndpoints:
+ - url: http://testorgone.okta
+ index: 0
+ - url: http://testorgone.okta/1
+ index: 1
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ Saml2.0PutEx:
+ summary: SAML_2_0
+ value:
+ label: Example Custom SAML 2.0 App updated
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ signOnMode: SAML_2_0
+ settings:
+ signOn:
+ defaultRelayState: ''
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ participateSlo:
+ enabled: true
+ logoutRequestUrl: https://testorgone.okta.com/logout/participate
+ sessionIndexRequired: true
+ bindingType: REDIRECT
+ spCertificate:
+ x5c:
+ - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n..."
+ requestCompressed: false
+ allowMultipleAcsEndpoints: true
+ acsEndpoints:
+ - url: http://testorgone.okta
+ index: 0
+ - url: http://testorgone.okta/1
+ index: 1
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ Saml2.0PutResponseEx:
+ summary: SAML_2_0
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
status: ACTIVE
- created: '2020-11-03T21:47:01.000Z'
- lastUpdated: '2020-11-03T23:46:27.000Z'
- profile:
- displayName: DESKTOP-EHAD3IE
- platform: WINDOWS
- manufacturer: International Corp
- model: VMware7,1
- osVersion: 10.0.18362
- serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce
- udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE
- sid: S-1-5-21-3992267483-1860856704-2413701314-500
- registered: true
- secureHardwarePresent: false
- diskEncryptionType: NONE
- resourceId: guo8jx5vVoxfvJeLb0w4
- resourceDisplayName:
- value: DESKTOP-EHAD3IE
- sensitive: false
- resourceType: UDDevice
- resourceAlternateId: null
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
_links:
- suspend:
- href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
hints:
allow:
- POST
- self:
- href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4
- hints:
- allow:
- - GET
- - PATCH
- - PUT
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
users:
- href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users
- hints:
- allow:
- - GET
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
deactivate:
- href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_examplecustomsaml20app_1_link: true
+ name: testorgone_examplecustomsaml20app_1
+ label: Example Custom SAML 2.0 App updated
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q
+ settings:
+ app: {}
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ spIssuer: https://testorgone.okta.com
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ samlSignedRequestEnabled: false
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ inlineHooks: []
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ Saml2.0ResponseEx:
+ summary: SAML_2_0
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
hints:
allow:
- POST
- EmailCustomizationResponse:
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ testorgone_examplecustomsaml20app_1_link: true
+ name: testorgone_examplecustomsaml20app_1
+ label: Example Custom SAML 2.0 App
+ features: []
+ signOnMode: SAML_2_0
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q
+ settings:
+ app: {}
+ signOn:
+ defaultRelayState: null
+ ssoAcsUrl: http://testorgone.okta
+ idpIssuer: http://www.okta.com/${org.externalKey}
+ audience: asdqwe123
+ recipient: http://testorgone.okta
+ destination: http://testorgone.okta
+ subjectNameIdTemplate: ${user.userName}
+ subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ responseSigned: true
+ assertionSigned: true
+ signatureAlgorithm: RSA_SHA256
+ digestAlgorithm: SHA256
+ honorForceAuthn: true
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ spIssuer: https://testorgone.okta.com
+ samlAssertionLifetimeSeconds: 3600
+ slo:
+ enabled: true
+ issuer: https://testorgone.okta.com
+ logoutUrl: https://testorgone.okta.com/logout
+ requestCompressed: false
+ allowMultipleAcsEndpoints: false
+ acsEndpoints: []
+ samlSignedRequestEnabled: false
+ attributeStatements:
+ - type: EXPRESSION
+ name: Attribute
+ namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ values:
+ - Value
+ inlineHooks: []
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ SamlIdPResponse:
+ summary: SAML 2.0 Identity Provider
value:
- language: en
- isDefault: true
- subject: Welcome to ${org.name}!
- body: Hello, ${user.profile.firstName}. Click here to activate your account.
- id: oel11u6DqUiMbQkpl0g4
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ id: 0oa62bc8wppPw0UGr0h7
+ type: SAML2
+ name: Example SAML IdP
+ status: ACTIVE
+ created: '2016-03-24T23:14:54.000Z'
+ lastUpdated: '2016-03-24T23:14:54.000Z'
+ protocol:
+ type: SAML2
+ endpoints:
+ sso:
+ url: https://idp.example.com
+ binding: HTTP-POST
+ destination: https://idp.example.com
+ acs:
+ binding: HTTP-POST
+ type: INSTANCE
+ algorithms:
+ request:
+ signature:
+ algorithm: SHA-256
+ scope: REQUEST
+ response:
+ signature:
+ algorithm: SHA-256
+ scope: ANY
+ settings:
+ nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ credentials:
+ trust:
+ issuer: https://idp.example.com
+ audience: http://www.okta.com/123
+ kid: your-key-id
+ policy:
+ provisioning:
+ action: AUTO
+ profileMaster: true
+ groups:
+ action: NONE
+ conditions:
+ deprovisioned:
+ action: NONE
+ suspended:
+ action: NONE
+ accountLink:
+ filter: null
+ action: AUTO
+ subject:
+ userNameTemplate:
+ template: saml.subjectNameId
+ filter: (\S+@example\.com)
+ matchType: USERNAME
+ mapAMRClaims: false
+ maxClockSkew: 0
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
+ metadata:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml
+ type: application/xml
hints:
allow:
- GET
- - PUT
- - DELETE
- template:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ acs:
+ href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7
+ type: application/xml
hints:
allow:
- - GET
- preview:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ - POST
+ users:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users
hints:
allow:
- GET
- test:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate
hints:
allow:
- POST
- EmailDomainResponse:
+ SecurePasswordStoreEx:
+ summary: SECURE_PASSWORD_STORE
value:
- id: OeD114iNkrcN6aR680g4
- validationStatus: NOT_STARTED
- displayName: Admin
- userName: admin
- domain: example.com
- dnsValidationRecords:
- - recordType: TXT
- fqdn: _oktaverification.example.com
- verificationValue: 759080212bda43e3bc825a7d73b4bb64
- - recordType: CNAME
- fqdn: mail.example.com
- verificationValue: u22224444.wl024.sendgrid.net
- - recordType: CNAME
- fqdn: t02._domainkey.example.com
- verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
- - recordType: CNAME
- fqdn: t022._domainkey.example.com
- verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
- EmailSettingsResponse:
+ name: template_sps
+ label: Example SWA App
+ signOnMode: SECURE_PASSWORD_STORE
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue
+ SecurePasswordStorePutEx:
+ summary: SECURE_PASSWORD_STORE
value:
- recipients: ALL_USERS
+ name: template_sps
+ label: Example SWA App updated
+ signOnMode: SECURE_PASSWORD_STORE
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue_updated
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue_updated
+ SecurePasswordStorePutResponseEx:
+ summary: SECURE_PASSWORD_STORE
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
hints:
allow:
- - GET
- - PUT
- template:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- EmailTemplateDefaultContentResponse:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_sps
+ label: Example SWA App updated
+ features: []
+ signOnMode: SECURE_PASSWORD_STORE
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue_updated
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue_updated
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ SecurePasswordStoreResponseEx:
+ summary: SECURE_PASSWORD_STORE
value:
- subject: Welcome to ${org.name}!
- body:
Hello, ${user.profile.firstName}. Click here to activate your account.
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
- hints:
- allow:
- - GET
- template:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
- hints:
- allow:
- - GET
- preview:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
hints:
allow:
- - GET
- ErrorAccessDenied:
- summary: Access Denied
- value:
- errorCode: E0000006
- errorSummary: You do not have permission to perform the requested action
- errorLink: E0000006
- errorId: sampleNUSD_8fdkFd8fs8SDBK
- errorCauses: []
- ErrorApiValidationFailed:
- summary: API Validation Failed
- value:
- errorCode: E0000001
- errorSummary: 'Api validation failed: {0}'
- errorLink: E0000001
- errorId: sampleiCF-8D5rLW6myqiPItW
- errorCauses: []
- ErrorAppFeatureAPIValidationFailed:
- summary: API Validation Failed
- value:
- errorCode: E0000001
- errorSummary: 'Api validation failed: feature'
- errorLink: E0000001
- errorId: oaeZLxeiHUUQomPkM8xOqvu1A
- errorCauses:
- - errorSummary: Provisioning is not enabled for the app instance.
- ErrorCAPTCHALimitOfOne:
- value:
- errorCode: E0000165
- errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org.
- errorLink: E0000165
- errorId: oaejrB1fWL1S7mc-2KcG-SOtw
- errorCauses: []
- ErrorCAPTCHAOrgWideSetting:
- value:
- errorCode: E0000149
- errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed.
- errorLink: E0000149
- errorId: samplezsusshPdiTWiITwqBt8
- errorCauses: []
- ErrorCAPTCHAOrgWideSettingNull:
- summary: captchaId is null, but enabledPages is defined
- value:
- errorCode: E0000001
- errorSummary: 'Api validation failed: captchaId'
- errorLink: E0000001
- errorId: oae-hk3rssXQmOWDRsaFfxe8A
- errorCauses:
- errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.'
- ErrorCreateUserWithExpiredPasswordWithNullPassword:
- value:
- errorCode: E0000124
- errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified
- errorLink: E0000124
- errorId: oaeXxuZgXBySvqi1FvtkwoYCA
- errorCauses:
- - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified
- ErrorCreateUserWithExpiredPasswordWithoutActivation:
- value:
- errorCode: E0000125
- errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true
- errorLink: E0000125
- errorId: oaeDd77L9R-TJaD7j_rXsQ31w
- errorCauses:
- - errorSummary: Could not create user. To create a user and expire their password immediately, "activate" must be true
- ErrorCreateUserWithTooManyManyGroupsResponse:
- value:
- errorCode: E0000093
- errorSummary: Target count limit exceeded
- errorLink: E0000093
- errorId: oaePVSLIYnIQsC0B-ptBIllVA
- errorCauses:
- - errorSummary: The number of group targets is too large.
- ErrorDeleteBrandAssociatedWithDomain:
- value:
- errorCode: E0000201
- errorSummary: A brand associated with a domain cannot be deleted
- errorLink: E0000201
- errorId: oaeAdRqprFuTyKokyYPbURJkA
- errorCauses: []
- ErrorDeleteDefaultBrand:
- value:
- errorCode: E0000200
- errorSummary: A default brand cannot be deleted
- errorLink: E0000200
- errorId: oaeAdRqprFuTyKokyYPbURJkA
- errorCauses: []
- ErrorDeviceAssuranceInUse:
- summary: Cannot delete device assurance policy in use by authentication policies
- value:
- errorSummary: Device assurance is in use and cannot be deleted.
- errorId: oaenwA1ra80S9W-pvbh4m6haA
- errorCauses: []
- ErrorEmailCustomizationCannotClearDefault:
- value:
- errorCode: E0000185
- errorSummary: The isDefault parameter of the default email template customization can't be set to false.
- errorLink: E0000185
- errorId: oaejrB1fWL1S7mc-2KcG-SOtw
- errorCauses: []
- ErrorEmailCustomizationCannotDeleteDefault:
- value:
- errorCode: E0000184
- errorSummary: A default email template customization can't be deleted.
- errorLink: E0000184
- errorId: oaeAdRqprFuTyKokyYPbURJkA
- errorCauses: []
- ErrorEmailCustomizationDefaultAlreadyExists:
- value:
- errorCode: E0000182
- errorSummary: A default email template customization already exists.
- errorLink: E0000182
- errorId: oaeXYwTiMvASsC3O4HCzjFaCA
- errorCauses: []
- ErrorEmailCustomizationLanguageAlreadyExists:
- value:
- errorCode: E0000183
- errorSummary: An email template customization for that language already exists.
- errorLink: E0000183
- errorId: oaeUcGELffqRay0u1OPdnPypw
- errorCauses: []
- ErrorEmailDomainAlreadyExists:
- value:
- errorCode: E0000197
- errorSummary: Email domain already exists.
- errorLink: E0000197
- errorId: oaeEdRqprFuTyKokyYPbURJkA
- errorCauses: []
- ErrorEmailDomainInUse:
- value:
- errorCode: E0000216
- errorSummary: Email domain can't be deleted due to mail provider restrictions.
- errorLink: E0000216
- errorId: oaeEdRqprFuTyKokyYPbURJkB
- errorCauses: []
- ErrorEmailDomainInvalidStatus:
- value:
- errorCode: E0000217
- errorSummary: Invalid status. Can't validate email domain with current status.
- errorLink: E0000217
- errorId: oaeEdRqprFuTyKokyYPbURJkD
- errorCauses: []
- ErrorEmailDomainNotVerified:
- value:
- errorCode: E0000218
- errorSummary: Email domain couldn't be verified by mail provider.
- errorLink: E0000218
- errorId: oaeEdRqprFuTyKokyYPbURJkC
- errorCauses: []
- ErrorInvalidEmailTemplateRecipients:
- value:
- errorCode: E0000189
- errorSummary: This template does not support the recipients value.
- errorLink: E0000189
- errorId: oae8L1-UkcNTeGi5xVQ28_lww
- errorCauses: []
- ErrorInvalidTokenProvided:
- summary: Invalid Token Provided
- value:
- errorCode: E0000011
- errorSummary: Invalid token provided
- errorLink: E0000011
- errorId: sampleQPivGUj_ND5v78vbYWW
- errorCauses: []
- ErrorMissingRequiredParameter:
- summary: Missing Required Parameter
- value:
- errorCode: E0000028
- errorSummary: The request is missing a required parameter.
- errorLink: E0000028
- errorId: sampleiCF-l7mr9XqM1NQ
- errorCauses: []
- ErrorPushProviderUsedByCustomAppAuthenticator:
- value:
- errorCode: E0000187
- errorSummary: Cannot delete push provider because it is being used by a custom app authenticator.
- errorLink: E0000187
- errorId: oaenwA1ra80S9W-pvbh4m6haA
- errorCauses: []
- ErrorResourceNotFound:
- summary: Resource Not Found
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_sps
+ label: Example SWA App
+ features: []
+ signOnMode: SECURE_PASSWORD_STORE
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ revealPassword: false
+ signing: {}
+ settings:
+ app:
+ url: https://example.com/login.html
+ passwordField: '#txtbox-password'
+ usernameField: '#txtbox-username'
+ optionalField1: param1
+ optionalField1Value: somevalue
+ optionalField2: param2
+ optionalField2Value: yetanothervalue
+ optionalField3: param3
+ optionalField3Value: finalvalue
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ SecurityEventsProviderRequestIssuerAndJwksUrl:
+ summary: Provider with issuer and JWKS
value:
- errorCode: E0000007
- errorSummary: 'Not found: {0}'
- errorLink: E0000007
- errorId: sampleMlLvGUj_YD5v16vkYWY
- errorCauses: []
- ErrorTooManyRequests:
- summary: Too Many Requests
+ name: Security Events Provider with an issuer and a JWKS URL
+ type: okta
+ settings:
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
+ SecurityEventsProviderRequestWellKnownUrl:
+ summary: Provider with well-known URL
value:
- errorCode: E0000047
- errorSummary: You exceeded the maximum number of requests. Try again in a while.
- errorLink: E0000047
- errorId: sampleQPivGUj_ND5v78vbYWW
- errorCauses: []
- GetBrandResponse:
+ name: Security Events Provider with well-known URL
+ type: okta
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ SecurityEventsProviderResponseIssuerAndJwksUrl:
+ summary: Provider with issuer and JWKS
value:
- id: bnd114iNkrcN6aR680g4
- removePoweredByOkta: false
- customPrivacyPolicyUrl: null
- name: Okta Default
- isDefault: true
- locale: en
- emailDomainId: OeD114iNkrcN6aR680g4
- defaultApp:
- appInstanceId: 0oa114iNkrcN6aR680g4
- appLinkName: null
- classicApplicationUri: null
+ id: sse1qu4fUtsoD12iF0g5
+ name: Security Events Provider with an issuer and a JWKS URL
+ type: okta
+ status: ACTIVE
+ settings:
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
_links:
self:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5
hints:
allow:
- GET
- PUT
- DELETE
- themes:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate
hints:
allow:
- - GET
- GetEmailTemplateResponse:
+ - POST
+ SecurityEventsProviderResponseWellKnownUrl:
+ summary: Provider with well-known URL
value:
- name: UserActivation
+ id: sse1qg25RpusjUP6m0g5
+ name: Security Events Provider with well-known URL
+ type: okta
+ status: ACTIVE
+ settings:
+ well_known_url: https://example.okta.com/.well-known/ssf-configuration
+ issuer: Issuer
+ jwks_url: https://example.okta.com/jwks/path
_links:
self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5
hints:
allow:
- GET
- settings:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate
hints:
allow:
- - GET
- - PUT
- defaultContent:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ - POST
+ SimulatePolicyBody:
+ summary: Simulate policy request body
+ description: Simulate policy request body
+ value:
+ policyType:
+ - OKTA_SIGN_ON
+ - MFA_ENROLL
+ appInstance: 0oa4eroj3nYCIJIW70g7
+ policyContext:
+ groups:
+ ids:
+ - 00g4eralvekR5RLuS0g7
+ - 00g4eralvekR5RLuS0g8
+ risk:
+ level: LOW
+ zones:
+ ids:
+ - nzo4eralxcRnbIHYJ0g7
+ device:
+ platform: IOS
+ registered: true
+ managed: true
+ SimulatePolicyElExpressionBody:
+ summary: Simulate policy request body with EL context
+ description: Simulate policy request body with EL context
+ value:
+ appInstance: 0oa4fdudGhhB5FNKR0g4
+ policyContext:
+ user:
+ id: 00u10wvS3zms2JVaO0g4
+ status: ACTIVE
+ created: '2024-04-29T18:05:24.000Z'
+ lastUpdated: '2024-04-29T18:05:24.000Z'
+ passwordChanged: '2024-04-29T18:05:24.000Z'
+ lastLogin: '2024-04-29T18:05:24.000Z'
+ profile:
+ city: string
+ costCenter: string
+ countryCode: st
+ department: string
+ displayName: string
+ division: string
+ email: user@example.com
+ employeeNumber: string
+ firstName: string
+ honorificPrefix: string
+ honorificSuffix: string
+ lastName: string
+ locale: string
+ login: string
+ manager: string
+ managerId: string
+ middleName: string
+ mobilePhone: string
+ nickName: string
+ organization: string
+ postalAddress: string
+ preferredLanguage: string
+ primaryPhone: string
+ profileUrl: string
+ secondEmail: user@example.com
+ state: string
+ streetAddress: string
+ timezone: string
+ title: string
+ userType: string
+ zipCode: string
+ SimulatePolicyElExpressionResponse:
+ summary: Simulate policy response body with EL Context
+ description: Simulate policy response body with EL Context
+ value:
+ evaluation:
+ - status: null
+ policyType: OKTA_SIGN_ON
+ result:
+ policies:
+ - id: 00p4eromwukk6qUku0g7
+ name: test policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4erof85nGcyC7Y0g7
+ name: test rule
+ status: MATCH
+ conditions:
+ - type: people.groups.include
+ status: MATCH
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: MFA_ENROLL
+ result:
+ policies:
+ - id: 00p4eram2kw1aLcrx0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4eram2lMQT5FZF0g7
+ name: null
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: ACCESS_POLICY
+ result:
+ policies:
+ - id: rst4eram06ZKZewEe0g7
+ name: Any two factors
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram07VsWgybo0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: PROFILE_ENROLLMENT
+ result:
+ policies:
+ - id: rst4eram08ZSjPTOl0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram094PrQ2BX0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ SimulatePolicyResponse:
+ summary: Simulate policy response body
+ description: Simulate policy response body
+ value:
+ evaluation:
+ - status: null
+ policyType: OKTA_SIGN_ON
+ result:
+ policies:
+ - id: 00p4eromwukk6qUku0g7
+ name: test policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4erof85nGcyC7Y0g7
+ name: test rule
+ status: MATCH
+ conditions:
+ - type: people.groups.include
+ status: MATCH
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: MFA_ENROLL
+ result:
+ policies:
+ - id: 00p4eram2kw1aLcrx0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: 0pr4eram2lMQT5FZF0g7
+ name: null
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: ACCESS_POLICY
+ result:
+ policies:
+ - id: rst4eram06ZKZewEe0g7
+ name: Any two factors
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram07VsWgybo0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ - status: null
+ policyType: PROFILE_ENROLLMENT
+ result:
+ policies:
+ - id: rst4eram08ZSjPTOl0g7
+ name: Default Policy
+ status: MATCH
+ conditions: []
+ rules:
+ - id: rul4eram094PrQ2BX0g7
+ name: Catch-all rule
+ status: MATCH
+ conditions: []
+ undefined:
+ policies: []
+ evaluated:
+ policies: []
+ SmartCardIdPResponse:
+ summary: SmartCard Identity Provider
+ value:
+ id: 0oa6jxasyhwM2ZHJh0g4
+ type: X509
+ name: Smart Card IDP Name
+ status: ACTIVE
+ created: '2020-01-07T00:19:27.000Z'
+ lastUpdated: '2020-01-07T00:19:27.000Z'
+ properties:
+ additionalAmr:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ protocol:
+ type: MTLS
+ endpoints:
+ sso:
+ url: https://{yourOktaDomain}.okta.com/login/cert
+ credentials:
+ trust:
+ issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US
+ audience: null
+ kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc
+ revocation: CRL
+ revocationCacheLifetime: 2880
+ policy:
+ provisioning:
+ action: DISABLED
+ profileMaster: false
+ groups: null
+ subject:
+ userNameTemplate:
+ template: idpuser.subjectAltNameEmail
+ filter: null
+ matchType: EMAIL
+ matchAttribute: null
+ mapAMRClaims: false
+ maxClockSkew: 120000
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate
hints:
allow:
- - GET
- customizations:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations
+ - POST
+ users:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users
hints:
allow:
- GET
- - POST
- - DELETE
- test:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ keys:
+ href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc
hints:
allow:
- - POST
- GetUserResponse:
- summary: Retrieve a user type response
+ - GET
+ SocialAuthTokensResponse:
+ summary: Social Authentication Tokens
value:
- id: otyfnly5cQjJT9PnR0g4
- displayName: New User Type
- name: newUserType
- description: A new custom user type
- createdBy: sprz9fj1ycBcsgopy1d6
- lastUpdatedBy: sprz9fj1ycBcsgopy1d6
- created: '2021-07-05T20:40:38.000Z'
- lastUpdated: '2021-07-05T20:40:38.000Z'
- default: false
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- GroupSchemaAddRequest:
+ - id:
+ token: JBTWGV22G4ZGKV3N
+ tokenType: urn:ietf:params:oauth:token-type:access_token
+ tokenAuthScheme: Bearer
+ expiresAt: '2014-08-06T16:56:31.000Z'
+ scopes:
+ - openid
+ - foo
+ - id:
+ token: JBTWGV22G4ZJBRXJ
+ tokenType: urn:ietf:params:oauth:token-type:id_token
+ tokenAuthScheme: null
+ StandardAndCustomRolesListResponse:
+ value:
+ - id: IFIFAX2BIRGUSTQ
+ label: Application administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: ra125eqBFpETrMwu80g4
+ label: Organization administrator
+ type: ORG_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: gra25fapn1prGTBKV0g4
+ label: API Access Management administrator
+ type: API_ACCESS_MANAGEMENT_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4
+ - id: irb1q92TFAHzySt3x0g4
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: USER
+ resource-set: iamoJDFKaJxGIr0oamd9g
+ _links:
+ assignee:
+ href": https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2
+ resource-set:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
+ member:
+ href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ - id: irb5e92YgBazyyQ3x1q5
+ role: cr0Yq6IJxGIr0ouum0g3
+ label: UserCreatorRole
+ type: CUSTOM
+ status: ACTIVE
+ created: '2019-02-06T16:20:57.000Z'
+ lastUpdated: '2019-02-06T16:20:57.000Z'
+ assignmentType: GROUP
+ resource-set: iamoakjsdQaJxGIr03int1o
+ _links:
+ assignee:
+ href: https://{ yourOktaDomain }/api/v1/groups/00g1ousb3XCr9Dkr20g4
+ resource-set:
+ href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoakjsdQaJxGIr03int1o
+ member:
+ href: https://{ yourOktaDomain }/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4
+ role:
+ href: https://{ yourOktaDomain }/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
+ permissions:
+ href: https://{ yourOktaDomain }/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions
+ StandardRoleAssignmentRequest:
value:
- definitions:
- custom:
- id: '#custom'
- type: object
- properties:
- groupContact:
- title: Group administrative contact
- description: Group administrative contact
- type: string
- required: false
- minLength: 1
- maxLength: 20
- permissions:
- - principal: SELF
- action: READ_WRITE
- required: []
- GroupSchemaResponse:
+ type: HELP_DESK_ADMIN
+ StandardRoleResponseClient:
value:
- $schema: http://json-schema.org/draft-04/schema#
+ id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk Administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2023-05-01T14:24:54.000Z'
+ lastUpdated: '2023-05-01T14:24:54.000Z'
+ assignmentType: CLIENT
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default
- method: GET
- rel: self
- created: '2021-01-30T00:18:24.000Z'
- definitions:
- base:
- id: '#base'
- properties: {}
- required:
- - name
- type: object
- custom:
- id: '#custom'
- properties:
- groupContact:
- description: Group administrative contact
- master:
- type: PROFILE_MASTER
- mutability: READ_WRITE
- permissions:
- - action: READ_WRITE
- principal: SELF
- scope: NONE
- title: Group administrative contact
- type: string
- required: []
- type: object
- description: Okta group profile template
- id: https://{yourOktaDomain}/meta/schemas/group/default
- lastUpdated: '2021-02-25T23:05:31.000Z'
- name: group
- properties:
- profile:
- allOf:
- - $ref: '#/definitions/custom'
- - $ref: '#/definitions/base'
- title: Okta group
- type: object
- ListAllKeysResponse:
- summary: List All Keys response example
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles
+ StandardRoleResponseUser:
value:
- - id: HKY1i2htmXF5UNQhL0g4
- keyId: bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb
- name: My new key
- created: '2022-08-22T16:34:33.000Z'
- lastUpdated: '2022-08-22T16:34:33.000Z'
- isUsed: 'true'
- - id: HKY1p7jWLndGQV9M60g4
- keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
- name: Test key
- created: '2022-08-31T18:09:58.000Z'
- lastUpdated: '2022-08-31T18:09:58.000Z'
- isUsed: 'false'
- ListBrandsResponse:
+ id: ra1b8anIk7rx7em7L0g4
+ label: Super Organization administrator
+ type: SUPER_ADMIN
+ status: ACTIVE
+ created: '2015-09-06T15:28:47.000Z'
+ lastUpdated: '2015-09-06T15:28:47.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ StandardRolesListResponse:
value:
- - id: bnd114iNkrcN6aR680g4
- name: Okta Default
- isDefault: true
- removePoweredByOkta: false
- customPrivacyPolicyUrl: null
- locale: en
- emailDomainId: OeD114iNkrcN6aR680g4
- defaultApp:
- appInstanceId: 0oa114iNkrcN6aR680g4
- appLinkName: null
- classicApplicationUri: null
+ - id: IFIFAX2BIRGUSTQ
+ label: Application administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- themes:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
- hints:
- allow:
- - GET
- ListEmailCustomizationResponse:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: ra125eqBFpETrMwu80g4
+ label: Organization administrator
+ type: ORG_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: USER
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ - id: gra25fapn1prGTBKV0g4
+ label: API Access Management administrator
+ type: API_ACCESS_MANAGEMENT_ADMIN
+ status: ACTIVE
+ created": '2019-02-06T16:20:57.000Z'
+ lastUpdated": '2019-02-06T16:20:57.000Z'
+ assignmentType": GROUP
+ _links":
+ assignee":
+ href": https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4
+ StandardRolesListResponseClient:
value:
- - language: en
- isDefault: true
- subject: Welcome to ${org.name}!
- body: Hello, ${user.profile.firstName}. Click here to activate your account.
- id: oel11u6DqUiMbQkpl0g4
- created: 2021-11-09T20:38:10.000Z
- lastUpdated: 2021-11-11T20:38:10.000Z
+ - id: JBCUYUC7IRCVGS27IFCE2SKO
+ label: Help Desk Administrator
+ type: HELP_DESK_ADMIN
+ status: ACTIVE
+ created: '2023-05-01T14:24:54.000Z'
+ lastUpdated: '2023-05-01T14:24:54.000Z'
+ assignmentType: CLIENT
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4
- hints:
- allow:
- - GET
- - PUT
- - DELETE
- template:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ assignee:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles
+ StandardRolesListResponseGroup:
+ value:
+ - id: IFIFAX2BIRGUSTQ
+ label: Application Administrator
+ type: APP_ADMIN
+ status: ACTIVE
+ created: '2019-02-06T16:17:40.000Z'
+ lastUpdated: '2019-02-06T16:17:40.000Z'
+ assignmentType: GROUP
+ _links:
+ assignee:
+ href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3
+ SubmissionOidcRequest:
+ summary: Submission OIDC request example
+ value:
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ oidc:
+ redirectUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/login
+ initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init
+ postLogoutUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/logged-out
+ doc: https://example.com/strawberry/help/oidcSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ SubmissionOidcResponse:
+ summary: Submission OIDC response example
+ value:
+ id: acme_strawberrycentral_1
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ oidc:
+ redirectUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/login
+ initiateLoginUri: https://${org.subdomain}.example.com/strawberry/oidc/sp-init
+ postLogoutUris:
+ - https://${org.subdomain}.example.com/strawberry/oidc/logged-out
+ doc: https://example.com/strawberry/help/oidcSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ status: New
+ lastUpdated: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR
+ lastPublished: '2023-09-01T13:23:45.000Z'
+ SubmissionSamlRequest:
+ summary: Submission SAML request example
+ value:
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ saml:
+ acs:
+ - url: https://${org.subdomain}.example.com/saml/login
+ entityId: https://${org.subdomain}.example.com
+ claims:
+ - name: manager
+ values:
+ - ${user.manager}
+ groups:
+ - name: groups
+ doc: https://example.com/strawberry/help/samlSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ SubmissionSamlResponse:
+ summary: Submission SAML response example
+ value:
+ id: acme_strawberrycentral_1
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ saml:
+ acs:
+ - url: https://${org.subdomain}.example.com/saml/login
+ entityId: https://${org.subdomain}.example.com
+ claims:
+ - name: manager
+ values:
+ - ${user.manager}
+ groups:
+ - name: groups
+ doc: https://example.com/strawberry/help/samlSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ status: To be reviewed by Okta
+ lastUpdated: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR
+ lastPublished: null
+ SubmissionsResponse:
+ summary: Submission list example
+ value:
+ - id: acme_strawberrycentral_1
+ name: Strawberry Central
+ description: Your one source for in-season strawberry deals
+ logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ sso:
+ saml:
+ acs:
+ - url: https://${org.subdomain}.example.com/saml/login
+ entityId: https://${org.subdomain}.example.com
+ claims:
+ - name: manager
+ values:
+ - ${user.manager}
+ groups:
+ - name: groups
+ doc: https://example.com/strawberry/help/samlSetup
+ config:
+ - name: subdomain
+ label: Subdomain
+ status: Complete
+ lastUpdated: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR
+ lastPublished: '2023-09-01T13:23:45.000Z'
+ SupportedFactorResults:
+ value:
+ - factorType: question
+ provider: OKTA
+ vendorName: OKTA
+ _links:
+ questions:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions
hints:
allow:
- GET
- preview:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
hints:
allow:
- - GET
- test:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ - POST
+ - factorType: token:software:totp
+ provider: OKTA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
hints:
allow:
- POST
- ListEmailTemplateResponse:
- value:
- - name: UserActivation
+ - factorType: token:software:totp
+ provider: GOOGLE
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
hints:
allow:
- - GET
- settings:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings
+ - POST
+ - factorType: sms
+ provider: OKTA
+ vendorName: OKTA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
hints:
allow:
- - GET
- - PUT
- defaultContent:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content
+ - POST
+ _embedded:
+ phones:
+ - id: mblldntFJevYKbyQQ0g3
+ profile:
+ phoneNumber: '+14081234567'
+ status: ACTIVE
+ - factorType: call
+ provider: OKTA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
hints:
allow:
- - GET
- customizations:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations
+ - POST
+ - factorType: token
+ provider: RSA
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
hints:
allow:
- - GET
- POST
- - DELETE
- test:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ - factorType: token
+ provider: SYMANTEC
+ _links:
+ enroll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors
hints:
allow:
- POST
- ListMappingsResponse:
- summary: List all Profile Mappings response
+ TelephonyFailureResponse:
+ summary: An example telephony hook response for an external web service returning failure
value:
- - id: prm1k47ghydIQOTBW0g4
- source:
- id: otysbePhQ3yqt4cVv0g3
- name: user
- type: user
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
- target:
- id: 0oa1qmn4LZQQEH0wZ0g4
- name: okta_org2org
- type: appuser
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
- ListRealmAwareUsersResponse:
- summary: List all Users
+ error:
+ - errorSummary: Failed to deliver SMS OTP to test.user@okta.com
+ - errorCauses:
+ errorSummary: Provider could not deliver OTP
+ reason: The content of the message is not supported
+ location: South Africa
+ TelephonyPayloadExample:
+ summary: An example telephony inline hook request body
value:
- - id: 00u118oQYT4TBGuay0g4
- status: ACTIVE
- created: 2022-04-04T15:56:05.000Z
- activated: null
- statusChanged: null
- lastLogin: 2022-05-04T19:50:52.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- passwordChanged: 2022-04-04T16:00:22.000Z
- type:
- id: oty1162QAr8hJjTaq0g4
- profile:
- firstName: Alice
- lastName: Smith
- mobilePhone: null
- secondEmail: null
- login: alice.smith@example.com
- email: alice.smith@example.com
- realmId: guo1afiNtSnZYILxO0g4
- credentials:
- password: {}
- provider:
- type: OKTA
- name: OKTA
- _links:
- self:
- href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
- ListRealmsResponse:
+ eventId: uS5871kJThSsU8qlA1LTcg
+ eventTime: '2020-01-17T21:23:56.000Z'
+ eventType: com.okta.telephony.provider
+ eventTypeVersion: '1.0'
+ contentType: application/json
+ cloudEventVersion: '0.1'
+ source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7
+ data:
+ context:
+ request:
+ id: reqRgSk8IBBRhuo0YdlEDTmUw
+ method: POST
+ url:
+ value: /api/internal/v1/inlineHooks/com.okta.telephony.provider/generatePreview
+ ipAddress: 127.0.0.1
+ userProfile:
+ firstName: test
+ lastName: user
+ login: test.user@okta.com
+ userId: 00uyxxSknGtK8022w0g3
+ messageProfile:
+ msgTemplate: (HOOK)Your code is 11111
+ phoneNumber: 9876543210
+ otpExpires: '2022-01-28T21:48:34.321Z'
+ deliveryChannel: SMS
+ otpCode: 11111
+ locale: EN-US
+ TelephonySuccessResponse:
+ summary: An example telephony hook response for an external web service returning success
value:
- - id: guox9jQ16k9V8IFEL0g3
- created: 2022-04-04T15:56:05.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- isDefault: false
- profile:
- name: Car Co
- _links:
- self:
- rel: self
- href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3
- method: GET
- ListRiskProviderResponse:
- summary: List Risk Provider response example
+ commands:
+ - type: com.okta.telephony.action
+ - value:
+ status: FAILURE
+ provider: VONAGE
+ transactionId: SM49a8ece2822d44e4adaccd7ed268f954
+ transactionMetadata: Duration=300ms
+ TestInfoOidcRequest:
+ summary: OIDC SSO Submission Testing Information request
value:
- - id: 00rp12r4skkjkjgsn
- action: log_only
- name: Risk-Partner-X
- clientId: 00ckjsfgjkdkjdkkljjsd
- created: '2021-01-05 22:18:30'
- lastUpdated: '2021-01-05 22:18:30'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
- hints:
- allow:
- - GET
- - PUT
- ListSessionsResponse:
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ oidcTestConfiguration:
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init
+ TestInfoOidcResponse:
+ summary: OIDC SSO Submission Testing Information response
value:
- - id: uij4ri8ZLk0ywyqxB0g1
- identitySourceId: 0oa3l6l6WK6h0R0QW0g4
- status: CREATED
- importType: INCREMENTAL
- created: 2022-04-04T15:56:05.000Z
- lastUpdated: 2022-05-05T16:15:44.000Z
- ListSessionsResponseForGetSessions:
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ oidcTestConfiguration:
+ idp: true
+ sp: true
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init
+ TestInfoSamlRequest:
+ summary: SAML SSO Submission Testing Information request
value:
- - id: uij4ri8ZLk0ywyqxB0g1
- identitySourceId: 0oa3l6l6WK6h0R0QW0g4
- status: CREATED
- importType: INCREMENTAL
- created: 2022-04-04T15:56:05.000Z
- lastUpdated: 2022-05-05T16:15:44.000Z
- - id: uij4ri8ZLk0ywyqxB0g2
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ samlTestConfiguration:
+ idp: true
+ sp: true
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/saml/sp-init
+ spInitiateDescription: Go to the app URL from a browser and enter your username
+ TestInfoSamlResponse:
+ summary: SAML SSO Submission Testing Information response
+ value:
+ testAccount:
+ url: https://example.com/strawberry/login
+ username: test@example.com
+ password: sUperP@ssw0rd
+ instructions: Go to your app URL from a browser and enter your credentials
+ escalationSupportContact: strawberry.support@example.com
+ samlTestConfiguration:
+ idp: true
+ sp: true
+ jit: false
+ spInitiateUrl: https://test.example.com/strawberry/saml/sp-init
+ spInitiateDescription: Go to the app URL from a browser and enter your username
+ ThreatInsightResponseExample:
+ summary: ThreatInsight response
+ value:
+ action: none
+ excludeZones: []
+ created: '2020-08-05T22:18:30.629Z'
+ lastUpdated: '2020-08-05T22:18:30.629Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/threats/configuration
+ hints:
+ allow:
+ - GET
+ - POST
+ ThreatInsightUpdateRequestExample:
+ summary: ThreatInsight update request
+ value:
+ action: audit
+ excludeZones:
+ - nzo1q7jEOsoCnoKcj0g4
+ - nzouagptWUz5DlLfM0g3
+ ThreatInsightUpdateResponseExample:
+ summary: ThreatInsight update response
+ value:
+ action: audit
+ excludeZones:
+ - nzo1q7jEOsoCnoKcj0g4
+ - nzouagptWUz5DlLfM0g3
+ created: '2020-08-05T22:18:30.629Z'
+ lastUpdated: '2020-10-13T21:23:10.178Z'
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/threats/configuration
+ hints:
+ allow:
+ - GET
+ - POST
+ TokenHookErrorExample:
+ summary: Error response
+ value:
+ error:
+ errorSummary: Human-readable summary of the error
+ TokenHookModifyLifetime:
+ summary: Modify token lifetime
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: replace
+ path: /token/lifetime/expiration
+ value: 36000
+ - type: com.okta.access.patch
+ value:
+ - op: replace
+ path: /token/lifetime/expiration
+ value: 36000
+ TokenHookRemoveClaim:
+ summary: Remove claim
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: remove
+ path: /claims/birthdate
+ value: null
+ - type: com.okta.access.patch
+ value:
+ - op: remove
+ path: /claims/external_guid
+ TokenHookRemoveFromArray:
+ summary: Remove from array
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: remove
+ path: /claims/preferred_airports/1
+ TokenHookRemoveFromObject:
+ summary: Remove from JSON object
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: remove
+ path: /claims/employee_profile/email
+ TokenHookReplaceExisting:
+ summary: Replace an existing claim
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: replace
+ path: /claims/extPatientId
+ value: '1234'
+ - op: replace
+ path: /claims/external_guid
+ value: F0384685-F87D-474B-848D-2058AC5655A7
+ TokenHookReplaceInPath:
+ summary: Replace within JSON object
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: replace
+ path: /claims/employee_profile/email
+ value: anna@company.com
+ TokenHookResponse:
+ description: Token inline hook response
+ summary: An example token inline hook response that adds a claim
+ value:
+ commands:
+ - type: com.okta.assertion.patch
+ value:
+ - op: add
+ path: /claims/extPatientId
+ value: '1234'
+ - type: com.okta.assertion.patch
+ value:
+ - op: add
+ path: /claims/external_guid
+ value: F0384685-F87D-474B-848D-2058AC5655A7
+ TokenHookResponseAppendArray:
+ summary: Append to array
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: add
+ path: /claims/preferred_airports/3
+ value: lax
+ TokenHookResponseWithURIFormat:
+ summary: Add new members to existing JSON objects
+ value:
+ commands:
+ - type: com.okta.identity.patch
+ value:
+ - op: add
+ path: /claims/employee_profile/department_id
+ value: '4947'
+ TokenPayLoadExample:
+ summary: An example token inline hook request body
+ description: An example token inline hook request body
+ value:
+ source: https://{yourOktaDomain}/oauth2/default/v1/authorize
+ eventId: 3OWo4oo-QQ-rBWfRyTmQYw
+ eventTime: '2019-01-15T23:20:47.000Z'
+ eventTypeVersion: '1.0'
+ cloudEventVersion: '0.1'
+ contentType: application/json
+ eventType: com.okta.oauth2.tokens.transform
+ data: null
+ context:
+ request:
+ id: reqv66CbCaCStGEFc8AdfS0ng
+ method: GET
+ url:
+ value: https://{yourOktaDomain}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=foobareere&nonce=asf&client_id=customClientIdNative
+ ipAddress: 127.0.0.1
+ protocol:
+ type: OAUTH2.0
+ request:
+ scope: openid profile email
+ state: foobareere
+ redirect_uri: https://httpbin.org/get
+ response_mode: fragment
+ response_type: token id_token
+ client_id: customClientIdNative
+ issuer:
+ uri: https://{yourOktaDomain}/oauth2/default
+ client:
+ id: customClientIdNative
+ name: Native client
+ type: PUBLIC
+ session:
+ id: 102Qoe7t5PcRnSxr8j3I8I6pA
+ userId: 00uq8tMo3zV0OfJON0g3
+ login: administrator1@clouditude.net
+ createdAt: '2019-01-15T23:17:09.000Z'
+ expiresAt: '2019-01-16T01:20:46.000Z'
+ status: ACTIVE
+ lastPasswordVerification: '2019-01-15T23:17:09.000Z'
+ amr:
+ - PASSWORD
+ idp:
+ id: 00oq6kcVwvrDY2YsS0g3
+ type: OKTA
+ mfaActive: false
+ user:
+ id: 00uq8tMo3zV0OfJON0g3
+ passwordChanged: '2018-09-11T23:19:12.000Z'
+ profile:
+ login: administrator1@clouditude.net
+ firstName: Add-Min
+ lastName: O'Cloudy Tud
+ locale: en
+ timeZone: America/Los_Angeles
+ _links:
+ groups:
+ href: https://{yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups
+ factors:
+ href: https://{yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors
+ policy:
+ id: 00pq8lGaLlI8APuqY0g3
+ rule:
+ id: 0prq8mLKuKAmavOvq0g3
+ identity:
+ claims:
+ sub: 00uq8tMo3zV0OfJON0g3
+ name: Add-Min O'Cloudy Tud
+ email: administrator1@clouditude.net
+ ver: 1
+ iss: https://{yourOktaDomain}/oauth2/default
+ aud: customClientIdNative
+ jti: ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0
+ amr:
+ - pwd
+ idp: 00oq6kcVwvrDY2YsS0g3
+ nonce: asf
+ preferred_username: administrator1@clouditude.net
+ auth_time: 1547594229
+ token:
+ lifetime:
+ expiration: 3600
+ access:
+ claims:
+ ver: 1
+ jti: AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA
+ iss: https://{yourOktaDomain}/oauth2/default
+ aud: api://default
+ cid: customClientIdNative
+ uid: 00uq8tMo3zV0OfJON0g3
+ sub: administrator1@clouditude.net
+ firstName: Add-Min
+ preferred_username: administrator1@clouditude.net
+ token:
+ lifetime:
+ expiration: 3600
+ scopes:
+ openid:
+ id: scpq7bW1cp6dcvrz80g3
+ action: GRANT
+ profile:
+ id: scpq7cWJ81CIP5Qkr0g3
+ action: GRANT
+ email:
+ id: scpq7dxsoz6LQlRj00g3
+ action: GRANT
+ refresh_token:
+ jti: oarob4a0tckCkGcyo1d6
+ TriggerSessionResponse:
+ value:
+ - id: aps1qqonvr2SZv6o70h8
identitySourceId: 0oa3l6l6WK6h0R0QW0g4
status: TRIGGERED
importType: INCREMENTAL
- created: 2022-04-04T16:56:05.000Z
- lastUpdated: 2022-05-05T17:15:44.000Z
- - id: uij4ri8ZLk0ywyqxB0g3
- identitySourceId: 0oa3l6l6WK6h0R0QW0g4
- status: IN_PROGRESS
- importType: INCREMENTAL
- created: 2022-04-04T17:56:05.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- - id: uij4ri8ZLk0ywyqxB0g4
- identitySourceId: 0oa3l6l6WK6h0R0QW0g4
- status: EXPIRED
- importType: INCREMENTAL
- created: 2022-04-04T18:56:05.000Z
- lastUpdated: 2022-05-05T19:15:44.000Z
- - id: uij4ri8ZLk0ywyqxB0g5
- identitySourceId: 0oa3l6l6WK6h0R0QW0g4
- status: CLOSED
- importType: INCREMENTAL
- created: 2022-04-04T19:56:05.000Z
- lastUpdated: 2022-05-05T20:15:44.000Z
- ListUISchemaResponse:
- summary: Lists all UI Schemas response
+ created: '2022-04-04T15:56:05.000Z'
+ lastUpdated: '2022-05-05T18:15:44.000Z'
+ TrustedOriginBody:
+ summary: Trusted origin request body
value:
- - id: uis4a7liocgcRgcxZ0g7
- uiSchema:
- type: Group
- label: Sign in
- buttonLabel: Submit
- elements:
- - type: Control
- scope: '#/properties/firstName'
- label: First name
- options:
- format: text
- - type: Control
- scope: '#/properties/lastName'
- label: Last name
- options:
- format: text
- - type: Control
- scope: '#/properties/email'
- label: Email
- options:
- format: text
- - type: Control
- scope: '#/properties/countryCode'
- label: Country code
- options:
- format: select
- - type: Control
- scope: '#/properties/bool2'
- label: bool2
- options:
- format: checkbox
- - type: Control
- scope: '#/properties/date'
- label: date
- options:
- format: text
- - type: Control
- scope: '#/properties/enum'
- label: enum
- options:
- format: radio
- created: '2022-07-25T12:56:31.000Z'
- lastUpdated: '2022-07-26T11:53:59.000Z'
+ name: New Trusted Origin
+ origin: http://example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ TrustedOriginBodyWithIframeEmbedding:
+ summary: Trusted origin request body with iFrame embedding (Okta End-User Dashboard and Okta sign-in page)
+ description: |
+ Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the type
+ of Okta resource is both the Okta End-User Dashboard and the Okta sign-in page.
+ value:
+ name: New Trusted Origin
+ origin: http://example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ TrustedOriginBodyWithIframeEmbeddingSignIn:
+ summary: Trusted origin request body with iFrame embedding (Okta sign-in page)
+ description: |
+ Creates a new Trusted Origin for iFrame embedding of an Okta resource within that origin. In this example, the Okta
+ resource is the Okta sign-in page.
+ value:
+ name: New Trusted Origin
+ origin: http://example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps: []
+ TrustedOriginInactiveResponse:
+ summary: Trusted origin response
+ value:
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: INACTIVE
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ TrustedOriginPut:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutBody:
+ summary: Trusted origin request body
+ value:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
_links:
self:
- href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
hints:
allow:
- GET
- PUT
- DELETE
- - id: uis4abjqkkKXVPGAU0g7
- uiSchema:
- type: Group
- label: Sign in 2
- buttonLabel: Submit
- elements:
- - type: Control
- scope: '#/properties/firstName'
- label: First name
- options:
- format: text
- - type: Control
- scope: '#/properties/lastName'
- label: Last name
- options:
- format: text
- - type: Control
- scope: '#/properties/email'
- label: Email
- options:
- format: text
- - type: Control
- scope: '#/properties/countryCode'
- label: Country code
- options:
- format: select
- - type: Control
- scope: '#/properties/bool2'
- label: bool2
- options:
- format: checkbox
- - type: Control
- scope: '#/properties/date'
- label: date
- - type: Control
- scope: '#/properties/enum'
- label: enum
- options:
- format: radio
- created: '2022-07-25T12:56:31.000Z'
- lastUpdated: '2022-07-26T11:53:59.000Z'
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutBodyWithIframeEmbedding:
+ summary: Trusted origin request body with iFrame embedding
+ value:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
_links:
self:
- href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
hints:
allow:
- GET
- PUT
- DELETE
- ListUserBlocksAnyDevicesResponse:
- value:
- - type: DEVICE_BASED
- appliesTo: ANY_DEVICES
- ListUserBlocksUnknownDevicesResponse:
- value:
- - type: DEVICE_BASED
- appliesTo: UNKNOWN_DEVICES
- ListUsersResponse:
- summary: List all Users
- value:
- - id: 00u118oQYT4TBTemp0g4
- status: ACTIVE
- created: 2022-04-04T15:56:05.000Z
- activated: null
- statusChanged: null
- lastLogin: 2022-05-04T19:50:52.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- passwordChanged: 2022-04-04T16:00:22.000Z
- type:
- id: oty1162QAr8hJjTaq0g4
- profile:
- firstName: Alice
- lastName: Smith
- mobilePhone: null
- secondEmail: null
- login: alice.smith@example.com
- email: alice.smith@example.com
- credentials:
- password: {}
- provider:
- type: OKTA
- name: OKTA
- _links:
- self:
- href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
- ListsAllUserTypes:
- summary: Lists all user types
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutResponse:
+ summary: Trusted origin response body
value:
- - id: otyfnly5cQjJT9PnR0g4
- displayName: New User Type
- name: newUserType
- description: A new custom user type
- createdBy: sprz9fj1ycBcsgopy1d6
- lastUpdatedBy: sprz9fj1ycBcsgopy1d6
- created: '2021-07-05T20:40:38.000Z'
- lastUpdated: '2021-07-05T20:40:38.000Z'
- default: false
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
_links:
self:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- - id: otyz9fj2jMiRBC1ZT1d6
- displayName: User
- name: user
- description: Okta user profile template with default permission settings
- createdBy: sprz9fj1ycBcsgopy1d6
- lastUpdatedBy: sprz9fj1ycBcsgopy1d6
- created: '2021-07-05T20:40:38.000Z'
- lastUpdated: '2021-07-05T20:40:38.000Z'
- default: true
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutResponseWithIframeEmbedding:
+ summary: Trusted origin response body with iFrame embedding
+ value:
+ value:
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
_links:
self:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- ListsOwnerOneResponse:
- summary: Lists a response with one owner
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginPutWithIframeEmbedding:
value:
- - id: 00g1gae1k0znUcLuU0h8
- type: GROUP
- resolved: true
- originId: 'null'
- originType: OKTA_DIRECTORY
- displayName: Product & Engineering
- lastUpdated: '2023-03-29 18:18:37.0'
- ListsOwnersMultipleResponse:
- summary: Lists a response with multiple owners
+ id: tosue7JvguwJ7U6kz0g3
+ name: Updated Example Trusted Origin
+ origin: http://updated.example.com
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ status: ACTIVE
+ created: '2017-12-16T05:01:12.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastUpdated: '2017-12-16T05:01:12.000Z'
+ lastUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginResponse:
+ summary: Trusted origin response
value:
- - id: 00u1cmbqjkkmFXeqb0h8
- type: USER
- resolved: true
- originId: 'null'
- originType: OKTA_DIRECTORY
- displayName: Mabel Mora
- lastUpdated: 2023-03-29T18:30:58.000Z
- - id: 00u1cmc52x5B86cnZ0h8
- type: USER
- resolved: true
- originId: 'null'
- originType: OKTA_DIRECTORY
- displayName: Cinda Canning
- lastUpdated: 2023-03-29T18:30:55.000Z
- LogStreamActivateResponse:
- summary: Activate Log Stream response
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: ACTIVE
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginResponseWithIframeEmbedding:
+ summary: Trusted origin response with iFrame embedding (End-User Dashboard and Okta sign-in page)
value:
- id: 0oa1orqUGCIoCGNxf0g4
- type: aws_eventbridge
- name: Example AWS EventBridge
- lastUpdated: '2023-03-24T21:22:43.000Z'
- created: '2023-03-24T21:02:43.000Z'
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
status: ACTIVE
- settings:
- accountId: '123456789012'
- eventSourceName: your-event-source-name
- region: us-east-2
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps:
+ - OKTA_ENDUSER
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
_links:
self:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
- method: GET
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
deactivate:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
- method: POST
- LogStreamDeactivateResponse:
- summary: Deactivate Log Stream response
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginResponseWithIframeEmbeddingSignIn:
+ summary: Trusted origin response with iFrame embedding (Okta sign-in page)
value:
- id: 0oa7agphh5FT7H521d7
- type: splunk_cloud_logstreaming
- name: Splunk Cloud Example
- lastUpdated: '2023-03-24T21:23:00.000Z'
- created: '2023-03-24T21:15:13.000Z'
- status: INACTIVE
- settings:
- edition: aws
- host: okexample.splunkcloud.com
+ id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
+ status: ACTIVE
+ scopes:
+ - type: IFRAME_EMBED
+ allowedOktaApps: []
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
_links:
self:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7
- method: GET
- activate:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate
- method: POST
- LogStreamGetAllResponse:
- summary: Lists all Log Streams
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ TrustedOriginsResponse:
+ summary: Trusted origins response
value:
- - id: 0oa1orqUGCIoCGNxf0g4
- type: aws_eventbridge
- name: Example AWS EventBridge
- lastUpdated: '2023-03-24T21:02:43.000Z'
- created: '2023-03-24T21:02:43.000Z'
+ - id: tos10hu7rkbtrFt1M0g4
+ name: New Trusted Origin
+ origin: http://example.com
status: ACTIVE
- settings:
- accountId: '123456789012'
- eventSourceName: your-event-source-name
- region: us-east-2
+ scopes:
+ - type: CORS
+ - type: REDIRECT
+ created: '2018-01-13T01:11:44.000Z'
+ createdBy: 00ut5t92p6IEOi4bu0g3
+ lastedUpdated: '2018-01-13T01:11:44.000Z'
+ lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3
_links:
self:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
- method: GET
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
deactivate:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
- method: POST
- LogStreamPostRequest:
- summary: Create an AWS EventBridge Log Stream
+ href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ UpdateAppFeatureRequestEx:
+ summary: Update USER_PROVISIONING request
value:
- type: aws_eventbridge
- name: Example AWS EventBridge
- settings:
- eventSourceName: your-event-source-name
- accountId: '123456789012'
- region: us-east-2
- LogStreamPostResponse:
- summary: AWS EventBridge Log Stream response
+ create:
+ lifecycleCreate:
+ status: ENABLED
+ update:
+ lifecycleDeactivate:
+ status: ENABLED
+ profile:
+ status: ENABLED
+ password:
+ status: ENABLED
+ seed: RANDOM
+ change: CHANGE
+ UpdateAppFeatureResponseEx:
+ summary: Update USER_PROVISIONING response
value:
- id: 0oa1orqUGCIoCGNxf0g4
- type: aws_eventbridge
- name: Example AWS EventBridge
- lastUpdated: '2023-03-24T21:02:43.000Z'
- created: '2023-03-24T21:02:43.000Z'
- status: ACTIVE
- settings:
- accountId: '123456789012'
- eventSourceName: your-event-source-name
- region: us-east-2
+ name: USER_PROVISIONING
+ status: ENABLED
+ description: User provisioning settings from Okta to a downstream application
+ capabilities:
+ create:
+ lifecycleCreate:
+ status: ENABLED
+ update:
+ lifecycleDeactivate:
+ status: ENABLED
+ profile:
+ status: ENABLED
+ password:
+ status: ENABLED
+ seed: RANDOM
+ change: CHANGE
_links:
self:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
- method: GET
- deactivate:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
- method: POST
- LogStreamPutRequest:
- summary: Replace AWS EventBridge name
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ UpdateAuthorizationServerPolicyRequest:
+ summary: Update Authorization Server Policy
value:
- type: aws_eventbridge
- name: Updated AWS EventBridge
- settings:
- eventSourceName: your-event-source-name
- accountId: '123456789012'
- region: us-east-2
- LogStreamPutResponse:
- summary: Replace AWS EventBridge name response
+ id: 00p5m9xrrBffPd9ah0g4
+ type: OAUTH_AUTHORIZATION_POLICY
+ status: ACTIVE
+ name: Default Policy
+ description: Default policy description
+ priority: 1
+ system: false
+ conditions:
+ clients":
+ include":
+ - ALL_CLIENTS
+ UpdateAuthorizationServerPolicyRuleRequest:
+ summary: Update Authorization Server Policy Rule
value:
- id: 0oa1orqUGCIoCGNxf0g4
- type: aws_eventbridge
- name: Updated AWS EventBridge
- lastUpdated: '2023-03-24T21:12:43.000Z'
- created: '2023-03-24T21:02:43.000Z'
+ type: RESOURCE_ACCESS
+ name: Default Policy Rule
+ priority: 1
status: ACTIVE
- settings:
- accountId: '123456789012'
- eventSourceName: your-event-source-name
- region: us-east-2
+ conditions:
+ people:
+ groups:
+ include:
+ - EVERYONE
+ grantTypes:
+ include:
+ - implicit
+ - client_credentials
+ - authorization_code
+ - password
+ scopes:
+ include:
+ - '*'
+ actions:
+ token:
+ accessTokenLifetimeMinutes: 60
+ refreshTokenLifetimeMinutes: 0
+ refreshTokenWindowMinutes: 10080
+ inlineHook:
+ id: cal4egvp1mbMldrYN0g7
+ UpdateBrandRequest:
+ value:
+ customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy
+ agreeToCustomPrivacyPolicy: true
+ removePoweredByOkta: true
+ name: New Name For Brand
+ emailDomainId: OeD114iNkrcN6aR680g4
+ locale: en
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ UpdateBrandResponse:
+ value:
+ id: bnd114iNkrcN6aR680g4
+ removePoweredByOkta: true
+ agreeToCustomPrivacyPolicy: true
+ name: New Name For Brand
+ isDefault: true
+ customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy
+ emailDomainId: OeD114iNkrcN6aR680g4
+ defaultApp:
+ appInstanceId: 0oa114iNkrcN6aR680g4
+ appLinkName: null
+ classicApplicationUri: null
+ locale: en
_links:
self:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4
- method: GET
- deactivate:
- href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate
- method: POST
- LogStreamSchemaAws:
- value: &ref_4
- $schema: https://json-schema.org/draft/2020-12/schema
- $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge
- title: AWS EventBridge
- type: object
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ themes:
+ href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ hints:
+ allow:
+ - GET
+ emailDomain:
+ href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4
+ hints:
+ allow:
+ - GET
+ - PUT
+ UpdateEmailDomainRequest:
+ value:
+ displayName: IT Admin
+ userName: noreply
+ UpdateFeatureLifecycleResponse:
+ summary: Update the feature lifecycle status
+ value:
+ description: Example feature description
+ id: ftrZooGoT8b41iWRiQs7
+ name: Example feature name
+ stage:
+ state: OPEN
+ value: BETA
+ status: DISABLED
+ type: self-service
+ _links:
+ self:
+ hints:
+ allow:
+ - POST
+ href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7
+ dependents:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents
+ dependencies:
+ href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies
+ UpdateInboundProvisioningFeatureRequestEx:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ summary: Update INBOUND_PROVISIONING request
+ value:
+ capabilities:
+ importSettings:
+ username:
+ userNameFormat: EMAIL
+ schedule:
+ status: ENABLED
+ fullImport:
+ expression: 0 0 * * 0
+ timezone: America/New_York
+ incrementalImport:
+ expression: 0 */3 * * *
+ timezone: America/New_York
+ importRules:
+ userCreateAndMatch:
+ exactMatchCriteria: EMAIL
+ allowPartialMatch: false
+ autoConfirmPartialMatch: false
+ autoConfirmExactMatch: false
+ autoConfirmNewUsers: false
+ autoActivateNewUsers: false
+ UpdateInboundProvisioningFeatureResponseEx:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ summary: Update INBOUND_PROVISIONING response
+ value:
+ name: INBOUND_PROVISIONING
+ status: ENABLED
+ description: In-bound provisioning settings from an application to Okta
+ capabilities:
+ importSettings:
+ username:
+ userNameFormat: EMAIL
+ schedule:
+ status: ENABLED
+ fullImport:
+ expression: 0 0 * * 0
+ timezone: America/New_York
+ incrementalImport:
+ expression: 0 */3 * * *
+ timezone: America/New_York
+ importRules:
+ userCreateAndMatch:
+ exactMatchCriteria: EMAIL
+ allowPartialMatch: false
+ autoConfirmPartialMatch: false
+ autoConfirmExactMatch: false
+ autoConfirmNewUsers: false
+ autoActivateNewUsers: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/INBOUND_PROVISIONING
+ hints:
+ allow:
+ - GET
+ - PUT
+ UpdateMappingBody:
+ summary: Update an existing profile mapping by updating one or more properties
+ value:
properties:
- settings:
- description: Configuration properties specific to AWS EventBridge
- type: object
- properties:
- accountId:
- title: AWS Account ID
- description: Your Amazon AWS Account ID.
- type: string
- writeOnce: true
- pattern: ^\d{12}$
- eventSourceName:
- title: AWS Event Source Name
- description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge.
- type: string
- writeOnce: true
- pattern: ^[\.\-_A-Za-z0-9]{1,75}$
- region:
- title: AWS Region
- description: The destination AWS region for your system log events.
- type: string
- writeOnce: true
- oneOf:
- - title: US East (Ohio)
- const: us-east-2
- - title: US East (N. Virginia)
- const: us-east-1
- - title: US West (N. California)
- const: us-west-1
- - title: US West (Oregon)
- const: us-west-2
- - title: Canada (Central)
- const: ca-central-1
- - title: Europe (Frankfurt)
- const: eu-central-1
- - title: Europe (Ireland)
- const: eu-west-1
- - title: Europe (London)
- const: eu-west-2
- - title: Europe (Paris)
- const: eu-west-3
- - title: Europe (Milan)
- const: eu-south-1
- - title: Europe (Stockholm)
- const: eu-north-1
- required:
- - eventSourceName
- - accountId
- - region
- errorMessage:
- properties:
- accountId: Account number must be 12 digits.
- eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters.
- name:
- title: Name
- description: A name for this log stream in Okta
- type: string
- writeOnce: false
- pattern: ^.{1,100}$
- required:
- - name
- - settings
- errorMessage:
- properties:
- name: Name can't exceed 100 characters.
- LogStreamSchemaList:
+ nickName:
+ expression: user.honorificPrefix + user.displayName
+ pushStatus: DONT_PUSH
+ UpdateMappingResponse:
+ summary: Update an existing profile mapping by updating one or more properties
value:
- - *ref_4
- - &ref_5
- $schema: https://json-schema.org/draft/2020-12/schema
- $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming
- title: Splunk Cloud
- type: object
- properties:
- settings:
- description: Configuration properties specific to Splunk Cloud
- type: object
- properties:
- host:
- title: Host
- description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com'
- type: string
- writeOnce: false
- pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$
- token:
- title: HEC Token
- description: The token from your Splunk Cloud HTTP Event Collector (HEC).
- type: string
- writeOnce: false
- pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
- required:
- - host
- - token
- errorMessage:
- properties:
- host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com'
- name:
- title: Name
- description: A name for this log stream in Okta
- type: string
- writeOnce: false
- pattern: ^.{1,100}$
- required:
- - name
- - settings
- errorMessage:
- properties:
- name: Name can't exceed 100 characters.
- LogStreamSchemaSplunk:
- value: *ref_5
- OrgCAPTCHASettingsConfigured:
- summary: Org-wide Captcha Settings are configured
+ id: prm1k47ghydIQOTBW0g4
+ source:
+ id: otysbePhQ3yqt4cVv0g3
+ name: user
+ type: user
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
+ target:
+ id: 0oa1qmn4LZQQEH0wZ0g4
+ name: okta_org2org
+ type: appuser
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
+ properties:
+ fullName:
+ expression: user.firstName + user.lastName
+ pushStatus: PUSH
+ nickName:
+ expression: user.honorificPrefix + user.displayName
+ pushStatus: DONT_PUSH
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
+ UpdateOAuth2ScopeRequest:
+ summary: Example scope
+ value:
+ description: Order car
+ name: car:order
+ metadataPublish: ALL_CLIENTS
+ UpdateOrgSettingEx:
+ summary: Org setting request
+ value:
+ address1: 100 1st St
+ address2: 6th floor
+ city: San Fransico
+ companyName: okta
+ country: United States
+ endUserSupportHelpURL: support.okta.com
+ phoneNumber: '+18887227871'
+ postalCode: '94105'
+ state: California
+ supportPhoneNumber: '+18887227871'
+ website: www.okta.com
+ UpdateRecQuestionRequest:
+ value:
+ password:
+ value: tlpWENT2m
+ recovery_question:
+ question: How many roads must a man walk down?
+ answer: forty two
+ UpdateRecQuestionResponse:
+ value:
+ password: {}
+ recovery_question:
+ question: How many roads must a man walk down?
+ provider:
+ type: OKTA
+ name: OKTA
+ UpdateSMSTemplateRequest:
+ value:
+ translations:
+ de: '${org.name}: ihre bestätigungscode ist ${code}.'
+ UpdateSMSTemplateResponse:
+ value:
+ id: 6NQUJ5yR3bpgEiYmq8IC
+ name: Custom
+ type: SMS_VERIFY_CODE
+ template: '${org.name}: your verification code is ${code}'
+ translations:
+ es: '${org.name}: el código de verificación es ${code}'
+ fr: '${org.name}: votre code de vérification est ${code}'
+ it: '${org.name}: il codice di verifica è ${code}'
+ de: '${org.name}: ihre bestätigungscode ist ${code}.'
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ UpdateThemeRequest:
+ value:
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ UpdateThemeResponse:
+ value:
+ id: thdul904tTZ6kWVhP0g3
+ logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png
+ favicon: https://{yourOktaDomain}/favicon.ico
+ backgroundImage: null
+ primaryColorHex: '#1662dd'
+ primaryColorContrastHex: '#000000'
+ secondaryColorHex: '#ebebed'
+ secondaryColorContrastHex: '#000000'
+ signInPageTouchPointVariant: OKTA_DEFAULT
+ endUserDashboardTouchPointVariant: OKTA_DEFAULT
+ errorPageTouchPointVariant: OKTA_DEFAULT
+ emailTemplateTouchPointVariant: OKTA_DEFAULT
+ loadingPageTouchPointVariant: OKTA_DEFAULT
+ UpdateUserTypePostRequest:
+ summary: Update user type request
+ value:
+ displayName: Updated Display Name
+ UpdateUserTypePostResponse:
+ summary: Update user type response
+ value:
+ id: otyfnly5cQjJT9PnR0g4
+ displayName: Updated Display Name
+ name: newUserType
+ description: A new custom user type
+ createdBy: sprz9fj1ycBcsgopy1d6
+ lastUpdatedBy: sprz9fj1ycBcsgopy1d6
+ created: '2021-07-05T20:40:38.000Z'
+ lastUpdated: '2021-07-05T20:40:38.000Z'
+ default: false
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
+ UpdatedEmailDomainResponse:
value:
- captchaId: abcd4567
- enabledPages:
- - SSR
- - SIGN_IN
+ id: OeD114iNkrcN6aR680g4
+ validationStatus: NOT_STARTED
+ displayName: IT Admin
+ userName: noreply
+ domain: example.com
+ validationSubdomain: mail
+ dnsValidationRecords:
+ - recordType: TXT
+ fqdn: _oktaverification.example.com
+ verificationValue: 759080212bda43e3bc825a7d73b4bb64
+ - recordType: CNAME
+ fqdn: mail.example.com
+ verificationValue: u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t02._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t022._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ UpdatedOAuth2ScopeResponse:
+ summary: Updated scope
+ value:
+ id: scp5yu8kLOnDzo7lh0g4
+ name: car:order
+ description: Order car
+ system: false
+ default: false
+ displayName: Saml Jackson
+ consent: REQUIRED
+ optional: false
+ metadataPublish: ALL_CLIENTS
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4
hints:
allow:
- GET
- - POST
- PUT
- DELETE
- OrgCAPTCHASettingsDisable:
- summary: Disable Org-wide Captcha Settings
+ UploadYubikeyTokenSeedRequest:
+ summary: Yubikey OTP Seed
value:
- captchaId: 'null'
- enabledPages: 'null'
- OrgCAPTCHASettingsDisabled:
- summary: Disabled Org-wide Captcha Settings
+ serialNumber: '7886622'
+ publicId: ccccccijgibu
+ privateId: b74be6169486
+ aesKey: 1fcc6d8ce39bf1604e0b17f3e0a11067
+ UploadYubikeyTokenSeedResponse:
value:
- captchaId: 'null'
- enabledPages: '[]'
+ id: ykkut4G6ti62DD8Dy0g3
+ created: '2020-01-10T23:04:10.000Z'
+ lastVerified: '2020-01-10T23:04:10.000Z'
+ lastUpdated: '2020-01-10T23:04:10.000Z'
+ status: UNASSIGNED
+ profile:
+ serial: '000007886622'
_links:
self:
- href: https://your-subdomain.okta.com/api/v1/captchas/
+ href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkut4G6ti62DD8Dy0g3
hints:
allow:
- GET
- - PUT
- OrgCAPTCHASettingsEmpty:
- summary: Org-wide Captcha Settings aren't configured
+ - DELETE
+ UserFactorChallengeCallResponse:
+ summary: call challenge
value:
- captchaId: null
- enabledPages: []
+ factorResult: CHALLENGE
+ profile:
+ phoneNumber: '+12532236986'
+ phoneExtension: '1234'
_links:
- self:
- href: https://your-subdomain.okta.com/api/v1/captchas
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV
hints:
allow:
- GET
+ - DELETE
+ UserFactorChallengeEmailResponse:
+ summary: email challenge
+ value:
+ factorResult: CHALLENGE
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3/verify
+ hints:
+ allow:
- POST
- - PUT
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3
+ hints:
+ allow:
+ - GET
- DELETE
- OrgCAPTCHASettingsUpdate:
- summary: Update Org-wide Captcha Settings
+ UserFactorChallengePushResponse:
+ summary: push challenge
value:
- captchaId: abcd4567
- enabledPages:
- - SSR
- - SIGN_IN
- OrgCAPTCHASettingsUpdated:
- summary: Updated Org-wide Captcha Settings
+ expiresAt: '2015-04-01T15:57:32.000Z'
+ factorResult: WAITING
+ _links:
+ poll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g
+ hints:
+ allow:
+ - GET
+ cancel:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g
+ hints:
+ allow:
+ - DELETE
+ UserFactorChallengeSmsResponse:
+ summary: sms challenge
value:
- captchaId: abcd4567
- enabledPages:
- - SSR
- - SIGN_IN
+ factorResult: CHALLENGE
+ profile:
+ phoneNumber: '+12532236986'
_links:
- self:
- href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3
hints:
allow:
- GET
+ - DELETE
+ UserFactorChallengeU2fResponse:
+ summary: u2f challenge
+ value:
+ factorResult: CHALLENGE
+ profile:
+ credentialId: GAiiLsVab2m3-zL1Fi3bVtNrM9G6_MntUITHKjxkV24ktGKjLSCRnz72wCEdHCe18IvC69Aia0sE4UpsO0HpFQ
+ version: U2F_V2
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
- POST
- - PUT
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
- DELETE
- PerClientRateLimitSettingsEnforceDefault:
+ _embedded:
+ challenge:
+ nonce: vQFwTt6zKzMV7HFPzjS2
+ timeoutSeconds: 20
+ UserFactorChallengeWebauthnResponse:
+ summary: webAuthn challenge
value:
- defaultMode: ENFORCE
- PerClientRateLimitSettingsEnforceDefaultWithOverrides:
+ factorResult: CHALLENGE
+ profile:
+ credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ authenticatorName: MacBook Touch ID
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4
+ hints:
+ allow:
+ - GET
+ - DELETE
+ _embedded:
+ challenge:
+ challenge: vQFwTt6zKzMV7HFPzjS2
+ extensions: {}
+ UserFactorVerifyCallSuccessResponse:
+ summary: call verify
value:
- defaultMode: ENFORCE
- useCaseModeOverrides:
- OAUTH2_AUTHORIZE: PREVIEW
- OIE_APP_INTENT: DISABLE
- PerClientRateLimitSettingsPreviewDefaultWithOverrides:
+ factorResult: SUCCESS
+ UserFactorVerifyEmailSuccessResponse:
+ summary: email verify
value:
- defaultMode: PREVIEW
- useCaseModeOverrides:
- LOGIN_PAGE: ENFORCE
- PermissionResponse:
+ factorResult: SUCCESS
+ UserFactorVerifyPushRejectedResponse:
+ summary: push verification rejected
value:
- label: okta.users.manage
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
+ factorResult: REJECTED
+ profile:
+ credentialId: jane.doe@example.com
_links:
- role:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage
- PermissionResponseWithConditions:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorVerifyPushTransactionApproved:
+ summary: SUCCESS
value:
- label: okta.users.read
- conditions:
- include:
- okta:ResourceAttribute/User/Profile:
- - city
- - state
- - zipCode
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
+ factorResult: SUCCESS
+ UserFactorVerifyPushTransactionRejected:
+ summary: REJECTED
+ value:
+ factorResult: REJECTED
+ profile:
+ credentialId: jane.doe@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorVerifyPushTransactionTimeout:
+ summary: TIMEOUT
+ value:
+ factorResult: TIMEOUT
+ profile:
+ credentialId: jane.doe@example.com
+ _links:
+ verify:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify
+ hints:
+ allow:
+ - POST
+ factor:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3
+ hints:
+ allow:
+ - GET
+ - DELETE
+ UserFactorVerifyPushTransactionWaiting:
+ summary: WAITING
+ value:
+ expiresAt: '2015-04-01T15:57:32.000Z'
+ factorResult: WAITING
+ profile:
+ credentialId: jane.doe@example.com
+ _links:
+ poll:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA
+ hints:
+ allow:
+ - GET
+ cancel:
+ href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA
+ hints:
+ allow:
+ - DELETE
+ UserFactorVerifySecurityQuestionRequest:
+ summary: security question verify
+ value:
+ answer: mayonnaise
+ UserFactorVerifySuccessSmsResponse:
+ summary: sms verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessSqResponse:
+ summary: security question verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessTokenResponse:
+ summary: token verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessTotpResponse:
+ summary: totp verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifySuccessYubikeyResponse:
+ summary: yubikey verify
+ value:
+ factorResult: SUCCESS
+ UserFactorVerifyU2fRequest:
+ summary: u2f verify
+ value:
+ clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9
+ signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc
+ UserFactorVerifyU2fResponse:
+ summary: u2f verify response
+ value:
+ factorResult: SUCCESS
+ profile:
+ credentialId: h1bFwJFU9wnelYkexJuQfoUHZ5lX3CgQMTZk4H3I8kM9Nn6XALiQ-BIab4P5EE0GQrA7VD-kAwgnG950aXkhBw
+ version: U2F_V2
+ UserFactorVerifyWebauthnRequest:
+ summary: WebAuthn verify challenge (posts a signed assertion using the challenge `nonce`)
+ value:
+ clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9
+ authenticatorData: SBv04caJ+NLZ0bTeotGq9esMhHJ8YC5z4bMXXPbT95UFXbDsOg==
+ signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc
+ UserFactorVerifyWebauthnResponse:
+ summary: WebAuthn verify
+ value:
+ factorResult: SUCCESS
+ profile:
+ credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA
+ authenticatorName: MacBook Touch ID
+ UserImportChangeAppUserProfileExample:
+ summary: An example user import inline hook response that updates an app user's profile
+ value:
+ commands:
+ - type: com.okta.appUser.profile.update
+ value:
+ firstName: Stan
+ UserImportChangeUserProfileExample:
+ summary: Update an Okta user's profile response
+ value:
+ commands:
+ - type: com.okta.user.profile.update
+ value:
+ firstName: Stan
+ UserImportCreateANewUserExample:
+ summary: Create a new Okta user profile response
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ result: CREATE_USER
+ UserImportErrorExample:
+ summary: Return an error object
+ value:
+ error:
+ errorSummary: Error at third-party service. Please contact your admin.
+ UserImportMatchExample:
+ summary: Match an existing Okta user response
+ value:
+ commands:
+ - type: com.okta.action.update
+ value:
+ result: LINK_USER
+ - type: com.okta.user.update
+ value:
+ id: 00garwpuyxHaWOkdV0g3
+ UserImportPayloadExample:
+ summary: An example user import request body
+ value:
+ source: cal7eyxOsnb20oWbZ0g4
+ eventId: JUGOUiYZTaKPmH6db0nDag
+ eventTime: '2019-02-27T20:59:04.000Z'
+ eventTypeVersion: '1.0'
+ cloudEventVersion: '0.1'
+ eventType: com.okta.import.transform
+ contentType: application/json
+ data:
+ context:
+ conflicts:
+ - login
+ application:
+ name: test_app
+ id: 0oa7ey7aLRuBvcYUD0g4
+ label: Test App
+ status: ACTIVE
+ job:
+ id: ij17ez2AWtMZRfCZ60g4
+ type: import:users
+ matches: []
+ policy:
+ - EMAIL
+ - FIRST_AND_LAST_NAME
+ action:
+ result: CREATE_USER
+ appUser:
+ profile:
+ firstName: Sally2
+ lastName: Admin2
+ mobilePhone: null
+ accountType: PRO
+ secondEmail: null
+ failProvisioning: null
+ failDeprovisioning: null
+ externalId: user221
+ groups:
+ - everyone@examplee.net
+ - tech@example.net
+ userName: administrator2
+ email: sally.admin@example.net
+ user:
+ profile:
+ lastName: Admin2
+ zipCode: null
+ city: null
+ secondEmail: null
+ postAddress: null
+ login: sally.admin@example.net
+ firstName: Sally2
+ primaryPhone: null
+ mobilePhone: null
+ streetAddress: null
+ countryCode: null
+ typeId: null
+ state: null
+ email: sally.admin@example.net
+ UserRiskNoneResponse:
+ summary: Example User Risk with NONE risk level response
+ value:
+ riskLevel: NONE
_links:
- role:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read
- PermissionsResponse:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}/risk
+ hints:
+ allow:
+ - GET
+ - PUT
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
+ hints:
+ allow:
+ - GET
+ UserRiskRequest:
+ summary: Example upsert the risk for a user request
value:
- permissions:
- - label: okta.users.create
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- role:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create
- - label: okta.users.read
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- role:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read
- - label: okta.groups.read
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- role:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read
- - label: okta.users.userprofile.manage
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- role:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage
- PreviewEmailCustomizationResponse:
+ riskLevel: HIGH
+ UserRiskResponse:
+ summary: Example User Risk response
value:
- subject: Welcome to Okta!
- body:
Hello, John. Click here to activate your account.
+ riskLevel: HIGH
+ reason: Admin override risk
_links:
self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview
+ href: https://{yourOktaDomain}/api/v1/users/{userId}/risk
hints:
allow:
- GET
- template:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ - PUT
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/{userId}
hints:
allow:
- GET
- test:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test
+ UserSchemaAddRequest:
+ value:
+ definitions:
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ description: Twitter Username
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required: []
+ UserSchemaResponse:
+ value:
+ id: https://{yourOktaDomain}/meta/schemas/user/default
+ $schema: http://json-schema.org/draft-04/schema#
+ name: user
+ title: Default Okta User
+ lastUpdated: '2015-09-05T10:40:45.000Z'
+ created: '2015-02-02T10:27:36.000Z'
+ definitions:
+ base:
+ id: '#base'
+ type: object
+ properties:
+ login:
+ title: Username
+ type: string
+ required: true
+ minLength: 5
+ maxLength: 100
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ firstName:
+ title: First name
+ type: string
+ required: true
+ minLength: 1
+ maxLength: 50
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ lastName:
+ title: Last name
+ type: string
+ required: true
+ minLength: 1
+ maxLength: 50
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ email:
+ title: Primary email
+ type: string
+ required: true
+ format: email
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required:
+ - login
+ - firstName
+ - lastName
+ - email
+ custom:
+ id: '#custom'
+ type: object
+ properties:
+ twitterUserName:
+ title: Twitter username
+ description: User's username for twitter.com
+ type: string
+ required: false
+ minLength: 1
+ maxLength: 20
+ permissions:
+ - principal: SELF
+ action: READ_WRITE
+ required: []
+ type: object
+ properties:
+ profile:
+ allOf:
+ - $ref: '#/definitions/base'
+ - $ref: '#/definitions/custom'
+ VerifiedEmailDomainResponse:
+ value:
+ id: OeD114iNkrcN6aR680g4
+ validationStatus: VERIFIED
+ displayName: IT Admin
+ userName: noreply
+ domain: example.com
+ validationSubdomain: mail
+ dnsValidationRecords:
+ - recordType: TXT
+ fqdn: _oktaverification.example.com
+ verificationValue: 759080212bda43e3bc825a7d73b4bb64
+ - recordType: CNAME
+ fqdn: mail.example.com
+ verificationValue: u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t02._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ - recordType: CNAME
+ fqdn: t022._domainkey.example.com
+ verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
+ WSFederationEx:
+ summary: WS_FEDERATION
+ value:
+ name: template_wsfed
+ label: Sample WS-Fed App
+ signOnMode: WS_FEDERATION
+ settings:
+ app:
+ audienceRestriction: urn:example:app
+ groupValueFormat: windowsDomainQualifiedName
+ wReplyURL: https://example.com/
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ siteURL: https://example.com
+ usernameAttribute: username
+ WSFederationPutEx:
+ summary: WS_FEDERATION
+ value:
+ name: template_wsfed
+ label: Sample WS-Fed App updated
+ signOnMode: WS_FEDERATION
+ settings:
+ app:
+ audienceRestriction: urn:exampleupdated:app
+ groupValueFormat: windowsDomainQualifiedName
+ wReplyURL: https://example.com/
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ siteURL: https://example.com
+ usernameAttribute: username
+ WSFederationPutResponseEx:
+ summary: WS_FEDERATION
+ value:
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
hints:
allow:
- POST
- PreviewEmailTemplateDefaultContentResponse:
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_wsfed
+ label: Sample WS-Fed App updated
+ features: []
+ signOnMode: WS_FEDERATION
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU
+ settings:
+ app:
+ groupFilter: null
+ siteURL: https://example.com
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ wReplyOverride: false
+ digestAlgorithm: SHA1
+ usernameAttribute: username
+ signatureAlgorithm: RSA_SHA1
+ audienceRestriction: urn:exampleupdated:app
+ wReplyURL: https://example.com/
+ groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
+ attributeStatements: null
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4
+ groupValueFormat: windowsDomainQualifiedName
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ WSFederationResponseEx:
+ summary: WS_FEDERATION
value:
- subject: Welcome to Okta!
- body:
Hello, John. Click here to activate your account.
+ id: 0oafxqCAJWWGELFTYASJ
+ status: ACTIVE
+ lastUpdated: '2023-01-21T14:11:24.000Z'
+ created: '2023-01-21T14:11:24.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ loginRedirectUrl: null
+ _links:
+ uploadLogo:
+ href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo
+ hints:
+ allow:
+ - POST
+ appLinks:
+ - name: customswaapp_link
+ href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4
+ type: text/html
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups
+ logo:
+ - name: medium
+ href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate
+ visibility:
+ autoLaunch: false
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ name: template_wsfed
+ label: Sample WS-Fed App
+ features: []
+ signOnMode: WS_FEDERATION
+ credentials:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ signing:
+ kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU
+ settings:
+ app:
+ groupFilter: null
+ siteURL: https://example.com
+ authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ wReplyOverride: false
+ digestAlgorithm: SHA1
+ usernameAttribute: username
+ signatureAlgorithm: RSA_SHA1
+ audienceRestriction: urn:example:app
+ wReplyURL: https://example.com/
+ groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
+ attributeStatements: null
+ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4
+ groupValueFormat: windowsDomainQualifiedName
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ WellKnownAppAuthenticatorConfigurationCustomApp:
+ value:
+ - authenticatorId: aut22f6xzargnJZYE3l7
+ orgId: 00o1vhf34q20MfCFC3l7
+ type: app
+ key: custom_app
+ name: EnergyAus Authenticator
+ createdDate: '2022-10-11T08:56:45.000Z'
+ lastUpdated: '2023-09-07T11:31:35.000Z'
+ settings:
+ userVerification: PREFERRED
+ supportedMethods:
+ - type: push
+ status: ACTIVE
+ settings:
+ algorithms:
+ - RS256
+ - ES256
+ keyProtection: ANY
+ appAuthenticatorEnrollEndpoint: https://{yourOktaDomain}/idp/myaccount/app-authenticators
+ WellKnownOrgMetadataResponseClassic:
+ value:
+ id: 00o5rb5mt2H3d1TJd0h7
+ _links:
+ organization:
+ href: https://{{yourOktaDomain}}
+ pipeline: v1
+ settings:
+ analyticsCollectionEnabled: false
+ bugReportingEnabled: true
+ omEnabled: true
+ WellKnownOrgMetadataResponseCustomUrlOie:
+ value:
+ id: 00o47wwoytgsDqEtz0g7
+ _links:
+ organization:
+ href: https://{yourSubdomain}.okta.com
+ alternate:
+ href: https://{yourCustomDomain}
+ pipeline: idx
+ settings:
+ analyticsCollectionEnabled: false
+ bugReportingEnabled: true
+ omEnabled: false
+ activateOAuth2ClientSecretResponse:
+ summary: Activate Secret response example
+ value:
+ id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ activeAPIServiceIntegrationInstanceSecretResponse:
+ summary: Activate Secret response example
+ value:
+ id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: '***MQGQ'
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ bulkDeletePayload:
+ value:
+ entityType: USERS
+ profiles:
+ - externalId: EXT123456784C2IF
+ - externalId: EXT123456784C3IF
+ - externalId: EXT123456784C4IF
+ bulkUpsertPayload:
+ value:
+ entityType: USERS
+ profiles:
+ - externalId: EXT123456784C2IF
+ profile:
+ userName: isaac.brock@example.com
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ secondEmail: isaac2.brock@example.com
+ mobilePhone: 123-456-7890
+ homeAddress: Kirkland, WA
+ cloud-rule:
+ summary: Global session policy - Challenge cloud users
+ description: This global session policy uses a rule to challenge cloud users
+ value:
+ type: SIGN_ON
+ name: Challenge Cloud Users
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include: []
+ exclude: []
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ cloud-rule-response:
+ summary: Global session policy - Challenge cloud users
+ description: The response body from the creation of a global session policy that uses a rule to challenge cloud users
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ type: SIGN_ON
+ name: Challenge Cloud Users
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ include: []
+ exclude: []
+ groups:
+ include: []
+ exclude: []
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ create-auth-policy-rule-condition:
+ summary: Authentication policy - Create rule with conditions
+ description: Creates an authentication policy rule with a conditions object.
+ value:
+ system: false
+ type: ACCESS_POLICY
+ name: Rule with conditions
+ conditions:
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ network:
+ connection: ZONE
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ riskScore:
+ level: ANY
+ people:
+ users:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ include: []
+ groups:
+ include:
+ - 00g9i12jictsYdZdi1d7
+ exclude: []
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ reauthenticateIn: PT2H
+ constraints:
+ - knowledge:
+ reauthenticateIn: PT2H
+ types:
+ - password
+ type: ASSURANCE
+ create-auth-policy-rule-condition-response:
+ summary: Authentication policy - Policy rule with conditions
+ description: The response body from the creation of an authentication policy rule with conditions.
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ name: Rule with conditions
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ groups:
+ include:
+ - 00g9i12jictsYdZdi1d7
+ network:
+ connection: ZONE
+ exclude:
+ - nzo9o4rctwQCJNE6y1d7
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ exclude: []
+ riskScore:
+ level: ANY
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ required: true
+ types:
+ - password
+ reauthenticateIn: PT2H
+ type: ACCESS_POLICY
_links:
self:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
hints:
allow:
- GET
- template:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
hints:
allow:
- GET
- defaultContent:
- href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content
- hints:
- allow:
- - POST
- PrincipalRateLimitEntityRequestEmptyPercentages:
+ - PUT
+ - DELETE
+ create-group-rule-request-example:
+ summary: Create group rule request example
value:
- principalId: token1234
- principalType: SSWS_TOKEN
- PrincipalRateLimitEntityRequestSSWSToken:
+ type: group_rule
+ name: Engineering group rule
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u22w79JPMEeeuLr0g4
+ groups:
+ exclude: []
+ expression:
+ value: user.role=="Engineer"
+ type: urn:okta:expression:1.0
+ actions:
+ assignUserToGroups:
+ groupIds:
+ - 00gjitX9HqABSoqTB0g3
+ create-user-in-group-request:
+ description: See [Create user in group](/openapi/okta-management/management/tag/User/#create-user--in-group) for description.
value:
- principalId: token1234
- principalType: SSWS_TOKEN
- defaultPercentage: 50
- defaultConcurrencyPercentage: 75
- PrincipalRateLimitEntityResponseSSWSToken:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ groupIds:
+ - 00g1emaKYZTWRYYRRTSK
+ - 00garwpuyxHaWOkdV0g4
+ create-user-in-group-response:
value:
- id: abcd1234
- orgId: org1234
- principalId: token1234
- principalType: SSWS_TOKEN
- defaultPercentage: 50
- defaultConcurrencyPercentage: 75
- createdDate: '2022-05-19T20:05:32.720Z'
- createdBy: user1234
- lastUpdate: '2022-05-20T21:13:07.410Z'
- lastUpdatedBy: user4321
- ProvisioningConnectionOauthRequestEx:
- summary: Provisioning Connection with OAuth 2.0
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-authentication-provider-request:
+ description: Set `activate` parameter to `true`. See [Create user with authentication provider](/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider) for description.
value:
profile:
- authScheme: OAUTH2
- clientId: 0oa2h6su6bVFyJzIf1d7
- ProvisioningConnectionOauthResponseEx:
- summary: Provisioning Connection with OAuth 2.0
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: FEDERATION
+ name: FEDERATION
+ create-user-with-authentication-provider-response:
value:
- authScheme: OAUTH2
- status: ENABLED
+ id: 00uijntSwJjSHtDY70g3
+ status: ACTIVE
+ created: '2016-01-19T22:02:08.000Z'
+ activated: '2016-01-19T22:02:08.000Z'
+ statusChanged: '2016-01-19T22:02:08.000Z'
+ lastLogin: null
+ lastUpdated: '2016-01-19T22:02:08.000Z'
+ passwordChanged: null
+ profile:
+ login: isaac.brock@example.com
+ firstName: Isaac
+ lastName: Brock
+ mobilePhone: 555-415-1337
+ email: isaac.brock@example.com
+ secondEmail: null
+ credentials:
+ provider:
+ type: FEDERATION
+ name: FEDERATION
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
- hints:
- allow:
- - GET
- - POST
+ resetPassword:
+ href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/reset_password
+ method: POST
+ changeRecoveryQuestion:
+ href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/credentials/change_recovery_question
+ method: POST
deactivate:
- href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
- hints:
- allow:
- - POST
- ProvisioningConnectionTokenRequestEx:
- summary: Provisioning Connection with token
+ href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/deactivate
+ method: POST
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-imported-hashed-password-request:
+ description: Set `activate` parameter to `true`. See [Create user with imported hashed password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description.
value:
profile:
- authScheme: TOKEN
- token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x
- ProvisioningConnectionTokenResponseEx:
- summary: Provisioning Connection with token
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ hash:
+ algorithm: BCRYPT
+ workFactor: 10
+ salt: rwh3vH166HCH/NT9XV5FYu
+ value: qaMqvAPULkbiQzkTCWo5XDcvzpk8Tna
+ create-user-with-imported-hashed-password-response:
value:
- authScheme: TOKEN
- status: ENABLED
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ provider:
+ type: IMPORT
+ name: IMPORT
_links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
self:
- href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default
- hints:
- allow:
- - GET
- - POST
- deactivate:
- href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate
- hints:
- allow:
- - POST
- PushProviderAPNsRequest:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-non-default-user-type-request:
+ description: See [Create user with non-default user type](/openapi/okta-management/management/tag/User/#create-user-with-non-default-user-type) for description.
value:
- name: APNs Example
- providerType: APNS
- configuration:
- keyId: KEY_ID
- teamId: TEAM_ID
- tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
- fileName: fileName.p8
- PushProviderAPNsResponse:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ type:
+ id: otyfnjfba4ye7pgjB0g4
+ create-user-with-non-default-user-type-response:
value:
- id: ppctekcmngGaqeiBxB0g4
- name: APNs Example
- providerType: APNS
- lastUpdatedDate: 2022-01-01T00:00:00.000Z
- configuration:
- keyId: KEY_ID
- teamId: TEAM_ID
- fileName: fileName.p8
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ type:
+ id: otyfnjfba4ye7pgjB0g4
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: OKTA
+ name: OKTA
_links:
+ schema:
+ href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscfnjfba4ye7pgjB0g4
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
self:
- href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
- hints:
- allow:
- - DELETE
- - GET
- - PUT
- PushProviderFCMRequest:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ type:
+ href: https://{yourOktaDomain}/api/v1/meta/types/user/otyfnjfba4ye7pgjB0g4
+ create-user-with-password-and-recovery-question-request:
+ description: See [Create user with password and recovery question](/openapi/okta-management/management/tag/User/#create-user-with-password-and-recovery-question) for description.
value:
- name: FCM Example
- providerType: FCM
- configuration:
- serviceAccountJson:
- type: service_account
- project_id: PROJECT_ID
- private_key_id: KEY_ID
- private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n'
- client_email: SERVICE_ACCOUNT_EMAIL
- client_id: CLIENT_ID
- auth_uri: https://accounts.google.com/o/oauth2/auth
- token_uri: https://accounts.google.com/o/oauth2/token
- auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs
- client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL
- fileName: fileName.json
- PushProviderFCMResponse:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ value: tlpWENT2m
+ recovery_question:
+ question: Who is a major player in the cowboy scene?
+ answer: Annie Oakley
+ create-user-with-password-and-recovery-question-response:
value:
- id: ppctekcmngGaqeiBxB0g4
- name: FCM Example
- providerType: FCM
- lastUpdatedDate: 2022-01-01T00:00:00.000Z
- configuration:
- projectId: PROJECT_ID
- fileName: fileName.p8
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
_links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
self:
- href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4
- hints:
- allow:
- - DELETE
- - GET
- - PUT
- RateLimitAdminNotificationsDisabled:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-password-import-inline-hook-request:
+ description: Set `activate` parameter to `true`. See [Create user with password inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-inline-hook) for description.
value:
- notificationsEnabled: false
- RateLimitAdminNotificationsEnabled:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ hook:
+ type: default
+ create-user-with-password-import-inline-hook-response:
value:
- notificationsEnabled: true
- RateLimitWarningThresholdValidExample:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ provider:
+ type: IMPORT
+ name: IMPORT
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-password-request:
+ description: Set `activate` parameter to `true`. See [Create user with password](/openapi/okta-management/management/tag/User/#create-user-with-password) for description.
value:
- warningThreshold: 66
- RealmResponse:
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password:
+ value: tlpWENT2m
+ create-user-with-password-response:
value:
- id: guox9jQ16k9V8IFEL0g3
- created: 2022-04-04T15:56:05.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- isDefault: false
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
profile:
- name: Car Co
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
_links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
self:
- rel: self
- href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3
- method: GET
- RemoveMappingBody:
- summary: Update an existing profile mapping by removing one or more properties
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-with-recovery-question-request:
+ description: See [Create user with recovery question](/openapi/okta-management/management/tag/User/#create-user-with-recovery-question) for description.
value:
- properties:
- nickName:
- expression: null
- pushStatus: null
- RemoveMappingResponse:
- summary: Update an existing profile mapping by removing one or more properties
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ recovery_question:
+ question: Who is a major player in the cowboy scene?
+ answer: Annie Oakley
+ create-user-with-recovery-question-response:
value:
- id: prm1k47ghydIQOTBW0g4
- source:
- id: otysbePhQ3yqt4cVv0g3
- name: user
- type: user
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
- target:
- id: 0oa1qmn4LZQQEH0wZ0g4
- name: okta_org2org
- type: appuser
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
- properties:
- fullName:
- expression: user.firstName + user.lastName
- pushStatus: PUSH
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ provider:
+ type: OKTA
+ name: OKTA
_links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
self:
- href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
- ReplaceKeyResponse:
- summary: Replace a key response example
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ create-user-without-credentials-request:
value:
- id: HKY1p7jWLndGQV9M60g4
- keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
- name: My updated new key
- created: '2022-08-31T18:09:58.000Z'
- lastUpdated: '2022-08-31T18:16:59.000Z'
- isUsed: 'false'
- ReplaceNetworkZone:
- summary: Replace a Network Zone
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ create-user-without-credentials-response:
value:
- type: IP
- id: nzovw2rFz2YoqmvwZ0g9
- name: UpdatedNetZone
- status: ACTIVE
- usage: POLICY
- gateways:
- - type: CIDR
- value: 10.2.3.4/24
- - type: CIDR
- value: 12.2.3.4/24
- - type: RANGE
- value: 13.4.5.6-13.4.5.8
- - type: CIDR
- value: 14.2.3.4/24
- proxies:
- - type: CIDR
- value: 12.2.3.4/24
- - type: CIDR
- value: 13.3.4.5/24
- - type: RANGE
- value: 14.4.5.6-14.4.5.8
- - type: RANGE
- value: 15.5.6.7/24-15.5.6.9
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: STAGED
+ created: '2013-07-02T21:36:25.344Z'
+ activated: null
+ statusChanged: null
+ lastLogin: null
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: null
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ credentials:
+ provider:
+ type: OKTA
+ name: OKTA
_links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate
self:
- href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9
+ href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR
+ createOAuth2ClientSecretCustomRequestBody:
+ summary: Add a user provided client secret
+ value:
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ status: ACTIVE
+ createOAuth2ClientSecretSystemGeneratedRequestBody:
+ summary: Add a system-generated client secret
+ value: {}
+ deactivateOAuth2ClientJsonWebKeyResponse:
+ summary: Deactivate JSON Web Key example
+ value:
+ id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: INACTIVE
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate
hints:
allow:
- - GET
- - PUT
- - DELETE
- deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate
+ - POST
+ deactivateOAuth2ClientSecretResponse:
+ summary: Deactivate Secret response example
+ value:
+ id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
hints:
allow:
- POST
- ReplaceNetworkZoneResponse:
- summary: Replace Network Zone response
+ delete:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ deny-rule:
+ summary: Global session policy - Deny users
+ description: This global session policy uses a rule to deny users
value:
- type: IP
- id: nzovw2rFz2YoqmvwZ0g3
- name: UpdatedNetZone
+ type: SIGN_ON
+ name: Deny users
+ conditions:
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ access: DENY
+ requireFactor: false
+ deny-rule-response:
+ summary: Global session policy - Deny users
+ description: The response body from the creation of a global session policy that uses a rule to deny users
+ value:
+ id: rule8jjozjGMGbHyC1d6
status: ACTIVE
- usage: POLICY
- created: '2019-01-24T19:53:28.000Z'
- lastUpdated: '2019-02-24T19:53:28.000Z'
+ type: SIGN_ON
+ name: Deny
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
system: false
- gateways:
- - type: CIDR
- value: 10.2.3.4/24
- - type: CIDR
- value: 12.2.3.4/24
- - type: RANGE
- value: 13.4.5.6-13.4.5.8
- - type: CIDR
- value: 14.2.3.4/24
- proxies:
- - type: CIDR
- value: 12.2.3.4/24
- - type: CIDR
- value: 13.3.4.5/24
- - type: RANGE
- value: 14.4.5.6-14.4.5.8
- - type: RANGE
- value: 15.5.6.7/24-15.5.6.9
- ReplaceUserTypePutRequest:
- summary: Replace user type request
- value:
- displayName: Replacement Display Name
- description: Replacement description
- name: newUserType
- ReplaceUserTypePutResponse:
- summary: Replace user type response
- value:
- id: otyfnly5cQjJT9PnR0g4
- displayName: Replacement Display Name
- name: newUserType
- description: Replacement description
- createdBy: sprz9fj1ycBcsgopy1d6
- lastUpdatedBy: sprz9fj1ycBcsgopy1d6
- created: '2021-07-05T20:40:38.000Z'
- lastUpdated: '2021-07-05T20:40:38.000Z'
- default: false
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: ANY
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: DENY
+ requireFactor: false
+ primaryFactor: PASSWORD_IDP
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 120
+ maxSessionLifetimeMinutes: 0
_links:
self:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- ResourceSetBindingAddMembersRequestExample:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ editFeatureExample:
+ summary: Enable Okta Personal admin settings
value:
- additions:
- - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
- - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3
- ResourceSetBindingCreateRequestExample:
+ enableExportApps: true
+ enableEnduserEntryPoints: true
+ getBlockListExample:
+ summary: List of blocked email domains
value:
- role: cr0Yq6IJxGIr0ouum0g3
- members:
- - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
- ResourceSetBindingMemberResponse:
+ domains:
+ - yahoo.com
+ - google.com
+ group-example:
+ summary: Group example
+ description: Example of a Group
value:
- id: irb1qe6PGuMc7Oh8N0g4
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
+ id: 00g1emaKYZTWRYYRRTSK
+ created: '2015-02-06T10:11:28.000Z'
+ lastUpdated: '2015-10-05T19:16:43.000Z'
+ lastMembershipUpdated: '2015-11-28T19:15:32.000Z'
+ objectClass:
+ - okta:user_group
+ type: OKTA_GROUP
+ profile:
+ name: West Coast Users
+ description: All Users West of The Rockies
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3
- ResourceSetBindingMembersResponse:
+ logo:
+ - name: medium
+ href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png
+ type: image/png
+ - name: large
+ href: https://{yourOktaDomain}/img/logos/groups/okta-large.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users
+ apps:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps
+ group-rule-example:
+ summary: Group rule example
+ description: Example of a group rule
value:
- members:
- - id: irb1qe6PGuMc7Oh8N0g4
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3
- - id: irb1q92TFAHzySt3x0g4
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
- _links:
- binding:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
- next:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members?after=0ouRq6IJmGIr3ouum0g3
- ResourceSetBindingResponseExample:
+ type: group_rule
+ id: 0pr3f7zMZZHPgUoWO0g4
+ status: INACTIVE
+ name: Engineering group rule
+ created: '2016-12-01T14:40:04.000Z'
+ lastUpdated: '2016-12-01T14:40:04.000Z'
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u22w79JPMEeeuLr0g4
+ groups:
+ exclude: []
+ expression:
+ value: user.role=="Engineer"
+ type: urn:okta:expression:1.0
+ actions:
+ assignUserToGroups:
+ groupIds:
+ - 00gjitX9HqABSoqTB0g3
+ idp-discovery-dynamic-routing-rule:
+ summary: IdP discovery policy - Dynamic routing rule
+ description: This routing rule uses a dynamic Identity Provider.
value:
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
- bindings:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
- resource-set:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
- ResourceSetBindingResponseWithIdExample:
+ name: Dynamic routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers: []
+ idpSelectionType: DYNAMIC
+ matchCriteria:
+ - providerExpression: login.identifier.substringAfter('@')
+ propertyName: name
+ system: false
+ type: IDP_DISCOVERY
+ idp-discovery-dynamic-routing-rule-response:
+ summary: IdP discovery policy - Dynamic routing rule
value:
- id: cr0Yq6IJxGIr0ouum0g3
+ id: ruleId
_links:
self:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3
- bindings:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
- resource-set:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
- ResourceSetBindingsResponse:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: Dynamic routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers: []
+ idpSelectionType: DYNAMIC
+ matchCriteria:
+ - providerExpression: login.identifier.substringAfter('@')
+ propertyName: name
+ system: false
+ type: IDP_DISCOVERY
+ idp-discovery-policy-response:
+ summary: IDP_DISCOVERY
value:
- roles:
- - id: cr0WxyzJxGIr0ouum0g4
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4
- members:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members
+ type: IDP_DISCOVERY
+ id: policyId
+ status: ACTIVE
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions: null
_links:
self:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
- resource-set:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
- next:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4
- ResourceSetRequest:
- value:
- label: SF-IT-People
- description: People in the IT department of San Francisco
- resources:
- - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
- - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
- - https://{yourOktaDomain}/api/v1/users
- ResourceSetResourcePatchRequestExample:
- value:
- additions:
- - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
- - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
- ResourceSetResourcesResponse:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
+ hints:
+ allow:
+ - POST
+ - GET
+ idp-discovery-specific-routing-rule:
+ summary: IdP discovery policy - Specific routing rule
+ description: This routing rule uses a specific Identity Provider.
value:
- resources:
- - id: ire106sQKoHoXXsAe0g4
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3
- - id: ire106riDrTYl4qA70g4
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users
- - id: irezvo4AwE2ngpMw40g3
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- users:
- href: https://{yourOktaDomain}/api/v1/users
- groups:
- href: https://{yourOktaDomain}/api/v1/groups
- _links:
- next:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3
- resource-set:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
- ResourceSetResponse:
+ name: Specific routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers:
+ - type: GOOGLE
+ id: 0oa5ks3WmHLRh8Ivr0g4
+ idpSelectionType: SPECIFIC
+ system: false
+ type: IDP_DISCOVERY
+ idp-discovery-specific-routing-rule-response:
+ summary: IdP discovery policy - Specific routing rule
value:
- id: iamoJDFKaJxGIr0oamd9g
- label: SF-IT-People
- description: People in the IT department of San Francisco
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
+ id: ruleId
_links:
self:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
- resources:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources
- bindings:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
- ResourceSetsResponse:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: Specific routing rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ actions:
+ idp:
+ providers:
+ - type: GOOGLE
+ id: 0oa5ks3WmHLRh8Ivr0g4
+ idpSelectionType: SPECIFIC
+ system: false
+ type: IDP_DISCOVERY
+ inactiveAPIServiceIntegrationInstanceSecretResponse:
+ summary: Deactivate Secret response example
value:
- resource-sets:
- - id: iamoJDFKaJxGIr0oamd9g
- label: SF-IT-1
- description: First San Francisco IT Resource Set
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g
- resources:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources
- bindings:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings
- - id: iamoJDFKaJxGIr0oamd0q
- label: SF-IT-2
- description: Second San Francisco IT Resource Set
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q
- resources:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources
- bindings:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings
+ id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: '***DhOW'
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
_links:
- next:
- href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q
- RetrieveAllZones:
- summary: Retrieves all Network Zones
+ activate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ list-all-idp-discovery-policy-rule-response:
+ summary: IDP_DISCOVERY
value:
- - type: IP
- id: nzowc1U5Jh5xuAK0o0g3
- name: LegacyIpZone
+ - id: 0prgu3bb10hce267M1d7
status: ACTIVE
- usage: POLICY
- created: 2019-05-17T18:44:31.000Z
- lastUpdated: 2019-05-21T13:50:49.000Z
+ name: Test rule
+ priority: 1
+ created: '2024-08-27T19:51:15.000Z'
+ lastUpdated: '2024-08-27T19:51:15.000Z'
system: true
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- proxies:
- - type: RANGE
- value: 3.3.4.5-3.3.4.15
+ conditions:
+ network:
+ connection: ANYWHERE
+ platform:
+ include: []
+ exclude: []
+ userIdentifier:
+ patterns: []
+ app:
+ include: []
+ exclude: []
+ actions:
+ idp:
+ providers:
+ - type: OKTA
+ idpSelectionType: SPECIFIC
_links:
self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- GET
- PUT
- - DELETE
- deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ type: IDP_DISCOVERY
+ list-all-mfa-enroll-policy-rule-response:
+ summary: MFA_ENROLL
+ value:
+ - id: 0prgu3g4mon9ARm9F1d7
+ status: ACTIVE
+ name: Test Rule
+ priority: 1
+ created: '2024-08-27T19:51:39.000Z'
+ lastUpdated: '2024-08-27T19:51:39.000Z'
+ system: true
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ enroll:
+ self: CHALLENGE
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- - POST
- - type: DYNAMIC
- id: nzowc1U5Jh5xuAK0o0g3
- name: test
+ - GET
+ - PUT
+ type: MFA_ENROLL
+ list-all-password-policy-rule-response:
+ summary: PASSWORD
+ value:
+ - id: 0prgu3baytQGHuVEv1d7
status: ACTIVE
- usage: POLICY
- created: 2019-05-17T18:44:31.000Z
- lastUpdated: 2019-05-21T13:50:49.000Z
- system: false
- locations:
- - country: AF
- region: AF-BGL
- proxyType: ANY
- asns:
- - '23457'
+ name: Test Rule
+ priority: 1
+ created: '2024-08-27T19:51:11.000Z'
+ lastUpdated: '2024-08-27T19:51:17.000Z'
+ system: true
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: DENY
_links:
self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- GET
- PUT
- - DELETE
- deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ type: PASSWORD
+ list-all-profile-enrollment-policy-rule-response:
+ summary: PROFILE_ENROLLMENT
+ value:
+ - id: rulgu3bb4oWR7qbMi1d7
+ status: ACTIVE
+ name: Test Rule
+ priority: 99
+ created: '2024-08-27T19:51:18.000Z'
+ lastUpdated: '2024-08-27T19:51:22.000Z'
+ system: true
+ conditions: null
+ actions:
+ profileEnrollment:
+ access: ALLOW
+ preRegistrationInlineHooks: null
+ profileAttributes:
+ - name: email
+ label: Email
+ required: true
+ - name: firstName
+ label: First name
+ required: true
+ - name: lastName
+ label: Last name
+ required: true
+ targetGroupIds: null
+ unknownUserAction: DENY
+ activationRequirements:
+ emailVerification: true
+ uiSchemaId: uisgu3bb4zTbvwD8S1d7
+ progressiveProfilingAction: DISABLED
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- - POST
- RetrieveAllZonesWithFilter:
- summary: Retrieves Network Zones with filter
+ - GET
+ - PUT
+ type: PROFILE_ENROLLMENT
+ list-all-sign-on-policy-rule-response:
+ summary: OKTA_SIGN_ON
value:
- - type: IP
- id: nzowc1U5Jh5xuAK0o0g3
- name: LegacyIpZone
+ - id: 0prh1sd28q5sXGW08697
status: ACTIVE
- usage: POLICY
- created: 2019-05-17T18:44:31.000Z
- lastUpdated: 2019-05-21T13:50:49.000Z
- system: true
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- proxies:
- - type: RANGE
- value: 3.3.4.5-3.3.4.15
+ name: Test rule
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ requireFactor: false
+ factorPromptMode: ALWAYS
+ factorLifetime: 15
+ access: ALLOW
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ session:
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ usePersistentCookie: false
_links:
self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- GET
- PUT
- DELETE
deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- POST
- RetrieveKeyResponse:
- summary: Retrieve a key by hookKeyId response example
+ type: SIGN_ON
+ list-apps-example:
+ summary: List apps example
+ description: List all apps example
value:
- id: HKY1p7jWLndGQV9M60g4
- keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad
- name: My new key
- created: '2022-08-31T18:09:58.000Z'
- lastUpdated: '2022-08-31T18:09:58.000Z'
- isUsed: 'false'
- RetrieveMappingsResponse:
- summary: Retrieve a single Profile Mapping
+ - id: 0oafwvZDWJKVLDCUWUAC
+ name: template_basic_auth
+ label: Sample Basic Auth App
+ status: ACTIVE
+ lastUpdated: '2013-09-30T00:56:52.000Z'
+ created: '2013-09-30T00:56:52.000Z'
+ accessibility:
+ selfService: false
+ errorRedirectUrl: null
+ visibility:
+ autoSubmitToolbar: false
+ hide:
+ iOS: false
+ web: false
+ appLinks:
+ login: true
+ features: []
+ signOnMode: BASIC_AUTH
+ credentials:
+ scheme: EDIT_USERNAME_AND_PASSWORD
+ userNameTemplate:
+ template: ${source.login}
+ type: BUILT_IN
+ settings:
+ app:
+ url: https://example.com/login.html
+ authURL: https://example.com/auth.html
+ _links:
+ appLinks:
+ - href: https://{yourOktaDomain}/home/template_basic_auth/0oafwvZDWJKVLDCUWUAC/1438
+ name: login
+ type: text/html
+ users:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/users
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/lifecycle/deactivate
+ groups:
+ href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/groups
+ list-group-rules-example:
+ summary: List Group rules example
+ description: List all group rules example
value:
- id: prm1k47ghydIQOTBW0g4
- source:
- id: otysbePhQ3yqt4cVv0g3
- name: user
- type: user
+ - type: group_rule
+ id: 0pr3f7zMZZHPgUoWO0g4
+ status: INACTIVE
+ name: Engineering group rule
+ created: '2016-12-01T14:40:04.000Z'
+ lastUpdated: '2016-12-01T14:40:04.000Z'
+ conditions:
+ people:
+ users:
+ exclude:
+ - 00u22w79JPMEeeuLr0g4
+ groups:
+ exclude: []
+ expression:
+ value: user.role=="Engineer"
+ type: urn:okta:expression:1.0
+ actions:
+ assignUserToGroups:
+ groupIds:
+ - 00gjitX9HqABSoqTB0g3
+ list-groups-examples:
+ summary: List all groups example
+ description: Lists an example of an OKTA_GROUP and an APP_GROUP
+ value:
+ - id: 00g1emaKYZTWRYYRRTSK
+ created: '2015-02-06T10:11:28.000Z'
+ lastUpdated: '2015-10-05T19:16:43.000Z'
+ lastMembershipUpdated: '2015-11-28T19:15:32.000Z'
+ objectClass:
+ - okta:user_group
+ type: OKTA_GROUP
+ profile:
+ name: West Coast Users
+ description: All Users West of The Rockies
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
- target:
- id: 0oa1qmn4LZQQEH0wZ0g4
- name: okta_org2org
- type: appuser
+ logo:
+ - name: medium
+ href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png
+ type: image/png
+ - name: large
+ href: https://{yourOktaDomain}/img/logos/groups/okta-large.png
+ type: image/png
+ users:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users
+ apps:
+ href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps
+ - id: 00garwpuyxHaWOkdV0g4
+ created: '2015-08-15T19:15:17.000Z'
+ lastUpdated: '2015-11-18T04:02:19.000Z'
+ lastMembershipUpdated: '2015-08-15T19:15:17.000Z'
+ objectClass:
+ - okta:windows_security_principal
+ type: APP_GROUP
+ profile:
+ name: Engineering Users
+ description: corp.example.com/Engineering/Engineering Users
+ groupType: Security
+ samAccountName: Engineering Users
+ objectSid: S-1-5-21-717838489-685202119-709183397-1177
+ groupScope: Global
+ dn: CN=Engineering Users,OU=Engineering,DC=corp,DC=example,DC=com
+ windowsDomainQualifiedName: CORP\Engineering Users
+ externalId: OZJdWdONCU6h7WjQKp+LPA==
+ source:
+ id: 0oa2v0el0gP90aqjJ0g7
+ _links:
+ logo:
+ - name: medium
+ href: https://{yourOktaDomain}/img/logos/groups/active_directory-medium.png
+ type: image/png
+ - name: large
+ href: https://{yourOktaDomain}/img/logos/groups/active_directory-large.png
+ type: image/png
+ source:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa2v0el0gP90aqjJ0g7
+ users:
+ href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/users
+ apps:
+ href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/apps
+ list-user-example:
+ value:
+ - id: 00u1f96ECLNVOKVMUSEA
+ status: ACTIVE
+ created: '2013-12-12T16:14:22.000Z'
+ activated: '2013-12-12T16:14:22.000Z'
+ statusChanged: '2013-12-12T22:14:22.000Z'
+ lastLogin: '2013-12-12T22:14:22.000Z'
+ lastUpdated: '2015-11-15T19:23:32.000Z'
+ passwordChanged: '2013-12-12T22:14:22.000Z'
+ profile:
+ firstName: Easy
+ lastName: E
+ email: easy-e@example.com
+ login: easy-e@example.com
+ mobilePhone: null
+ credentials:
+ password: {}
+ provider:
+ type: OKTA
+ name: OKTA
_links:
self:
- href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
- properties:
- firstName:
- expression: user.firstName
- pushStatus: PUSH
- lastName:
- expression: user.lastName
- pushStatus: PUSH
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
- RetrieveNetworkZoneDynamic:
- summary: Dynamic Network Zone response
+ href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA
+ listStreamConfigurationExample:
+ summary: List of SSF Stream configurations example
value:
- type: DYNAMIC
- id: nzowc1U5Jh5xuAK0o0g3
- name: test
+ - aud: https://example.com
+ delivery:
+ method: urn:ietf:rfc:8935
+ endpoint_url: https://example.com
+ events_delivered:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_requested:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_supported:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ format: iss_sub
+ iss: https://{yourOktaDomain}
+ min_verification_interval: 0
+ stream_id: esc1k235GIIztAuGK0g5
+ mfa-enroll-policy-response:
+ summary: MFA_ENROLL
+ value:
+ type: MFA_ENROLL
+ id: policyId
status: ACTIVE
- usage: POLICY
- created: '2019-05-17T18:44:31.000Z'
- lastUpdated: '2019-05-21T13:50:49.000Z'
- system: false
- locations:
- - country: AF
- region: AF-BGL
- proxyType: ANY
- asns:
- - '23457'
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions:
+ people:
+ groups:
+ include:
+ - groupId
+ settings:
+ factors:
+ okta_otp:
+ enroll:
+ self: OPTIONAL
+ consent:
+ type: NONE
+ okta_push:
+ enroll:
+ self: OPTIONAL
+ consent:
+ type: NONE
+ okta_password:
+ enroll:
+ self: OPTIONAL
+ consent:
+ type: NONE
_links:
self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
hints:
allow:
- GET
- PUT
- - DELETE
- deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
hints:
allow:
- POST
- RetrieveNetworkZoneIP:
- summary: IP Network Zone response
+ - GET
+ newAPIServiceIntegrationInstanceSecretResponse:
+ summary: New secret response example
value:
- type: IP
- id: nzowc1U5Jh5xuAK0o0g3
- name: LegacyIpZone
+ id: ocs2f50kZB0cITmYU0g4
status: ACTIVE
- usage: POLICY
- created: 2019-05-17T18:44:31.000Z
- lastUpdated: 2019-05-21T13:50:49.000Z
- system: true
- gateways:
- - type: CIDR
- value: 1.2.3.4/24
- proxies:
- - type: RANGE
- value: 3.3.4.5-3.3.4.15
+ client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B
+ secret_hash: FpCwXwSjTRQNtEI11I00-g
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3
+ deactivate:
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
hints:
allow:
- - GET
- - PUT
- - DELETE
+ - POST
+ oAuth2ClientSecretResponse:
+ summary: Client secret response example
+ value:
+ id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: FpCwXwSjTRQNtEI11I00-g
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
deactivate:
- href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
hints:
allow:
- POST
- RetrievePublicKeyResponse:
- summary: Retrieve Public Key response example
- value:
- _embedded:
- kty: RSA
- alg: RSA
- kid: 7fbc27fd-e3df-4522-86bf-1930110256ad
- use: null
- e: AQAB
- 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w`
- RetrieveUISchemaResponse:
- summary: Retrieves a UI Schema response
+ oAuthClientJsonWebKey:
+ summary: JSON Web Key example
value:
- id: uis4a7liocgcRgcxZ0g7
- uiSchema:
- type: Group
- label: Sign in
- buttonLabel: Submit
- elements:
- - type: Control
- scope: '#/properties/firstName'
- label: First name
- options:
- format: text
- - type: Control
- scope: '#/properties/lastName'
- label: Last name
- options:
- format: text
- - type: Control
- scope: '#/properties/email'
- label: Email
- options:
- format: text
- - type: Control
- scope: '#/properties/countryCode'
- label: Country code
- options:
- format: select
- - type: Control
- scope: '#/properties/bool2'
- label: bool2
- options:
- format: checkbox
- - type: Control
- scope: '#/properties/date'
- label: date
- - type: Control
- scope: '#/properties/enum'
- label: enum
- options:
- format: radio
- created: '2022-07-25T12:56:31.000Z'
- lastUpdated: '2022-07-26T11:53:59.000Z'
+ id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: ACTIVE
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
_links:
- self:
- href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate
hints:
allow:
- - GET
- - PUT
- - DELETE
- RiskEventsRequestExample:
- summary: Risk Events payload example
+ - POST
+ oAuthClientJsonWebKeyListResponse:
+ summary: JSON Web Key list response example
value:
- - timestamp: '2021-01-20T00:00:00.001Z'
- subjects:
- - ip: 6.7.6.7
- riskLevel: MEDIUM
- - ip: 1.1.1.1
- riskLevel: HIGH
- message: Detected Attack tooling and suspicious activity
- - timestamp: '2021-01-20T01:00:00.001Z'
- subjects:
- - ip: 6.7.6.7
- riskLevel: LOW
- - ip: 2.2.2.2
- riskLevel: HIGH
- RiskProviderPutRequest:
- summary: Replace Risk Provider request example
+ jwks:
+ keys:
+ - id: pks2f4zrZbs8nUa7p0g4
+ kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=
+ status: INACTIVE
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ - id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: ACTIVE
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ oAuthClientJsonWebKeyRequest:
+ summary: JSON Web Key Request example
value:
- name: Risk-Partner-Y
- action: enforce_and_log
- clientId: 00ckjsfgjkdkjdkkljjsd
- RiskProviderPutResponse:
- summary: Replace Risk Provider response example
+ id: pks2f50kZB0cITmYU0g4
+ kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B
+ kty: RSA
+ alg: RS256
+ use: sig
+ e: AQAB
+ 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=
+ status: ACTIVE
+ oAuthClientSecretListResponse:
+ summary: Secrets list response example
value:
- id: 00rp12r4skkjkjgsn
- action: enforce_and_log
- name: Risk-Partner-Y
- clientId: 00ckjsfgjkdkjdkkljjsd
- created: '2021-01-05 22:18:30'
- lastUpdated: '2021-01-05 23:18:30'
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
- hints:
- allow:
- - GET
- - PUT
- RiskProviderRequest:
- summary: Risk Provider payload example
+ - id: ocs2f4zrZbs8nUa7p0g4
+ status: INACTIVE
+ client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ secret_hash: yk4SVx4sUWVJVbHt6M-UPA
+ created: '2023-02-21T20:08:24.000Z'
+ lastUpdated: '2023-02-21T20:08:24.000Z'
+ _links:
+ activate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ hints:
+ allow:
+ - POST
+ delete:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ hints:
+ allow:
+ - DELETE
+ - id: ocs2f50kZB0cITmYU0g4
+ status: ACTIVE
+ client_secret: HAGDTYU9XbLnS......3xasFDDwecdZuFs5B
+ secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
+ created: '2023-04-06T21:32:33.000Z'
+ lastUpdated: '2023-04-06T21:32:33.000Z'
+ _links:
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ oamp-id-proofing-policy-rule:
+ summary: Account Management Policy - Account management policy rule with ID proofing enabled
+ description: This account management policy rule enables ID proofing for enrollment processes
value:
- name: Risk-Partner-X
- action: log_only
- clientId: 00ckjsfgjkdkjdkkljjsd
- RiskProviderResponse:
- summary: Risk Provider response example
+ id: ruleId
+ name: Account Management Policy Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ id: entity_id
+ type: ID_PROOFING
+ oamp-id-proofing-policy-rule-response:
+ summary: Account Management Policy - Account management policy rule with ID proofing enabled
+ description: This account management policy rule response enables ID proofing for enrollment processes
value:
- id: 00rp12r4skkjkjgsn
- action: log_only
- name: Risk-Partner-X
- clientId: 00ckjsfgjkdkjdkkljjsd
- created: '2021-01-05 22:18:30'
- lastUpdated: '2021-01-05 22:18:30'
+ id: ruleId
_links:
self:
- href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- GET
- PUT
- RoleAssignedUsersResponseExample:
- value:
- value:
- - id: 00u118oQYT4TBGuay0g4
- orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4
- _links:
- self:
- href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4
- roles:
- href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles
- _links:
- next:
- href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1
- RoleRequest:
- value:
- label: UserCreator
- description: Create users
- permissions:
- - okta.users.create
- - okta.users.read
- - okta.groups.read
- - okta.users.userprofile.manage
- RoleResponse:
- value:
- id: cr0Yq6IJxGIr0ouum0g3
- label: UserCreator
- description: Create users
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- permissions:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
- RolesResponse:
- value:
- roles:
- - id: cr0Yq6IJxGIr0ouum0g3
- label: UserCreator
- description: Create users
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- permissions:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3
- - id: cr0Fw7HKcWIroo88m3r1
- label: GroupMembershipManager
- description: Manage group membership
- created: '2021-02-06T16:20:57.000Z'
- lastUpdated: '2021-02-06T16:20:57.000Z'
- _links:
- permissions:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions
- self:
- href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ name: Account Management Policy Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ id: entity_id
+ type: ID_PROOFING
+ orgCommunicationOptInResponse:
+ summary: Opt in to communication emails
+ value:
+ optOutEmailUsers: false
_links:
- next:
- href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1
- SimulatePolicyBody:
- summary: Simulate policy request body
- description: Simulate policy request body
+ optOut:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optOut
+ hints:
+ allow:
+ - POST
+ orgCommunicationOptOutResponse:
+ summary: Opt out of communication emails
value:
- policyType:
- - OKTA_SIGN_ON
- - MFA_ENROLL
- appInstance: 0oa4eroj3nYCIJIW70g7
- policyContext:
- groups:
- ids:
- - 00g4eralvekR5RLuS0g7
- - 00g4eralvekR5RLuS0g8
- risk:
- level: LOW
- zones:
- ids:
- - nzo4eralxcRnbIHYJ0g7
- device:
- platform: IOS
- registered: true
- managed: true
- SimulatePolicyResponse:
- summary: Simulate policy response body
- description: Simulate policy response body
+ optOutEmailUsers: true
+ _links:
+ optIn:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optIn
+ hints:
+ allow:
+ - POST
+ orgContactTypeResponse:
+ summary: Org Contact Types
value:
- evaluation:
- - status: null
- policyType: OkTA_SIGN_ON
- result:
- policies:
- - id: 00p4eromwukk6qUku0g7
- - name: test policy
- - status: MATCH
- - conditions: []
- - rules:
- - id: 0pr4erof85nGcyC7Y0g7
- - name: test rule
- - status: MATCH
- - conditions:
- - type: people.groups.include
- - status: MATCH
- undefined:
- policies: null
- evaluated:
- policies: null
- - status: null
- policyType: ACCESS_POLICY
- result:
- policies:
- - id: rst4eram06ZKZewEe0g7
- - name: Any two factors
- - status: MATCH
- - conditions: []
- - rules:
- - id: rul4eram07VsWgybo0g7
- - name: Catch-all rule
- - status: MATCH
- - conditions: []
- undefined:
- policies: null
- evaluated:
- policies: null
- - status: null
- policyType: PROFILE_ENROLLMENT
- result:
- policies:
- - id: rst4eram08ZSjPTOl0g7
- - name: Default Policy
- - status: MATCH
- - conditions: []
- - rules:
- - id: rul4eram094PrQ2BX0g7
- - name: Catch-all rule
- - status: MATCH
- - conditions: []
- undefined:
- policies: null
- evaluated:
- policies: null
- ThreatInsightResponseExample:
- summary: ThreatInsight response
+ - contactType: BILLING
+ _links:
+ billing:
+ href: https://{yourOktaDomain}/api/v1/org/contacts/billing
+ - contactType: TECHNICAL
+ _links:
+ technical:
+ href: https://{yourOktaDomain}/api/v1/org/contacts/technical
+ orgContactUserResponse:
+ summary: Contact User
value:
- action: none
- excludeZones: []
- created: '2020-08-05T22:18:30.629Z'
- lastUpdated: '2020-08-05T22:18:30.629Z'
+ userId: 00ux3u0ujW1r5AfZC1d7
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/threats/configuration
+ user:
+ href: https://{yourOktaDomain}/api/v1/users/00ux3u0ujW1r5AfZC1d7
+ orgHideFooterPrefResponse:
+ summary: Hide footer response
+ value:
+ showEndUserFooter: false
+ _links:
+ showEndUserFooter:
+ href: https://{yourOktaDomain}/api/v1/org/preferences/showEndUserFooter
hints:
allow:
- - GET
- POST
- ThreatInsightUpdateRequestExample:
- summary: ThreatInsight update request
+ orgShowFooterPrefResponse:
+ summary: Show footer response
value:
- action: audit
- excludeZones:
- - nzo1q7jEOsoCnoKcj0g4
- - nzouagptWUz5DlLfM0g3
- ThreatInsightUpdateResponseExample:
- summary: ThreatInsight update response
+ showEndUserFooter: true
+ _links:
+ hideEndUserFooter:
+ href: https://{yourOktaDomain}/api/v1/org/preferences/hideEndUserFooter
+ hints:
+ allow:
+ - POST
+ orgSupportSettingsResponse:
+ summary: Org Support Settings
value:
- action: audit
- excludeZones:
- - nzo1q7jEOsoCnoKcj0g4
- - nzouagptWUz5DlLfM0g3
- created: '2020-08-05T22:18:30.629Z'
- lastUpdated: '2020-10-13T21:23:10.178Z'
+ support: ENABLED
+ expiration: '2024-01-24T11:13:14.000Z'
_links:
- self:
- href: https://{yourOktaDomain}/api/v1/threats/configuration
+ extend:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/extend
hints:
allow:
- - GET
- POST
- TriggerSessionResponse:
+ revoke:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/revoke
+ hints:
+ allow:
+ - POST
+ orgSupportSettingsRevokeResponse:
+ summary: Revoked Org Support
value:
- - id: uij4ri8ZLk0ywyqxB0g4
- identitySourceId: 0oa3l6l6WK6h0R0QW0g4
- status: TRIGGERED
- importType: INCREMENTAL
- created: 2022-04-04T15:56:05.000Z
- lastUpdated: 2022-05-05T18:15:44.000Z
- UpdateAppFeatureRequestEx:
- summary: Update app Feature request
+ support: DISABLED
+ expiration: null
+ _links:
+ grant:
+ href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/grant
+ hints:
+ allow:
+ - POST
+ password-policy-response:
+ summary: PASSWORD
value:
- create:
- lifecycleCreate:
- status: ENABLED
- update:
- lifecycleDeactivate:
- status: ENABLED
- profile:
- status: ENABLED
+ type: PASSWORD
+ id: policyId
+ status: ACTIVE
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions:
+ people:
+ groups:
+ include:
+ - groupId
+ authProvider:
+ provider: provider
+ settings:
password:
- status: ENABLED
- seed: RANDOM
- change: CHANGE
- UpdateAppFeatureResponseEx:
- summary: Update app Feature response
- value:
- name: USER_PROVISIONING
- status: ENABLED
- description: User provisioning settings from Okta to a downstream application
- capabilities:
- create:
- lifecycleCreate:
- status: ENABLED
- update:
- lifecycleDeactivate:
- status: ENABLED
- profile:
- status: ENABLED
- password:
- status: ENABLED
- seed: RANDOM
- change: CHANGE
+ complexity:
+ minLength: 8
+ minLowerCase: 1
+ minUpperCase: 1
+ minNumber: null
+ minSymbol: 0
+ excludeUsername: true
+ dictionary:
+ common:
+ exclude: false
+ excludeAttributes: []
+ age:
+ maxAgeDays: 0
+ expireWarnDays: 0
+ minAgeMinutes: 0
+ historyCount: 4
+ lockout:
+ maxAttempts: 0
+ autoUnlockMinutes: 0
+ userLockoutNotificationChannels: []
+ showLockoutFailures: false
+ recovery:
+ factors:
+ recovery_question:
+ status: ACTIVE
+ properties:
+ complexity:
+ complexity: 4
+ okta_email:
+ status: ACTIVE
+ properties:
+ recoveryToken:
+ tokenLifetimeMinutes: 10080
+ okta_sms:
+ status: INACTIVE
+ okta_call:
+ status: INACTIVE
+ delegation:
+ options:
+ skipUnlock: false
_links:
self:
- href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
hints:
allow:
- GET
- PUT
- UpdateBrandRequest:
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
+ hints:
+ allow:
+ - POST
+ - GET
+ policy-mapping-list-response:
+ summary: List all Mappings for a policy
value:
- customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy
- agreeToCustomPrivacyPolicy: true
- removePoweredByOkta: true
- name: New Name For Brand
- emailDomainId: OeD114iNkrcN6aR680g4
- locale: en
- defaultApp:
- appInstanceId: 0oa114iNkrcN6aR680g4
- appLinkName: null
- classicApplicationUri: null
- UpdateBrandResponse:
+ - id: policyId
+ _links:
+ application:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ policy:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ policy-mapping-response:
+ summary: Policy Mapping for a Policy
value:
- id: bnd114iNkrcN6aR680g4
- removePoweredByOkta: true
- agreeToCustomPrivacyPolicy: true
- name: New Name For Brand
- isDefault: true
- customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy
- emailDomainId: OeD114iNkrcN6aR680g4
- defaultApp:
- appInstanceId: 0oa114iNkrcN6aR680g4
- appLinkName: null
- classicApplicationUri: null
- locale: en
+ id: policyId
_links:
+ application:
+ href: https://{yourOktaDomain}/api/v1/apps/{appId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
self:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId}
hints:
allow:
- GET
- PUT
- DELETE
- themes:
- href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes
+ policy:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
hints:
allow:
- GET
- UpdateEmailDomainRequest:
- value:
- displayName: IT Admin
- userName: noreply
- UpdateMappingBody:
- summary: Update an existing profile mapping by updating one or more properties
+ - PUT
+ - DELETE
+ postAPIServiceIntegrationRequest:
value:
- properties:
- nickName:
- expression: user.honorificPrefix + user.displayName
- pushStatus: DONT_PUSH
- UpdateMappingResponse:
- summary: Update an existing profile mapping by updating one or more properties
+ type: my_app_cie
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
+ postAPIServiceIntegrationResponse:
+ summary: Post response example
value:
- id: prm1k47ghydIQOTBW0g4
- source:
- id: otysbePhQ3yqt4cVv0g3
- name: user
- type: user
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3
- target:
- id: 0oa1qmn4LZQQEH0wZ0g4
- name: okta_org2org
- type: appuser
- _links:
- self:
- href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default
- properties:
- fullName:
- expression: user.firstName + user.lastName
- pushStatus: PUSH
- nickName:
- expression: user.honorificPrefix + user.displayName
- pushStatus: DONT_PUSH
+ id: 0oa72lrepvp4WqEET1d9
+ type: my_app_cie
+ name: My App Cloud Identity Engine
+ createdAt: '2023-02-21T20:08:24.000Z'
+ createdBy: 00uu3u0ujW1P6AfZC2d5
+ clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg
+ configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
+ grantedScopes:
+ - okta.logs.read
+ - okta.groups.read
+ - okta.users.read
_links:
self:
- href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4
- UpdateUserTypePostRequest:
- summary: Update user type request
- value:
- displayName: Updated Display Name
- UpdateUserTypePostResponse:
- summary: Update user type response
+ href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ - DELETE
+ client:
+ href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
+ hints:
+ allow:
+ - GET
+ logo:
+ name: small
+ href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
+ profile-enrollment-policy-response:
+ summary: PROFILE_ENROLLMENT
value:
- id: otyfnly5cQjJT9PnR0g4
- displayName: Updated Display Name
- name: newUserType
- description: A new custom user type
- createdBy: sprz9fj1ycBcsgopy1d6
- lastUpdatedBy: sprz9fj1ycBcsgopy1d6
- created: '2021-07-05T20:40:38.000Z'
- lastUpdated: '2021-07-05T20:40:38.000Z'
- default: false
+ type: PROFILE_ENROLLMENT
+ id: policyId
+ status: ACTIVE
+ name: Policy name
+ description: Policy description
+ priority: 1
+ system: true
+ created: createdDate
+ lastUpdated: lastUpdated
+ conditions: null
_links:
self:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- schema:
- href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6
- UpdatedEmailDomainResponse:
- value:
- id: OeD114iNkrcN6aR680g4
- validationStatus: NOT_STARTED
- displayName: IT Admin
- userName: noreply
- domain: example.com
- dnsValidationRecords:
- - recordType: TXT
- fqdn: _oktaverification.example.com
- verificationValue: 759080212bda43e3bc825a7d73b4bb64
- - recordType: CNAME
- fqdn: mail.example.com
- verificationValue: u22224444.wl024.sendgrid.net
- - recordType: CNAME
- fqdn: t02._domainkey.example.com
- verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
- - recordType: CNAME
- fqdn: t022._domainkey.example.com
- verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
- UserSchemaAddRequest:
- value:
- definitions:
- custom:
- id: '#custom'
- type: object
- properties:
- twitterUserName:
- title: Twitter username
- description: Twitter Username
- type: string
- required: false
- minLength: 1
- maxLength: 20
- permissions:
- - principal: SELF
- action: READ_WRITE
- required: []
- UserSchemaResponse:
- value:
- id: https://{yourOktaDomain}/meta/schemas/user/default
- $schema: http://json-schema.org/draft-04/schema#
- name: user
- title: Default Okta User
- lastUpdated: '2015-09-05T10:40:45.000Z'
- created: '2015-02-02T10:27:36.000Z'
- definitions:
- base:
- id: '#base'
- type: object
- properties:
- login:
- title: Username
- type: string
- required: true
- minLength: 5
- maxLength: 100
- permissions:
- - principal: SELF
- action: READ_WRITE
- firstName:
- title: First name
- type: string
- required: true
- minLength: 1
- maxLength: 50
- permissions:
- - principal: SELF
- action: READ_WRITE
- lastName:
- title: Last name
- type: string
- required: true
- minLength: 1
- maxLength: 50
- permissions:
- - principal: SELF
- action: READ_WRITE
- email:
- title: Primary email
- type: string
- required: true
- format: email
- permissions:
- - principal: SELF
- action: READ_WRITE
- required:
- - login
- - firstName
- - lastName
- - email
- custom:
- id: '#custom'
- type: object
- properties:
- twitterUserName:
- title: Twitter username
- description: User's username for twitter.com
- type: string
- required: false
- minLength: 1
- maxLength: 20
- permissions:
- - principal: SELF
- action: READ_WRITE
- required: []
- type: object
- properties:
- profile:
- allOf:
- - $ref: '#/definitions/base'
- - $ref: '#/definitions/custom'
- VerifiedEmailDomainResponse:
- value:
- id: OeD114iNkrcN6aR680g4
- validationStatus: VERIFIED
- displayName: IT Admin
- userName: noreply
- domain: example.com
- dnsValidationRecords:
- - recordType: TXT
- fqdn: _oktaverification.example.com
- verificationValue: 759080212bda43e3bc825a7d73b4bb64
- - recordType: CNAME
- fqdn: mail.example.com
- verificationValue: u22224444.wl024.sendgrid.net
- - recordType: CNAME
- fqdn: t02._domainkey.example.com
- verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
- - recordType: CNAME
- fqdn: t022._domainkey.example.com
- verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net
- WellKnownOrgMetadataResponseClassic:
- value:
- id: 00o5rb5mt2H3d1TJd0h7
- _links:
- organization:
- href: https://{{yourOktaDomain}}
- pipeline: v1
- settings:
- analyticsCollectionEnabled: false
- bugReportingEnabled: true
- omEnabled: true
- WellKnownOrgMetadataResponseCustomUrlOie:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ rules:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules
+ hints:
+ allow:
+ - POST
+ - GET
+ radius-rule:
+ summary: Global session policy - Challenge VPN users with Radius
+ description: This global session policy uses a rule to challenge VPN users with Radius
value:
- id: 00o47wwoytgsDqEtz0g7
- _links:
- organization:
- href: https://{{yourSubdomain}}.okta.com
- alternate:
- href: https://{{yourCustomDomain}}
- pipeline: idx
- settings:
- analyticsCollectionEnabled: false
- bugReportingEnabled: true
- omEnabled: false
- activeAPIServiceIntegrationInstanceSecretResponse:
- summary: Activate Secret response example
+ type: SIGN_ON
+ status: ACTIVE
+ name: Challenge VPN users
+ conditions:
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: RADIUS
+ people:
+ users:
+ exclude: []
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ radius-rule-response:
+ summary: Global session policy - Challenge VPN users with Radius
+ description: The response body from the creation of a global session policy that uses a rule to challenge VPN users with Radius
value:
- id: ocs2f50kZB0cITmYU0g4
+ id: rule8jjozjGMGbHyC1d6
status: ACTIVE
- client_secret: '***MQGQ'
- secret_hash: 0WOOvBSzV9clc4Nr7Rbaug
- created: '2023-04-06T21:32:33.000Z'
- lastUpdated: '2023-04-06T21:32:33.000Z'
+ type: SIGN_ON
+ name: Challenge VPN users
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ network:
+ connection: ANYWHERE
+ authContext:
+ authType: RADIUS
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: true
+ factorPromptMode: ALWAYS
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
_links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
deactivate:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- - POST
- inactiveAPIServiceIntegrationInstanceSecretResponse:
- summary: Deactivate Secret response example
+ - GET
+ - PUT
+ - DELETE
+ replace-user-request:
value:
- id: ocs2f4zrZbs8nUa7p0g4
- status: INACTIVE
- client_secret: '***DhOW'
- secret_hash: yk4SVx4sUWVJVbHt6M-UPA
- created: '2023-02-21T20:08:24.000Z'
- lastUpdated: '2023-02-21T20:08:24.000Z'
+ credentials:
+ password:
+ value: tlpWENT2m
+ recovery_question:
+ question: Who's a major player in the cowboy scene?
+ answer: Annie Oakley
+ provider:
+ type: OKTA
+ name: OKTA
+ profile:
+ firstName: Isaac
+ lastName: Brock
+ email: isaac.brock@example.com
+ login: isaac.brock@example.com
+ mobilePhone: 555-415-1337
+ settingsResponseBaseEx:
+ value:
+ notifications:
+ vpn:
+ network:
+ connection: DISABLED
+ message: null
+ helpUrl: null
+ manualProvisioning: false
+ implicitAssignment: false
+ notes:
+ admin: null
+ enduser: null
+ sign-on-policy-rule:
+ summary: Sign-on policy - Rule with factor mode always
+ description: Sign-on policy rule with a factor mode always
+ value:
+ type: SIGN_ON
+ name: Test Sign On
+ conditions:
+ network:
+ connection: ANYWHERE
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ requireFactor: false
+ factorPromptMode: ALWAYS
+ factorLifetime: 15
+ access: ALLOW
+ session:
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ usePersistentCookie: false
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ sign-on-policy-rule-response:
+ summary: Sign-on policy - Rule with factor mode always
+ description: Sign-on policy rule with a factor mode always
+ value:
+ type: SIGN_ON
+ name: Test Sign On
+ id: 0prh1sd28q5sXGW08697
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ status: ACTIVE
+ conditions:
+ network:
+ connection: ANYWHERE
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ authContext:
+ authType: ANY
+ people:
+ users:
+ exclude: []
+ actions:
+ signon:
+ requireFactor: false
+ factorPromptMode: ALWAYS
+ factorLifetime: 15
+ access: ALLOW
+ session:
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ usePersistentCookie: false
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
_links:
- activate:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- - POST
- delete:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
+ - GET
+ - PUT
- DELETE
- newAPIServiceIntegrationInstanceSecretResponse:
- summary: New secret response example
+ skip-factor-challenge-on-prem-rule:
+ summary: Global session policy - Skip factor challenge for on-prem sign-in use
+ description: This global session policy uses a rule to skip factor challenge for on-prem sign-in use
value:
- id: ocs2f50kZB0cITmYU0g4
+ type: SIGN_ON
status: ACTIVE
- client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B
- secret_hash: FpCwXwSjTRQNtEI11I00-g
- created: '2023-04-06T21:32:33.000Z'
- lastUpdated: '2023-04-06T21:32:33.000Z'
+ name: Skip Factor Challenge when On-Prem
+ conditions:
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: false
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ skip-factor-challenge-on-prem-rule-response:
+ summary: Global session policy - Skip factor challenge for on-prem sign-in use
+ description: The response body from the creation of a global session policy that uses a rule to skip the factor challenge for on-prem sign-in use
+ value:
+ id: rule8jjozjGMGbHyC1d6
+ status: ACTIVE
+ name: Skip Factor Challenge when On-Prem
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ network:
+ connection: ZONE
+ include:
+ - 00u7yq5goxNFTiMjW1d7
+ authContext:
+ authType: ANY
+ people:
+ users:
+ exclude: []
+ risk:
+ behaviors: []
+ riskScore:
+ level: ANY
+ identityProvider:
+ provider: ANY
+ actions:
+ signon:
+ access: ALLOW
+ requireFactor: false
+ primaryFactor: PASSWORD_IDP_ANY_FACTOR
+ rememberDeviceByDefault: false
+ session:
+ usePersistentCookie: false
+ maxSessionIdleMinutes: 720
+ maxSessionLifetimeMinutes: 0
+ type: SIGN_ON
_links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
deactivate:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- - POST
- postAPIServiceIntegrationRequest:
+ - GET
+ - PUT
+ - DELETE
+ sspr-enabled-OAMP:
+ summary: Password policy - SSPR with Okta account management policy
+ description: This policy defers to the Okta account management policy to define SSPR authentication requirements.
value:
- type: my_app_cie
- grantedScopes:
- - okta.logs.read
- - okta.groups.read
- - okta.users.read
- postAPIServiceIntegrationResponse:
- summary: Post response example
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ accessControl: AUTH_POLICY
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-OAMP-response:
+ summary: Password policy - SSPR with access control set to Okta account management policy
value:
- id: 0oa72lrepvp4WqEET1d9
- type: my_app_cie
- name: My App Cloud Identity Engine
- createdAt: '2023-02-21T20:08:24.000Z'
- createdBy: 00uu3u0ujW1P6AfZC2d5
- clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg
- configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide
- grantedScopes:
- - okta.logs.read
- - okta.groups.read
- - okta.users.read
+ id: ruleId
_links:
self:
- href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- GET
+ - PUT
- DELETE
- client:
- href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
hints:
allow:
- - GET
- logo:
- name: small
- href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo
+ - POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ accessControl: AUTH_POLICY
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ sspr-enabled-OAMP-update:
+ summary: Password policy - SSPR with Okta account management policy
+ description: This policy defers to the Okta account management policy to define SSPR authentication requirements.
+ value:
+ id: ruleId
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ accessControl: AUTH_POLICY
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-no-step-up:
summary: Password policy - SSPR with no step up
description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required.
@@ -21282,7 +45222,6 @@ components:
summary: Password policy - SSPR with no step up
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-no-step-up/value'
_links:
self:
href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
@@ -21296,15 +45235,64 @@ components:
hints:
allow:
- POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-no-step-up-update:
summary: Password policy - SSPR with no step up
description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators with no secondary authentication required.
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-no-step-up/value'
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - sms
+ - email
+ stepUp:
+ required: false
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-sq-step-up:
- summary: Password policy - SSPR with security question as step up
- description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question.
+ summary: Password policy - SSPR with security question as step-up auth
+ description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are the initial authenticators, and the secondary authentication is a security question.
value:
name: SSPR Rule
priority: 1
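Review bot: The summary and description of `sspr-enabled-sq-step-up` are reworded to "step-up auth" and "the initial authenticators", but the sibling `sspr-enabled-sq-step-up-response` and `sspr-enabled-sq-step-up-update` examples keep the previous wording, so the three related examples now read inconsistently in the rendered reference. Either apply the same edit to both siblings or leave the base example's text as it was.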
@@ -21337,7 +45325,6 @@ components:
summary: Password policy - SSPR with security question as step up
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-sq-step-up/value'
_links:
self:
href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
@@ -21351,12 +45338,65 @@ components:
hints:
allow:
- POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ methods:
+ - security_question
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-sq-step-up-update:
summary: Password policy - SSPR with security question as step up
description: This password policy permits self-service password change, reset, and unlock. Phone SMS and Okta Verify push are initial authenticators, and the secondary authentication is a security question.
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-sq-step-up/value'
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ methods:
+ - security_question
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-sso-step-up:
summary: Password policy - SSPR with any SSO authenticator as step up
description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator.
@@ -21390,7 +45430,6 @@ components:
summary: Password policy - SSPR with any SSO authenticator as step up
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-sso-step-up/value'
_links:
self:
href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
@@ -21404,12 +45443,61 @@ components:
hints:
allow:
- POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-sso-step-up-update:
summary: Password policy - SSPR with any SSO authenticator as step up
description: This password policy permits self-service password change, reset, and unlock. Phone SMS or email are initial authenticators. The step-up authentication required is any active SSO authenticator.
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-sso-step-up/value'
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-sso-step-up-with-constraints:
summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint
description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google.
@@ -21449,27 +45537,487 @@ components:
summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints/value'
_links:
self:
- href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}
hints:
allow:
- GET
- PUT
- DELETE
deactivate:
- href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
hints:
allow:
- POST
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ - otp
+ methodConstraints:
+ - method: otp
+ allowedAuthenticators:
+ - key: google_otp
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
sspr-enabled-sso-step-up-with-constraints-update:
summary: Password policy - Enable SSPR with OTP enabled and Google authenticator constraint
description: This password policy permits self-service password change, reset, and unlock. Okta Verify push, Phone SMS, or Google OTP are initial authenticators. The secondary authentication required is any SSO authenticator. The `methodConstraints` property limits OTP authenticators to Google.
value:
id: ruleId
- $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints/value'
+ name: SSPR Rule
+ priority: 1
+ status: ACTIVE
+ conditions:
+ people:
+ users:
+ exclude: []
+ network:
+ connection: ANYWHERE
+ actions:
+ passwordChange:
+ access: ALLOW
+ selfServicePasswordReset:
+ access: ALLOW
+ requirement:
+ primary:
+ methods:
+ - push
+ - sms
+ - otp
+ methodConstraints:
+ - method: otp
+ allowedAuthenticators:
+ - key: google_otp
+ stepUp:
+ required: true
+ selfServiceUnlock:
+ access: ALLOW
+ system: false
+ type: PASSWORD
+ streamConfigurationExample:
+ summary: SSF Stream configuration example
+ value:
+ aud: https://example.com
+ delivery:
+ method: urn:ietf:rfc:8935
+ endpoint_url: https://example.com
+ events_delivered:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_requested:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_supported:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ format: iss_sub
+ iss: https://{yourOktaDomain}
+ min_verification_interval: 0
+ stream_id: esc1k235GIIztAuGK0g5
+ twofa-enabled-disallow-password-allow-phishing:
+ summary: Authentication policy - 2FA with granular authentication
+ description: This two-factor authentication policy uses a rule to disallow passwords and require phishing resistance for possession authenticators for authentication.
+ value:
+ name: Passwordless 2FA
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ possession:
+ deviceBound: REQUIRED
+ phishingREsistant: REQUIRED
+ type: ACCESS_POLICY
+ twofa-enabled-disallow-password-allow-phishing-response:
+ summary: Authentication policy - 2FA with granular authentication
+ description: The rule from a two-factor authentication policy that disallows passwords and requires phishing resistance
+ value:
+ id: rul7yut96gmsOzKAA1d6
+ status: ACTIVE
+ name: Passwordless 2FA
+ priority: 0
+ created: '2023-05-01T21:13:15.000Z'
+ lastUpdated: '2023-05-01T21:13:15.000Z'
+ system: false
+ conditions: null
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ required: false
+ possession:
+ deviceBound: REQUIRED
+ phishingREsistant: REQUIRED
+ required: true
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ twofa-enabled-post-auth-kmsi-disabled:
+ summary: Authentication policy - 2FA with granular authentication (KMSI disabled)
+ description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication.
+ value:
+ name: 2FA with Post Auth KMSI prompt disabled
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ keepMeSignedIn:
+ postAuth: NOT_ALLOWED
+ type: ACCESS_POLICY
+ twofa-enabled-post-auth-kmsi-disabled-response:
+ summary: Authentication policy - 2FA with granular authentication (KMSI disabled)
+ description: This two-factor authentication policy uses a rule that doesn't prompt the user to stay signed in post-authentication.
+ value:
+ id: rul7yut96gmsOzKAA1d6
+ status: ACTIVE
+ name: 2FA with Post Auth KMSI prompt disabled
+ priority: 0
+ created: '2023-05-01T21:13:15.000Z'
+ lastUpdated: '2023-05-01T21:13:15.000Z'
+ system: false
+ conditions: null
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ required: true
+ keepMeSignedIn:
+ postAuth: NOT_ALLOWED
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ twofa-enabled-post-auth-kmsi-enabled:
+ summary: Authentication policy - 2FA with granular authentication (KMSI enabled)
+ description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication.
+ value:
+ name: 2FA with Post Auth KMSI prompt enabled
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ keepMeSignedIn:
+ postAuth: ALLOWED
+ postAuthPromptFrequency: P30D
+ twofa-enabled-post-auth-kmsi-enabled-response:
+ summary: Authentication policy - 2FA with granular authentication (KMSI enabled)
+ description: This two-factor authentication policy uses a rule to prompt the user to stay signed in post authentication.
+ value:
+ id: rul7yut96gmsOzKAA1d6
+ status: ACTIVE
+ name: 2FA with Post Auth KMSI prompt enabled
+ priority: 0
+ created: '2023-05-01T21:13:15.000Z'
+ lastUpdated: '2023-05-01T21:13:15.000Z'
+ system: false
+ conditions: null
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT0S
+ constraints:
+ knowledge:
+ excludedAuthenticationMethods:
+ key: okta_password
+ required: true
+ keepMeSignedIn:
+ postAuth: ALLOWED
+ postAuthPromptFrequency: PT720H
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
+ hints:
+ allow:
+ - POST
+ update-auth-policy-rule-condition:
+ summary: Authentication policy - Update rule with conditions
+ description: Updates the conditions object on the request body of an authentication policy rule.
+ value:
+ type: ACCESS_POLICY
+ name: Rule with conditions - exclude a group
+ description: Updated policy rule
+ conditions:
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ network:
+ connection: ZONE
+ exclude:
+ - nzo9o4rctwQCJNE6y1d7
+ riskScore:
+ level: ANY
+ people:
+ users:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ include: []
+ groups:
+ include: []
+ exclude:
+ - 00g8vta8qzkxPEfKC1d7
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ update-auth-policy-rule-condition-response:
+ summary: Authentication policy - Update rule with conditions
+ description: The response body from an updated conditions object of an authentication policy rule.
+ value:
+ id: rulezuo73ySrHndLb1d7
+ status: ACTIVE
+ name: Rule with conditions - exclude a group
+ priority: 0
+ created: '2024-04-25T17:35:02.000Z'
+ lastUpdated: '2024-04-25T17:35:02.000Z'
+ system: false
+ conditions:
+ people:
+ users:
+ exclude: []
+ groups:
+ exclude:
+ - 00u7yq5goxNFTiMjW1d7
+ network:
+ connection: ZONE
+ exclude:
+ - nzo9o4rctwQCJNE6y1d7
+ platform:
+ include:
+ - type: MOBILE
+ os:
+ type: IOS
+ - type: MOBILE
+ os:
+ type: ANDROID
+ - type: DESKTOP
+ os:
+ type: MACOS
+ exclude: []
+ riskScore:
+ level: ANY
+ userType:
+ include: []
+ exclude:
+ - otyezu4m0xN6w5JEa1d7
+ elCondition:
+ condition: security.risk.level == 'HIGH'
+ actions:
+ appSignOn:
+ access: ALLOW
+ verificationMethod:
+ factorMode: 2FA
+ type: ASSURANCE
+ reauthenticateIn: PT2H
+ constraints:
+ knowledge:
+ required: true
+ types:
+ - password
+ reauthenticateIn: PT2H
+ type: ACCESS_POLICY
+ _links:
+ self:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ deactivate:
+ href: https://sampleorg.okta.com/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6
+ hints:
+ allow:
+ - GET
+ - PUT
+ - DELETE
+ update-user-profile-request:
+ value:
+ profile:
+ firstName: Isaac
+ email: isaac.brock@update.example.com
+ mobilePhone: 555-415-1337
+ update-user-set-password-request:
+ value:
+ credentials:
+ password:
+ value: uTVM,TPw55
+ update-user-set-recovery-question-and-answer:
+ value:
+ credentials:
+ recovery_question:
+ question: How many roads must a man walk down?
+ answer: forty two
+ user-example:
+ summary: User example
+ value:
+ id: 00ub0oNGTSWTBKOLGLNR
+ status: ACTIVE
+ created: '2013-06-24T16:39:18.000Z'
+ activated: '2013-06-24T16:39:19.000Z'
+ statusChanged: '2013-06-24T16:39:19.000Z'
+ lastLogin: '2013-06-24T17:39:19.000Z'
+ lastUpdated: '2013-07-02T21:36:25.344Z'
+ passwordChanged: '2013-07-02T21:36:25.344Z'
+ profile:
+ login: isaac.brock@example.com
+ firstName: Isaac
+ lastName: Brock
+ nickName: issac
+ displayName: Isaac Brock
+ email: isaac.brock@example.com
+ secondEmail: isaac@example.org
+ profileUrl: http://www.example.com/profile
+ preferredLanguage: en-US
+ userType: Employee
+ organization: Okta
+ title: Director
+ division: R&D
+ department: Engineering
+ costCenter: '10'
+ employeeNumber: '187'
+ mobilePhone: +1-555-415-1337
+ primaryPhone: +1-555-514-1337
+ streetAddress: 301 Brannan St.
+ city: San Francisco
+ state: CA
+ zipCode: '94107'
+ countryCode: US
+ credentials:
+ password: {}
+ recovery_question:
+ question: What's my childhood elementary school?
+ provider:
+ type: OKTA
+ name: OKTA
+ _links:
+ self:
+ href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA
+ userNameTemplateResponseBaseEx:
+ value:
+ userNameTemplate:
+ template: ${source.email}
+ type: BUILT_IN
+ wellKnownSSFMetadataExample:
+ summary: Well-Known SSF Metadata example
+ value:
+ configuration_endpoint: https://{yourOktaDomain}/api/v1/ssf/stream
+ delivery_methods_supported:
+ - https://schemas.openid.net/secevent/risc/delivery-method/push
+ - urn:ietf:rfc:8935
+ issuer: https://{yourOktaDomain}
+ jwks_uri: https://{yourOktaDomain}/oauth2/v1/keys
parameters:
+ OktaResponse:
+ name: Content-Type
+ in: header
+ description: |-
+ Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization.
+
+ Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.
+
+ Enum values for `okta-response`:
+ * `omitCredentials`: Omits the credentials subobject from the response.
+ * `omitCredentialsLinks`: Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock.
+ * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response.
+ required: false
+ schema:
+ type: string
+ examples:
+ Omit credentials subobject and credentials links:
+ value: application/json; okta-response=omitCredentials,omitCredentialsLinks
+ summary: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization.
+ Omit credentials, credentials links, and `transitioningToStatus` field:
+ value: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus"
+ summary: Omits the credentials, credentials links, and `transitioningToStatus` field from the response. Applies performance optimization.
UISchemaId:
name: id
description: The unique ID of the UI Schema
@@ -21478,6 +46026,54 @@ components:
schema:
type: string
example: uis4a7liocgcRgcxZ0g7
+ appInstanceId:
+ name: appInstanceId
+ in: path
+ description: ID of the AD AppInstance in Okta
+ schema:
+ type: string
+ required: true
+ assignmentId:
+ name: assignmentId
+ description: '`id` of the Realm Assignment'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: rul2jy7jLUlnO3ng00g4
+ authenticatorEnrollmentId:
+ name: authenticatorEnrollmentId
+ in: path
+ required: true
+ description: ID for a WebAuthn Preregistration Factor in Okta
+ schema:
+ type: string
+ domain:
+ name: domain
+ in: path
+ description: The okta domain name of your org or one of your custom domains
+ required: true
+ schema:
+ type: string
+ inlineHookType:
+ name: type
+ description: One of the supported inline hook types
+ in: query
+ schema:
+ type: string
+ enum:
+ - com.okta.import.transform
+ - com.okta.oauth2.tokens.transform
+ - com.okta.saml.tokens.transform
+ - com.okta.user.credential.password.import
+ - com.okta.user.pre-registration
+ - com.okta.telephony.provider
+ limitParameter:
+ name: limit
+ in: query
+ schema:
+ type: string
+ description: Defines the number of policy rules returned. See [Pagination](https://developer.okta.com/docs/api/#pagination).
pathApiServiceId:
name: apiServiceId
in: path
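Review bot: `limitParameter` is declared with `schema: type: string` although its description says it defines the number of policy rules returned; a string schema lets generated clients and validators pass non-numeric values through, so `type: integer` (with `minimum`/`maximum` bounds if the service enforces them) would document the contract accurately. `inlineHookType` also introduces an inline `enum` block into a file whose name (`management-noEnums.yaml`) suggests enums are stripped; if that naming is deliberate, the allowed values belong in the description instead, and the same applies to the `pathContactType` enum added further down.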
@@ -21496,7 +46092,7 @@ components:
description: id of the API Token
pathAppId:
name: appId
- description: ID of the Application
+ description: Application ID
in: path
required: true
schema:
@@ -21504,11 +46100,20 @@ components:
example: 0oafxqCAJWWGELFTYASJ
pathAppName:
name: appName
+ description: Application name for the app type
in: path
required: true
schema:
type: string
example: oidc_client
+ pathAppUserId:
+ name: userId
+ description: ID of an existing Okta user
+ in: path
+ required: true
+ schema:
+ type: string
+ example: 00u13okQOVWZJGDOAUVR
pathAssociatedServerId:
name: associatedServerId
description: '`id` of the associated Authorization Server'
@@ -21548,6 +46153,14 @@ components:
schema:
type: string
description: The ID of the brand
+ pathBundleId:
+ name: bundleId
+ in: path
+ schema:
+ type: string
+ example: 08ab2db568c7c300079fefd0
+ required: true
+ description: The `id` of a bundle
pathCaptchaId:
name: captchaId
in: path
@@ -21571,12 +46184,33 @@ components:
schema:
type: string
example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
+ pathClientSecretId:
+ name: secretId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: Unique `id` of the OAuth 2.0 Client Secret
+ example: ocs2f4zrZbs8nUa7p0g4
pathContactType:
name: contactType
in: path
required: true
schema:
type: string
+ description: Type of contact
+ enum:
+ - BILLING
+ - TECHNICAL
+ example: BILLING
+ pathCredentialKeyId:
+ name: keyId
+ description: '`id` of the certificate key'
+ in: path
+ required: true
+ schema:
+ type: string
+ example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk
pathCsrId:
name: csrId
description: '`id` of the CSR'
@@ -21596,7 +46230,14 @@ components:
in: path
name: deviceAssuranceId
required: true
- description: Id of the Device Assurance Policy
+ description: Id of the device assurance policy
+ schema:
+ type: string
+ pathDeviceCheckId:
+ in: path
+ name: deviceCheckId
+ required: true
+ description: Id of the Device Check
schema:
type: string
pathDeviceId:
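Review bot: The same hunk lowercases "Device Assurance Policy" to `Id of the device assurance policy` and then adds `Id of the Device Check` in title case two lines later, so the two neighbouring parameter descriptions follow different capitalization rules. Pick one style for resource names in these descriptions, e.g. `description: Id of the device check`.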
@@ -21628,7 +46269,15 @@ components:
required: true
schema:
type: string
- description: The ID of the email SMTP Server
+ description: ID of your SMTP Server configuration
+ pathEntitlementId:
+ name: entitlementId
+ in: path
+ schema:
+ type: string
+ example: 0obfxqCAJWWGELFTYASJ
+ required: true
+ description: The `id` of a bundle entitlement
pathEventHookId:
name: eventHookId
description: '`id` of the Event Hook'
@@ -21636,10 +46285,10 @@ components:
required: true
schema:
type: string
- example: YTDQbItFfFuy9RdHrvly
+ example: who8vt36qfNpCGz9H1e6
pathFactorId:
name: factorId
- description: '`id` of the Factor'
+ description: ID of an existing user Factor
in: path
required: true
schema:
@@ -21647,7 +46296,7 @@ components:
example: zAgrsaBe0wVGRugDYtdv
pathFeatureId:
name: featureId
- description: '`id` of the Feature'
+ description: '`id` of the feature'
in: path
required: true
schema:
@@ -21658,12 +46307,22 @@ components:
description: Name of the Feature
in: path
required: true
+ schema:
+ $ref: '#/components/schemas/ApplicationFeatureType'
+ pathFirstPartyAppName:
+ name: appName
+ description: |
+ The key name for the Okta app.
+ Supported apps:
+ * Okta Admin Console (`admin-console`)
+ in: path
+ required: true
schema:
type: string
- example: USER_PROVISIONING
+ example: admin-console
pathGrantId:
name: grantId
- description: ID of the Grant
+ description: Grant ID
in: path
required: true
schema:
@@ -21686,23 +46345,34 @@ components:
type: string
example: 0pr3f7zMZZHPgUoWO0g4
pathHookKeyId:
- name: hookKeyId
- description: '`id` of the Hook Key'
+ name: id
+ description: ID of the Hook Key
in: path
required: true
schema:
type: string
example: XreKU5laGwBkjOTehusG
+ pathId:
+ name: id
+ description: '`id`, `login`, or `login shortname` (as long as it is unambiguous) of a user'
+ in: path
+ required: true
+ schema:
+ type: string
pathIdentitySourceId:
name: identitySourceId
in: path
required: true
+ description: The ID of the Identity Source for which the session is created
+ example: 0oa3l6l6WK6h0R0QW0g4
schema:
type: string
pathIdentitySourceSessionId:
name: sessionId
in: path
required: true
+ description: The ID of the Identity Source Session
+ example: aps1qqonvr2SZv6o70h8
schema:
type: string
pathIdpCsrId:
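Review bot: Renaming the `pathHookKeyId` parameter from `hookKeyId` to `id` changes the path template variable, so every operation that references `#/components/parameters/pathHookKeyId` must now use `{id}` in its path or the document fails OpenAPI validation; those operations are outside this hunk, so please confirm they were updated together. A generic `name: id` also collides with the new `pathId` parameter (user `id`/`login`) should both ever be referenced on one path, and it yields a less descriptive argument name in generated SDKs than `hookKeyId` did.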
@@ -21720,15 +46390,7 @@ components:
required: true
schema:
type: string
- example: SVHoAOh0l8cPQkVX1LRl
- pathIdpKeyId:
- name: idpKeyId
- description: '`id` of IdP Key'
- in: path
- required: true
- schema:
- type: string
- example: KmMo85SSsU7TZzOShcGb
+ example: 0oa62bfdjnK55Z5x80h7
pathInlineHookId:
name: inlineHookId
description: '`id` of the Inline Hook'
@@ -21737,6 +46399,14 @@ components:
schema:
type: string
example: Y7Rzrd4g4xj6WdKzrBHH
+ pathJsonWebKeyId:
+ name: keyId
+ in: path
+ schema:
+ type: string
+ required: true
+ description: Unique `id` of the OAuth 2.0 Client JSON Web Key
+ example: pks2f4zrZbs8nUa7p0g4
pathKeyId:
name: keyId
description: ID of the Key Credential for the application
@@ -21745,15 +46415,24 @@ components:
schema:
type: string
example: sjP9eiETijYz110VkhHN
+ pathKid:
+ name: kid
+ description: Unique `id` of the IdP Key Credential
+ in: path
+ required: true
+ schema:
+ type: string
+ example: KmMo85SSsU7TZzOShcGb
pathLifecycle:
name: lifecycle
- description: Whether to `enable` or `disable` the feature
+ description: Whether to `ENABLE` or `DISABLE` the feature
in: path
required: true
schema:
$ref: '#/components/schemas/FeatureLifecycle'
pathLinkedObjectName:
name: linkedObjectName
+ description: Primary or Associated name
in: path
required: true
schema:
@@ -21787,10 +46466,10 @@ components:
type: string
example: irb1qe6PGuMc7Oh8N0g4
required: true
- description: '`id` of a member'
+ description: '`id` of the Member'
pathMethodType:
name: methodType
- description: Type of the authenticator method
+ description: Type of authenticator method
in: path
required: true
schema:
@@ -21801,6 +46480,12 @@ components:
required: true
schema:
$ref: '#/components/schemas/NotificationType'
+ pathOAuthProvisioningAppName:
+ name: appName
+ in: path
+ required: true
+ schema:
+ $ref: '#/components/schemas/OAuthProvisioningEnabledApp'
pathOperation:
name: operation
in: path
@@ -21848,18 +46533,19 @@ components:
required: true
pathPrimaryRelationshipName:
name: primaryRelationshipName
+ description: Name of the `primary` relationship being assigned
in: path
required: true
schema:
type: string
+ example: manager
pathPrimaryUserId:
name: primaryUserId
- description: '`id` of primary User'
+ description: User ID to be assigned to the `primary` relationship for the `associated` user
in: path
required: true
schema:
type: string
- example: ctxeQ5JnAVdGFBB7Zr7W
pathPrincipalRateLimitId:
name: principalRateLimitId
in: path
@@ -21869,8 +46555,8 @@ components:
required: true
description: id of the Principal Rate Limit
pathPublicKeyId:
- name: publicKeyId
- description: '`id` of the Public Key'
+ name: keyId
+ description: id" of the Public Key
in: path
required: true
schema:
@@ -21883,6 +46569,20 @@ components:
description: Id of the push provider
schema:
type: string
+ pathQueryRoleExpand:
+ name: expand
+ description: 'An optional parameter used to return targets configured for the standard Role Assignment in the `embedded` property. Supported values: `targets/groups` or `targets/catalog/apps`'
+ in: query
+ required: false
+ schema:
+ type: string
+ examples:
+ groupTarget:
+ value: targets/groups
+ summary: Return Group targets
+ appTarget:
+ value: targets/catalog/apps
+ summary: Return App targets
pathRealmId:
name: realmId
description: '`id` of the Realm'
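Review bot: `pathQueryRoleExpand` is a query parameter (`in: query`) but carries the `path` prefix that every other path-only component uses; naming it `queryRoleExpand` would keep the component list consistent with `queryAfter`, `queryExpand` and friends. Its description also says the targets are returned in the `embedded` property, whereas the rest of the file documents that property as `_embedded`: `...return targets configured for the standard Role Assignment in the `_embedded` property...`.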
@@ -21893,10 +46593,18 @@ components:
example: vvrcFogtKCrK9aYq3fgV
pathRelationshipName:
name: relationshipName
+ description: Name of the `primary` or `associated` relationship being queried
in: path
required: true
schema:
type: string
+ examples:
+ manager:
+ value: manager
+ summary: Example of a `primary` name
+ subordinate:
+ value: subordinate
+ summary: Example of an `associated` name
pathResourceId:
name: resourceId
in: path
@@ -21904,15 +46612,23 @@ components:
type: string
example: ire106sQKoHoXXsAe0g4
required: true
- description: '`id` of a resource'
- pathResourceSetId:
- name: resourceSetId
+ description: '`id` of the Resource'
+ pathResourceSelectorId:
+ name: resourceSelectorId
+ in: path
+ schema:
+ type: string
+ example: rsl1hx31gVEa6x10v0g5
+ required: true
+ description: '`id` of a Resource Selector'
+ pathResourceSetIdOrLabel:
+ name: resourceSetIdOrLabel
in: path
schema:
type: string
example: iamoJDFKaJxGIr0oamd9g
required: true
- description: '`id` of a Resource Set'
+ description: '`id` or `label` the Resource Set'
pathRiskProviderId:
name: riskProviderId
in: path
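Review bot: The new `pathResourceSetIdOrLabel` description is missing a word: `'`id` or `label` the Resource Set'` should read `'`id` or `label` of the Resource Set'`. Because a label and an ID share one path segment, a label that happens to look like an ID is ambiguous; if the server resolves by `id` first, stating that here (as `pathId` does with its "as long as it is unambiguous" caveat) would spare callers a surprise.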
@@ -21921,9 +46637,17 @@ components:
example: 00rp12r4skkjkjgsn
required: true
description: '`id` of the Risk Provider object'
+ pathRoleAssignmentId:
+ name: roleAssignmentId
+ description: The `id` of the role assignment
+ in: path
+ required: true
+ schema:
+ type: string
+ example: JBCUYUC7IRCVGS27IFCE2SKO
pathRoleId:
name: roleId
- description: '`id` of the Role'
+ description: '`id` of the role'
in: path
required: true
schema:
@@ -21936,11 +46660,11 @@ components:
type: string
example: cr0Yq6IJxGIr0ouum0g3
required: true
- description: '`id` or `label` of the role'
+ description: '`id` or `label` of the Role'
pathRoleRef:
name: roleRef
in: path
- description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard Role Types](https://developer.okta.com/docs/concepts/role-assignment/#standard-role-types).
+ description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard Roles](/openapi/okta-management/guides/roles/#standard-roles).
required: true
schema:
oneOf:
@@ -21985,6 +46709,14 @@ components:
required: true
schema:
type: string
+ pathSecurityEventProviderId:
+ name: securityEventProviderId
+ in: path
+ schema:
+ type: string
+ example: sse1qg25RpusjUP6m0g5
+ required: true
+ description: '`id` of the Security Events Provider instance'
pathSessionId:
name: sessionId
description: '`id` of the Session'
@@ -21993,6 +46725,14 @@ components:
schema:
type: string
example: l7FbDVqS8zHSy65uJD85
+ pathSubmissionId:
+ name: submissionId
+ description: OIN Integration ID
+ in: path
+ required: true
+ schema:
+ type: string
+ example: acme_submissionapp_1
pathTargetGroupId:
name: targetGroupId
in: path
@@ -22032,7 +46772,7 @@ components:
example: sHHSth53yJAyNSTQKDJZ
pathTransactionId:
name: transactionId
- description: '`id` of the Transaction'
+ description: ID of an existing Factor verification transaction
in: path
required: true
schema:
@@ -22062,10 +46802,29 @@ components:
required: true
pathUserId:
name: userId
+ description: ID of an existing Okta user
in: path
required: true
schema:
type: string
+ example: 00ub0oNGTSWTBKOLGLNR
+ pathUserIdOrLogin:
+ name: userIdOrLogin
+ description: |-
+ If for the `self` link, the ID of the User for whom you want to get the primary User ID. If for the `associated` relation, the User ID or login value of the User assigned the associated relationship.
+
+ This can be `me` to represent the current session User.
+ in: path
+ required: true
+ schema:
+ type: string
+ examples:
+ manager:
+ value: 00u5zex6ztMbOZhF50h7
+ summary: Example ID of `primary`
+ subordinate:
+ value: 00u5zex6ztMbOZhF50h7
+ summary: Example ID of `associated`
pathZoneId:
name: zoneId
in: path
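Review bot: The two named examples on `pathUserIdOrLogin` (`manager` and `subordinate`) carry the identical value `00u5zex6ztMbOZhF50h7`, so they don't illustrate the distinction the description draws between the `self` ID case and the `associated` ID-or-login case; give the second one a different shape, e.g. `value: jane.doe@example.com` with `summary: Example login of `associated``. The description also allows `me` for the current session user, which none of the examples shows.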
@@ -22074,19 +46833,89 @@ components:
required: true
description: '`id` of the Network Zone'
example: nzowc1U5Jh5xuAK0o0g3
+ privilegedAccountId:
+ name: id
+ in: path
+ description: ID of an existing Privileged Account
+ required: true
+ schema:
+ type: string
+ privilegedResourceId:
+ name: id
+ in: path
+ description: ID of an existing privileged resource
+ required: true
+ schema:
+ type: string
queryAfter:
name: after
in: query
schema:
type: string
- description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information.
- queryExpand:
+ description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination).
+ queryAppAfter:
+ name: after
+ in: query
+ description: Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](/#pagination).
+ schema:
+ type: string
+ example: 16275000448691
+ queryAppGrantsExpand:
name: expand
in: query
- description: 'An optional parameter to include scope details in the `_embedded` attribute. Valid value: `scope`'
+ description: 'An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`'
schema:
type: string
example: scope
+ queryAppLimit:
+ name: limit
+ in: query
+ schema:
+ type: integer
+ format: int32
+ minimum: 1
+ maximum: 500
+ default: 50
+ description: |
+ Specifies the number of objects to return per page.
+ If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it).
+ See [Pagination](/#pagination).
+ queryAppUserExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional query parameter to return the corresponding [User](/openapi/okta-management/management/tag/User/) object in the `_embedded` property.
+ Valid value: `user`
+ schema:
+ type: string
+ example: user
+ queryAppUserQ:
+ name: q
+ in: query
+ schema:
+ type: string
+ example: sam
+ description: |
+ Specifies a filter for the list of Application Users returned based on their profile attributes.
+ The value of `q` is matched against the beginning of the following profile attributes: `userName`, `firstName`, `lastName`, and `email`.
+ This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the attribute values.
+ > **Note:** For OIDC apps, user profiles don't contain the `firstName` or `lastName` attributes. Therefore, the query only matches against the `userName` or `email` attributes.
+ queryAppsExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional parameter used for link expansion to embed more resources in the response.
+ Only supports `expand=user/{userId}` and must be used with the `user.id eq "{userId}"` filter query for the same user.
+ Returns the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property.
+ schema:
+ type: string
+ example: user/0oa1gjh63g214q0Hq0g4
+ queryExpand:
+ name: expand
+ in: query
+ schema:
+ type: string
+ description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.'
queryExpandBrand:
name: expand
in: query
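Review bot: `queryAppAfter` declares `type: string` but its `example: 16275000448691` is an unquoted all-digit scalar, which YAML loaders read as an integer and schema-aware doc generators then flag as not matching the declared type; quote it, `example: '16275000448691'`. The pagination links are also inconsistent within this hunk: `queryAfter` now points at the absolute `https://developer.okta.com/docs/api/#pagination` while `queryAppAfter` and `queryAppLimit` still use the relative `/#pagination`, which resolves differently depending on where the spec is rendered.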
@@ -22152,6 +46981,61 @@ components:
description: Searches the records for matching value
schema:
type: string
+ queryGroupAssignmentLimit:
+ name: limit
+ in: query
+ description: |-
+ Specifies the number of objects to return per page.
+ If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it).
+ See [Pagination](/#pagination).
+ examples:
+ min:
+ value: 20
+ summary: Minimum limit value
+ hundred:
+ value: 100
+ summary: Sample limit value
+ max:
+ value: 200
+ summary: Maximum limit value
+ schema:
+ type: integer
+ format: int32
+ default: 20
+ minimum: 20
+ maximum: 200
+ queryGroupAssignmentWithGroupExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or
+ the group assignment metadata details in the `_embedded` property.
+ schema:
+ type: string
+ example: group
+ examples:
+ group:
+ value: group
+ summary: Embedded assigned Group
+ metadata:
+ value: metadata
+ summary: Embedded group assignment metadata
+ queryGroupAssignmentWithMetadataExpand:
+ name: expand
+ in: query
+ description: |-
+ An optional query parameter to return the corresponding assigned [Group](/openapi/okta-management/management/tag/Group/) or
+ the group assignment metadata details in the `_embedded` property.
+ schema:
+ type: string
+ example: metadata
+ examples:
+ group:
+ value: group
+ summary: Embedded assigned Group
+ metadata:
+ value: metadata
+ summary: Embedded group assignment metadata
queryLanguage:
name: language
schema:
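Review bot: `queryGroupAssignmentWithGroupExpand` and `queryGroupAssignmentWithMetadataExpand` each set both `example` and `examples`, which the OpenAPI 3.0 Parameter Object defines as mutually exclusive; drop the singular `example` from both, since `examples` already carries the same two values. The two components are otherwise byte-identical (same `name`, description, schema and examples), so a single `queryGroupAssignmentExpand` component referenced from both operations would stop the descriptions drifting apart.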
@@ -22189,24 +47073,90 @@ components:
schema:
type: boolean
required: false
+ queryUserExpand:
+ name: expand
+ in: query
+ description: 'An optional parameter to include metadata in the `_embedded` attribute. Valid value: `blocks`'
+ required: false
+ schema:
+ type: string
+ example: blocks
simulateParameter:
name: expand
- description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition was (not) matched.
+ description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition wasn't matched.
in: query
schema:
type: string
- example: expand=EVALUATED&expand=RULE
+ example: EVALUATED
+ yubikeyTokenId:
+ name: tokenId
+ description: ID of a Yubikey token
+ in: path
+ required: true
+ schema:
+ type: string
+ example: ykkxdtCA1fKVxyu6R0g3
requestBodies:
AuthenticatorRequestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/Authenticator'
+ $ref: '#/components/schemas/AuthenticatorBase'
examples:
Duo:
$ref: '#/components/examples/AuthenticatorRequestDuo'
required: true
responses:
+ ErrorAppUserForbidden403:
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AppUserProvEx:
+ $ref: '#/components/examples/ErrorAppUserForbiddenAction'
+ AccessDenied:
+ $ref: '#/components/examples/ErrorAccessDenied'
+ ErrorAppUserUpdateBadRequest400:
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AppUserUpdateCredEx:
+ $ref: '#/components/examples/ErrorAppUserUpdateBadRequest'
+ APIValidationFailed:
+ $ref: '#/components/examples/ErrorApiValidationFailed'
+ AuthenticatorResponse:
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthenticatorBase'
+ examples:
+ Duo:
+ $ref: '#/components/examples/AuthenticatorResponseDuo'
+ Email:
+ $ref: '#/components/examples/AuthenticatorResponseEmail'
+ Password:
+ $ref: '#/components/examples/AuthenticatorResponsePassword'
+ Phone:
+ $ref: '#/components/examples/AuthenticatorResponsePhone'
+ WebAuthn:
+ $ref: '#/components/examples/AuthenticatorResponseWebAuthn'
+ SecurityQuestion:
+ $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion'
+ AuthenticatorResponseInactiveWebAuthn:
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthenticatorBase'
+ examples:
+ WebAuthn:
+ $ref: '#/components/examples/AuthenticatorResponseInactiveWebAuthn'
ErrorApiValidationFailed400:
description: Bad Request
content:
@@ -22261,26 +47211,121 @@ components:
examples:
TooManyRequests:
$ref: '#/components/examples/ErrorTooManyRequests'
- AuthenticatorResponse:
+ Error502NoConnectedAgents:
+ description: There are no connected agents.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AgentTimeOut:
+ $ref: '#/components/examples/ErrorAgentTimeOut'
+ Error504AgentTimeOut:
+ description: Timed out waiting for agent.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ AgentTimeOut:
+ $ref: '#/components/examples/ErrorNoConnectedAgents'
+ DRStatusResponse:
description: OK
content:
application/json:
schema:
- $ref: '#/components/schemas/Authenticator'
+ description: List of domains and their disaster recovery status
+ type: array
+ items:
+ $ref: '#/components/schemas/DRStatusItem'
+ headers:
+ Link:
+ description: A link to the next page of responses
+ schema:
+ type: string
+ ErrorResponse:
+ description: |
+ 400 - When request validation fails
+ 401 - When the user is not authenticated or the feature is not enabled
+ 403 - When the user is not authorized
+ 429 - When rate limits are exceeded
+ 500 - When an internal server error is encountred
+ 501 - When the operation is not supported
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ GetFactorResponse:
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserFactor'
examples:
- Duo:
- $ref: '#/components/examples/AuthenticatorResponseDuo'
+ SMS:
+ $ref: '#/components/examples/FactorResponseSms'
Email:
- $ref: '#/components/examples/AuthenticatorResponseEmail'
- Password:
- $ref: '#/components/examples/AuthenticatorResponsePassword'
- Phone:
- $ref: '#/components/examples/AuthenticatorResponsePhone'
- WebAuthn:
- $ref: '#/components/examples/AuthenticatorResponseWebAuthn'
- SecurityQuestion:
- $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion'
+ $ref: '#/components/examples/FactorEmail'
+ Error-FF-NotEnabled-Response-401:
+ description: Unauthorized
+ content:
+ application/json:
+ examples:
+ Unauthorized:
+ value:
+ errorCode: E0000015
+ errorSummary: You do not have permission to access the feature you are requesting
+ errorLink: E0000015
+ errorId: oaeStOuPPxDRUm3PJhf-tL7bQ
+ errorCauses: []
+ ErrorInternalServer500:
+ description: Internal Server Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ InternalServerError:
+ $ref: '#/components/examples/ErrorInternalServer'
+ NzErrorApiValidationFailed400:
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ APIValidationFailed:
+ $ref: '#/components/examples/NzErrorApiValidationFailed'
+ NzErrorResourceNotFound404:
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ ResourceNotFound:
+ $ref: '#/components/examples/NzErrorResourceNotFound'
schemas:
+ AAGUIDGroupObject:
+ description: |
+
+ The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
+
+ This feature has several limitations when enrolling a security key:
+ - Enrollment is currently unsupported on Firefox.
+ - Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
+ - If prompted during enrollment, users must allow Okta to see the make and model of the security key.
+ type: object
+ properties:
+ aaguids:
+ description: A list of YubiKey hardware FIDO2 Authenticator Attestation Global Unique Identifiers (AAGUIDs). The available [AAGUIDs](https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs) (opens new window) are provided by the FIDO Alliance Metadata Service.
+ type: array
+ items:
+ type: string
+ description: AAGUID
+ name:
+ type: string
+ description: A name to identify the group of YubiKey hardware FIDO2 AAGUIDs
APIServiceIntegrationInstance:
type: object
properties:
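Review bot: The examples on the two new agent responses appear swapped: `Error502NoConnectedAgents` references `ErrorAgentTimeOut` and `Error504AgentTimeOut` references `ErrorNoConnectedAgents`, so each response will render the other's error body; swap the two `$ref` values (and the example keys) so the 502 shows `ErrorNoConnectedAgents` and the 504 shows `ErrorAgentTimeOut`. `Error-FF-NotEnabled-Response-401` is also the only error response in this hunk without a `schema`, so its inline example is never validated against `Error`; adding `schema: $ref: '#/components/schemas/Error'` next to `examples` keeps it consistent with the others. Minor: `encountred` in the `ErrorResponse` description.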
@@ -22417,10 +47462,31 @@ components:
- type: object
properties:
conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
+ type: string
+ description: Policy conditions aren't supported. Conditions are applied at the rule level for this policy type.
+ default: null
+ nullable: true
+ _embedded:
+ type: object
+ properties:
+ resourceType:
+ type: string
+ description: The resource that this policy controls. For the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/#example-response), `END_USER_ACCOUNT_MANAGEMENT` is returned. For other policies, `APP` is returned.
+ additionalProperties:
+ type: object
+ properties: {}
AccessPolicyConstraint:
type: object
properties:
+ authenticationMethods:
+ description: This property specifies the precise authenticator and method for authentication.
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticationMethodObject'
+ excludedAuthenticationMethods:
+ description: This property specifies the precise authenticator and method to exclude from authentication.
+ items:
+ $ref: '#/components/schemas/AuthenticationMethodObject'
methods:
description: The Authenticator methods that are permitted
items:
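Review bot: `excludedAuthenticationMethods` in `AccessPolicyConstraint` defines `items` but no `type: array`, unlike its sibling `authenticationMethods` directly above it, so validators that only apply `items` to arrays will not check the entries of an exclusion list that directly weakens an assurance policy; add `type: array` under the description. The same omission was present in the block this hunk moves from further down, so it is a pre-existing gap rather than a regression. The `conditions` override to `type: string` with `default: null` is an unusual way to say the property is unsupported; since the description already states that conditions are not accepted for this policy type, consider whether the property should simply be omitted from the schema.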
@@ -22443,6 +47509,9 @@ components:
reauthenticateIn:
description: The duration after which the user must re-authenticate regardless of user activity. This re-authentication interval overrides the Verification Method object's `reauthenticateIn` interval. The supported values use ISO 8601 period format for recurring time intervals (for example, `PT1H`).
type: string
+ required:
+ description: This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for `excludedAuthenticationMethods` the `required` value is false.
+ type: boolean
types:
description: The Authenticator types that are permitted
items:
@@ -22456,36 +47525,6 @@ components:
- APP
- FEDERATED
type: array
- authenticationMethods:
- x-okta-lifecycle:
- features:
- - ASSURANCE_GRANULAR_AUTHENTICATOR_CONSTRAINTS
- description: This property specifies the precise authenticator and method for authentication.
- type: array
- items:
- $ref: '#/components/schemas/AuthenticationMethodObject'
- excludedAuthenticationMethods:
- x-okta-lifecycle:
- features:
- - ASSURANCE_GRANULAR_AUTHENTICATOR_CONSTRAINTS
- description: This property specifies the precise authenticator and method to exclude from authentication.
- items:
- $ref: '#/components/schemas/AuthenticationMethodObject'
- required:
- x-okta-lifecycle:
- features:
- - ASSURANCE_GRANULAR_AUTHENTICATOR_CONSTRAINTS
- description: This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for`excludedAuthenticationMethods` the `required` value is false.
- type: boolean
- AuthenticationMethodObject:
- type: object
- properties:
- key:
- type: string
- description: A label that identifies the authenticator
- method:
- type: string
- description: Specifies the method used for the authenticator
AccessPolicyConstraints:
type: object
properties:
@@ -22493,6 +47532,10 @@ components:
$ref: '#/components/schemas/KnowledgeConstraint'
possession:
$ref: '#/components/schemas/PossessionConstraint'
+ AccessPolicyLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the app access policy resource
AccessPolicyRule:
allOf:
- $ref: '#/components/schemas/PolicyRule'
@@ -22513,24 +47556,39 @@ components:
type: object
properties:
access:
- type: string
+ $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOnAccess'
verificationMethod:
$ref: '#/components/schemas/VerificationMethod'
+ AccessPolicyRuleApplicationSignOnAccess:
+ type: string
+ enum:
+ - ALLOW
+ - DENY
AccessPolicyRuleConditions:
allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- type: object
properties:
device:
$ref: '#/components/schemas/DeviceAccessPolicyRuleCondition'
elCondition:
$ref: '#/components/schemas/AccessPolicyRuleCustomCondition'
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ platform:
+ $ref: '#/components/schemas/PlatformPolicyRuleCondition'
+ riskScore:
+ $ref: '#/components/schemas/RiskScorePolicyRuleCondition'
userType:
$ref: '#/components/schemas/UserTypeCondition'
AccessPolicyRuleCustomCondition:
properties:
condition:
type: string
+ description: expression to match
+ required:
+ - condition
AcsEndpoint:
description: An array of ACS endpoints. You can configure a maximum of 100 endpoints.
type: object
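Review bot: `AccessPolicyRuleCustomCondition` now marks `condition` as required but still has no `type: object`, so `properties` alone does not constrain the value; add `type: object` above `properties` as the sibling schemas in this hunk do, and its description `expression to match` could name what it is (`Okta Expression Language condition the rule matches on`, if that is indeed what `elCondition` evaluates). Replacing the `$ref` to `PolicyRuleConditions` in `AccessPolicyRuleConditions` with an explicit list (`device`, `elCondition`, `network`, `people`, `platform`, `riskScore`, `userType`) drops anything else `PolicyRuleConditions` defined; that is fine if access policies never accepted those, but `PolicyRuleConditions` is not visible in this chunk, so it is worth confirming against the removed composition.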
@@ -22547,19 +47605,28 @@ components:
required:
- url
- index
- ActivateFactorRequest:
+ Actions:
type: object
properties:
- attestation:
- type: string
- clientData:
- type: string
- passCode:
- type: string
- registrationData:
- type: string
- stateToken:
- type: string
+ assignUserToRealm:
+ $ref: '#/components/schemas/AssignUserToRealm'
+ AdminConsoleSettings:
+ title: Okta Admin Console Settings
+ description: Settings specific to the Okta Admin Console
+ type: object
+ properties:
+ sessionIdleTimeoutMinutes:
+ description: The maximum idle time before the Okta Admin Console session expires. Must be no more than 12 hours.
+ type: integer
+ minimum: 5
+ maximum: 720
+ default: 15
+ sessionMaxLifetimeMinutes:
+ description: The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 7 days.
+ type: integer
+ minimum: 5
+ maximum: 10080
+ default: 720
Agent:
description: Agent details
type: object
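Review bot: `AdminConsoleSettings` bounds `sessionIdleTimeoutMinutes` (5–720) and `sessionMaxLifetimeMinutes` (5–10080) independently, so the schema admits an idle timeout longer than the absolute lifetime (for example 720 and 5); if the server rejects that combination, the description should say so, e.g. `Must be no more than 12 hours and must not exceed sessionMaxLifetimeMinutes`. The per-field `minimum`/`maximum` are the only guardrails a generated client or admin tool gets from this schema, so a cross-field rule on admin-console session lifetime belongs in the text.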
@@ -22590,6 +47657,15 @@ components:
type: string
_links:
$ref: '#/components/schemas/LinksSelf'
+ AgentAction:
+ description: Details about the AD Group membership update
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the AD group to update
+ parameters:
+ $ref: '#/components/schemas/Parameters'
AgentPool:
description: An AgentPool is a collection of agents that serve a common purpose. An AgentPool has a unique ID within an org, and contains a collection of agents disjoint to every other AgentPool (i.e. no two AgentPools share an Agent).
type: object
@@ -22689,12 +47765,45 @@ components:
- Scheduled
- Success
AllowedForEnum:
+ description: The allowed types of uses for the Authenticator
type: string
enum:
- any
- none
- recovery
- sso
+ AndroidZeroTrust:
+ description: Android Zero Trust integration provider
+ type: object
+ properties:
+ deviceIntegrityLevel:
+ $ref: '#/components/schemas/DeviceIntegrity'
+ networkProxyDisabled:
+ description: Indicates whether a device has a network proxy disabled
+ type: boolean
+ playProtectVerdict:
+ $ref: '#/components/schemas/PlayProtectVerdict'
+ requireMajorVersionUpdate:
+ description: |
+ Indicates whether the device needs to be on the latest major version available to the device
+
+ **Note:** This option requires an `osVersion.dynamicVersionRequirement` value to be supplied with the `osVersion.dynamicVersionRequirement.type` as either `MINIMUM` or `EXACT`.
+ type: boolean
+ requirePatchVersionUpdate:
+ description: |
+ Indicates whether the device needs to be on the latest patch version available to the device
+
+ **Note:** This property mirrors `osVersion.dynamicVersionRequirement.latestSecurityPatch` and is meant for informational purposes only.
+ type: boolean
+ readOnly: true
+ screenLockComplexity:
+ $ref: '#/components/schemas/ScreenLockComplexity'
+ usbDebuggingDisabled:
+ description: Indicates whether Android Debug Bridge (adb) over USB is disabled
+ type: boolean
+ wifiSecured:
+ description: Indicates whether a device is on a password-protected Wi-Fi network
+ type: boolean
ApiToken:
title: API Token
description: An API token for an Okta User. This token is NOT scoped any further and can be used for any API the user has permissions to call.
@@ -22720,6 +47829,23 @@ components:
readOnly: true
name:
type: string
+ network:
+ type: object
+ description: The Network Condition of the API Token
+ properties:
+ connection:
+ type: string
+ description: The connection type of the Network Condition
+ include:
+ type: array
+ description: List of included IP network zones
+ items:
+ type: string
+ exclude:
+ type: array
+ description: List of excluded IP network zones
+ items:
+ type: string
tokenWindow:
$ref: '#/components/schemas/TimeDuration'
userId:
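Review bot: The new `network.include`/`network.exclude` lists on `ApiToken` are typed as bare strings described only as "IP network zones"; elsewhere in this spec network zones are addressed by `id` (see `pathZoneId`, example `nzowc1U5Jh5xuAK0o0g3`), so if these hold zone IDs the descriptions should say so, `description: List of included Network Zone IDs`, with an `example`. `connection` likewise has no documented set of values; if it mirrors the `connection` field of `PolicyNetworkCondition`, naming the accepted values here would make the restriction usable. Since this condition is the only thing limiting where an otherwise unscoped API token can be used, ambiguity here has a direct security cost.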
@@ -22728,6 +47854,82 @@ components:
$ref: '#/components/schemas/LinksSelf'
required:
- name
+ ApiTokenUpdate:
+ title: API Token Update
+ description: An API Token Update Object for an Okta user. This token is NOT scoped any further and can be used for any API that the user has permissions to call.
+ type: object
+ properties:
+ clientName:
+ type: string
+ description: The client name associated with the API Token
+ readOnly: true
+ created:
+ type: string
+ description: The creation date of the API Token
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ description: The name associated with the API Token
+ network:
+ type: object
+ description: The Network Condition of the API Token
+ properties:
+ connection:
+ type: string
+ description: The connection type of the Network Condition
+ include:
+ type: array
+ description: List of included IP network zones
+ items:
+ type: string
+ exclude:
+ type: array
+ description: List of excluded IP network zones
+ items:
+ type: string
+ userId:
+ type: string
+ description: The userId of the user who created the API Token
+ AppAccountContainerDetails:
+ description: Container details for resource type APP_ACCOUNT
+ type: object
+ properties:
+ appName:
+ type: string
+ description: The application name
+ readOnly: true
+ example: google
+ containerId:
+ type: string
+ description: The application ID associated with the privileged account
+ example: 0oa103099SBEb3Z2b0g4
+ displayName:
+ type: string
+ description: Human-readable name of the container that owns the privileged resource
+ readOnly: true
+ example: Google App1
+ globalAppId:
+ type: string
+ description: The application global ID
+ readOnly: true
+ example: 964b82aa-85b4-5645-b790-83312c473480
+ passwordPushSupported:
+ type: boolean
+ description: Indicates if the application supports password push
+ readOnly: true
+ example: true
+ provisioningEnabled:
+ type: boolean
+ description: Indicates if provisioning is enabled for this application
+ readOnly: true
+ example: true
+ status:
+ $ref: '#/components/schemas/AppInstanceContainerStatus'
+ _links:
+ $ref: '#/components/schemas/appLink'
+ required:
+ - containerId
AppAndInstanceConditionEvaluatorAppOrInstance:
type: object
properties:
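Review bot: `ApiTokenUpdate.userId` is writable in this update object while `clientName` and `created` are marked `readOnly: true`; if the server does not allow reassigning a token to a different user on update (which would be an ownership/privilege change), `userId` should also carry `readOnly: true` so generated clients don't expose a setter for it. The `network` sub-object here is a byte-for-byte copy of the one added to `ApiToken`; extracting it into a shared `ApiTokenNetworkCondition` schema and `$ref`-ing it from both would stop the two definitions drifting apart.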
@@ -22745,17 +47947,55 @@ components:
properties:
exclude:
type: array
+ description: The list of applications to exclude
items:
$ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance'
include:
type: array
+ description: The list of apps or app instances to match on
items:
$ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance'
AppAndInstanceType:
+ description: Type of app
type: string
enum:
- APP
- APP_TYPE
+ AppCsrPkcs10:
+ description: Base64URL-encoded CSR in DER format
+ format: base64
+ type: string
+ AppCustomHrefObject:
+ type: object
+ properties:
+ hints:
+ type: object
+ description: Describes allowed HTTP verbs for the `href`
+ properties:
+ allow:
+ type: array
+ items:
+ type: string
+ href:
+ type: string
+ description: Link URI
+ title:
+ type: string
+ description: Link name
+ type:
+ type: string
+ description: The media type of the link. If omitted, it is implicitly `application/json`.
+ required:
+ - href
+ readOnly: true
+ AppInstanceContainerStatus:
+ description: Current status of the application instance
+ type: string
+ enum:
+ - ACTIVE
+ - DELETED
+ - INACTIVE
+ readOnly: true
AppInstancePolicyRuleCondition:
type: object
properties:
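Review bot: `AppCsrPkcs10` uses `format: base64`, which is not an OpenAPI 3.0 format (`byte` is the defined name for base64 content), and its description says Base64URL, which uses a different alphabet than plain base64; pick one encoding and state it, e.g. `description: Base64URL-encoded PKCS#10 CSR in DER format` with the non-standard `format` removed, or `format: byte` only if the payload really is standard base64. `AppCustomHrefObject.hints.allow` lists HTTP verbs as free-form strings; if the existing `HrefObject` (referenced from `AccessPolicyLink` in this diff) already defines an allowed-verb type, reuse it here instead of a bare `string`.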
@@ -22800,32 +48040,41 @@ components:
sortOrder:
type: integer
readOnly: true
+ AppResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7
+ title:
+ type: string
+ description: Link name
+ example: My App
AppUser:
title: Application User
- description: The App User object defines a user's app-specific profile and credentials for an app.
+ description: The Application User object defines a user's app-specific profile and credentials for an app
type: object
properties:
created:
- type: string
- description: Timestamp when the App User object was created
- format: date-time
- readOnly: true
- example: '2014-06-24T15:27:59.000Z'
+ allOf:
+ - $ref: '#/components/schemas/createdProperty'
+ - example: '2014-06-24T15:27:59.000Z'
credentials:
$ref: '#/components/schemas/AppUserCredentials'
externalId:
type: string
description: |-
- The ID of the user in the target app that's linked to the Okta App User object.
+ The ID of the user in the target app that's linked to the Okta Application User object.
This value is the native app-specific identifier or primary key for the user in the target app.
- The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user has been successfully created in the target app.
+ The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user is created in the target app.
This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app.
readOnly: true
example: 70c14cc17d3745e8a9f98d599a68329c
id:
type: string
- description: Unique identifier of the App User object (only required for apps with `signOnMode` or authentication schemes that don't require credentials)
+ description: Unique identifier for the Okta User
example: 00u11z6WHMYCGPCHCRFK
lastSync:
type: string
@@ -22834,14 +48083,12 @@ components:
readOnly: true
example: '2014-06-24T15:27:59.000Z'
lastUpdated:
- type: string
- description: Timestamp when App User was last updated
- format: date-time
- readOnly: true
- example: '2014-06-24T15:28:14.000Z'
+ allOf:
+ - $ref: '#/components/schemas/lastUpdatedProperty'
+ - example: '2014-06-24T15:28:14.000Z'
passwordChanged:
type: string
- description: Timestamp when the App User password was last changed
+ description: Timestamp when the Application User password was last changed
format: date-time
readOnly: true
nullable: true
@@ -22850,7 +48097,7 @@ components:
$ref: '#/components/schemas/AppUserProfile'
scope:
type: string
- description: Toggles the assignment between user or group scope
+ description: Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`).
enum:
- USER
- GROUP
@@ -22859,7 +48106,7 @@ components:
$ref: '#/components/schemas/AppUserStatus'
statusChanged:
type: string
- description: Timestamp when the App User status was last changed
+ description: Timestamp when the Application User status was last changed
format: date-time
readOnly: true
example: '2014-06-24T15:28:14.000Z'
@@ -22867,34 +48114,46 @@ components:
$ref: '#/components/schemas/AppUserSyncState'
_embedded:
type: object
- description: Embedded resources related to the App User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ description: Embedded resources related to the Application User using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
additionalProperties:
type: object
properties: {}
readOnly: true
_links:
$ref: '#/components/schemas/LinksAppAndUser'
- required:
- - created
- - lastUpdated
- - scope
- - status
- - statusChanged
- - _links
+ AppUserAssignRequest:
+ allOf:
+ - $ref: '#/components/schemas/AppUser'
+ - required:
+ - id
AppUserCredentials:
- description: Specifies a user's credentials for the app. The authentication scheme of the app determines whether a username or password can be assigned to a user.
+ description: |
+ Specifies a user's credentials for the app.
+ This parameter can be omitted for apps with [sign-on mode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/signOnMode&t=response) (`signOnMode`) or [authentication schemes](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/credentials/scheme&t=response) (`credentials.scheme`) that don't require credentials.
type: object
properties:
password:
$ref: '#/components/schemas/AppUserPasswordCredential'
userName:
type: string
- description: Username for the app
+ description: |-
+ The user's username in the app
+
+ > **Note:** The [userNameTemplate](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/userNameTemplate&t=request) in the Application object defines the default username generated when a user is assigned to that app.
+ > If you attempt to assign a username or password to an app with an incompatible [authentication scheme](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/scheme&t=request), the following error is returned:
+ > "Credentials should not be set on this resource based on the scheme."
minLength: 1
maxLength: 100
- example: testuser
+ example: testuser@example.com
+ AppUserCredentialsRequestPayload:
+ title: Credentials
+ description: Updates the assigned user credentials
+ type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/AppUserCredentials'
AppUserPasswordCredential:
- description: Specifies a password for a user. This is a write-only property. An empty `password` object is returned to indicate that a password value exists.
+ description: The user's password. This is a write-only property. An empty `password` object is returned to indicate that a password value exists.
type: object
properties:
value:
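Review bot: Dropping the `required` list from `AppUser` removes `created`, `lastUpdated`, `scope`, `status`, `statusChanged` and `_links` from the response contract, so generated clients will now model those as optional. This appears to be done so the new `AppUserAssignRequest` can extend `AppUser` with `allOf` and require only `id`; keeping the old list on a response-only wrapper, e.g. an `AppUserResponse` with `allOf: [{$ref: '#/components/schemas/AppUser'}, {required: [created, lastUpdated, scope, status, statusChanged, _links]}]`, would preserve both uses. The quoted server error in the `userName` note is useful; adding the HTTP status it comes with, if known, would complete it.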
@@ -22903,17 +48162,24 @@ components:
format: password
writeOnly: true
AppUserProfile:
- description: |-
- App user profiles are app-specific and can be customized by the Profile Editor in the Admin Console.
- SSO apps typically don't support app user profiles, while apps with user provisioning features have app-specific profiles.
+ description: |
+ Specifies the default and custom profile properties for a user.
Properties that are visible in the Admin Console for an app assignment can also be assigned through the API.
Some properties are reference properties that are imported from the target app and can't be configured.
- additionalProperties:
- type: object
- properties: {}
+ See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response).
+ additionalProperties: true
+ type: object
+ AppUserProfileRequestPayload:
+ title: Profile
+ description: |-
+ Updates the assigned user profile
+ > **Note:** The Okta API currently doesn't support entity tags for conditional updates. As long as you're the only user updating the the user profile, Okta recommends you fetch the most recent profile with [Retrieve an Application User](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/getApplicationUser), apply your profile update, and then `POST` back the updated profile.
type: object
+ properties:
+ profile:
+ $ref: '#/components/schemas/AppUserProfile'
AppUserStatus:
- description: Status of an App User
+ description: Status of an Application User
example: ACTIVE
type: string
enum:
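Review bot: The `AppUserProfileRequestPayload` description contains a doubled word, `updating the the user profile`; it should read `updating the user profile`. `AppUserProfile` now accepts arbitrary properties via `additionalProperties: true`, while its description says some properties are imported and can't be configured; a sentence stating whether unknown or read-only properties are ignored or rejected on update would help clients.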
@@ -22931,24 +48197,24 @@ components:
- SUSPENDED
- UNASSIGNED
x-enumDescriptions:
- ACTIVE: The App User is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled.
- INACTIVE: The App User is provisioned, but isn't enabled to use the app. App Users in this status can be reactivated with a password reset or permanently deleted.
- IMPORTED: The App User is created based on imported data.
- MATCHED: The imported user is matched with an existing App User.
- UNASSIGNED: The App User was imported, but the user-matching operation was skipped.
- SUSPENDED: The App User is provisioned, but isn't enabled to use the app. App Users in this status can be reactivated without a password reset.
- PENDING: The App User is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the App User is activated.
- APPROVED: The App User was created but not provisioned. This status can occur when manual provisioning acknowledgment is required.
- REVOKED: The App User is disabled and waiting for deprovisioning acknowledgment. The App User can be deleted after deprovisioning acknowledgment.
- IMPLICIT: The App User is now migrated to use implicit app assignment.
- STAGED: The App User doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled.
- PROVISIONED: The background provisioning operation completed and the App User was assigned an `externalId` successfully.
+ ACTIVE: The Application User is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled.
+ INACTIVE: The Application User is provisioned, but isn't enabled to use the app. Application Users in this status can be reactivated with a password reset or permanently deleted.
+ IMPORTED: The Application User is created based on imported data.
+ MATCHED: The imported user is matched with an existing Application User.
+ UNASSIGNED: The Application User was imported, but the user-matching operation was skipped.
+ SUSPENDED: The Application User is provisioned, but isn't enabled to use the app. Application Users in this status can be reactivated without a password reset.
+ PENDING: The Application User is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the Application User is activated.
+ APPROVED: The Application User was created but not provisioned. This status can occur when manual provisioning acknowledgment is required.
+ REVOKED: The Application User is disabled and waiting for deprovisioning acknowledgment. The Application User can be deleted after deprovisioning acknowledgment.
+ IMPLICIT: The Application User is now migrated to use implicit app assignment.
+ STAGED: The Application User doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled.
+ PROVISIONED: The background provisioning operation completed and the Application User was assigned an `externalId` successfully.
DEPROVISIONED: The user was removed by the provisioning operation and the `externalId` property is unassigned.
readOnly: true
AppUserSyncState:
description: |-
- The synchronization state for the App User.
- The App User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app.
+ The synchronization state for the Application User.
+ The Application User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app.
> **Note:** User provisioning currently must be configured through the Admin Console.
example: SYNCHRONIZED
@@ -22961,11 +48227,36 @@ components:
- SYNCING
x-enumDescriptions:
DISABLED: The provisioning feature is disabled for the app (`PROFILE_MASTERING` feature is disabled).
- OUT_OF_SYNC: The App User has changes that haven't been pushed to the target app.
+ OUT_OF_SYNC: The Application User has changes that haven't been pushed to the target app.
SYNCING: A background provisioning operation is running to update the user's profile in the target app.
- SYNCHRONIZED: All changes to the App User profile have successfully been synchronized with the target app.
+ SYNCHRONIZED: All changes to the Application User profile have successfully been synchronized with the target app.
ERROR: A background provisioning operation failed to update the user's profile in the target app. You must resolve the provisioning task in the Admin Console before you retry the operation.
readOnly: true
+ AppUserUpdateRequest:
+ oneOf:
+ - $ref: '#/components/schemas/AppUserCredentialsRequestPayload'
+ - $ref: '#/components/schemas/AppUserProfileRequestPayload'
+ AppleClientSigning:
+ description: |-
+ Information used to generate the secret JSON Web Token for the token requests to Apple IdP
+ > **Note:** The `privateKey` property is required for a CREATE request. For an UPDATE request, it can be null and keeps the existing value if it's null. The `privateKey` property isn't returned for LIST and GET requests or UPDATE requests if it's null.
+ type: object
+ properties:
+ kid:
+ type: string
+ description: The Key ID that you obtained from Apple when you created the private key for the client
+ maxLength: 1024
+ example: test key id
+ privateKey:
+ type: string
+ description: The PKCS \#8 encoded private key that you created for the client and downloaded from Apple
+ maxLength: 1024
+ example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ
+ teamId:
+ type: string
+ description: The Team ID associated with your Apple developer account
+ maxLength: 1024
+ example: test team id
Application:
type: object
properties:
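Review bot: `AppleClientSigning.privateKey` holds a PKCS #8 private key but is declared as a plain `type: string`; the description says it is not returned on LIST or GET, so the schema should encode that with `format: password` and, if it is indeed never echoed back, `writeOnly: true`, as `AppUserPasswordCredential.value` already does. Without that, documentation renderers and client generators treat it like any other field. Separately, `AppUserUpdateRequest` uses `oneOf` over two payload schemas that each declare a single optional property and don't set `additionalProperties: false`; a body containing both `credentials` and `profile` matches both branches and fails `oneOf` validation, so `anyOf` may be what is intended unless the API rejects such bodies.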
@@ -22975,26 +48266,127 @@ components:
type: string
format: date-time
readOnly: true
+ description: Timestamp when the Application object was created
features:
type: array
+ description: |
+ Enabled app features
+ > **Note:** Some apps can support optional provisioning features. See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/)
items:
type: string
+ enum:
+ - GROUP_PUSH
+ - IMPORT_NEW_USERS
+ - IMPORT_PROFILE_UPDATES
+ - IMPORT_USER_SCHEMA
+ - PROFILE_MASTERING
+ - PUSH_NEW_USERS
+ - PUSH_PASSWORD_UPDATES
+ - PUSH_PROFILE_UPDATES
+ - PUSH_USER_DEACTIVATION
+ - REACTIVATE_USERS
+ - OUTBOUND_DEL_AUTH
+ - DESKTOP_SSO
+ - FEDERATED_PROFILE
+ - SUPPRESS_ACTIVATION_EMAIL
+ - PUSH_PENDING_USERS
+ - MFA
+ - UPDATE_EXISTING_USERNAME
+ - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH
+ - EXCHANGE_ACTIVE_SYNC
+ - IMPORT_SYNC
+ - IMPORT_SYNC_CONTACTS
+ - DEVICE_COMPLIANCE
+ - VPN_CONFIG
+ - IMPORT_SCHEMA_ENUM_VALUES
+ - SCIM_PROVISIONING
+ - DEVICE_FILTER_IN_SIGN_ON_RULES
+ - PROFILE_TEMPLATE_UPGRADE
+ - DEFAULT_PUSH_STATUS_TO_PUSH
+ - REAL_TIME_SYNC
+ - SSO
+ - AUTHN_CONTEXT
+ - JIT_PROVISIONING
+ - GROUP_SYNC
+ - OPP_SCIM_INCREMENTAL_IMPORTS
+ - IN_MEMORY_APP_USER
+ - LOG_STREAMING
+ - OAUTH_INTEGRATION
+ - IDP
+ - PUSH_NEW_USERS_WITHOUT_PASSWORD
+ - SKYHOOK_SERVICE
+ - ENTITLEMENT_MANAGEMENT
+ - PUSH_NEW_USERS_WITH_HASHED_PASSWORD
+ x-enumDescriptions:
+ GROUP_PUSH: Creates or links a group in the app when a mapping is defined for a group in Okta. Okta is the source for group memberships and all group members in Okta who are also assigned to the app are synced as group members to the app.
+ IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app
+ IMPORT_PROFILE_UPDATES: Updates a linked user's app profile during manual or scheduled imports
+ IMPORT_USER_SCHEMA: Discovers the profile schema for a user from the app automatically
+ PROFILE_MASTERING: Designates the app as the identity lifecycle and profile attribute authority for linked users. The user's profile in Okta is read-only.
+ PUSH_NEW_USERS: Creates or links a user account in the app when assigning the app to a user in Okta
+ PUSH_PASSWORD_UPDATES: Updates the user's app password when their password changes in Okta
+ PUSH_PROFILE_UPDATES: Updates a user's profile in the app when the user's profile changes in Okta (the profile source)
+ PUSH_USER_DEACTIVATION: Deactivates a user's account in the app when unassigned from the app in Okta or deactivated
+ REACTIVATE_USERS: Reactivates an existing inactive user when provisioning a user to the app
+ OUTBOUND_DEL_AUTH: Okta user authentication requests are delegated to a third-party app
+ DESKTOP_SSO: Okta user authentication requests are handled by desktop SSO negotiation (if possible)
+ FEDERATED_PROFILE: App User profiles are synchronized at sign-in and profile-view instances instead of during bulk imports
+ SUPPRESS_ACTIVATION_EMAIL: Activation emails aren't sent to users sourced by AD and orgs with DelAuth enabled
+ PUSH_PENDING_USERS: Users are in PENDING state in Okta and are created but not active in the sourced app user
+ MFA: App can verify credentials as a second factor
+ UPDATE_EXISTING_USERNAME: App can update the user name for existing users
+ EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push
+ EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices
+ IMPORT_SYNC: Synchronize import events
+ IMPORT_SYNC_CONTACTS: Synchronize contacts
+ DEVICE_COMPLIANCE: Apps support device compliance rules
+ VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices
+ IMPORT_SCHEMA_ENUM_VALUES: App supports downloading schema enum values. You can download custom objects and integrating them with UD without being tied to the type metadata system.
+ SCIM_PROVISIONING: App supports generic SCIM client provisioning and can leverage SCIM standard for provisioning and push custom attributes to a third-party app
+ DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules
+ PROFILE_TEMPLATE_UPGRADE: App supports profile template upgrades. This is primarily to help roll out the profile template upgrade feature for individual apps
+ DEFAULT_PUSH_STATUS_TO_PUSH: App defaults Push status to `PUSH`. This feature is for apps, such as SharePoint, that want to receive App User profile updates even though they didn't implement traditional PUSH_PROFILE_UPDATES in the client API.
+ REAL_TIME_SYNC: Apps support real-time synchronization
+ SSO: Apps support establishing a subject based on claims from an IdP
+ AUTHN_CONTEXT: Apps support establishing an authentication context based on claims from an IdP
+ JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP
+ GROUP_SYNC: Apps support syncing group information based on claims from an IdP
+ OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances
+ IN_MEMORY_APP_USER: Apps support in-memory App Users. This feature is used as an alternative to Implicit App Assignment for a non-persisted App User.
+ LOG_STREAMING: Apps support Log Streaming
+ OAUTH_INTEGRATION: App is an OAuth 2.0 Integration
+ IDP: Apps support IdP functionalities
+ PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users
+ SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations
+ ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled
+ PUSH_NEW_USERS_WITH_HASHED_PASSWORD: Send hashed password for new users. This feature is only used for CIS to CIC migration.
id:
type: string
readOnly: true
+ description: Unique ID for the app instance
label:
$ref: '#/components/schemas/ApplicationLabel'
lastUpdated:
type: string
format: date-time
readOnly: true
+ description: Timestamp when the Application object was last updated
licensing:
$ref: '#/components/schemas/ApplicationLicensing'
+ orn:
+ type: string
+ readOnly: true
+ description: The Okta resource name (ORN) for the current app instance
profile:
type: object
- additionalProperties:
- type: object
- properties: {}
+ description: |-
+ Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps).
+ For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function.
+
+ > **Notes:**
+ > * `profile` isn't encrypted, so don't store sensitive data in it.
+ > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance.
+ additionalProperties: true
signOnMode:
$ref: '#/components/schemas/ApplicationSignOnMode'
status:
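Review bot: The `x-enumDescriptions` entry for `IMPORT_SCHEMA_ENUM_VALUES` has a grammar slip, `You can download custom objects and integrating them with UD`; suggest `You can download custom objects and integrate them with Universal Directory (UD)`. A few entries name sibling features without code formatting (`PUSH_PROFILE_UPDATES` inside `DEFAULT_PUSH_STATUS_TO_PUSH`), unlike the `profile` description in the same hunk, which backticks identifiers consistently.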
@@ -23003,12 +48395,20 @@ components:
$ref: '#/components/schemas/ApplicationVisibility'
_embedded:
type: object
- additionalProperties:
- type: object
- properties: {}
+ description: Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded.
+ properties:
+ user:
+ type: object
+ description: The specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) assigned to the app
+ additionalProperties:
+ type: object
+ properties: {}
readOnly: true
_links:
$ref: '#/components/schemas/ApplicationLinks'
+ required:
+ - signOnMode
+ - label
discriminator:
propertyName: signOnMode
mapping:
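Review bot: `_embedded.user` is typed as a free-form object (`additionalProperties` with an empty `properties: {}`) even though its description says it holds the assigned Application User; pointing it at the existing schema, `$ref: '#/components/schemas/AppUser'`, would give generated clients the real shape. The new `required: [signOnMode, label]` on `Application` is consistent with `signOnMode` being the discriminator property declared just below.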
@@ -23017,20 +48417,27 @@ components:
BOOKMARK: '#/components/schemas/BookmarkApplication'
BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication'
OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication'
- SAML_1_1: '#/components/schemas/SamlApplication'
+ SAML_1_1: '#/components/schemas/Saml11Application'
SAML_2_0: '#/components/schemas/SamlApplication'
SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication'
WS_FEDERATION: '#/components/schemas/WsFederationApplication'
ApplicationAccessibility:
+ description: Specifies access settings for the app
type: object
properties:
errorRedirectUrl:
type: string
+ description: Custom error page URL for the app
loginRedirectUrl:
type: string
+ description: |-
+ Custom login page URL for the app
+ > **Note:** The `loginRedirectUrl` property is deprecated in Identity Engine. This property is used with the custom app login feature. Orgs that actively use this feature can continue to do so. See [Okta-hosted sign-in (redirect authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) or [configure IdP routing rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) to redirect users to the appropriate sign-in app for orgs that don't use the custom app login feature.
selfService:
type: boolean
+ description: Represents whether the app can be self-assignable by users
ApplicationCredentials:
+ description: Credentials for the specified `signOnMode`
type: object
properties:
signing:
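Review bot: `errorRedirectUrl` and `loginRedirectUrl` are described as URLs but declared as bare `type: string`; adding `format: uri` documents the expected value and lets validators catch malformed input. The `loginRedirectUrl` note says the property is deprecated in Identity Engine; if that is the only platform this spec targets, the OpenAPI `deprecated: true` flag would surface it in tooling, otherwise the prose is the right place. The `selfService` description reads awkwardly, `Represents whether the app can be self-assignable by users`; suggest `Indicates whether users can self-assign the app`.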
@@ -23042,13 +48449,37 @@ components:
properties:
autoKeyRotation:
type: boolean
+ description: Requested key rotation mode
+ default: true
client_id:
type: string
+ maxLength: 100
+ minLength: 6
+ description: |-
+ Unique identifier for the OAuth 2.0 client app
+
+ > **Notes:**
+ > * If you don't specify the `client_id`, this immutable property is populated with the [Application instance ID](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=4/id&t=response).
+ > * The `client_id` must consist of alphanumeric characters or the following special characters: `$-_.+!*'(),`.
+ > * You can't use the reserved word `ALL_CLIENTS`.
client_secret:
type: string
+ maxLength: 100
+ minLength: 14
+ description: |-
+ OAuth 2.0 client secret string (used for confidential clients)
+
+ > **Notes:** If a `client_secret` isn't provided on creation, and the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client app.
+ > The `client_secret` is only shown when an OAuth 2.0 client app is created or updated (and only if the `token_endpoint_auth_method` requires a client secret).
+ pkce_required:
+ type: boolean
+ description: Requires Proof Key for Code Exchange (PKCE) for additional verification. If `token_endpoint_auth_method` is `none`, then `pkce_required` must be `true`. The default is `true` for browser and native app types.
+ default: true
token_endpoint_auth_method:
$ref: '#/components/schemas/OAuthEndpointAuthenticationMethod'
ApplicationCredentialsScheme:
+ description: |
+ Apps with `BASIC_AUTH`, `BROWSER_PLUGIN`, or `SECURE_PASSWORD_STORE` sign-on modes have credentials vaulted by Okta and can be configured with the following schemes.
type: string
enum:
- ADMIN_SETS_CREDENTIALS
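Review bot: `pkce_required` declares an unconditional `default: true` while its description says the default is `true` only for browser and native app types; one of the two should change, e.g. drop the `default: true` line and leave the conditional default to the description, so client generators that fill in defaults don't send `pkce_required: true` for confidential clients that didn't ask for it. `client_secret` is a credential that the description says is only shown on create or update; marking it `format: password` (as `AppUserPasswordCredential.value` is) signals to documentation and client generators that it should be masked. Finally, `Requested key rotation mode` is an odd description for the boolean `autoKeyRotation`; something like `Whether Okta rotates the client's signing keys automatically` reads better if that is what the flag controls.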
@@ -23056,62 +48487,99 @@ components:
- EDIT_USERNAME_AND_PASSWORD
- EXTERNAL_PASSWORD_SYNC
- SHARED_USERNAME_AND_PASSWORD
+ x-enumDescriptions:
+ ADMIN_SETS_CREDENTIALS: Admin sets username and password
+ EDIT_PASSWORD_ONLY: Admin sets username, user sets password
+ EDIT_USERNAME_AND_PASSWORD: User sets username and password
+ EXTERNAL_PASSWORD_SYNC: Admin sets username, password is the same as user's Okta password
+ SHARED_USERNAME_AND_PASSWORD: Users share a single username and password set by the admin
ApplicationCredentialsSigning:
+ description: |
+ App signing key properties
+ > **Note:** Only apps with SAML_2_0, SAML_1_1, WS_FEDERATION, or OPENID_CONNECT `signOnMode` support the key rotation feature.
type: object
properties:
kid:
type: string
+ description: |-
+ Key identifier used for signing assertions
+ > **Note:** Currently, only the X.509 JWK format is supported for apps with SAML_2_0 `signOnMode`.
lastRotated:
type: string
+ description: Timestamp when the signing key was last rotated
format: date-time
readOnly: true
nextRotation:
type: string
+ description: The scheduled time for the next signing key rotation
format: date-time
readOnly: true
rotationMode:
type: string
+ description: The mode of key rotation
use:
$ref: '#/components/schemas/ApplicationCredentialsSigningUse'
ApplicationCredentialsSigningUse:
+ description: Specifies the intended use of the key
type: string
enum:
- sig
ApplicationCredentialsUsernameTemplate:
+ description: The template used to generate the username when the app is assigned through a group or directly to a user
type: object
properties:
pushStatus:
type: string
+ description: Determines if the username is pushed to the app on updates for CUSTOM `type`
+ enum:
+ - PUSH
+ - DONT_PUSH
+ - NOT_CONFIGURED
template:
type: string
+ description: |-
+ Mapping expression used to generate usernames.
+
+ The following are supported mapping expressions that are used with the `BUILT_IN` template type:
+
+ | Name | Template Expression |
+ | ------------------------------- | ---------------------------------------------- |
+ | AD Employee ID | `${source.employeeID}` |
+ | AD SAM Account Name | `${source.samAccountName}` |
+ | AD SAM Account Name (lowercase) | `${fn:toLowerCase(source.samAccountName)}` |
+ | AD User Principal Name | `${source.userName}` |
+ | AD User Principal Name prefix | `${fn:substringBefore(source.userName, "@")}` |
+ | Email | `${source.email}` |
+ | Email (lowercase) | `${fn:toLowerCase(source.email)}` |
+ | Email prefix | `${fn:substringBefore(source.email, "@")}` |
+ | LDAP UID + custom suffix | `${source.userName}${instance.userSuffix}` |
+ | Okta username | `${source.login}` |
+ | Okta username prefix | `${fn:substringBefore(source.login, "@")}` |
+ default: ${source.login}
type:
type: string
+ description: Type of mapping expression. Empty string is allowed.
+ enum:
+ - NONE
+ - BUILT_IN
+ - CUSTOM
+ default: BUILT_IN
userSuffix:
type: string
+ description: An optional suffix appended to usernames for `BUILT_IN` mapping expressions
ApplicationFeature:
description: |
- The Feature object is used to configure application feature settings.
-
- The only feature currently supported is `USER_PROVISIONING` for the Org2Org application type.
+ The Feature object is used to configure app feature settings.
type: object
properties:
- capabilities:
- allOf:
- - $ref: '#/components/schemas/CapabilitiesObject'
description:
type: string
description: Description of the feature
- example: Settings for provisioning users from Okta to a downstream application
+ example: Settings for provisioning users from Okta to a downstream app
readOnly: true
name:
- type: string
- description: Identifying name of the feature
+ $ref: '#/components/schemas/ApplicationFeatureType'
readOnly: true
- example: USER_PROVISIONING
- enum:
- - USER_PROVISIONING
- x-enumDescriptions:
- USER_PROVISIONING: Represents the **To App** provisioning feature setting in the Admin Console
status:
allOf:
- $ref: '#/components/schemas/EnabledStatus'
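Review bot: `ApplicationFeature.name` now uses a bare `$ref` with a sibling `readOnly: true`; in OpenAPI 3.0.3 siblings of `$ref` are ignored, so the field silently stops being read-only. Wrap it the way `status` in the same schema does: `allOf:` with `- $ref: '#/components/schemas/ApplicationFeatureType'` and `- readOnly: true`. Also, `ApplicationCredentialsUsernameTemplate.type` says `Empty string is allowed` but its `enum` lists only `NONE`, `BUILT_IN` and `CUSTOM`, so a validator will reject `""`; either add the empty string to the enum or drop the sentence. The unquoted `default: ${source.login}` is valid YAML, but quoting it as `'${source.login}'` protects the expression from template engines and formatters that treat `${...}` specially.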
@@ -23122,32 +48590,71 @@ components:
allOf:
- $ref: '#/components/schemas/LinksSelf'
- readOnly: true
+ discriminator:
+ propertyName: name
+ mapping:
+ USER_PROVISIONING: '#/components/schemas/UserProvisioningApplicationFeature'
+ INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature'
+ ApplicationFeatureType:
+ description: |
+ Key name of the feature
+
+ | Feature name | Description |
+ | --------- | ------------- |
+ | USER_PROVISIONING | User profiles are pushed from Okta to the third-party app. Represents the **To App** provisioning feature setting in the Admin Console. |
+ | INBOUND_PROVISIONING | User profiles are imported from the third-party app into Okta. This feature represents the **To Okta** provisioning feature setting in the Admin Console. |
+
+ Select the feature:
+ example: USER_PROVISIONING
+ type: string
+ enum:
+ - USER_PROVISIONING
+ - USER_PROVISIONING
+ - INBOUND_PROVISIONING
ApplicationGroupAssignment:
+ title: Application Group Assignment
+ description: The Application Group object that defines a group of users' app-specific profile and credentials for an app
type: object
properties:
id:
type: string
+ description: ID of the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/)
readOnly: true
+ example: 00g4hb1HChfUriNgW0g4
lastUpdated:
- type: string
- format: date-time
- readOnly: true
+ allOf:
+ - $ref: '#/components/schemas/lastUpdatedProperty'
+ - example: '2014-06-24T15:28:14.000Z'
priority:
type: integer
+ description: |-
+ Priority assigned to the group. If an app has more than one group assigned to the same user, then the group with the higher priority has its profile applied to the [Application User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/).
+ If a priority value isn't specified, then the next highest priority is assigned by default.
+ See [Assign attribute group priority](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-app-group-priority) and the [sample priority use case](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-combine-values-use).
+ example: 99
profile:
- type: object
- additionalProperties:
- type: object
- properties: {}
+ $ref: '#/components/schemas/GroupAssignmentProfile'
_embedded:
type: object
+ description: |-
+ Embedded resource related to the Application Group using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ If the `expand=group` query parameter is specified, then the [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) object is embedded.
+ If the `expand=metadata` query parameter is specified, then the group assignment metadata is embedded.
additionalProperties:
type: object
properties: {}
readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/HrefObjectAppLink'
+ group:
+ $ref: '#/components/schemas/HrefObjectGroupLink'
ApplicationLabel:
+ description: User-defined display name for app
type: string
ApplicationLayout:
type: object
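Review bot: The `ApplicationFeatureType` enum lists `USER_PROVISIONING` twice; duplicate enum members are redundant at best and rejected by some validators, so drop one. The description above it ends with a dangling `Select the feature:` line that reads like a leftover from a UI template and should be removed. The new `ApplicationFeature` discriminator maps exactly `USER_PROVISIONING` and `INBOUND_PROVISIONING`, which matches the enum once the duplicate is gone.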
@@ -23199,11 +48706,14 @@ components:
$ref: '#/components/schemas/HrefObject'
type: array
ApplicationLicensing:
+ description: Licenses for the app
type: object
properties:
seatCount:
type: integer
+ description: Number of licenses purchased for the app
ApplicationLifecycleStatus:
+ description: App instance status
type: string
enum:
- ACTIVE
@@ -23211,73 +48721,127 @@ components:
- INACTIVE
readOnly: true
ApplicationLinks:
+ description: Discoverable resources related to the app
properties:
accessPolicy:
- $ref: '#/components/schemas/HrefObject'
+ $ref: '#/components/schemas/AccessPolicyLink'
activate:
$ref: '#/components/schemas/HrefObjectActivateLink'
+ appLinks:
+ type: array
+ description: List of app link resources
+ items:
+ $ref: '#/components/schemas/HrefObject'
deactivate:
$ref: '#/components/schemas/HrefObjectDeactivateLink'
groups:
- $ref: '#/components/schemas/HrefObject'
+ $ref: '#/components/schemas/GroupsLink'
+ help:
+ $ref: '#/components/schemas/HelpLink'
logo:
type: array
+ description: List of app logo resources
items:
$ref: '#/components/schemas/HrefObject'
metadata:
- $ref: '#/components/schemas/HrefObject'
+ $ref: '#/components/schemas/MetadataLink'
self:
$ref: '#/components/schemas/HrefObjectSelfLink'
users:
- $ref: '#/components/schemas/HrefObject'
+ $ref: '#/components/schemas/UsersLink'
+ readOnly: true
ApplicationSettings:
+ description: App settings
type: object
properties:
identityStoreId:
type: string
+ description: Identifies an additional identity store app, if your app supports it. The `identityStoreId` value must be a valid identity store app ID. This identity store app must be created in the same org as your app.
implicitAssignment:
type: boolean
+ description: Controls whether Okta automatically assigns users to the app based on the user's role or group membership.
inlineHookId:
type: string
+ description: Identifier of an inline hook. Inline hooks are outbound calls from Okta to your own custom code, triggered at specific points in Okta process flows. They allow you to integrate custom functionality into those flows. See [Inline hooks](/openapi/okta-management/management/tag/InlineHook/).
notes:
$ref: '#/components/schemas/ApplicationSettingsNotes'
notifications:
$ref: '#/components/schemas/ApplicationSettingsNotifications'
ApplicationSettingsNotes:
+ description: App notes visible to either the admin or end user
type: object
properties:
admin:
type: string
+ description: An app message that's visible to admins
enduser:
type: string
+ description: A message that's visible in the End-User Dashboard
ApplicationSettingsNotifications:
+ description: Specifies notifications settings for the app
type: object
properties:
vpn:
$ref: '#/components/schemas/ApplicationSettingsNotificationsVpn'
ApplicationSettingsNotificationsVpn:
+ description: Sends customizable messages with conditions to end users when a VPN connection is required
type: object
properties:
helpUrl:
type: string
+ description: An optional URL to a help page to assist your end users in signing in to your company VPN
message:
type: string
+ description: A VPN requirement message that's displayed to users
network:
$ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork'
+ required:
+ - network
ApplicationSettingsNotificationsVpnNetwork:
+ description: Defines network zones for VPN notification
type: object
properties:
connection:
type: string
+ description: Specifies the VPN connection details required to access the app
+ enum:
+ - DISABLED
+ - ANYWHERE
+ - ON_NETWORK
+ - OFF_NETWORK
+ - ZONE
+ x-enumDescriptions:
+ DISABLED: The default state. Retain this setting for apps that don't require a VPN connection.
+ ANYWHERE: Displays VPN connection information regardless of the browser's client IP. The notification appears before the end user can access the app.
+ ON_NETWORK: Displays VPN connection information only when a browser's client IP matches the configured Public Gateway IPs. The notification appears before the end user can access the app.
+ OFF_NETWORK: Displays VPN connection information only when the browser's client IP doesn't match the configured Public Gateway IPs. The notification appears before the end user can access the app.
exclude:
type: array
+ description: Defines the IP addresses or network ranges that are excluded from the VPN requirement
items:
type: string
include:
type: array
+ description: Defines the IP addresses or network ranges that are required to use the VPN
items:
type: string
ApplicationSignOnMode:
+ description: |
+ Authentication mode for the app
+
+ | signOnMode | Description |
+ | ---------- | ----------- |
+ | AUTO_LOGIN | Secure Web Authentication (SWA) |
+ | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin |
+ | BOOKMARK | Just a bookmark (no-authentication) |
+ | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin |
+ | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) |
+ | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) |
+ | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO |
+ | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) |
+ | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile |
+
+ Select the `signOnMode` for your custom app:
type: string
enum:
- AUTO_LOGIN
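Review bot: `ApplicationSettingsNotificationsVpnNetwork.connection` lists `ZONE` in its enum, but the new `x-enumDescriptions` block stops at `OFF_NETWORK`, so the one option that ties the VPN prompt to network zones renders undocumented. Add an entry along the lines of `ZONE: Displays VPN connection information only when the browser's client IP falls within the configured network zones`, with the wording confirmed against product behavior. Also, `helpUrl` is an admin-supplied link shown to end users on the sign-in path; giving it `format: uri` lets generators and validators reject non-URL input instead of accepting any string.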
@@ -23289,26 +48853,45 @@ components:
- SAML_2_0
- SECURE_PASSWORD_STORE
- WS_FEDERATION
+ ApplicationType:
+ description: 'The type of client application. Default value: `web`.'
+ type: string
+ enum:
+ - browser
+ - native
+ - service
+ - web
ApplicationVisibility:
+ description: Specifies visibility settings for the app
type: object
properties:
appLinks:
type: object
+ description: Links or icons that appear on the End-User Dashboard if they're set to `true`.
additionalProperties:
type: boolean
autoLaunch:
type: boolean
+ description: Automatically signs in to the app when user signs into Okta
autoSubmitToolbar:
type: boolean
+ description: Automatically sign in when user lands on the sign-in page
hide:
$ref: '#/components/schemas/ApplicationVisibilityHide'
ApplicationVisibilityHide:
+ description: Hides the app for specific end-user apps
type: object
properties:
iOS:
type: boolean
+ description: Okta Mobile for iOS or Android (pre-dates Android)
+ default: false
+ example: false
web:
type: boolean
+ description: Okta End-User Dashboard on a web browser
+ default: false
+ example: true
AssignGroupOwnerRequestBody:
type: object
properties:
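Review bot: `ApplicationType` states "Default value: `web`" only in prose; add `default: web` under the enum so SDK generators and validators carry the same default the docs promise. `ApplicationVisibilityHide` in the same hunk already sets `default: false` on both of its properties, so this keeps the new schemas consistent with each other.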
@@ -23322,6 +48905,11 @@ components:
properties:
type:
$ref: '#/components/schemas/RoleType'
+ AssignUserToRealm:
+ type: object
+ properties:
+ realmId:
+ type: string
AssociatedServerMediated:
type: object
properties:
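Review bot: `AssignUserToRealm.realmId` has neither a description nor a `required` entry, unlike nearly every other property this change touches. If the request cannot succeed without it, add `required: [realmId]` and a one-line `description: ID of the realm the user is assigned to`; if it is optional, the description should say what happens when it is omitted.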
@@ -23330,14 +48918,160 @@ components:
description: A list of the authorization server IDs
items:
type: string
+ AssuranceMethod:
+ allOf:
+ - $ref: '#/components/schemas/VerificationMethod'
+ - type: object
+ properties:
+ constraints:
+ items:
+ $ref: '#/components/schemas/AccessPolicyConstraints'
+ type: array
+ factorMode:
+ $ref: '#/components/schemas/AssuranceMethodFactorMode'
+ inactivityPeriod:
+ type: string
+ description: The inactivity duration after which the user must re-authenticate. Use the ISO 8601 period format (for example, PT2H).
+ reauthenticateIn:
+ type: string
+ description: The duration after which the user must re-authenticate, regardless of user activity. Keep in mind that the re-authentication intervals for constraints take precedent over this value. Use the ISO 8601 period format for recurring time intervals (for example, PT2H, PT0S, PT43800H, and so on).
+ AssuranceMethodFactorMode:
+ type: string
+ enum:
+ - 1FA
+ - 2FA
+ AttackProtectionAuthenticatorSettings:
+ type: object
+ properties:
+ verifyKnowledgeSecondWhen2faRequired:
+ type: boolean
+ description: If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA).
+ default: false
+ AuthServerLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ claims:
+ allOf:
+ - description: Link to the authorization server claims
+ - $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ allOf:
+ - $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ metadata:
+ description: Link to the authorization server metadata
+ type: array
+ items:
+ $ref: '#/components/schemas/HrefObject'
+ policies:
+ allOf:
+ - description: Link to the authorization server policies
+ - $ref: '#/components/schemas/HrefObject'
+ rotateKey:
+ allOf:
+ - description: Link to the authorization server key rotation
+ - $ref: '#/components/schemas/HrefObject'
+ scopes:
+ allOf:
+ - description: Link to the authorization server scopes
+ - $ref: '#/components/schemas/HrefObject'
+ AuthenticationMethod:
+ type: object
+ properties:
+ hardwareProtection:
+ type: string
+ description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints.
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ id:
+ type: string
+ description: An ID that identifies the authenticator
+ key:
+ type: string
+ description: A label that identifies the authenticator
+ method:
+ type: string
+ description: Specifies the method used for the authenticator
+ phishingResistant:
+ type: string
+ description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ userVerification:
+ type: string
+ description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ default: OPTIONAL
+ required:
+ - key
+ - method
+ AuthenticationMethodChain:
+ type: object
+ properties:
+ authenticationMethods:
+ items:
+ $ref: '#/components/schemas/AuthenticationMethod'
+ type: array
+ next:
+ type: array
+ description: The next steps of the authentication method chain. This is an array of `AuthenticationMethodChain`. Only supports one item in the array.
+ items:
+ type: object
+ reauthenticateIn:
+ type: string
+ description: |-
+ Specifies how often the user should be prompted for authentication using duration format for the time period.
+ For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`.
+ AuthenticationMethodChainMethod:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: true
+ allOf:
+ - $ref: '#/components/schemas/VerificationMethod'
+ - type: object
+ properties:
+ chains:
+ items:
+ $ref: '#/components/schemas/AuthenticationMethodChain'
+ type: array
+ description: Authentication method chains. Only supports 5 items in the array. Each chain can support maximum 3 steps.
+ reauthenticateIn:
+ description: |-
+ Specifies how often the user should be prompted for authentication using duration format for the time period.
+ For example, `PT2H30M` for two and a half hours. Don't set this parameter if you're setting the `reauthenticateIn` parameter in `chains`.
+ type: string
+ AuthenticationMethodObject:
+ type: object
+ properties:
+ key:
+ type: string
+ description: A label that identifies the authenticator
+ method:
+ type: string
+ description: Specifies the method used for the authenticator
+ required:
+ - key
AuthenticationProvider:
+ description: Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the **Delegated Authentication** settings for your org. The provider object is **read-only**.
type: object
properties:
name:
type: string
+ description: The name of the authentication provider
+ readOnly: true
+ example: OKTA
type:
$ref: '#/components/schemas/AuthenticationProviderType'
+ readOnly: true
AuthenticationProviderType:
+ description: The type of authentication provider
type: string
enum:
- ACTIVE_DIRECTORY
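Review bot: `AuthenticationMethodChain.next` declares its items as a bare `type: object` while the description says the array holds `AuthenticationMethodChain`; OpenAPI 3.0 supports the recursive `$ref: '#/components/schemas/AuthenticationMethodChain'`, and without it generated clients will accept arbitrary objects inside a policy that decides when users must re-authenticate. The size limits are also prose-only ("Only supports one item", "Only supports 5 items", "maximum 3 steps"); `maxItems: 1` on `next` and `maxItems: 5` on `chains` would make at least the first two enforceable. The `reauthenticateIn` descriptions on both schemas say they are mutually exclusive with the `verificationMethod` value, which a schema cannot express, so that caveat is fine left in prose.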
@@ -23346,40 +49080,390 @@ components:
- LDAP
- OKTA
- SOCIAL
- Authenticator:
+ x-enumDescriptions:
+ ACTIVE_DIRECTORY: Specifies the directory instance name as the `name` property
+ FEDERATION: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider
+ IMPORT: Specifies a hashed password that was imported from an external source
+ LDAP: Specifies the directory instance name as the `name` property
+ OKTA: Specifies the Okta Identity Provider
+ SOCIAL: Doesn't support a `password` or `recovery question` credential and must authenticate through a trusted Identity Provider
+ readOnly: true
+ AuthenticatorBase:
type: object
properties:
created:
+ description: Timestamp when the Authenticator was created
format: date-time
readOnly: true
type: string
id:
+ description: A unique identifier for the Authenticator
readOnly: true
type: string
key:
- type: string
+ $ref: '#/components/schemas/AuthenticatorKeyEnum'
lastUpdated:
+ description: Timestamp when the Authenticator was last modified
format: date-time
readOnly: true
type: string
name:
+ description: Display name of the Authenticator
type: string
- provider:
- $ref: '#/components/schemas/AuthenticatorProvider'
- settings:
- $ref: '#/components/schemas/AuthenticatorSettings'
status:
+ description: Status of the Authenticator
$ref: '#/components/schemas/LifecycleStatus'
type:
$ref: '#/components/schemas/AuthenticatorType'
_links:
+ description: Link relations for this object
$ref: '#/components/schemas/AuthenticatorLinks'
+ discriminator:
+ propertyName: key
+ mapping:
+ custom_app: '#/components/schemas/AuthenticatorKeyCustomApp'
+ duo: '#/components/schemas/AuthenticatorKeyDuo'
+ okta_email: '#/components/schemas/AuthenticatorKeyEmail'
+ google_otp: '#/components/schemas/AuthenticatorKeyGoogleOtp'
+ external_idp: '#/components/schemas/AuthenticatorKeyExternalIdp'
+ okta_password: '#/components/schemas/AuthenticatorKeyPassword'
+ okta_verify: '#/components/schemas/AuthenticatorKeyOktaVerify'
+ onprem_mfa: '#/components/schemas/AuthenticatorKeyOnprem'
+ phone_number: '#/components/schemas/AuthenticatorKeyPhone'
+ security_key: '#/components/schemas/AuthenticatorKeySecurityKey'
+ security_question: '#/components/schemas/AuthenticatorKeySecurityQuestion'
+ symantec_vip: '#/components/schemas/AuthenticatorKeySymantecVip'
+ smart_card_idp: '#/components/schemas/AuthenticatorKeySmartCard'
+ webauthn: '#/components/schemas/AuthenticatorKeyWebauthn'
+ yubikey_token: '#/components/schemas/AuthenticatorKeyYubikey'
+ AuthenticatorEnrollmentPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyConditions'
+ settings:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettings'
+ AuthenticatorEnrollmentPolicyAuthenticatorSettings:
+ type: object
+ properties:
+ constraints:
+ description: Constraints for the authenticator
+ nullable: true
+ minimum: 0
+ type: object
+ properties:
+ aaguidGroups:
+ type: array
+ description: The list of FIDO2 WebAuthn authenticator groups allowed for enrollment
+ items:
+ type: string
+ uniqueItems: true
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ enroll:
+ type: object
+ description: Enrollment requirements for the authenticator
+ properties:
+ self:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorStatus'
+ key:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorType'
+ AuthenticatorEnrollmentPolicyAuthenticatorStatus:
+ description: Requirements for the user-initiated enrollment
+ default: NOT_ALLOWED
+ type: string
+ enum:
+ - NOT_ALLOWED
+ - OPTIONAL
+ - REQUIRED
+ AuthenticatorEnrollmentPolicyAuthenticatorType:
+ description: A label that identifies the authenticator
+ type: string
+ enum:
+ - custom_app
+ - custom_otp
+ - duo
+ - external_idp
+ - google_otp
+ - okta_email
+ - okta_password
+ - okta_verify
+ - onprem_mfa
+ - phone_number
+ - rsa_token
+ - security_question
+ - symantec_vip
+ - webauthn
+ - yubikey_token
+ AuthenticatorEnrollmentPolicyConditions:
+ allOf:
+ - type: object
+ properties:
+ people:
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ groups:
+ type: object
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ AuthenticatorEnrollmentPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActions'
+ conditions:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleConditions'
+ AuthenticatorEnrollmentPolicyRuleActionEnroll:
+ description: Specifies whether the User is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER`
+ type: object
+ properties:
+ self:
+ type: string
+ enum:
+ - CHALLENGE
+ - LOGIN
+ - NEVER
+ AuthenticatorEnrollmentPolicyRuleActions:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRuleActions'
+ - type: object
+ properties:
+ enroll:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActionEnroll'
+ AuthenticatorEnrollmentPolicyRuleConditions:
+ type: object
+ properties:
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ people:
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ users:
+ type: object
+ description: Specifies a set of Users to be included or excluded
+ properties:
+ exclude:
+ type: array
+ description: Users to be excluded
+ items:
+ type: string
+ AuthenticatorEnrollmentPolicySettings:
+ description: '**Note:** In Identity Engine, the Multifactor (MFA) Enrollment Policy name has changed to authenticator enrollment policy. The policy type of `MFA_ENROLL` remains unchanged. However, the `settings` data is updated for authenticators. Policy `settings` are included only for those authenticators that are enabled.'
+ type: object
+ properties:
+ authenticators:
+ description: |
+ List of authenticator policy settings
+
+ For orgs with the Authenticator enrollment policy feature enabled, the new default authenticator enrollment policy created by Okta contains the `authenticators` property in the policy settings. Existing default authenticator enrollment policies from a migrated Classic Engine org remain unchanged. The policies still use the `factors` property in their settings. The `authenticators` parameter allows you to configure all available authenticators, including authentication and recovery. The `factors` parameter only allows you to configure multifactor authentication.
+ items:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorSettings'
+ type: array
+ type:
+ $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettingsType'
+ AuthenticatorEnrollmentPolicySettingsType:
+ description: |
+ Type of policy configuration object
+
+ The `type` property in the policy `settings` is only applicable to the authenticator enrollment policy available in Identity Engine.
+ default: FACTORS
+ type: string
+ enum:
+ - AUTHENTICATORS
+ - FACTORS
AuthenticatorIdentity:
description: Represents a particular authenticator serving as a constraint on a method
type: object
properties:
key:
type: string
+ AuthenticatorKeyCustomApp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ agreeToTerms:
+ type: boolean
+ description: A value of `true` indicates that the administrator accepts the [terms](https://www.okta.com/privacy-policy/)for creating a new authenticator. Okta requires that you accept the terms when creating a new `custom_app` authenticator. Other authenticators don't require this field.
+ provider:
+ type: object
+ properties:
+ type:
+ type: string
+ description: Provider type
+ enum:
+ - PUSH
+ configuration:
+ type: object
+ description: The configuration of the provider
+ properties:
+ apns:
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ appBundleId:
+ type: string
+ description: AppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ debugAppBundleId:
+ type: string
+ description: DebugAppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ fcm:
+ type: object
+ properties:
+ id:
+ type: string
+ description: ID of the FCM (Firebase Cloud Messaging Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/)
+ settings:
+ type: object
+ properties:
+ userVerification:
+ $ref: '#/components/schemas/CustomAppUserVerificationEnum'
+ appInstanceId:
+ type: string
+ description: The application instance ID. For custom_app, you need to create an OIDC native app using the [Apps API](https://developer.okta.com/docs/reference/api/apps/) with `Authorization Code` and `Refresh Token` grant types. You can leave both `Sign-in redirect URIs` and `Sign-out redirect URIs` as the default values.
+ AuthenticatorKeyDuo:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ provider:
+ type: object
+ properties:
+ type:
+ type: string
+ description: Provider type
+ enum:
+ - DUO
+ configuration:
+ type: object
+ properties:
+ host:
+ type: string
+ description: The Duo Security API hostname
+ integrationKey:
+ type: string
+ description: The Duo Security integration key
+ secretKey:
+ type: string
+ description: The Duo Security secret key
+ userNameTemplate:
+ type: object
+ properties:
+ template:
+ type: string
+ description: The Duo Security user template name
+ AuthenticatorKeyEmail:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ allowedFor:
+ $ref: '#/components/schemas/AllowedForEnum'
+ tokenLifetimeInMinutes:
+ description: Specifies the lifetime of an email token. Default value is 5 minutes.
+ type: number
+ default: 5
+ AuthenticatorKeyEnum:
+ description: A human-readable string that identifies the Authenticator
+ type: string
+ enum:
+ - custom_app
+ - duo
+ - external_idp
+ - google_otp
+ - okta_email
+ - okta_password
+ - okta_verify
+ - onprem_mfa
+ - phone_number
+ - security_key
+ - security_question
+ - smart_card_idp
+ - symantec_vip
+ - webauthn
+ - yubikey_token
+ AuthenticatorKeyExternalIdp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyGoogleOtp:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyOktaVerify:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ channelBinding:
+ $ref: '#/components/schemas/ChannelBinding'
+ compliance:
+ $ref: '#/components/schemas/Compliance'
+ userVerification:
+ $ref: '#/components/schemas/UserVerificationEnum'
+ appInstanceId:
+ type: string
+ description: The application instance ID
+ AuthenticatorKeyOnprem:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyPassword:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyPhone:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ allowedFor:
+ $ref: '#/components/schemas/AllowedForEnum'
+ AuthenticatorKeySecurityKey:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeySecurityQuestion:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ - type: object
+ properties:
+ settings:
+ type: object
+ properties:
+ allowedFor:
+ $ref: '#/components/schemas/AllowedForEnum'
+ AuthenticatorKeySmartCard:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeySymantecVip:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyWebauthn:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
+ AuthenticatorKeyYubikey:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorSimple'
AuthenticatorLinks:
allOf:
- $ref: '#/components/schemas/LinksSelfAndLifecycle'
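Review bot: `AuthenticatorKeyDuo.provider.configuration.secretKey` is a Duo API secret modeled as a plain string with no `writeOnly: true`, so rendered docs and generated clients will expect it to come back on reads; mark it `writeOnly: true` (and `format: password`) to document that the value is accepted on create/update but not echoed, and confirm against the live responses that Okta does redact it. Separately, `constraints` under `AuthenticatorEnrollmentPolicyAuthenticatorSettings` carries `minimum: 0` on a `type: object`, which has no meaning for objects and should be dropped, and the `aaguidGroups` lifecycle block says `lifecycle: GA` alongside `isGenerallyAvailable: false`, which contradict each other. Note too that `AuthenticatorEnrollmentPolicyAuthenticatorType` lists `custom_otp` and `rsa_token` while `AuthenticatorKeyEnum` and the discriminator mapping do not, so one of the two enums is incomplete.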
@@ -23390,7 +49474,6 @@ components:
allOf:
- $ref: '#/components/schemas/HrefObject'
AuthenticatorMethodAlgorithm:
- description: The encryption algorithm for this authenticator method
type: string
enum:
- ES256
@@ -23399,6 +49482,7 @@ components:
type: object
properties:
status:
+ description: The status of the authenticator method
$ref: '#/components/schemas/LifecycleStatus'
type:
$ref: '#/components/schemas/AuthenticatorMethodType'
@@ -23421,17 +49505,16 @@ components:
duo: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties'
cert: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties'
AuthenticatorMethodConstraint:
- description: |-
- Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : 'google_otp') is the only allowed authenticator.
+ description: 'Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : ''google_otp'') is the only allowed authenticator.'
type: object
properties:
- method:
- enum:
- - otp
allowedAuthenticators:
type: array
items:
$ref: '#/components/schemas/AuthenticatorIdentity'
+ method:
+ enum:
+ - otp
AuthenticatorMethodOtp:
allOf:
- $ref: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties'
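Review bot: `AuthenticatorMethodConstraint.method` is moved below `allowedAuthenticators` but still has an `enum` with no `type: string`, so strict validators and some generators treat it as untyped. Add `type: string` above the enum so it matches how every other enum property in this file is declared.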
@@ -23439,6 +49522,7 @@ components:
properties:
acceptableAdjacentIntervals:
type: integer
+ description: The number of acceptable adjacent intervals, also known as the clock drift interval. This setting allows you to build in tolerance for any time difference between the token and the server. For example, with a `timeIntervalInSeconds` of 60 seconds and an `acceptableAdjacentIntervals` value of 5, Okta accepts passcodes within 300 seconds (60 * 5) before or after the end user enters their code.
minimum: 0
maximum: 10
algorithm:
@@ -23447,15 +49531,14 @@ components:
$ref: '#/components/schemas/OtpTotpEncoding'
factorProfileId:
type: string
+ description: The `id` value of the factor profile
+ example: aut1nd8PQhGcQtSxB0g4
passCodeLength:
- type: integer
- minimum: 6
- maximum: 10
- multipleOf: 2
+ $ref: '#/components/schemas/OtpTotpPassCodeLength'
protocol:
$ref: '#/components/schemas/OtpProtocol'
timeIntervalInSeconds:
- type: integer
+ $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds'
AuthenticatorMethodProperty:
type: string
enum:
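Review bot: `passCodeLength` drops its inline `minimum: 6`, `maximum: 10`, `multipleOf: 2` in favour of a `$ref` to `OtpTotpPassCodeLength`, which is outside this hunk; those bounds matter because a shorter OTP directly shrinks the guessing space, so confirm the referenced schema carries the same constraints rather than a bare `type: integer`. The same check applies to `timeIntervalInSeconds`, which now depends on `OtpTotpTimeIntervalInSeconds` for any bounds it has. The enclosing `AuthenticatorMethodOtp` schema starts before this hunk.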
@@ -23510,19 +49593,20 @@ components:
type: object
properties:
timeIntervalInSeconds:
- type: integer
+ $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds'
encoding:
- type: string
+ $ref: '#/components/schemas/OtpTotpEncoding'
algorithm:
- type: string
+ $ref: '#/components/schemas/OtpTotpAlgorithm'
passCodeLength:
- type: integer
+ $ref: '#/components/schemas/OtpTotpPassCodeLength'
AuthenticatorMethodTransactionType:
type: string
enum:
- CIBA
- LOGIN
AuthenticatorMethodType:
+ description: The type of authenticator method
type: string
enum:
- cert
@@ -23546,6 +49630,11 @@ components:
settings:
type: object
properties:
+ aaguidGroups:
+ description: The FIDO2 AAGUID groups available to the WebAuthn authenticator
+ type: array
+ items:
+ $ref: '#/components/schemas/AAGUIDGroupObject'
userVerification:
$ref: '#/components/schemas/UserVerificationEnum'
attachment:
@@ -23559,44 +49648,11 @@ components:
type: array
items:
$ref: '#/components/schemas/AuthenticatorMethodProperty'
- AuthenticatorProvider:
- properties:
- configuration:
- $ref: '#/components/schemas/AuthenticatorProviderConfiguration'
- type:
- type: string
- AuthenticatorProviderConfiguration:
- properties:
- authPort:
- type: integer
- hostName:
- type: string
- instanceId:
- type: string
- sharedSecret:
- type: string
- userNameTemplate:
- $ref: '#/components/schemas/AuthenticatorProviderConfigurationUserNameTemplate'
- AuthenticatorProviderConfigurationUserNameTemplate:
- properties:
- template:
- type: string
- AuthenticatorSettings:
- type: object
- properties:
- allowedFor:
- $ref: '#/components/schemas/AllowedForEnum'
- appInstanceId:
- type: string
- channelBinding:
- $ref: '#/components/schemas/ChannelBinding'
- compliance:
- $ref: '#/components/schemas/Compliance'
- tokenLifetimeInMinutes:
- type: integer
- userVerification:
- $ref: '#/components/schemas/UserVerificationEnum'
+ AuthenticatorSimple:
+ allOf:
+ - $ref: '#/components/schemas/AuthenticatorBase'
AuthenticatorType:
+ description: The type of Authenticator
type: string
enum:
- app
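Review bot: `AuthenticatorSimple` is only `allOf` of `AuthenticatorBase`, and nothing in this hunk re-homes the fields removed with `AuthenticatorProviderConfiguration` (`hostName`, `authPort`, `sharedSecret`, `instanceId`, `userNameTemplate`); the on-prem key schema elsewhere in this diff is `AuthenticatorSimple` alone, so the on-prem provider settings are no longer expressible. If the on-prem MFA provider still accepts them, add a `provider` object on that variant mirroring the Duo one, with `sharedSecret` marked `writeOnly: true` so the RADIUS secret is never documented as returned.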
@@ -23611,6 +49667,7 @@ components:
properties:
audiences:
type: array
+ description: The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience.
items:
type: string
created:
@@ -23621,29 +49678,46 @@ components:
$ref: '#/components/schemas/AuthorizationServerCredentials'
description:
type: string
+ description: The description of the custom authorization server
id:
type: string
+ description: The ID of the custom authorization server
readOnly: true
issuer:
type: string
+ description: The complete URL for the custom authorization server. This becomes the `iss` claim in an access token.
issuerMode:
- $ref: '#/components/schemas/IssuerMode'
+ type: string
+ description: |-
+ Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL.
+
+ `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses.
+
+ When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`.
+
+ When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface.
+
+ When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain.
+
+ After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled.
lastUpdated:
type: string
format: date-time
readOnly: true
name:
type: string
+ description: The name of the custom authorization server
status:
$ref: '#/components/schemas/LifecycleStatus'
_links:
- $ref: '#/components/schemas/LinksSelf'
+ $ref: '#/components/schemas/AuthServerLinks'
AuthorizationServerCredentials:
type: object
properties:
signing:
$ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig'
AuthorizationServerCredentialsRotationMode:
+ description: The Key rotation mode for the authorization server
type: string
enum:
- AUTO
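Review bot: `issuerMode` becomes an inline `type: string` with no `enum`, although its description names exactly three values (`ORG_URL`, `CUSTOM_URL`, `DYNAMIC`) and the replaced `$ref: IssuerMode` presumably carried them; since this field selects the `iss` value every resource server validates, add `enum: [ORG_URL, CUSTOM_URL, DYNAMIC]` so generated clients reject anything else. The enclosing `AuthorizationServer` schema starts before this hunk.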
@@ -23653,12 +49727,16 @@ components:
properties:
kid:
type: string
+ description: The ID of the JSON Web Key used for signing tokens issued by the authorization server
+ readOnly: true
lastRotated:
type: string
+ description: The timestamp when the authorization server started using the `kid` for signing tokens
format: date-time
readOnly: true
nextRotation:
type: string
+ description: The timestamp when the authorization server changes the Key for signing tokens. This is only returned when `rotationMode` is set to `AUTO`.
format: date-time
readOnly: true
rotationMode:
@@ -23666,25 +49744,151 @@ components:
use:
$ref: '#/components/schemas/AuthorizationServerCredentialsUse'
AuthorizationServerCredentialsUse:
+ description: How the key is used
type: string
enum:
- sig
+ AuthorizationServerJsonWebKey:
+ type: object
+ properties:
+ alg:
+ description: 'The algorithm used with the Key. Valid value: `RS256`'
+ type: string
+ e:
+ description: RSA key value (public exponent) for Key binding
+ type: string
+ readOnly: true
+ kid:
+ description: Unique identifier for the key
+ type: string
+ readOnly: true
+ kty:
+ description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`'
+ type: string
+ readOnly: true
+ 'n':
+ description: RSA modulus value that is used by both the public and private keys and provides a link between them
+ type: string
+ status:
+ description: |-
+ An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`
+ A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated.
+ An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted.
+ type: string
+ use:
+ description: 'Acceptable use of the key. Valid value: `sig`'
+ type: string
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
AuthorizationServerPolicy:
allOf:
- - $ref: '#/components/schemas/Policy'
- type: object
properties:
+ id:
+ type: string
+ description: ID of the Policy
+ type:
+ type: string
+ description: Indicates that the Policy is an authorization server Policy
+ enum:
+ - OAUTH_AUTHORIZATION_POLICY
+ name:
+ type: string
+ description: Name of the Policy
conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
+ $ref: '#/components/schemas/AuthorizationServerPolicyConditions'
+ description:
+ type: string
+ description: Description of the Policy
+ priority:
+ type: integer
+ description: Specifies the order in which this Policy is evaluated in relation to the other Policies in a custom authorization server
+ status:
+ type: string
+ description: Specifies whether requests have access to this Policy
+ enum:
+ - ACTIVE
+ - INACTIVE
+ system:
+ type: boolean
+ description: Specifies whether Okta created this Policy
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Policy was created
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the Policy was last updated
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ - type: object
+ properties:
+ rules:
+ allOf:
+ - description: Link to the authorization server policy's rules
+ - $ref: '#/components/schemas/HrefObject'
+ AuthorizationServerPolicyConditions:
+ type: object
+ properties:
+ clients:
+ $ref: '#/components/schemas/ClientPolicyCondition'
+ AuthorizationServerPolicyPeopleCondition:
+ description: Identifies Users and Groups that are used together
+ type: object
+ properties:
+ groups:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleGroupCondition'
+ users:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleUserCondition'
AuthorizationServerPolicyRule:
- allOf:
- - $ref: '#/components/schemas/PolicyRule'
- - type: object
- properties:
- actions:
- $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions'
- conditions:
- $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions'
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions'
+ conditions:
+ $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the rule was created
+ id:
+ type: string
+ description: Identifier of the rule
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Timestamp when the rule was last modified
+ name:
+ type: string
+ description: Name of the rule
+ priority:
+ type: integer
+ description: Priority of the rule
+ status:
+ type: string
+ description: Status of the rule
+ enum:
+ - ACTIVE
+ - INACTIVE
+ system:
+ type: boolean
+ description: Set to `true` for system rules. You can't delete system rules.
+ type:
+ type: string
+ description: Rule type
+ enum:
+ - RESOURCE_ACCESS
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
AuthorizationServerPolicyRuleActions:
allOf:
- $ref: '#/components/schemas/PolicyRuleActions'
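Review bot: In `AuthorizationServerJsonWebKey` the public exponent `e`, `kid`, `kty` and `use` are `readOnly` but the modulus `n` and `alg` are not, so the schema implies a caller may submit a modulus without its exponent; either add `readOnly: true` to `n` to match `e`, or drop it from `e` if the key material is meant to be client-supplied. `alg` and `kty` name a single valid value only in prose (`RS256`, `RSA`) and `status` lists three values, yet none carries an `enum`; `enum: [RS256]`, `enum: [RSA]` and `enum: [ACTIVE, NEXT, EXPIRED]` would let validators reject anything else. Separately, `AuthorizationServerPolicyRule.system` is documented as set by Okta for system rules but is writable, unlike the sibling `id`; `readOnly: true` there would match.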
@@ -23693,18 +49897,58 @@ components:
token:
$ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction'
AuthorizationServerPolicyRuleConditions:
+ type: object
+ properties:
+ grantTypes:
+ $ref: '#/components/schemas/GrantTypePolicyRuleCondition'
+ people:
+ $ref: '#/components/schemas/AuthorizationServerPolicyPeopleCondition'
+ scopes:
+ $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition'
+ AuthorizationServerPolicyRuleGroupCondition:
+ description: Specifies a set of Groups whose Users are to be included
+ type: object
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
+ AuthorizationServerPolicyRuleRequest:
allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
+ - $ref: '#/components/schemas/AuthorizationServerPolicyRule'
- type: object
- properties:
- clients:
- $ref: '#/components/schemas/ClientPolicyCondition'
- grantTypes:
- $ref: '#/components/schemas/GrantTypePolicyRuleCondition'
- people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
- scopes:
- $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition'
+ required:
+ - name
+ - conditions
+ - type
+ AuthorizationServerPolicyRuleUserCondition:
+ description: Specifies a set of Users to be included
+ type: object
+ properties:
+ include:
+ description: Users to be included
+ type: array
+ items:
+ type: string
+ AuthorizationServerResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7
+ title:
+ type: string
+ description: Link name
+ example: Example Authorization Server
+ AutoAssignAdminAppSetting:
+ description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned
+ type: object
+ properties:
+ autoAssignAdminAppSetting:
+ type: boolean
+ description: Automatically assigns the Okta Admin Console to the user when an admin role is assigned
AutoLoginApplication:
allOf:
- $ref: '#/components/schemas/Application'
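Review bot: `AuthorizationServerPolicyRuleRequest` requires `name`, `conditions` and `type` but not `actions`, so a validator accepts a rule with no token action; if the API rejects such a request, add `- actions` to the `required` list. The request also inherits the writable `system` flag from `AuthorizationServerPolicyRule`, which is presumably ignored or rejected on create — confirm and, if so, note it in the description so clients do not try to set it.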
@@ -23714,6 +49958,8 @@ components:
$ref: '#/components/schemas/SchemeApplicationCredentials'
name:
type: string
+ description: A unique key is generated for the custom SWA app instance when you use AUTO_LOGIN `signOnMode`.
+ readOnly: true
settings:
$ref: '#/components/schemas/AutoLoginApplicationSettings'
AutoLoginApplicationSettings:
@@ -23728,8 +49974,12 @@ components:
properties:
loginUrl:
type: string
+ description: Primary URL of the sign-in page for this app
redirectUrl:
type: string
+ description: Secondary URL of the sign-in page for this app
+ required:
+ - loginUrl
AutoUpdateSchedule:
description: The schedule of auto-update configured by admin.
type: object
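Review bot: `loginUrl` and `redirectUrl` are the sign-in pages the SWA credentials are sent to, yet both are plain `type: string` with no `format: uri`, so a validator accepts a relative path or a `javascript:` value. Adding `format: uri` to each, and stating in the description whether `https` is required, would document the constraint the service presumably enforces — confirm against the implementation before tightening.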
@@ -23782,6 +50032,110 @@ components:
- us-east-2
- us-west-1
- us-west-2
+ BaseContext:
+ description: This object contains a number of sub-objects, each of which provide some type of contextual information.
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ session:
+ description: Details of the user session
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the user's session
+ type: string
+ example: 102LN9Bnuc4S_ewfc9BYwageA
+ userId:
+ description: The unique identifier for the user
+ type: string
+ example: 00uq8tMo3zV0OfJON0g3
+ login:
+ description: The username used to identify the user. This is often the user's email address.
+ type: string
+ example: user@example.com
+ createdAt:
+ description: Timestamp of when the session was created
+ type: string
+ format: date-time
+ example: '2019-03-28T16:45:55.000Z'
+ expiresAt:
+ description: Timestamp of when the session expires
+ type: string
+ format: date-time
+ example: '2019-03-28T21:15:23.000Z'
+ status:
+ description: Represents the current status of the user's session
+ type: string
+ example: ACTIVE
+ lastPasswordVerification:
+ description: Timestamp of when the user was last authenticated
+ type: string
+ format: date-time
+ example: '2019-03-28T16:45:55.000Z'
+ amr:
+ description: The authentication method reference
+ type: array
+ items:
+ type: string
+ example:
+ - PASSWORD
+ idp:
+ $ref: '#/components/schemas/SessionIdentityProvider'
+ mfaActive:
+ description: Describes whether multifactor authentication was enabled
+ type: boolean
+ example: false
+ user:
+ description: Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the user
+ type: string
+ example: 00uq8tMo3zV0OfJON0g3
+ passwordChanged:
+ description: The timestamp when the user's password was last updated
+ type: string
+ format: date-time
+ example: '2018-09-11T23:19:12.000Z'
+ profile:
+ type: object
+ properties:
+ login:
+ description: The username used to identify the user. This is often the user's email address.
+ type: string
+ example: user@example.com
+ firstName:
+ description: The first name of the user
+ type: string
+ example: John
+ lastName:
+ description: The last name of the user
+ type: string
+ example: Smith
+ locale:
+ description: |-
+ The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on.
+ A locale value is a concatenation of the [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes) two-letter language code, an underscore, and the [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) two-letter country code. For example, `en_US` specifies the language English and country US. This value is `en_US` by default.
+ type: string
+ example: en_US
+ timeZone:
+ description: The user's timezone
+ type: string
+ example: America/Los_Angeles
+ _links:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled.
+ type: object
+ properties:
+ groups:
+ description: URL to retrieve the individual user's group memberships
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ factors:
+ description: URL to retrieve individual user's factor enrollments
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
BaseEmailDomain:
type: object
properties:
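Review bot: In `BaseContext.session`, `mfaActive` is described as "whether multifactor authentication was enabled", which reads as an org or user setting rather than whether a factor was verified in this session; if it is the latter, `Whether a multifactor authenticator was verified for this session` is less ambiguous, since inline-hook code makes access decisions on this flag. `status` carries only the example `ACTIVE` and `amr` only an example list, with no `enum`; if the value sets are fixed, listing them (or linking to where they are defined) lets hook authors match exhaustively. `lastPasswordVerification` is described as "when the user was last authenticated" while its name suggests password verification specifically — confirm which it is and align the description.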
@@ -23797,19 +50151,36 @@ components:
properties:
alias:
type: string
- description: A name to identify this configuration
+ description: Human-readable name for your SMTP server
+ example: CustomServer1
enabled:
type: boolean
- description: True if and only if all email traffic should be routed through this SMTP Server
+ description: If `true`, routes all email traffic through your SMTP server
host:
type: string
- description: The address of the SMTP Server
+ description: Hostname or IP address of your SMTP server
+ example: 192.168.160.1
port:
type: integer
- description: The port number of the SMTP Server
+ description: Port number of your SMTP server
+ example: 587
username:
type: string
- description: The username to use with your SMTP Server
+ description: Username used to access your SMTP server
+ example: aUser
+ BaseToken:
+ type: object
+ properties:
+ claims:
+ description: Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#claims).
+ type: object
+ lifetime:
+ description: Lifetime of the token
+ type: object
+ properties:
+ expiration:
+ description: Time in seconds until the token expires
+ type: integer
BasicApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
@@ -23822,8 +50193,13 @@ components:
properties:
authURL:
type: string
+ description: The URL of the authenticating site for this app
url:
type: string
+ description: The URL of the sign-in page for this app
+ required:
+ - authURL
+ - url
BasicAuthApplication:
x-okta-defined-as:
name: template_basic_auth
@@ -23835,9 +50211,14 @@ components:
$ref: '#/components/schemas/SchemeApplicationCredentials'
name:
type: string
- default: template_basic_auth
+ description: '`template_basic_auth` is the key name for a Basic Authentication scheme app instance'
+ enum:
+ - template_basic_auth
settings:
$ref: '#/components/schemas/BasicApplicationSettings'
+ required:
+ - name
+ - settings
BeforeScheduledActionPolicyRuleCondition:
type: object
properties:
@@ -23970,6 +50351,13 @@ components:
properties:
settings:
$ref: '#/components/schemas/BehaviorRuleSettingsVelocity'
+ BindingMethod:
+ description: The method used to bind the out-of-band channel with the primary channel.
+ type: string
+ enum:
+ - none
+ - prompt
+ - transfer
BookmarkApplication:
x-okta-defined-as:
name: bookmark
@@ -23981,9 +50369,14 @@ components:
$ref: '#/components/schemas/ApplicationCredentials'
name:
type: string
- default: bookmark
+ description: '`bookmark` is the key name for a Bookmark app'
+ enum:
+ - bookmark
settings:
$ref: '#/components/schemas/BookmarkApplicationSettings'
+ required:
+ - name
+ - settings
BookmarkApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
@@ -23996,27 +50389,37 @@ components:
properties:
requestIntegration:
type: boolean
+ description: Would you like Okta to add an integration for this app?
+ default: false
url:
type: string
+ description: The URL of the launch page for this app
+ required:
+ - url
BouncesRemoveListError:
type: object
properties:
emailAddress:
type: string
+ description: An email address with a validation error
reason:
type: string
+ description: Validation error reason
BouncesRemoveListObj:
type: object
properties:
emailAddresses:
type: array
+ description: A list of email addresses to remove from the email-service bounce list
items:
type: string
+ description: Email address
BouncesRemoveListResult:
type: object
properties:
errors:
type: array
+ description: A list of emails that wasn't added to the email-bounced remove list and the error reason
items:
$ref: '#/components/schemas/BouncesRemoveListError'
Brand:
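Review bot: `requestIntegration` is described as a question to the reader (`Would you like Okta to add an integration for this app?`), which is UI copy rather than a schema description; `If true, Okta is asked to add an integration for this app` states what the flag does. `BouncesRemoveListObj.emailAddresses` is a bulk list with no `maxItems`; if the service caps the batch size, declaring it here keeps clients from building requests the API will reject.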
@@ -24024,24 +50427,33 @@ components:
properties:
agreeToCustomPrivacyPolicy:
type: boolean
+ description: Consent for updating the custom privacy URL. Not required when resetting the URL.
customPrivacyPolicyUrl:
type: string
+ description: Custom privacy policy URL
+ default: null
defaultApp:
$ref: '#/components/schemas/DefaultApp'
emailDomainId:
type: string
+ description: The ID of the email domain
id:
readOnly: true
type: string
+ description: The Brand ID
isDefault:
readOnly: true
type: boolean
+ description: If `true`, the Brand is used for the Okta subdomain
locale:
$ref: '#/components/schemas/Language'
name:
type: string
+ description: The name of the Brand
removePoweredByOkta:
type: boolean
+ default: false
+ description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard
BrandDomains:
title: BrandDomains
items:
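Review bot: `Brand.customPrivacyPolicyUrl` declares `default: null` on a `type: string` property that is not `nullable: true`; in OpenAPI 3.0.3 a default must conform to the schema, so this needs either `nullable: true` or the `default` removed. The property also lacks `format: uri`, which matters here more than elsewhere because the value is presumably rendered as a link to end users — confirm and add the format if the API validates it.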
@@ -24052,18 +50464,26 @@ components:
properties:
agreeToCustomPrivacyPolicy:
type: boolean
+ description: Consent for updating the custom privacy URL. Not required when resetting the URL.
customPrivacyPolicyUrl:
type: string
+ description: Custom privacy policy URL
defaultApp:
$ref: '#/components/schemas/DefaultApp'
emailDomainId:
type: string
+ description: The ID of the email domain
locale:
$ref: '#/components/schemas/Language'
name:
type: string
+ description: The name of the Brand
removePoweredByOkta:
type: boolean
+ default: false
+ description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard
+ required:
+ - name
BrandWithEmbedded:
allOf:
- $ref: '#/components/schemas/Brand'
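Review bot: `BrandRequest.agreeToCustomPrivacyPolicy` says consent is "Not required when resetting the URL" but nothing says what a reset is — `customPrivacyPolicyUrl` set to `null`, an empty string, or omitted — and the property is not `nullable`, so a client cannot tell which request shape is valid. One sentence such as `Set customPrivacyPolicyUrl to null to reset it` (plus `nullable: true` if that is the mechanism) would remove the guesswork; confirm which form the API accepts.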
@@ -24098,8 +50518,18 @@ components:
$ref: '#/components/schemas/SchemeApplicationCredentials'
name:
type: string
+ description: The key name for the app definition
+ enum:
+ - template_swa
+ - template_swa3field
+ x-enumDescriptions:
+ template_swa: The key name for a SWA app instance that requires a browser plugin
+ template_swa3field: The key name for a SWA app instance that requires a browser plugin and supports three CSS selectors
settings:
$ref: '#/components/schemas/SwaApplicationSettings'
+ required:
+ - name
+ - settings
BulkDeleteRequestBody:
type: object
properties:
@@ -24121,7 +50551,61 @@ components:
profiles:
type: array
items:
- $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert'
+ type: object
+ properties:
+ externalId:
+ type: string
+ description: The external ID of the entity that needs to be created or updated in Okta
+ maxLength: 512
+ profile:
+ $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert'
+ BundleEntitlement:
+ type: object
+ properties:
+ description:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ role:
+ type: string
+ _links:
+ allOf:
+ - properties:
+ values:
+ $ref: '#/components/schemas/HrefObject'
+ BundleEntitlementsResponse:
+ type: object
+ properties:
+ entitlements:
+ type: array
+ items:
+ $ref: '#/components/schemas/BundleEntitlement'
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ next:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the next resource
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ bundle:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the bundle resource
+ ByDateTimeExpiry:
+ allOf:
+ - $ref: '#/components/schemas/DateTime'
+ ByDurationExpiry:
+ allOf:
+ - $ref: '#/components/schemas/TimeDuration'
+ description: |-
+ A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
+ Must be between 1 and 180 days inclusive.
CAPTCHAInstance:
title: CAPTCHAInstance
description: ''
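Review bot: `BundleEntitlement` is the one schema in this hunk with no `description` on any property (`description`, `id`, `name`, `role`), and its `_links` `allOf` item is missing `type: object`, unlike `BundleEntitlementsResponse._links` directly below. `role` in particular needs a sentence saying what it holds, since a reader cannot tell whether it is a display label or an identifier. The `profiles` array (its enclosing schema starts outside the hunk) bounds `externalId` at 512 characters but leaves the array itself unbounded; if the bulk endpoint has a batch limit, `maxItems` belongs here.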
@@ -24151,32 +50635,207 @@ components:
enum:
- HCAPTCHA
- RECAPTCHA_V2
- CallUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/CallUserFactorProfile'
- CallUserFactorProfile:
+ CSRLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of a CSR object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ properties:
+ publish:
+ $ref: '#/components/schemas/HrefCsrPublishLink'
+ self:
+ $ref: '#/components/schemas/HrefCsrSelfLink'
+ readOnly: true
+ CaepDeviceComplianceChangeEvent:
+ description: The subject's device compliance was revoked
type: object
properties:
- phoneExtension:
+ current_status:
type: string
- phoneNumber:
+ description: Current device compliance status
+ enum:
+ - compliant
+ - not-compliant
+ example: non-compliant
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_status:
+ type: string
+ description: Previous device compliance status
+ enum:
+ - compliant
+ - not-compliant
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_status
+ - previous_status
+ CaepSecurityEvent:
+ type: object
+ properties:
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ CaepSessionRevokedEvent:
+ description: The session of the subject was revoked
+ type: object
+ properties:
+ current_ip:
+ type: string
+ description: Current IP of the session
+ example: 123.4.5.6
+ current_user_agent:
+ type: string
+ description: Current User Agent of the session
+ example: CurrentUserAgent
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ last_known_ip:
+ type: string
+ description: Last known IP of the session
+ example: 123.4.5.6
+ last_known_user_agent:
+ type: string
+ description: Last known User Agent of the session
+ example: LastUserAgent
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
CapabilitiesCreateObject:
description: |
- Determines whether Okta assigns a new application account to each user managed by Okta.
+ Determines whether Okta assigns a new app account to each user managed by Okta.
- Okta doesn't create a new account if it detects that the username specified in Okta already exists in the application.
+ Okta doesn't create a new account if it detects that the username specified in Okta already exists in the app.
The user's Okta username is assigned by default.
type: object
properties:
lifecycleCreate:
$ref: '#/components/schemas/LifecycleCreateSettingObject'
+ CapabilitiesImportRulesObject:
+ description: Defines user import rules
+ type: object
+ properties:
+ userCreateAndMatch:
+ $ref: '#/components/schemas/CapabilitiesImportRulesUserCreateAndMatchObject'
+ CapabilitiesImportRulesUserCreateAndMatchObject:
+ description: Rules for matching and creating users
+ type: object
+ properties:
+ allowPartialMatch:
+ type: boolean
+ description: Allows user import upon partial matching. Partial matching occurs when the first and last names of an imported user match those of an existing Okta user, even if the username or email attributes don't match.
+ autoActivateNewUsers:
+ type: boolean
+ description: If set to `true`, imported new users are automatically activated.
+ autoConfirmExactMatch:
+ type: boolean
+ description: If set to `true`, exact-matched users are automatically confirmed on activation. If set to `false`, exact-matched users need to be confirmed manually.
+ autoConfirmNewUsers:
+ type: boolean
+ description: If set to `true`, imported new users are automatically confirmed on activation. This doesn't apply to imported users that already exist in Okta.
+ autoConfirmPartialMatch:
+ type: boolean
+ description: If set to `true`, partially matched users are automatically confirmed on activation. If set to `false`, partially matched users need to be confirmed manually.
+ exactMatchCriteria:
+ type: string
+ description: Determines the attribute to match users
+ enum:
+ - EMAIL
+ - USERNAME
+ CapabilitiesImportSettingsObject:
+ description: Defines import settings
+ type: object
+ properties:
+ schedule:
+ $ref: '#/components/schemas/ImportScheduleObject'
+ username:
+ $ref: '#/components/schemas/ImportUsernameObject'
+ CapabilitiesInboundProvisioningObject:
+ title: INBOUND_PROVISIONING
+ description: Defines the configuration for the INBOUND_PROVISIONING feature
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: object
+ properties:
+ importRules:
+ $ref: '#/components/schemas/CapabilitiesImportRulesObject'
+ importSettings:
+ $ref: '#/components/schemas/CapabilitiesImportSettingsObject'
+ required:
+ - importSettings
+ - importRules
CapabilitiesObject:
- description: Defines the configurations related to an application feature
+ title: USER_PROVISIONING
+ description: Defines the configurations for the USER_PROVISIONING feature
type: object
properties:
create:
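Review bot: `CaepDeviceComplianceChangeEvent.current_status` has `example: non-compliant` but its `enum` is `compliant`/`not-compliant`, so the example is not a valid value; change it to `example: not-compliant`. `CaepSessionRevokedEvent.current_ip` and `last_known_ip` use `123.4.5.6`, a routable address, as an example; an RFC 5737 documentation address such as `192.0.2.1` avoids pointing readers at a real host. `CSRLinks` also lacks `type: object` while the sibling link schemas in this file declare it.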
@@ -24184,7 +50843,7 @@ components:
update:
$ref: '#/components/schemas/CapabilitiesUpdateObject'
CapabilitiesUpdateObject:
- description: Determines whether updates to a user's profile are pushed to the application
+ description: Determines whether updates to a user's profile are pushed to the app
type: object
properties:
lifecycleDeactivate:
@@ -24232,8 +50891,13 @@ components:
enum:
- ACTIVE
- INACTIVE
+ ChallengeType:
+ type: string
+ enum:
+ - http://auth0.com/oauth/grant-type/mfa-oob
+ - http://auth0.com/oauth/grant-type/mfa-otp
ChangeEnum:
- description: Determines whether a change in a user's password also updates the user's password in the application
+ description: Determines whether a change in a user's password also updates the user's password in the app
default: KEEP_EXISTING
example: CHANGE
type: string
@@ -24249,6 +50913,15 @@ components:
$ref: '#/components/schemas/PasswordCredential'
revokeSessions:
type: boolean
+ description: When set to `true`, revokes all user sessions, except for the current session
+ default: false
+ Channel:
+ description: The out-of-band channel for use with authentication. Required for all `/oob-authenticate` requests and any `/challenge` request with an out-of-band authenticator.
+ type: string
+ enum:
+ - push
+ - sms
+ - voice
ChannelBinding:
type: object
properties:
@@ -24256,26 +50929,212 @@ components:
$ref: '#/components/schemas/RequiredEnum'
style:
type: string
+ enum:
+ - NUMBER_CHALLENGE
+ ChildOrg:
+ type: object
+ properties:
+ admin:
+ $ref: '#/components/schemas/OrgCreationAdmin'
+ created:
+ description: Timestamp when the org was created
+ type: string
+ format: date-time
+ readOnly: true
+ example: '2022-08-25T00:05:00.000Z'
+ edition:
+ description: Edition for the org. `SKU` is the only supported value.
+ type: string
+ enum:
+ - SKU
+ example: SKU
+ id:
+ type: string
+ description: Org ID
+ readOnly: true
+ example: 00o1n8sbwArJ7OQRw406
+ lastUpdated:
+ description: Timestamp when the org was last updated
+ type: string
+ format: date-time
+ readOnly: true
+ example: '2022-08-25T00:05:00.000Z'
+ name:
+ description: |-
+ Unique name of the org.
+ This name appears in the HTML `
` tag of the new org sign-in page.
+ Only less than 4-width UTF-8 encoded characters are allowed.
+ type: string
+ format: utf-8
+ minimum: 1
+ maximum: 100
+ example: My Child Org 1
+ settings:
+ description: Settings associated with the created org
+ readOnly: true
+ type: object
+ additionalProperties: true
+ status:
+ description: Status of the org. `ACTIVE` is returned after the org is created.
+ type: string
+ readOnly: true
+ enum:
+ - ACTIVE
+ subdomain:
+ description: Subdomain of the org. Must be unique and include no spaces.
+ type: string
+ minimum: 1
+ maximum: 57
+ example: my-child-org-1
+ token:
+ description: |-
+ API token associated with the child org super admin account.
+ Use this API token to provision resources (such as policies, apps, and groups) on the newly created child org.
+ This token is revoked if the super admin account is deactivated.
+ > **Note:** If this API token expires, sign in to the Admin Console as the super admin user and create a new API token. See [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/).
+ type: string
+ readOnly: true
+ tokenType:
+ description: Type of returned `token`. See [Okta API tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens).
+ type: string
+ readOnly: true
+ example: SSWS
+ enum:
+ - SSWS
+ website:
+ description: Default website for the org
+ type: string
+ example: https://www.okta.com
+ _links:
+ description: Specifies available link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ type: object
+ additionalProperties: true
+ required:
+ - admin
+ - edition
+ - name
+ - subdomain
ChromeBrowserVersion:
description: Current version of the Chrome Browser
type: object
properties:
minimum:
type: string
- ClientPolicyCondition:
+ Claim:
+ type: string
+ Client:
type: object
+ properties:
+ application_type:
+ $ref: '#/components/schemas/ApplicationType'
+ client_id:
+ type: string
+ description: Unique key for the client application. The `client_id` is immutable. When you create a client Application, you can't specify the `client_id` because Okta uses the application ID for the `client_id`.
+ readOnly: true
+ client_id_issued_at:
+ type: integer
+ readOnly: true
+ description: Time at which the `client_id` was issued (measured in unix seconds)
+ client_name:
+ type: string
+ description: Human-readable string name of the client application
+ client_secret:
+ type: string
+ readOnly: true
+ description: OAuth 2.0 client secret string (used for confidential clients). The `client_secret` is shown only on the response of the creation or update of a client Application (and only if the `token_endpoint_auth_method` is one that requires a client secret). You can't specify the `client_secret`. If the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client Application.
+ nullable: true
+ client_secret_expires_at:
+ type: integer
+ readOnly: true
+ description: Time at which the `client_secret` expires or 0 if it doesn't expire (measured in unix seconds)
+ minimum: 0
+ nullable: true
+ frontchannel_logout_session_required:
+ type: boolean
+ description: Include user session details
+ frontchannel_logout_uri:
+ type: string
+ description: URL where Okta sends the logout request
+ nullable: true
+ grant_types:
+ type: array
+ description: 'Array of OAuth 2.0 grant type strings. Default value: `[authorization_code]`'
+ items:
+ $ref: '#/components/schemas/GrantType'
+ initiate_login_uri:
+ type: string
+ description: URL that a third party can use to initiate a login by the client
+ jwks_uri:
+ type: string
+ description: URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta
+ logo_uri:
+ type: string
+ description: URL string that references a logo for the client consent dialog (not the sign-in dialog)
+ nullable: true
+ policy_uri:
+ type: string
+ description: URL string of a web page providing the client's policy document
+ nullable: true
+ post_logout_redirect_uris:
+ type: string
+ description: Array of redirection URI strings for use for relying party initiated logouts
+ items:
+ type: string
+ redirect_uris:
+ type: array
+ description: 'Array of redirection URI strings for use in redirect-based flows. All redirect URIs must be absolute URIs and must not include a fragment component. At least one redirect URI and response type is required for all client types, with the following exceptions: If the client uses the Resource Owner Password flow (if `grant_type` contains the value password) or the Client Credentials flow (if `grant_type` contains the value `client_credentials`), then no redirect URI or response type is necessary. In these cases, you can pass either null or an empty array for these attributes.'
+ items:
+ type: string
+ request_object_signing_alg:
+ type: array
+ description: The type of [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) algorithm that must be used for signing request objects
+ items:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ response_types:
+ type: array
+ description: 'Array of OAuth 2.0 response type strings. Default value: `[code]`'
+ items:
+ $ref: '#/components/schemas/ResponseType'
+ token_endpoint_auth_method:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ tos_uri:
+ type: string
+ description: URL string of a web page providing the client's terms of service document
+ nullable: true
+ ClientPolicyCondition:
description: Specifies which clients are included in the Policy
+ type: object
properties:
include:
type: array
description: Which clients are included in the Policy
items:
type: string
+ ClientPrivilegesSetting:
+ description: The org setting that assigns the super admin role by default to a public client app
+ type: object
+ properties:
+ clientPrivilegesSetting:
+ type: boolean
+ description: If true, assigns the super admin role by default to new public client apps
+ example: true
+ CodeChallengeMethod:
+ type: string
+ enum:
+ - S256
Compliance:
type: object
properties:
fips:
$ref: '#/components/schemas/FipsEnum'
+ Conditions:
+ type: object
+ properties:
+ expression:
+ $ref: '#/components/schemas/Expression'
+ profileSourceId:
+ type: string
ContentSecurityPolicySetting:
type: object
properties:
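Review bot: `Client.post_logout_redirect_uris` is declared `type: string` with an `items` sub-schema and a description calling it an array; it should be `type: array` like `redirect_uris`, otherwise generated clients serialize it as a scalar. `ChildOrg.name` and `ChildOrg.subdomain` put `minimum`/`maximum` on `type: string`, which are numeric keywords that validators ignore for strings; `minLength`/`maxLength` is what was meant, and `format: utf-8` is not a registered format. The `name` description reads "appears in the HTML `` tag" — the tag name (presumably `<title>`) appears to have been stripped, so it should be restored in escaped form. `ClientPrivilegesSetting` ships `example: true` for a flag that grants the super admin role to every new public client app; an example of `false` (and a `default`, if the org default is known) avoids a copy-pasted example widening privileges.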
@@ -24303,8 +51162,25 @@ components:
properties:
name:
type: string
+ description: The name of the Brand
required:
- name
+ CreateGroupRuleRequest:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/GroupRuleAction'
+ conditions:
+ $ref: '#/components/schemas/GroupRuleConditions'
+ name:
+ type: string
+ description: Name of the Group rule
+ minLength: 1
+ maxLength: 50
+ type:
+ type: string
+ enum:
+ - group_rule
CreateIamRoleRequest:
type: object
properties:
@@ -24316,13 +51192,29 @@ components:
description: Unique label for the role
permissions:
type: array
- description: Array of permissions that the role will grant. See [Permission Types](https://developer.okta.com/docs/concepts/role-assignment/#permission-types).
+ description: Array of permissions that the Role grants. See [Permissions](/openapi/okta-management/guides/roles/#permissions).
items:
$ref: '#/components/schemas/RolePermissionType'
required:
- label
- description
- permissions
+ CreateRealmAssignmentRequest:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/Actions'
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ name:
+ type: string
+ priority:
+ type: integer
+ CreateRealmRequest:
+ type: object
+ properties:
+ profile:
+ $ref: '#/components/schemas/RealmProfile'
CreateResourceSetRequest:
type: object
properties:
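Review bot: `name` and `priority` in CreateRealmAssignmentRequest have no `description`, and `priority` is a bare integer whose ordering direction a caller cannot infer from the schema. Suggest `description: Name of the realm assignment` on `name`, and a description on `priority` that states how assignments are ordered (whether a lower number is evaluated first) — that direction isn't visible in this diff, so confirm it against the service before writing it. `CreateRealmRequest.profile` would similarly benefit from a one-line description.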
@@ -24331,11 +51223,17 @@ components:
description: Description of the Resource Set
label:
type: string
- description: Unique label for the Resource Set
+ description: Unique name for the Resource Set
resources:
type: array
+ description: The endpoint (URL) that references all resource objects included in the Resource Set. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn).
+ maximum: 1000
items:
type: string
+ required:
+ - description
+ - label
+ - resources
CreateSessionRequest:
type: object
properties:
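Review bot: `maximum: 1000` on the `resources` array in CreateResourceSetRequest has no effect, because `maximum` is a numeric-instance keyword; the array-length bound is `maxItems`. As written, validators and generated clients accept any number of resources even though `resources` is now listed under `required`. Change the line to `maxItems: 1000`. CreateResourceSetRequest's definition starts before this hunk.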
@@ -24347,8 +51245,6 @@ components:
type: object
properties:
uiSchema:
- type: object
- description: Updated schema property expressions (Okta object or App Instance object)
$ref: '#/components/schemas/UISchemaObject'
CreateUpdateIamRolePermissionRequest:
type: object
@@ -24368,31 +51264,91 @@ components:
$ref: '#/components/schemas/UserProfile'
realmId:
type: string
- description: The ID of the realm in which the user is residing
+ description:
The ID of the realm in which the user is residing
example: guo1bfiNtSnZYILxO0g4
x-okta-lifecycle:
- features:
- - UD_REALMS
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
type:
- $ref: '#/components/schemas/UserType'
+ type: object
+ description: |-
+ The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/).
+ The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can
+ only be assigned a different user type by an administrator through a full replacement (`PUT`) operation.
+ properties:
+ id:
+ type: string
+ description: The ID of the user type
required:
- profile
- Csr:
+ Created:
+ format: date-time
+ description: Timestamp when the object was created
+ example: '2016-01-03T18:15:47.000Z'
+ type: string
+ readOnly: true
+ CredentialSyncInfo:
type: object
properties:
- created:
+ errorCode:
+ type: string
+ description: The error code for the type of error
+ readOnly: true
+ errorReason:
type: string
+ description: A short description of the error
+ readOnly: true
+ secretVersionId:
+ type: string
+ description: The version ID of the password secret from the OPA vault.
+ minLength: 1
+ maxLength: 36
+ example: 9f8400-e29b-41d4-a716-926655440034
+ syncState:
+ $ref: '#/components/schemas/CredentialSyncState'
+ example: NOT_SYNCED
+ syncTime:
+ type: string
+ description: Timestamp when the credential was changed
format: date-time
readOnly: true
+ example: '2024-06-10T11:30:01.000Z'
+ CredentialSyncState:
+ description: Current credential sync status of the privileged resource
+ type: string
+ enum:
+ - NOT_SYNCED
+ - SYNCED
+ - SYNCING
+ - SYNC_FAILED
+ x-enumDescriptions:
+ NOT_SYNCED: Credentials are not yet synced
+ SYNCING: Credentials are currently being synced
+ SYNCED: Credentials are successfully synced
+ SYNC_FAILED: Credential sync failed
+ readOnly: true
+ Csr:
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/createdProperty'
csr:
type: string
readOnly: true
+ example: 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
id:
type: string
readOnly: true
+ example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
kty:
type: string
readOnly: true
+ example: RSA
+ _links:
+ $ref: '#/components/schemas/CSRLinks'
+ readOnly: true
+ nullable: false
CsrMetadata:
type: object
properties:
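Review bot: The `example: NOT_SYNCED` placed next to `syncState: $ref` in CredentialSyncInfo, and the `readOnly: true` / `nullable: false` next to `_links: $ref` in Csr, are siblings of a `$ref`, which OpenAPI 3.0 tooling ignores — the same problem this commit removes for `uiSchema` in the preceding hunk. Either drop them or wrap them, e.g. `syncState:` / `  allOf:` / `    - $ref: '#/components/schemas/CredentialSyncState'` / `    - example: NOT_SYNCED`, so the document does not imply constraints it does not enforce. Separately, `Csr.created` now refs `createdProperty` while a `Created` schema is introduced a few lines above it; if `createdProperty` is not defined elsewhere in the file this is a dangling reference, so a `$ref` resolution check is worth running. The schema at the top of the hunk begins before it.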
@@ -24405,42 +51361,128 @@ components:
properties:
commonName:
type: string
+ description: Common name of the subject
+ example: SP Issuer
countryName:
type: string
+ description: Country name or code
+ example: US
localityName:
type: string
+ description: Locality (city) name
+ example: San Francisco
organizationalUnitName:
type: string
+ description: Name of the smaller organization, for example, the department or the division
+ example: Dev
organizationName:
type: string
+ description: Large organization name
+ example: Okta, Inc.
stateOrProvinceName:
type: string
+ description: State or province name
+ example: California
CsrMetadataSubjectAltNames:
type: object
properties:
dnsNames:
type: array
+ description: DNS names of the subject
items:
type: string
- CustomHotpUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- factorProfileId:
- type: string
- profile:
- $ref: '#/components/schemas/CustomHotpUserFactorProfile'
- CustomHotpUserFactorProfile:
+ example: dev.okta.com
+ CsrPublishHrefHints:
+ description: Describes allowed HTTP verbs for the `href`
type: object
properties:
- sharedSecret:
+ allow:
+ type: array
+ items:
+ type: string
+ enum:
+ - POST
+ CsrSelfHrefHints:
+ description: Describes allowed HTTP verbs for the `href`
+ type: object
+ properties:
+ allow:
+ type: array
+ items:
+ type: string
+ enum:
+ - GET
+ - DELETE
+ CustomAppUserVerificationEnum:
+ description: User verification setting
+ type: string
+ enum:
+ - PREFERRED
+ - REQUIRED
+ CustomRole:
+ title: Custom Role Assignment
+ type: object
+ properties:
+ assignmentType:
+ $ref: '#/components/schemas/RoleAssignmentType'
+ created:
+ type: string
+ description: Timestamp when the object was created
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ description: Binding Object ID
+ readOnly: true
+ label:
+ type: string
+ description: Label for the custom role assignment
+ readOnly: true
+ lastUpdated:
+ type: string
+ description: Timestamp when the object was last updated
+ format: date-time
+ readOnly: true
+ resource-set:
type: string
+ description: Resource Set ID
+ readOnly: true
+ role:
+ type: string
+ description: Custom Role ID
+ readOnly: true
+ status:
+ allOf:
+ - $ref: '#/components/schemas/LifecycleStatus'
+ - description: Status of the Custom Role Assignment
+ type:
+ type: string
+ description: CUSTOM for a custom role
+ enum:
+ - CUSTOM
+ _links:
+ $ref: '#/components/schemas/LinksCustomRoleResponse'
+ CustomRoleAssignmentSchema:
+ title: Custom Role
+ type: object
+ properties:
+ resource-set:
+ type: string
+ description: Resource Set ID
+ role:
+ type: string
+ description: Custom Role ID
+ type:
+ type: string
+ description: The type of role. Specify `CUSTOM` for a custom role.
+ enum:
+ - CUSTOM
CustomizablePage:
type: object
properties:
pageContent:
type: string
+ description: The HTML for the page
DNSRecord:
description: DNS TXT and CNAME records to be registered for the Domain
type: object
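Review bot: The `title` values on `CustomRole` (`Custom Role Assignment`) and `CustomRoleAssignmentSchema` (`Custom Role`) read as if swapped: the first carries `assignmentType` and a `status` described as the status of the assignment, while the second is the payload naming the role and resource set to assign. If the titles are deliberate, a `description` on each schema stating which is the request body and which the response would remove the ambiguity; otherwise swap the two `title` lines.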
@@ -24467,6 +51509,17 @@ components:
enum:
- CNAME
- TXT
+ DRStatusItem:
+ description: Provides the status whether a domain has been failed over or not
+ type: object
+ properties:
+ domain:
+ type: string
+ description: domain
+ isFailedOver:
+ type: boolean
+ description: Indicates if the domain has been failed over
+ nullable: false
DTCChromeOS:
description: Google Chrome Device Trust Connector provider
type: object
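Review bot: `description: domain` on `DRStatusItem.domain` repeats the property name and tells a reader nothing; say what it identifies, e.g. `description: The domain whose failover status is reported`. The schema-level text `Provides the status whether a domain has been failed over or not` would also read better as `Indicates whether a domain has been failed over`.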
@@ -24485,16 +51538,19 @@ components:
deviceEnrollmentDomain:
description: Enrollment domain of the customer that is currently managing the device
type: string
- diskEnrypted:
+ diskEncrypted:
description: Indicates whether the main disk is encrypted
type: boolean
keyTrustLevel:
$ref: '#/components/schemas/KeyTrustLevelOSMode'
+ managedDevice:
+ description: Indicates whether the device is enrolled in ChromeOS device management
+ type: boolean
osFirewall:
description: Indicates whether a firewall is enabled at the OS-level on the device
type: boolean
osVersion:
- $ref: '#/components/schemas/OSVersion'
+ $ref: '#/components/schemas/OSVersionFourComponents'
passwordProtectionWarningTrigger:
$ref: '#/components/schemas/PasswordProtectionWarningTrigger'
realtimeUrlCheckMode:
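Review bot: Renaming the property `diskEnrypted` to `diskEncrypted` in DTCChromeOS changes a JSON field name, not just a label: generated clients will stop reading the old key, so this is a pure typo fix only if the service already emits `diskEncrypted` (meaning the old spec was wrong). Worth confirming against a live response before release; the same rename appears in the hunks at `@@ -24523` and `@@ -24567`. The `osVersion` switch from `OSVersion` to `OSVersionFourComponents` is likewise a schema-name change that SDK consumers will see as a type rename. DTCChromeOS begins before this hunk.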
@@ -24523,7 +51579,7 @@ components:
deviceEnrollmentDomain:
description: Enrollment domain of the customer that is currently managing the device
type: string
- diskEnrypted:
+ diskEncrypted:
description: Indicates whether the main disk is encrypted
type: boolean
keyTrustLevel:
@@ -24532,7 +51588,7 @@ components:
description: Indicates whether a firewall is enabled at the OS-level on the device
type: boolean
osVersion:
- $ref: '#/components/schemas/OSVersion'
+ $ref: '#/components/schemas/OSVersionThreeComponents'
passwordProtectionWarningTrigger:
$ref: '#/components/schemas/PasswordProtectionWarningTrigger'
realtimeUrlCheckMode:
@@ -24567,7 +51623,7 @@ components:
deviceEnrollmentDomain:
description: Enrollment domain of the customer that is currently managing the device
type: string
- diskEnrypted:
+ diskEncrypted:
description: Indicates whether the main disk is encrypted
type: boolean
keyTrustLevel:
@@ -24576,7 +51632,7 @@ components:
description: Indicates whether a firewall is enabled at the OS-level on the device
type: boolean
osVersion:
- $ref: '#/components/schemas/OSVersion'
+ $ref: '#/components/schemas/OSVersionFourComponents'
passwordProtectionWarningTrigger:
$ref: '#/components/schemas/PasswordProtectionWarningTrigger'
realtimeUrlCheckMode:
@@ -24602,15 +51658,90 @@ components:
windowsUserDomain:
description: Windows domain for the current OS user
type: string
+ DateTime:
+ description: An [ISO-8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) formatted date and time.
+ format: date-time
+ example: '2024-12-01T00:00:00Z'
+ type: string
DefaultApp:
type: object
properties:
appInstanceId:
type: string
+ description: ID for the App instance
appLinkName:
type: string
+ description: Name for the app instance
classicApplicationUri:
type: string
+ description: Application URI for classic Orgs
+ DesktopMFAEnforceNumberMatchingChallengeOrgSetting:
+ type: object
+ properties:
+ desktopMFAEnforceNumberMatchingChallengeEnabled:
+ type: boolean
+ description: Indicates whether or not the Desktop MFA Enforce Number Matching Challenge push notifications feature is enabled
+ default: false
+ DesktopMFARecoveryPinOrgSetting:
+ type: object
+ properties:
+ desktopMFARecoveryPinEnabled:
+ type: boolean
+ description: Indicates whether or not the Desktop MFA Recovery PIN feature is enabled
+ default: false
+ DetailedHookKeyInstance:
+ title: DetailedHookKeyInstance
+ description: A key object with public key details
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the key was created
+ readOnly: true
+ nullable: true
+ id:
+ type: string
+ description: The unique Okta ID of this key record
+ readOnly: true
+ nullable: false
+ isUsed:
+ type: string
+ format: boolean
+ description: Whether this key is currently in use by other applications
+ nullable: false
+ readOnly: true
+ keyId:
+ type: string
+ description: The alias of the public key
+ nullable: false
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the key was updated
+ readOnly: true
+ nullable: true
+ name:
+ type: string
+ description: Display name of the key
+ readOnly: false
+ nullable: false
+ minLength: 1
+ maxLength: 255
+ _embedded:
+ $ref: '#/components/schemas/_embedded'
+ DetectedRiskEvents:
+ type: string
+ enum:
+ - ADMIN_REPORTED_USER_RISK
+ - BRUTE_FORCE_ATTACK
+ - ENTITY_CRITICAL_ACTION_FROM_HIGH_THREAT_IP
+ - OKTA_THREAT_INTELLIGENCE
+ - SECURITY_EVENTS_PROVIDER_REPORTED_RISK
+ - SESSION_INFLUENCED_USER_RISK
+ - SUSPICIOUS_APP_ACCESS
+ - USER_REPORTED_SUSPICIOUS_ACTIVITY
Device:
type: object
properties:
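Review bot: `isUsed` in DetailedHookKeyInstance is declared `type: string` with `format: boolean`, which is not a defined OpenAPI format; a string-typed field makes generated clients expose text where the description promises a yes/no value. If the service returns a JSON boolean, the fix is `type: boolean` and removing the `format` line; if it genuinely returns the strings `"true"`/`"false"`, state that in the description rather than through a non-standard format.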
@@ -24648,23 +51779,19 @@ components:
_links:
$ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle'
DeviceAccessPolicyRuleCondition:
- allOf:
- - $ref: '#/components/schemas/DevicePolicyRuleCondition'
- - type: object
- properties:
- managed:
- type: boolean
- registered:
- type: boolean
- assurance:
- $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance'
- DevicePolicyRuleConditionAssurance:
+ description: Specifies the device condition to match on
type: object
properties:
- include:
- type: array
- items:
- type: string
+ assurance:
+ $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance'
+ managed:
+ type: boolean
+ description: Indicates if the device is managed. A device is considered managed if it's part of a device management system.
+ registered:
+ type: boolean
+ description: |
+ Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device.
+ When the `managed` property is passed, you must also include the `registered` property and set it to `true`.
DeviceAssurance:
title: DeviceAssurance
type: object
@@ -24678,15 +51805,15 @@ components:
id:
type: string
readOnly: true
- lastUpdatedBy:
+ lastUpdate:
type: string
readOnly: true
- lastUpdatedDate:
+ lastUpdatedBy:
type: string
readOnly: true
name:
type: string
- description: Display name of the Device Assurance Policy
+ description: Display name of the device assurance policy
platform:
$ref: '#/components/schemas/Platform'
_links:
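Review bot: `lastUpdate` (replacing `lastUpdatedDate`) in DeviceAssurance is a bare `type: string` with no `description` or `format`, so nothing tells a reader it is a timestamp, and the rename itself changes a JSON key that clients observe. If it is an ISO-8601 time as the name suggests, add `format: date-time` and `description: Timestamp when the device assurance policy was last updated`, as `CustomRole.created` does elsewhere in this diff. `lastUpdatedBy` could also use a one-line description. DeviceAssurance begins before this hunk.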
@@ -24710,7 +51837,7 @@ components:
include:
type: array
items:
- $ref: '#/components/schemas/DiskEncryptionType'
+ $ref: '#/components/schemas/DiskEncryptionTypeAndroid'
jailbreak:
type: boolean
osVersion:
@@ -24726,8 +51853,9 @@ components:
type: boolean
DeviceAssuranceChromeOSPlatform:
x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
allOf:
- $ref: '#/components/schemas/DeviceAssurance'
- type: object
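Review bot: `lifecycle: GA` combined with `isGenerallyAvailable: false` in the `x-okta-lifecycle` block of DeviceAssuranceChromeOSPlatform reads as contradictory to anyone consuming the extension. If the intended meaning is a GA feature that is still gated per org, the vendor extension's definition should document that combination, or the pair should be `lifecycle: EA` as used for `realmId` earlier in the diff. The same combination appears in the hunks at `@@ -24790`, `@@ -24824` and `@@ -25399`.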
@@ -24743,13 +51871,6 @@ components:
- $ref: '#/components/schemas/DeviceAssurance'
- type: object
properties:
- diskEncryptionType:
- type: object
- properties:
- include:
- type: array
- items:
- $ref: '#/components/schemas/DiskEncryptionType'
jailbreak:
type: boolean
osVersion:
@@ -24761,8 +51882,6 @@ components:
type: array
items:
$ref: '#/components/schemas/ScreenLockType'
- secureHardwarePresent:
- type: boolean
DeviceAssuranceMacOSPlatform:
allOf:
- $ref: '#/components/schemas/DeviceAssurance'
@@ -24774,9 +51893,7 @@ components:
include:
type: array
items:
- $ref: '#/components/schemas/DiskEncryptionType'
- jailbreak:
- type: boolean
+ $ref: '#/components/schemas/DiskEncryptionTypeDesktop'
osVersion:
$ref: '#/components/schemas/OSVersion'
screenLockType:
@@ -24790,8 +51907,9 @@ components:
type: boolean
thirdPartySignalProviders:
x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
type: object
description: Settings for third-party signal providers (based on the `MACOS` platform)
properties:
@@ -24808,11 +51926,27 @@ components:
include:
type: array
items:
- $ref: '#/components/schemas/DiskEncryptionType'
- jailbreak:
- type: boolean
+ $ref: '#/components/schemas/DiskEncryptionTypeDesktop'
osVersion:
- $ref: '#/components/schemas/OSVersion'
+ $ref: '#/components/schemas/OSVersionFourComponents'
+ osVersionConstraints:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: array
+ description: |
+
Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition.
+
+ There are two types of OS requirements:
+ * **Static**: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with `majorVersionConstraint` and `minimum`.
+ * **Dynamic**: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with `majorVersionConstraint` and `dynamicVersionRequirement`.
+
+ > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. The `osVersionConstraints` property is only supported for the Windows platform. You can't specify both `osVersion.minimum` and `osVersionConstraints` properties at the same time.
+ items:
+ $ref: '#/components/schemas/OSVersionConstraint'
+ minItems: 1
+ maxItems: 2
screenLockType:
type: object
properties:
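Review bot: The `description: |` literal block for `osVersionConstraints` appears to begin with an empty line before `Specifies the Windows version requirements…`, which becomes a leading newline in the rendered description. Remove the blank line, or use `|-` and start the text on the first content line, so the output is clean. The prose rule that `osVersion.minimum` and `osVersionConstraints` cannot be combined is not expressible in OpenAPI 3.0, so stating it in the description is the right place; just keep it next to the `minItems`/`maxItems` bounds so readers see all constraints together.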
@@ -24824,13 +51958,68 @@ components:
type: boolean
thirdPartySignalProviders:
x-okta-lifecycle:
- features:
- - GOOGLE_DEVICE_CONTEXT_CONNECTOR
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
type: object
description: Settings for third-party signal providers (based on the `WINDOWS` platform)
properties:
dtc:
$ref: '#/components/schemas/DTCWindows'
+ DeviceCheck:
+ title: DeviceCheck
+ type: object
+ properties:
+ createdBy:
+ type: string
+ readOnly: true
+ description: User who created the Device Check
+ example: 00u217pyf72CdUrBt1c5
+ createdDate:
+ type: string
+ readOnly: true
+ description: Time the Device Check was created
+ example: '2019-10-02T18:03:07.000Z'
+ description:
+ type: string
+ description: Description of the Device Check
+ example: Query macOS devices to check if firewall is enabled
+ id:
+ type: string
+ readOnly: true
+ description: The ID of the Device Check
+ example: dch3m8o4rWhwReDeM1c5
+ lastUpdate:
+ type: string
+ readOnly: true
+ description: Time the Device Check was updated
+ example: '2019-10-02T18:03:07.000Z'
+ lastUpdatedBy:
+ type: string
+ readOnly: true
+ description: User who updated the Device Check
+ example: 00u217pyf72CdUrBt1c5
+ name:
+ type: string
+ description: Display name of the Device Check
+ example: Device Check macOS
+ platform:
+ $ref: '#/components/schemas/DeviceChecksPlatform'
+ query:
+ type: string
+ description: OSQuery for the Device Check
+ example: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf;
+ variableName:
+ type: string
+ description: Unique name of the Device Check
+ example: macOSFirewall
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ DeviceChecksPlatform:
+ type: string
+ enum:
+ - MACOS
+ - WINDOWS
DeviceDisplayName:
description: Display name of the device
type: object
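Review bot: `createdDate` and `lastUpdate` in DeviceCheck carry ISO-8601 examples but are plain `type: string` with no `format: date-time`, unlike `CustomRole.created` and `lastUpdated` in this same diff; add `format: date-time` to both so generated clients get a date type. The `query` property holds an OSQuery statement that is presumably evaluated on enrolled devices; a sentence in its description saying so would help consumers treat edits to it as privileged configuration.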
@@ -24839,6 +52028,31 @@ components:
type: boolean
value:
type: string
+ DeviceIntegrity:
+ description: Indicates how well a device can enforce app integrity
+ type: string
+ enum:
+ - MEETS_BASIC_INTEGRITY
+ - MEETS_DEVICE_INTEGRITY
+ - MEETS_STRONG_INTEGRITY
+ x-enumDescriptions:
+ MEETS_BASIC_INTEGRITY: The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services.
+ MEETS_DEVICE_INTEGRITY: The app is running on an Android-powered device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements.
+ MEETS_STRONG_INTEGRITY: The app is running on an Android-powered device with Google Play services. It has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements.
+ DeviceList:
+ allOf:
+ - $ref: '#/components/schemas/Device'
+ - properties:
+ _embedded:
+ type: object
+ description: List of associated users for the device if the `expand=user` query parameter is specified in the request. Use `expand=userSummary` to get only a summary of each associated user for the device.
+ properties:
+ users:
+ description: Users for the device
+ type: array
+ items:
+ $ref: '#/components/schemas/DeviceUser'
+ readOnly: true
DevicePlatform:
description: OS platform of the device
type: string
@@ -24871,6 +52085,13 @@ components:
type: boolean
trustLevel:
$ref: '#/components/schemas/DevicePolicyTrustLevel'
+ DevicePolicyRuleConditionAssurance:
+ type: object
+ properties:
+ include:
+ type: array
+ items:
+ type: string
DevicePolicyRuleConditionPlatform:
type: object
properties:
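Review bot: `DevicePolicyRuleConditionAssurance.include` is a list of untyped strings with no `description`, so readers cannot tell what the strings identify. From its use under `assurance` in DeviceAccessPolicyRuleCondition earlier in this diff they are presumably device assurance policy IDs; if so, `description: IDs of the device assurance policies to match` plus an `example` would make the schema self-explanatory.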
@@ -24939,7 +52160,7 @@ components:
maxLength: 256
tpmPublicKeyHash:
type: string
- description: Windows Trsted Platform Module hash value
+ description: Windows Trusted Platform Module hash value
udid:
type: string
description: macOS Unique Device identifier of the device
@@ -24986,14 +52207,14 @@ components:
user:
$ref: '#/components/schemas/User'
DigestAlgorithm:
+ description: Algorithm used to generate the key. Only required for the PBKDF2 algorithm.
type: string
enum:
- SHA256_HMAC
- SHA512_HMAC
- DiskEncryptionType:
+ DiskEncryptionTypeAndroid:
type: string
enum:
- - ALL_INTERNAL_VOLUMES
- FULL
- USER
DiskEncryptionTypeDef:
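Review bot: The new `DigestAlgorithm` description, `Algorithm used to generate the key. Only required for the PBKDF2 algorithm.`, is imprecise: `SHA256_HMAC`/`SHA512_HMAC` name the HMAC pseudorandom function that PBKDF2 iterates to derive the key, not a key-generation algorithm. Suggest `description: HMAC digest used as the pseudorandom function by PBKDF2 when deriving the key. Required only when the algorithm is PBKDF2.` The rename of `DiskEncryptionType` to `DiskEncryptionTypeAndroid` also leaves any reference to the old schema name that this commit did not update dangling; a `$ref` resolution pass would confirm none remain.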
@@ -25013,6 +52234,10 @@ components:
USER: Encryption key is tied to the user or profile. Only applicable to `ANDROID` platform.
ALL_INTERNAL_VOLUMES: All internal disks are encrypted. Only applicable to `WINDOWS` and `MACOS` platforms.
SYSTEM_VOLUME: Only the system volume is encrypted. Only applicable to `WINDOWS` and `MACOS` platforms.
+ DiskEncryptionTypeDesktop:
+ type: string
+ enum:
+ - ALL_INTERNAL_VOLUMES
DomainCertificate:
description: Defines the properties of the certificate
type: object
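Review bot: `DiskEncryptionTypeDesktop` lists only `ALL_INTERNAL_VOLUMES`, yet the `x-enumDescriptions` in `DiskEncryptionTypeDef` directly above describe `SYSTEM_VOLUME` as applicable to the `WINDOWS` and `MACOS` platforms. One of the two is out of date: either `- SYSTEM_VOLUME` belongs in this enum (it is what the macOS and Windows assurance platforms now reference), or the `DiskEncryptionTypeDef` text should drop the desktop applicability.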
@@ -25141,19 +52366,96 @@ components:
Duration:
type: object
properties:
- number:
- type: integer
- unit:
+ number:
+ type: integer
+ unit:
+ type: string
+ DynamicNetworkZone:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZone'
+ - title: Dynamic Network Zone
+ - type: object
+ properties:
+ asns:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneAsns'
+ - description: An array of ASNs for a Network Zone
+ proxyType:
+ type: string
+ description: The proxy type used for a Dynamic Network Zone
+ enum:
+ - 'null'
+ - Any
+ - Tor
+ - NotTorAnonymizer
+ x-enumDescriptions:
+ 'null': (Or `""`) No proxy used
+ Any: Use any proxy type for the Dynamic Zone.
+ Tor: Use Tor Anonymizer proxy for the Dynamic Zone.
+ NotTorAnonymizer: Use a non Tor Anonymizer proxy for the Dynamic Zone.
+ locations:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneLocationArray'
+ - description: An array of geolocations for a Dynamic Network Zone
+ ECKeyJWK:
+ description: Elliptic Curve Key in JWK format, currently used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS objects in fulfillment responses. The currently agreed protocol uses P-384.
+ type: object
+ properties:
+ crv:
+ type: string
+ enum:
+ - P-384
+ kid:
+ type: string
+ description: The unique identifier of the key
+ kty:
+ type: string
+ enum:
+ - EC
+ description: The type of public key
+ use:
+ type: string
+ description: The intended use for the key. The ECKeyJWK is always `enc` because Okta uses it to encrypt requests to Yubico.
+ enum:
+ - enc
+ x:
type: string
+ description: The public x coordinate for the elliptic curve point
+ 'y':
+ type: string
+ description: The public y coordinate for the elliptic curve point
+ required:
+ - x
+ - 'y'
+ - kty
+ - crv
+ - use
+ - kid
EmailContent:
type: object
properties:
body:
type: string
- description: The email's HTML body. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
+ description: |
+ The HTML body of the email. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
+
+ Not required if Custom languages for Okta Email Templates is enabled. A `null` body is replaced with a default value from one of the following in priority order:
+
+ 1. An existing default email customization, if one exists
+ 2. Okta-provided translated content for the specified language, if one exists
+ 3. Okta-provided translated content for the brand locale, if it's set
+ 4. Okta-provided content in English
subject:
type: string
- description: The email's subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
+ description: |
+ The email subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references).
+
+ Not required if Custom languages for Okta Email Templates is enabled. A `null` subject is replaced with a default value from one of the following in priority order:
+
+ 1. An existing default email customization, if one exists
+ 2. Okta-provided translated content for the specified language, if one exists
+ 3. Okta-provided translated content for the brand locale, if it's set
+ 4. Okta-provided content in English
required:
- subject
- body
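Review bot: `proxyType` in DynamicNetworkZone enumerates the string `'null'`, and its `x-enumDescriptions` entry says `(Or ""`) No proxy used`, which suggests the wire value is JSON `null` or an empty string rather than the four-character text `null`. If so, use `nullable: true` and include a bare `null` in the enum (required alongside `nullable` in OpenAPI 3.0.3), and list `''` explicitly; otherwise generated clients will serialize the literal text `"null"`. The quoting of `'y'` in ECKeyJWK is correct and necessary, since a bare `y` is a YAML 1.1 boolean.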
@@ -25220,6 +52522,10 @@ components:
type: string
domain:
type: string
+ validationSubdomain:
+ type: string
+ description: Subdomain for the email sender's custom mail domain. Specify your subdomain when you configure a custom mail domain.
+ default: mail
required:
- domain
- brandId
@@ -25252,6 +52558,10 @@ components:
type: string
validationStatus:
$ref: '#/components/schemas/EmailDomainStatus'
+ validationSubdomain:
+ type: string
+ description: The subdomain for the email sender's custom mail domain
+ default: mail
EmailDomainResponseWithEmbedded:
allOf:
- $ref: '#/components/schemas/EmailDomainResponse'
@@ -25318,13 +52628,14 @@ components:
- properties:
password:
type: string
- description: The password to use with your SMTP server
+ description: Password used to access your SMTP server
EmailServerResponse:
allOf:
- $ref: '#/components/schemas/BaseEmailServer'
- properties:
id:
type: string
+ description: ID of your SMTP server
EmailSettings:
type: object
properties:
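Review bot: The SMTP `password` property is a plain `type: string`; OpenAPI's `format: password` marks it so documentation renderers mask the value, and `writeOnly: true` records that it is accepted on requests but never echoed back, which also keeps generated response models from carrying the field. Suggest adding `format: password` and `writeOnly: true` beneath `type: string`. The enclosing schema begins before this hunk.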
@@ -25336,7 +52647,24 @@ components:
- NO_USERS
required:
- recipients
- EmailTemplate:
+ EmailSettingsResponse:
+ type: object
+ properties:
+ recipients:
+ type: string
+ enum:
+ - ALL_USERS
+ - ADMINS_ONLY
+ - NO_USERS
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ self:
+ $ref: '#/components/schemas/HrefObject'
+ template:
+ $ref: '#/components/schemas/HrefObject'
+ EmailTemplateResponse:
type: object
properties:
name:
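Review bot: `EmailSettingsResponse` repeats the `recipients` enum (`ALL_USERS`, `ADMINS_ONLY`, `NO_USERS`) that `EmailSettings` already defines directly above it, so the two lists can drift; composing it as `allOf:` / `  - $ref: '#/components/schemas/EmailSettings'` / `  - properties:` with only `_links` keeps one source of truth. The `_links` block also refs `LinksSelf` and then declares `self` again; if `LinksSelf` already defines `self`, the duplicate is redundant. EmailTemplateResponse's definition continues past this hunk.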
@@ -25347,7 +52675,7 @@ components:
type: object
properties:
settings:
- $ref: '#/components/schemas/EmailSettings'
+ $ref: '#/components/schemas/EmailSettingsResponse'
customizationCount:
type: integer
readOnly: true
@@ -25364,34 +52692,30 @@ components:
test:
$ref: '#/components/schemas/HrefObject'
EmailTemplateTouchPointVariant:
+ description: |
+ Variant for email templates. You can publish a theme for email templates with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
type: string
enum:
- FULL_THEME
- OKTA_DEFAULT
+ x-enumDescriptions:
+ FULL_THEME: Uses the Okta logo and Okta colors in email templates
+ OKTA_DEFAULT: Uses the logo from the Theme. Uses `primaryColorHex` as the background color for buttons.
EmailTestAddresses:
type: object
properties:
from:
type: string
- description: An email address to send the test email from
+ description: Email address that sends test emails
+ example: sender@host.com
to:
type: string
- description: An email address to send the test email to
+ description: Email address that receives test emails
+ example: receiver@host.com
required:
- from
- to
- EmailUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/EmailUserFactorProfile'
- EmailUserFactorProfile:
- type: object
- properties:
- email:
- type: string
EnabledStatus:
description: Setting status
type: string
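Review bot: The new `x-enumDescriptions` on EmailTemplateTouchPointVariant look swapped: `FULL_THEME` is said to use the Okta logo and Okta colors while `OKTA_DEFAULT` is said to use the logo from the Theme, which is the reverse of how the same two values are described for EndUserDashboardTouchPointVariant in the following hunk (`FULL_THEME` uses the Theme logo, `OKTA_DEFAULT` uses the Okta logo) and of what the names themselves imply. Exchange the two description texts between the keys so `FULL_THEME` describes the Theme logo and `primaryColorHex` buttons and `OKTA_DEFAULT` describes the Okta logo and colors.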
@@ -25399,12 +52723,298 @@ components:
- DISABLED
- ENABLED
EndUserDashboardTouchPointVariant:
+ description: |
+ Variant for the Okta End-User Dashboard. You can publish a theme for end-user dashboard with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
type: string
enum:
- FULL_THEME
- LOGO_ON_FULL_WHITE_BACKGROUND
- OKTA_DEFAULT
- WHITE_LOGO_BACKGROUND
+ x-enumDescriptions:
+ FULL_THEME: Uses the logo and favicon from the Theme. Uses `primaryColorHex` for the logo and the side navigation bar background color.
+ LOGO_ON_FULL_WHITE_BACKGROUND: Uses the logo and favicon from the Theme. Uses white background color for the logo and the side navigation bar background color.
+ OKTA_DEFAULT: Uses the Okta logo and favicon. Uses a white background color for the logo and the side navigation bar background color.
+ WHITE_LOGO_BACKGROUND: Uses the logo and favicon from the Theme, with a white background color for the logo. Uses `primaryColorHex` for the side navigation bar background color.
+ EndpointAuthMethod:
+ description: Requested authentication method for OAuth 2.0 endpoints.
+ type: string
+ enum:
+ - client_secret_basic
+ - client_secret_jwt
+ - client_secret_post
+ - none
+ - private_key_jwt
+ EnhancedDynamicNetworkZone:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZone'
+ - title: Enhanced Dynamic Network Zone
+ - type: object
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ properties:
+ asns:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: The list of ASNs associated with an Enhanced Dynamic Network Zone
+ properties:
+ include:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneAsns'
+ - description: An array of ASNs to include for an Enhanced Dynamic Network Zone
+ locations:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: The list of geolocations to include or exclude for an Enhanced Dynamic Network Zone
+ properties:
+ include:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneLocationArray'
+ - description: An array of geolocations to include for an Enhanced Dynamic Network Zone
+ exclude:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZoneLocationArray'
+ - description: An array of geolocations to exclude for an Enhanced Dynamic Network Zone
+ ipServiceCategories:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: false
+ SKUs: []
+ type: object
+ description: IP services, such as a proxy or VPN, to include or exclude for an Enhanced Dynamic Network Zone
+ properties:
+ include:
+ type: array
+ description: IP services to include for an Enhanced Dynamic Network Zone
+ items:
+ $ref: '#/components/schemas/IPServiceCategory'
+ maximum: 75
+ exclude:
+ type: array
+ description: IP services to exclude for an Enhanced Dynamic Network Zone
+ items:
+ $ref: '#/components/schemas/IPServiceCategory'
+ maximum: 75
+ EnrollmentActivationRequest:
+ description: Enrollment Initialization Request
+ type: object
+ properties:
+ credResponses:
+ description: List of credential responses from the fulfillment provider
+ type: array
+ items:
+ $ref: '#/components/schemas/WebAuthnCredResponse'
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ pinResponseJwe:
+ description: Encrypted JWE of PIN response from the fulfillment provider
+ type: string
+ serial:
+ description: Serial number of the YubiKey
+ type: string
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ version:
+ description: Firmware version of the YubiKey
+ type: string
+ yubicoSigningJwks:
+ description: List of usable signing keys from Yubico (in JWKS format) used to verify the JWS inside the JWE
+ type: array
+ items:
+ $ref: '#/components/schemas/ECKeyJWK'
+ EnrollmentActivationResponse:
+ description: Enrollment Initialization Response
+ type: object
+ properties:
+ authenticatorEnrollmentIds:
+ description: List of IDs for preregistered WebAuthn Factors in Okta
+ type: array
+ items:
+ type: string
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ EnrollmentInitializationRequest:
+ description: Enrollment Initialization Request
+ type: object
+ properties:
+ enrollmentRpIds:
+ description: List of Relying Party hostnames to register on the YubiKey.
+ type: array
+ items:
+ type: string
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ yubicoTransportKeyJWK:
+ $ref: '#/components/schemas/ECKeyJWK'
+ EnrollmentInitializationResponse:
+ description: Yubico Transport Key in the form of a JWK, used to encrypt our fulfillment request to Yubico. The currently agreed protocol uses P-384.
+ type: object
+ properties:
+ credRequests:
+ description: List of credential requests for the fulfillment provider
+ type: array
+ items:
+ $ref: '#/components/schemas/WebAuthnCredRequest'
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ pinRequestJwe:
+ description: Encrypted JWE of PIN request for the fulfillment provider
+ type: string
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ EntitlementValue:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ value:
+ type: string
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ group:
+ $ref: '#/components/schemas/HrefObjectGroupLink'
+ app:
+ $ref: '#/components/schemas/HrefObjectAppLink'
+ resource-set:
+ $ref: '#/components/schemas/HrefObjectResourceSetLink'
+ EntitlementValuesResponse:
+ type: object
+ properties:
+ entitlementValues:
+ type: array
+ items:
+ $ref: '#/components/schemas/EntitlementValue'
+ _links:
+ anyOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ - properties:
+ bundle:
+ $ref: '#/components/schemas/HrefObject'
+ entitlements:
+ $ref: '#/components/schemas/HrefObject'
+ EntityRiskPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported for this policy type.
+ default: null
+ nullable: true
+ EntityRiskPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ type: object
+ description: The action to take based on the risk event
+ properties:
+ entityRisk:
+ type: object
+ description: The object that contains the `actions` array
+ properties:
+ actions:
+ type: array
+ description: The `entityRisk` object's `actions` array can be empty or contain one of two `action` object value pairs. This object determines the specific response to a risk event.
+ items:
+ $ref: '#/components/schemas/EntityRiskPolicyRuleActionsObject'
+ conditions:
+ $ref: '#/components/schemas/EntityRiskPolicyRuleConditions'
+ EntityRiskPolicyRuleActionRunWorkflow:
+ type: object
+ properties:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ workflow:
+ type: object
+ description: This action runs a workflow
+ properties:
+ id:
+ type: integer
+ description: The `id` of the workflow that runs.
+ EntityRiskPolicyRuleActionTerminateAllSessions:
+ type: object
+ properties:
+ action:
+ type: string
+ description: This action revokes or terminates all of the user's active sessions.
+ enum:
+ - TERMINATE_ALL_SESSIONS
+ EntityRiskPolicyRuleActionsObject:
+ type: object
+ properties:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ - TERMINATE_ALL_SESSIONS
+ discriminator:
+ propertyName: action
+ mapping:
+ RUN_WORKFLOW: '#/components/schemas/EntityRiskPolicyRuleActionRunWorkflow'
+ TERMINATE_ALL_SESSIONS: '#/components/schemas/EntityRiskPolicyRuleActionTerminateAllSessions'
+ EntityRiskPolicyRuleConditions:
+ allOf:
+ - type: object
+ properties:
+ entityRisk:
+ $ref: '#/components/schemas/EntityRiskScorePolicyRuleCondition'
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ riskDetectionTypes:
+ $ref: '#/components/schemas/RiskDetectionTypesPolicyRuleCondition'
+ EntityRiskScorePolicyRuleCondition:
+ description: The risk score level of the entity risk policy rule
+ type: object
+ properties:
+ level:
+ type: string
+ enum:
+ - ANY
+ - LOW
+ - MEDIUM
+ - HIGH
+ required:
+ - level
Error:
title: Error
type: object
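Review bot: `maximum: 75` on the `ipServiceCategories.include` and `exclude` arrays is the numeric-range keyword and is ignored for arrays, so the 75-entry limit is neither validated nor surfaced by generated clients; the array keyword is `maxItems: 75`. `EntityRiskPolicyRuleActionsObject` declares a `discriminator` with a `mapping` but no `oneOf`/`anyOf`/`allOf`, which OpenAPI 3.0 does not permit (the same diff removes a bare `discriminator` from `EventSubscriptions` for presumably this reason), so either add a `oneOf` listing `EntityRiskPolicyRuleActionRunWorkflow` and `EntityRiskPolicyRuleActionTerminateAllSessions` or drop the discriminator. Two descriptions look copy-pasted: `EnrollmentActivationRequest` is described as `Enrollment Initialization Request`, and the `EnrollmentInitializationResponse` description about the Yubico transport key in JWK form reads as if it belongs on `EnrollmentInitializationRequest.yubicoTransportKeyJWK`, which currently has no description at all.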
@@ -25412,10 +53022,7 @@ components:
errorCauses:
type: array
items:
- type: object
- properties:
- errorSummary:
- type: string
+ $ref: '#/components/schemas/ErrorCause'
errorCode:
type: string
description: An Okta code for this type of error
@@ -25428,6 +53035,11 @@ components:
errorSummary:
type: string
description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error.
+ ErrorCause:
+ type: object
+ properties:
+ errorSummary:
+ type: string
ErrorPage:
allOf:
- $ref: '#/components/schemas/CustomizablePage'
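Review bot: `ErrorCause.errorSummary` is extracted from the former inline object without any description, while the sibling `Error.errorSummary` in this section documents what it holds. Since `ErrorCause` now backs every element of `Error.errorCauses`, add `description: A short description of this particular cause of the error` so the extracted schema is at least as well documented as the inline object it replaces.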
@@ -25436,39 +53048,95 @@ components:
contentSecurityPolicySetting:
$ref: '#/components/schemas/ContentSecurityPolicySetting'
ErrorPageTouchPointVariant:
+ description: |
+ Variant for the error page. You can publish a theme for error page with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
type: string
enum:
- BACKGROUND_IMAGE
- BACKGROUND_SECONDARY_COLOR
- OKTA_DEFAULT
+ x-enumDescriptions:
+ BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme
+ BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the error page.
+ OKTA_DEFAULT: Uses the Okta logo, favicon, and background color
+ ErrorResponse:
+ type: object
+ properties:
+ errorCause:
+ type: string
+ description: The reason or cause for the error in the org domain for the dr operation
+ nullable: true
+ errorCode:
+ type: string
+ description: An error code unique to the error
+ errorId:
+ type: string
+ description: The unique identifier of this error
+ nullable: true
+ errorLink:
+ type: string
+ description: An indicator where to look out to troubleshoot the error
+ nullable: true
+ errorSummary:
+ type: string
+ description: An error code description, detailing the error
+ required:
+ - errorCode
+ - errorSummary
EventHook:
type: object
properties:
channel:
$ref: '#/components/schemas/EventHookChannel'
created:
+ description: Timestamp of the event hook creation
type: string
format: date-time
readOnly: true
createdBy:
+ description: The ID of the user who created the event hook
+ type: string
+ readOnly: true
+ description:
+ description: Description of the event hook
type: string
+ nullable: true
events:
$ref: '#/components/schemas/EventSubscriptions'
id:
type: string
+ description: Unique key for the event hook
readOnly: true
lastUpdated:
+ description: Date of the last event hook update
type: string
format: date-time
readOnly: true
name:
+ description: Display name for the event hook
type: string
status:
- $ref: '#/components/schemas/LifecycleStatus'
+ description: Status of the event hook
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ readOnly: true
verificationStatus:
$ref: '#/components/schemas/EventHookVerificationStatus'
_links:
- $ref: '#/components/schemas/LinksSelf'
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ deactivate:
+ $ref: '#/components/schemas/HrefObject'
+ verify:
+ $ref: '#/components/schemas/HrefObject'
+ required:
+ - name
+ - events
+ - channel
EventHookChannel:
type: object
properties:
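Review bot: The `ErrorResponse.errorCause` description `The reason or cause for the error in the org domain for the dr operation` uses an unexplained abbreviation; spell out what `dr` refers to (presumably the failover/failback operations whose schemas appear later in this diff, but confirm) so readers do not have to guess. The `errorLink` wording `An indicator where to look out to troubleshoot the error` is awkward; if the value is a URL, `A link to documentation for troubleshooting the error` with `format: uri` says so and lets clients validate it. `EventHook.status` now inlines an `ACTIVE`/`INACTIVE` enum in place of the shared `LifecycleStatus`; if the local copy is intentional, a short `x-enumDescriptions` block, as used on the touch-point variants in this diff, keeps it self-documenting.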
@@ -25477,63 +53145,157 @@ components:
type:
$ref: '#/components/schemas/EventHookChannelType'
version:
+ description: Version of the channel. Currently the only supported version is `1.0.0``.
type: string
+ required:
+ - type
+ - config
+ - version
EventHookChannelConfig:
type: object
properties:
authScheme:
$ref: '#/components/schemas/EventHookChannelConfigAuthScheme'
headers:
+ description: |-
+ Optional list of key/value pairs for headers that can be sent with the request to the external service. For example,
+ `X-Other-Header` is an example of an optional header, with a value of `my-header-value`, that you want Okta to pass to your
+ external service.
type: array
items:
$ref: '#/components/schemas/EventHookChannelConfigHeader'
+ method:
+ description: The method of the Okta event hook request
+ type: string
+ readOnly: true
uri:
+ description: The external service endpoint called to execute the event hook handler
type: string
+ required:
+ - uri
EventHookChannelConfigAuthScheme:
+ description: |-
+ The authentication scheme used for this request.
+
+ To use Basic Auth for authentication, set `type` to `HEADER`,
+ `key` to `Authorization`, and `value` to the Base64-encoded string of "username:password". Ensure that you include
+ the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`.
type: object
properties:
key:
+ description: The name for the authorization header
type: string
type:
$ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType'
value:
+ description: |-
+ The header value. This secret key is passed to your external service endpoint for security verification.
+ This property is not returned in the response.
type: string
+ writeOnly: true
EventHookChannelConfigAuthSchemeType:
+ description: The authentication scheme type. Currently only supports `HEADER`.
type: string
enum:
- HEADER
EventHookChannelConfigHeader:
+ nullable: true
type: object
properties:
key:
+ description: The optional field or header name
type: string
value:
+ description: The value for the key
type: string
EventHookChannelType:
+ description: The channel type. Currently supports `HTTP`.
type: string
enum:
- HTTP
+ EventHookFilterMap:
+ description: The object that maps the filter to the event type
+ items:
+ $ref: '#/components/schemas/EventHookFilterMapObject'
+ type: array
+ EventHookFilterMapObject:
+ type: object
+ properties:
+ condition:
+ $ref: '#/components/schemas/EventHookFilterMapObjectCondition'
+ event:
+ type: string
+ description: The filtered event type
+ EventHookFilterMapObjectCondition:
+ type: object
+ properties:
+ expression:
+ type: string
+ description: The Okta Expression language statement that filters the event type
+ version:
+ type: string
+ nullable: true
+ description: Internal field
+ readOnly: true
+ EventHookFilters:
+ nullable: true
+ description: |-
+ The optional filter defined on a specific event type
+
+ > **Note:** Event hook filters is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) to enable.
+ If you want to disable this feature, it's recommended to first remove all event filters.
+ type: object
+ properties:
+ eventFilterMap:
+ $ref: '#/components/schemas/EventHookFilterMap'
+ type:
+ type: string
+ description: The type of filter. Currently only supports `EXPRESSION_LANGUAGE`
+ readOnly: true
+ EventHookSubscribedEventTypes:
+ description: |-
+ The subscribed event types that trigger the event hook. When you register an event hook
+ you need to specify which events you want to subscribe to. To see the list of event types
+ currently eligible for use in event hooks, use the [Event Types catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog)
+ and search with the parameter `event-hook-eligible`.
+ items:
+ type: string
+ type: array
EventHookVerificationStatus:
+ description: Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events.
type: string
enum:
- UNVERIFIED
- VERIFIED
+ readOnly: true
EventSubscriptionType:
+ description: The events object type. Currently supports `EVENT_TYPE`.
type: string
enum:
- EVENT_TYPE
- - FLOW_EVENT
EventSubscriptions:
type: object
properties:
+ filter:
+ $ref: '#/components/schemas/EventHookFilters'
items:
- type: array
- items:
- type: string
+ $ref: '#/components/schemas/EventHookSubscribedEventTypes'
type:
$ref: '#/components/schemas/EventSubscriptionType'
- discriminator:
- propertyName: type
+ required:
+ - type
+ - items
+ ExpiresAt:
+ format: date-time
+ description: Timestamp when the object expires
+ example: '2016-01-03T18:15:47.000Z'
+ type: string
+ readOnly: true
+ Expression:
+ type: object
+ properties:
+ value:
+ type: string
FCMConfiguration:
properties:
fileName:
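Review bot: The `EventHookChannel.version` description ends with two backticks after `1.0.0` instead of one, so the inline code span never closes and the trailing period is swallowed into it; change it to end with a single backtick followed by the period. The `EventHookFilters` note `Event hook filters is a [self-service Early Access (EA)](...) to enable` is missing its noun; `Event hook filters is a [self-service Early Access (EA)](...) feature that you must enable` reads correctly. `EventHookChannelConfig.uri` is the external endpoint that receives the secret configured in `EventHookChannelConfigAuthScheme.value`, so `format: uri` on it would let clients reject a malformed endpoint before the hook is created rather than after the secret has been sent.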
@@ -25554,66 +53316,40 @@ components:
properties:
configuration:
$ref: '#/components/schemas/FCMConfiguration'
- FactorProvider:
- type: string
- enum:
- - CUSTOM
- - DUO
- - FIDO
- - GOOGLE
- - OKTA
- - RSA
- - SYMANTEC
- - YUBICO
- FactorResultType:
- type: string
- enum:
- - CANCELLED
- - CHALLENGE
- - ERROR
- - FAILED
- - PASSCODE_REPLAYED
- - REJECTED
- - SUCCESS
- - TIMEOUT
- - TIME_WINDOW_EXCEEDED
- - WAITING
- FactorStatus:
+ FailbackRequestSchema:
+ description: List of domains to failback
+ items:
+ type: string
+ description: Okta or custom domain to failback
+ example: yourOktaDomain.okta.com
+ type: array
+ FailbackResponseSchema:
+ description: successful failback message
type: string
- enum:
- - ACTIVE
- - DISABLED
- - ENROLLED
- - EXPIRED
- - INACTIVE
- - NOT_SETUP
- - PENDING_ACTIVATION
- FactorType:
+ FailoverRequestSchema:
+ description: List of domains to failover
+ items:
+ type: string
+ description: Okta or custom domain to failover
+ example: yourOktaDomain.okta.com
+ type: array
+ FailoverResponseSchema:
+ description: successful failover message
type: string
- enum:
- - call
- - email
- - push
- - question
- - signed_nonce
- - sms
- - token
- - token:hardware
- - token:hotp
- - token:software:totp
- - u2f
- - web
- - webauthn
Feature:
+ description: Specifies feature release cycle information
type: object
properties:
description:
type: string
+ description: Brief description of the feature and what it provides
id:
type: string
+ description: Unique identifier for this feature
readOnly: true
name:
type: string
+ description: Name of the feature
stage:
$ref: '#/components/schemas/FeatureStage'
status:
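Review bot: `FailbackResponseSchema` and `FailoverResponseSchema` describe a bare string as `successful failback message` / `successful failover message`, lowercase sentence fragments that differ from the capitalised descriptions around them and do not say what the string contains; `Message confirming that the failback completed` (and the failover equivalent) does. The matching request schemas are arrays of domains with no `minItems`; if an empty list is not a valid request, `minItems: 1` rejects it at validation time instead of leaving the server to do so.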
@@ -25621,14 +53357,40 @@ components:
type:
$ref: '#/components/schemas/FeatureType'
_links:
- $ref: '#/components/schemas/LinksSelf'
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ dependents:
+ description: Link to feature dependents
+ type: object
+ readOnly: true
+ properties:
+ href:
+ description: Link URI
+ type: string
+ readOnly: true
+ dependencies:
+ description: Link to feature dependencies
+ type: object
+ readOnly: true
+ properties:
+ href:
+ description: Link URI
+ type: string
+ readOnly: true
FeatureLifecycle:
- example: enable
+ example: ENABLE
type: string
enum:
- - disable
- - enable
+ - DISABLE
+ - ENABLE
FeatureStage:
+ description: |-
+ Current release cycle stage of a feature
+
+ If a feature's stage value is `EA`, the state is `null` and not returned. If the value is `BETA`, the state is `OPEN` or `CLOSED` depending on whether the `BETA` feature is manageable.
+
+ > **Note:** If a feature's stage is `OPEN BETA`, you can update it only in Preview cells. If a feature's stage is `CLOSED BETA`, you can disable it only in Preview cells.
type: object
properties:
state:
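Review bot: The `dependents` and `dependencies` links added under `Feature._links` are written out as inline objects with an `href` property, whereas every other `_links` entry in this diff references `HrefObject` (for example the `deactivate` and `verify` links on `EventHook`). Replace each inline object with `$ref: '#/components/schemas/HrefObject'` so the links share one definition and pick up any fields later added to it; the per-link descriptions can be kept by wrapping the ref in `allOf`, as the file does elsewhere. The enclosing `Feature` schema starts before this hunk.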
@@ -25636,16 +53398,19 @@ components:
value:
$ref: '#/components/schemas/FeatureStageValue'
FeatureStageState:
+ description: Indicates the release state of the feature
type: string
enum:
- CLOSED
- OPEN
FeatureStageValue:
+ description: Current release stage of the feature
type: string
enum:
- BETA
- EA
FeatureType:
+ description: Type of feature
type: string
enum:
- self-service
@@ -25660,6 +53425,150 @@ components:
resetPasswordUrl:
type: string
readOnly: true
+ FulfillmentData:
+ description: Fulfillment provider details
+ type: object
+ properties:
+ customizationId:
+ description: ID for the set of custom configurations of the requested Factor
+ type: string
+ inventoryProductId:
+ description: ID for the specific inventory bucket of the requested Factor
+ type: string
+ productId:
+ description: ID for the make and model of the requested Factor
+ type: string
+ FulfillmentRequest:
+ description: Fulfillment Request
+ type: object
+ properties:
+ fulfillmentData:
+ $ref: '#/components/schemas/FulfillmentData'
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
+ GoogleApplication:
+ title: Google Workspace
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: google
+ example:
+ name: google
+ label: Sample Google App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ domain: my-company-domain
+ description: |
+ Schema for the Google Workspace app (key name: `google`)
+
+ To create a Google Workspace app, use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Google Workspace app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ enum:
+ - google
+ example: google
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_2_0
+ example: BROWSER_PLUGIN
+ settings:
+ $ref: '#/components/schemas/GoogleApplicationSettings'
+ GoogleApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/GoogleApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ GoogleApplicationSettingsApplication:
+ description: Google app instance properties
+ type: object
+ properties:
+ domain:
+ type: string
+ description: Your Google company domain
+ rpId:
+ type: string
+ description: RPID
+ required:
+ - domain
+ GovernanceBundle:
+ type: object
+ properties:
+ description:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ orn:
+ type: string
+ status:
+ type: string
+ _links:
+ allOf:
+ - properties:
+ entitlements:
+ $ref: '#/components/schemas/HrefObject'
+ GovernanceBundleCreateRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ entitlements:
+ type: array
+ items:
+ $ref: '#/components/schemas/IAMBundleEntitlement'
+ name:
+ type: string
+ GovernanceBundleUpdateRequest:
+ type: object
+ properties:
+ description:
+ type: string
+ entitlements:
+ type: array
+ items:
+ $ref: '#/components/schemas/IAMBundleEntitlement'
+ name:
+ type: string
+ GovernanceBundlesResponse:
+ type: object
+ properties:
+ bundles:
+ type: array
+ items:
+ $ref: '#/components/schemas/GovernanceBundle'
+ _links:
+ anyOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ GovernanceSourceType:
+ description: The grant type
+ type: string
+ enum:
+ - CUSTOM
+ - ENTITLEMENT-BUNDLE
GrantOrTokenStatus:
description: Status
example: ACTIVE
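Review bot: `GoogleApplicationSettingsApplication.rpId` is documented only as `RPID`, which tells the reader nothing the property name does not; spell the acronym out (Relying Party ID, if that is what it is, and what it is used for in the Google Workspace app). The new `GovernanceBundle` schema carries no description on any property and leaves `status` as an unconstrained string; if its values are fixed, an `enum` like the one on `GovernanceSourceType` makes them discoverable to clients. `GovernanceSourceType` is described as `The grant type`, but its values `CUSTOM` and `ENTITLEMENT-BUNDLE` read as the source of a grant rather than a grant type, so `Source of the governance grant` would match the schema name better, assuming that is the intent.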
@@ -25668,13 +53577,39 @@ components:
- ACTIVE
- REVOKED
readOnly: true
- GrantTypePolicyRuleCondition:
+ GrantResourcesHrefObject:
type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants
+ GrantType:
+ description: Determines the mechanism Okta uses to authorize the creation of the tokens.
+ type: string
+ enum:
+ - authorization_code
+ - client_credentials
+ - implicit
+ - interaction_code
+ - password
+ - refresh_token
+ - urn:ietf:params:oauth:grant-type:device_code
+ - urn:ietf:params:oauth:grant-type:jwt-bearer
+ - urn:ietf:params:oauth:grant-type:saml2-bearer
+ - urn:ietf:params:oauth:grant-type:token-exchange
+ - urn:openid:params:grant-type:ciba
+ - urn:okta:params:oauth:grant-type:otp
+ - urn:okta:params:oauth:grant-type:oob
+ - http://auth0.com/oauth/grant-type/mfa-otp
+ - http://auth0.com/oauth/grant-type/mfa-oob
+ GrantTypePolicyRuleCondition:
description: Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens.
+ type: object
properties:
include:
type: array
- description: Array of grant types thagt this condition includes.
+ description: Array of grant types that this condition includes.
items:
type: string
Group:
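Review bot: `GrantTypePolicyRuleCondition.include.items` is left as a plain `type: string` even though this same hunk introduces the `GrantType` enum with exactly those semantics; referencing it (`$ref: '#/components/schemas/GrantType'`) keeps the two in sync and lets generated clients validate the values. `GrantType` also lists `implicit` and `password`, which the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against for new deployments; an `x-enumDescriptions` block, as used on the touch-point variants in this diff, is the natural place to mark them as legacy so integrators do not choose them by default.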
@@ -25684,20 +53619,26 @@ components:
type: string
format: date-time
readOnly: true
+ description: Timestamp when the Group was created
id:
type: string
readOnly: true
+ example: 0gabcd1234
+ description: Unique ID for the Group
lastMembershipUpdated:
type: string
format: date-time
readOnly: true
+ description: Timestamp when the Groups memberships were last updated
lastUpdated:
type: string
format: date-time
readOnly: true
+ description: Timestamp when the Group's Profile was last updated
objectClass:
type: array
readOnly: true
+ description: Determines the Group's `profile`
items:
type: string
profile:
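Review bot: The `lastMembershipUpdated` description `Timestamp when the Groups memberships were last updated` is missing the possessive; `Timestamp when the Group's memberships were last updated` matches the wording of `lastUpdated` two lines below. The enclosing `Group` schema begins before this hunk and continues after it.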
@@ -25706,11 +53647,13 @@ components:
$ref: '#/components/schemas/GroupType'
_embedded:
type: object
+ description: Embedded resources related to the Group
additionalProperties:
type: object
properties: {}
readOnly: true
_links:
+ description: '[Discoverable resources](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) related to the Group'
allOf:
- $ref: '#/components/schemas/LinksSelf'
- properties:
@@ -25724,9 +53667,15 @@ components:
$ref: '#/components/schemas/HrefObject'
users:
$ref: '#/components/schemas/HrefObject'
- GroupCondition:
+ GroupAssignmentProfile:
+ description: |-
+ Specifies the profile properties applied to [Application Users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) that are assigned to the app through group membership.
+ Some reference properties are imported from the target app and can't be configured. See [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response).
+ additionalProperties: true
type: object
+ GroupCondition:
description: Specifies a set of Groups whose Users are to be included or excluded
+ type: object
properties:
exclude:
type: array
@@ -25738,6 +53687,9 @@ components:
description: Groups to be included
items:
type: string
+ required:
+ - exclude
+ - include
GroupOwner:
type: object
properties:
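Review bot: Adding `required: [exclude, include]` to `GroupCondition` makes a condition that names only one of the two lists invalid, which is stricter than `GroupPolicyRuleCondition` later in this diff, where the same `exclude`/`include` pair stays optional. If the server genuinely rejects a missing list this is correct, but otherwise clients generated from the schema will refuse requests the API accepts; either drop the `required` block or align the two schemas, and say in the description which it is. The `GroupCondition` schema starts before this hunk.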
@@ -25776,8 +53728,8 @@ components:
- GROUP
- USER
GroupPolicyRuleCondition:
- type: object
description: Specifies a set of Groups whose Users are to be included or excluded
+ type: object
properties:
exclude:
type: array
@@ -25790,14 +53742,15 @@ components:
items:
type: string
GroupProfile:
- additionalProperties: true
- type: object
- properties:
- description:
- type: string
- name:
- type: string
- x-okta-extensible: true
+ description: |-
+ Specifies required and optional properties for a Group. The `objectClass` of a Group determines which additional properties are available.
+
+ You can extend Group Profiles with custom properties, but you must first add the properties to the Group Profile schema before you can reference them. Use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to manage schema extensions.
+
+ Custom properties can contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting.
+ anyOf:
+ - $ref: '#/components/schemas/OktaUserGroupProfile'
+ - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile'
GroupRule:
type: object
properties:
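Review bot: The new `GroupProfile` description runs `[Schemas API](...)to manage` with no space after the link, so the rendered text reads `...Schema/)to manage`; insert the space. With the schema now an `anyOf` of `OktaUserGroupProfile` and `OktaActiveDirectoryGroupProfile`, a sentence stating which `objectClass` selects which variant would make the first paragraph actionable rather than leaving the reader to infer it.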
@@ -25809,25 +53762,34 @@ components:
type: string
format: date-time
readOnly: true
+ description: Creation date for group rule
id:
type: string
readOnly: true
+ description: ID of the group rule
lastUpdated:
type: string
format: date-time
readOnly: true
+ description: Date group rule was last updated
name:
type: string
+ description: Name of the Group rule
+ minLength: 1
+ maxLength: 50
status:
$ref: '#/components/schemas/GroupRuleStatus'
type:
type: string
+ description: Type to indicate a Group rule operation. Only `group_rule` is allowed.
GroupRuleAction:
+ description: Defines which users and groups to assign
type: object
properties:
assignUserToGroups:
$ref: '#/components/schemas/GroupRuleGroupAssignment'
GroupRuleConditions:
+ description: Defines group rule conditions
type: object
properties:
expression:
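Review bot: `GroupRule.type` is documented as `Only `group_rule` is allowed` yet remains an unconstrained `string`; encoding it as an `enum` with the single value `group_rule` lets validators enforce what the description only states, in the same way `name` now gains `minLength`/`maxLength`. The enclosing `GroupRule` schema begins before this hunk.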
@@ -25835,31 +53797,36 @@ components:
people:
$ref: '#/components/schemas/GroupRulePeopleCondition'
GroupRuleExpression:
+ description: Defines Okta specific [group-rules expression](https://developer.okta.com/docs/reference/okta-expression-language/#expressions-in-group-rules)
type: object
properties:
type:
type: string
+ description: Expression type. Only valid value is '`urn:okta:expression:1.0`'.
value:
type: string
+ description: Okta expression that would result in a Boolean value
+ example: user.role==\"Engineer\"
GroupRuleGroupAssignment:
+ description: Contains the `groupIds` array
type: object
properties:
groupIds:
+ description: Array of `groupIds` to which Users are added
type: array
items:
type: string
GroupRuleGroupCondition:
+ description: Currently not supported
type: object
properties:
exclude:
type: array
- items:
- type: string
- include:
- type: array
+ description: Currently not supported
items:
type: string
GroupRulePeopleCondition:
+ description: Defines conditions for `people` in a group rule
type: object
properties:
groups:
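Review bot: The `GroupRuleExpression.value` example `user.role==\"Engineer\"` is a plain YAML scalar, so the backslashes are literal and the rendered example shows `\"` instead of `"`; write it as a single-quoted scalar, `example: 'user.role=="Engineer"'`. The `type` description wraps the backticked value in stray single quotes (`'`urn:okta:expression:1.0`'`), which renders oddly; drop the quotes, and since it states there is only one valid value, an `enum` holding that value would enforce it rather than merely describe it.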
@@ -25867,20 +53834,19 @@ components:
users:
$ref: '#/components/schemas/GroupRuleUserCondition'
GroupRuleStatus:
+ description: Status of group rule
type: string
enum:
- ACTIVE
- INACTIVE
- INVALID
GroupRuleUserCondition:
+ description: Defines conditions specific to user exclusion
type: object
properties:
exclude:
type: array
- items:
- type: string
- include:
- type: array
+ description: Excluded `userIds` when processing rules
items:
type: string
GroupSchema:
@@ -25889,29 +53855,38 @@ components:
$schema:
readOnly: true
type: string
+ description: JSON Schema version identifier
created:
readOnly: true
type: string
+ description: Timestamp when the Schema was created
definitions:
$ref: '#/components/schemas/GroupSchemaDefinitions'
description:
type: string
+ description: Description for the Schema
id:
readOnly: true
type: string
+ description: URI of Group Schema
lastUpdated:
readOnly: true
type: string
+ description: Timestamp when the Schema was last updated
name:
readOnly: true
type: string
+ description: Name of the Schema
properties:
$ref: '#/components/schemas/UserSchemaProperties'
+ description: Group object properties
title:
type: string
+ description: User-defined display name for the Schema
type:
readOnly: true
type: string
+ description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4)
_links:
$ref: '#/components/schemas/LinksSelf'
x-okta-allow-null-property-value-for-updates: true
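Review bot: The `description: Group object properties` added beside `$ref: '#/components/schemas/UserSchemaProperties'` under `GroupSchema.properties` is a sibling of `$ref`, and OpenAPI 3.0 tooling ignores every key next to a `$ref`, so the description is silently dropped. Wrap it the way `format` and `master` are written in the next hunk of this diff: `description: Group object properties` followed by `allOf:` with `- $ref: '#/components/schemas/UserSchemaProperties'` as its single member. The `GroupSchema` schema starts before this hunk.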
@@ -25920,81 +53895,160 @@ components:
properties:
description:
type: string
+ description: Description of the property
enum:
items:
- type: string
+ anyOf:
+ - type: string
+ - type: integer
type: array
+ nullable: true
+ description: |-
+ Enumerated value of the property.
+
+ The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements.
externalName:
type: string
+ description: Name of the property as it exists in an external application
externalNamespace:
type: string
+ description: Namespace from the external application
+ format:
+ description: Identifies the type of data represented by the string
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeFormat'
items:
$ref: '#/components/schemas/UserSchemaAttributeItems'
+ nullable: true
master:
- $ref: '#/components/schemas/UserSchemaAttributeMaster'
+ description: Identifies where the property is mastered
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMaster'
maxLength:
type: integer
+ nullable: true
+ description: Maximum character length of a string property
minLength:
type: integer
+ nullable: true
+ description: Minimum character length of a string property
mutability:
- type: string
+ description: Defines the mutability of the property
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString'
oneOf:
items:
$ref: '#/components/schemas/UserSchemaAttributeEnum'
type: array
+ nullable: true
+ description: |-
+ Non-empty array of valid JSON schemas.
+
+ Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format:
+
+ ```
+ {
+ "const": "enumValue",
+ "title": "display name"
+ }
+ ```json
+
+ When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order.
+
+ ```
+ {"enum": ["S","M","L","XL"],
+ "oneOf": [
+ {"const": "S", "title": "Small"},
+ {"const": "M", "title": "Medium"},
+ {"const": "L", "title": "Large"},
+ {"const": "XL", "title": "Extra Large"}
+ ]
+ }
+ ```json
+
+ The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value.
permissions:
+ description: Access control permissions for the property
items:
$ref: '#/components/schemas/UserSchemaAttributePermission'
type: array
+ nullable: true
required:
type: boolean
+ nullable: true
+ description: Determines whether the property is required
scope:
- $ref: '#/components/schemas/UserSchemaAttributeScope'
+ description: Determines whether a group attribute can be set at the individual or group level
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeScope'
title:
type: string
+ minLength: 1
+ description: User-defined display name for the property
type:
- $ref: '#/components/schemas/UserSchemaAttributeType'
- union:
- $ref: '#/components/schemas/UserSchemaAttributeUnion'
+ description: Type of property
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeType'
unique:
- type: string
+ description: Determines whether property values must be unique
+ type: boolean
+ nullable: true
GroupSchemaBase:
type: object
properties:
id:
readOnly: true
type: string
+ description: The subschema name
properties:
- $ref: '#/components/schemas/GroupSchemaBaseProperties'
+ description: The `#base` object properties
+ allOf:
+ - $ref: '#/components/schemas/GroupSchemaBaseProperties'
required:
items:
type: string
type: array
+ description: A collection indicating required property names
+ readOnly: true
type:
+ description: The object type
type: string
+ readOnly: true
GroupSchemaBaseProperties:
+ description: All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. These properties can't be removed or edited, regardless of any attempt to do so.
type: object
properties:
description:
- $ref: '#/components/schemas/GroupSchemaAttribute'
+ description: Human readable description of the Group
+ allOf:
+ - $ref: '#/components/schemas/GroupSchemaAttribute'
name:
- $ref: '#/components/schemas/GroupSchemaAttribute'
+ description: Unique identifier for the Group
+ allOf:
+ - $ref: '#/components/schemas/GroupSchemaAttribute'
GroupSchemaCustom:
+ description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom`
type: object
properties:
id:
readOnly: true
type: string
+ description: The subschema name
properties:
additionalProperties:
$ref: '#/components/schemas/GroupSchemaAttribute'
type: object
+ description: The `#custom` object properties
required:
items:
type: string
type: array
+ description: A collection indicating required property names
+ readOnly: true
type:
type: string
+ description: The object type
+ readOnly: true
GroupSchemaDefinitions:
type: object
properties:
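Review bot: The two JSON examples in the new `oneOf` description of `GroupSchemaAttribute` have their fences inverted: each block opens with a bare three-backtick line and closes with a three-backtick line followed by `json`. In CommonMark a closing fence may not carry an info string, so those closing lines are treated as content; the first block stays open until the next bare fence and swallows the prose in between, and the last block is never closed. Swap them so each example opens with the `json`-tagged fence and closes with the bare one. The enclosing `GroupSchemaAttribute` schema starts before this hunk.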
@@ -26003,54 +54057,67 @@ components:
custom:
$ref: '#/components/schemas/GroupSchemaCustom'
GroupType:
+ description: Determines how a Group's Profile and memberships are managed
type: string
enum:
- APP_GROUP
- BUILT_IN
- OKTA_GROUP
- HardwareUserFactor:
+ x-enumDescriptions:
+ APP_GROUP: Group Profile and memberships are imported and must be managed within the app (such as Active Directory or LDAP) that imported the Group
+ BUILT_IN: Group Profile and memberships are managed by Okta and can't be modified
+ OKTA_GROUP: Group Profile and memberships are directly managed in Okta via static assignments or indirectly through Group rules
+ GroupsLink:
allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/HardwareUserFactorProfile'
- HardwareUserFactorProfile:
- type: object
- properties:
- credentialId:
- type: string
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Application Groups](/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) resource
+ HelpLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the app help resource
HookKey:
+ title: HookKeyInstance
+ description: |-
+ The `id` property in the response as `id` serves as the unique ID for the key, which you can specify when invoking other CRUD operations.
+
+ The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call.
type: object
properties:
created:
type: string
format: date-time
- description: Timestamp when the key was created.
+ description: Timestamp when the key was created
readOnly: true
+ nullable: true
id:
type: string
- description: The unique identifier for the key.
+ description: The unique identifier for the key
readOnly: true
+ nullable: false
isUsed:
type: string
format: boolean
- description: Whether this key is currently in use by other hooks.
+ description: Whether this key is currently in use by other applications
+ nullable: false
+ readOnly: true
keyId:
type: string
- description: The alias of the public key.
+ description: The alias of the public key
+ nullable: false
readOnly: true
lastUpdated:
type: string
format: date-time
- description: Timestamp when the key was updated.
+ description: Timestamp when the key was updated
readOnly: true
+ nullable: true
name:
type: string
- description: Display name of the key.
+ description: Display name of the key
readOnly: false
- _embedded:
- $ref: '#/components/schemas/JsonWebKey'
+ nullable: false
+ minLength: 1
+ maxLength: 255
HostedPage:
type: object
properties:
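Review bot: `HookKey.isUsed` is left as `type: string` with `format: boolean` while the hunk only rewords its description and adds `nullable: false` / `readOnly: true`; `boolean` is not a defined format for strings in OpenAPI 3.0.3, so generated clients will model this as a free-form string. If the API returns a JSON boolean this should be `type: boolean` with the `format` line removed; if it really returns the strings "true"/"false", say so in the description and constrain it, e.g. `enum: ['true', 'false']`. The first sentence of the new `HookKey` description ("The `id` property in the response as `id` serves as the unique ID…") also reads like a leftover from editing and can be shortened to "The `id` property in the response serves as the unique ID for the key".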
@@ -26065,42 +54132,76 @@ components:
enum:
- EXTERNALLY_HOSTED
- OKTA_DEFAULT
- HrefObject:
+ HrefCsrPublishLink:
title: Link Object
+ description: Link to publish CSR
type: object
- additionalProperties: true
properties:
hints:
- type: object
- description: Describes allowed HTTP verbs for the `href`
+ $ref: '#/components/schemas/CsrPublishHrefHints'
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish
+ required:
+ - href
+ readOnly: true
+ HrefCsrSelfLink:
+ title: Link Object
+ description: Link to the resource (self)
+ type: object
+ properties:
+ hints:
+ $ref: '#/components/schemas/CsrSelfHrefHints'
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ required:
+ - href
+ readOnly: true
+ HrefHints:
+ description: Describes allowed HTTP verbs for the `href`
+ type: object
+ properties:
+ allow:
+ type: array
+ items:
+ $ref: '#/components/schemas/HttpMethod'
+ HrefHintsGuidanceObject:
+ allOf:
+ - $ref: '#/components/schemas/HrefHints'
+ - description: Describes allowed HTTP verbs and guidance for the `href`
+ - type: object
properties:
- allow:
+ guidance:
type: array
+ description: |
+ Specifies the URI to invoke for granting scope consent required to complete the OAuth 2.0 connection
items:
- $ref: '#/components/schemas/HttpMethod'
+ type: string
+ HrefObject:
+ title: Link Object
+ additionalProperties: true
+ type: object
+ properties:
+ hints:
+ $ref: '#/components/schemas/HrefHints'
href:
type: string
description: Link URI
name:
type: string
description: Link name
+ templated:
+ type: boolean
+ description: Indicates whether the Link Object's `href` property is a URI template.
type:
type: string
description: The media type of the link. If omitted, it is implicitly `application/json`.
- templated:
- type: boolean
- description: Indicates whether the Link Object's "href" property is a URI Template.
required:
- href
readOnly: true
- HrefObjectMappingsLink:
- allOf:
- - $ref: '#/components/schemas/HrefObject'
- - description: Link to the mappings resource
- HrefObjectRulesLink:
- allOf:
- - $ref: '#/components/schemas/HrefObject'
- - description: Link to the rules resource
HrefObjectActivateLink:
allOf:
- $ref: '#/components/schemas/HrefObject'
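Review bot: `HrefCsrPublishLink` and `HrefCsrSelfLink` re-declare `href`, the `required` list and `readOnly` by hand instead of composing `HrefObject` with `allOf` the way every other `*Link` schema in this file does; as written they also drop `additionalProperties: true`, `name`, `type` and `templated`, so the two link shapes will drift as `HrefObject` evolves. If `CsrPublishHrefHints` and `CsrSelfHrefHints` are compatible with `HrefHints`, the specialised hints can be layered in an `allOf` sibling (`- properties:` / `    hints:` / `      $ref: '#/components/schemas/CsrPublishHrefHints'`). The same applies to `HrefObjectAuthorizeLink` in the next hunk, whose `HrefHintsGuidanceObject` already extends `HrefHints`. Minor: the `guidance` description uses `|`, which keeps a trailing newline in the rendered value, while the rest of this commit uses `|-`.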
@@ -26109,6 +54210,25 @@ components:
allOf:
- $ref: '#/components/schemas/HrefObject'
- description: Link to the app resource
+ HrefObjectAssigneeLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the assignee resource
+ HrefObjectAuthorizeLink:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ description: Link to authorize scopes
+ type: object
+ properties:
+ hints:
+ $ref: '#/components/schemas/HrefHintsGuidanceObject'
+ href:
+ type: string
+ description: Link URI
+ required:
+ - href
+ readOnly: true
HrefObjectClientLink:
allOf:
- $ref: '#/components/schemas/HrefObject'
@@ -26121,10 +54241,54 @@ components:
allOf:
- $ref: '#/components/schemas/HrefObject'
- description: Link to delete the resource
+ HrefObjectGovernanceResourcesLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the resources
+ HrefObjectGrantAerialConsent:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to grant Okta Aerial access to your Org
+ HrefObjectGroupLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the group resource
HrefObjectLogoLink:
allOf:
- $ref: '#/components/schemas/HrefObject'
- description: Link to the logo resource
+ HrefObjectMappingsLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the mappings resource
+ HrefObjectMemberLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the member resource
+ HrefObjectPermissionsLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the permissions resource
+ HrefObjectResourceSetLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the resource-set resource
+ HrefObjectRetrieveAerialConsent:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to retrieve Okta Aerial consent for your Org
+ HrefObjectRevokeAerialConsent:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to revoke Okta Aerial consent for your Org
+ HrefObjectRoleLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the role resource
+ HrefObjectRulesLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the rules resource
HrefObjectSelfLink:
allOf:
- $ref: '#/components/schemas/HrefObject'
@@ -26148,6 +54312,62 @@ components:
- GET
- POST
- PUT
+ IAMBundleEntitlement:
+ type: object
+ properties:
+ resourceSets:
+ type: array
+ items:
+ type: string
+ role:
+ type: string
+ targets:
+ type: array
+ items:
+ type: string
+ IPNetworkZone:
+ allOf:
+ - $ref: '#/components/schemas/NetworkZone'
+ - title: IP Network Zone
+ - type: object
+ properties:
+ gateways:
+ type: array
+ items:
+ $ref: '#/components/schemas/NetworkZoneAddress'
+ description: |-
+ The IP addresses (range or CIDR form) for an IP Network Zone.
+ The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone.
+ proxies:
+ type: array
+ items:
+ $ref: '#/components/schemas/NetworkZoneAddress'
+ nullable: true
+ description: |-
+ The IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses for an IP Network Zone.
+ These proxies are automatically trusted by Threat Insights and used to identify the client IP of a request.
+ The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone.
+ IPServiceCategory:
+ description: An IP service offered by a provider, such as a proxy or VPN
+ type: string
+ enum:
+ - ALL_ANONYMIZERS
+ - ALL_ANONYMIZERS_EXCEPT_TOR
+ - ALL_IP_SERVICES
+ - ALL_PROXIES_VPNS
+ - ANONYMIZER_TOR
+ - APPLE_ICLOUD_RELAY_PROXY
+ - AVAST_VPN
+ - GLOBALPROTECT_VPN
+ - GOOGLE_VPN
+ - MULLVAD_VPN
+ - NORD_VPN
+ - OXYLABS_PROXY
+ - SAMSUNG_VPN
+ - SURFSHARK_VPN
+ - SYMANTEC_VPN
+ - TRENDMICRO_VPN
+ - ULTRASURF_VPN
IamRole:
type: object
properties:
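Review bot: `IAMBundleEntitlement` is added with no `description` on the schema or on `resourceSets`, `role` and `targets`, which stands out in a commit whose purpose is documenting every property; at minimum it needs a one-line schema description and a note on what kind of identifier each string array holds, since that is not recoverable from `type: string`. The name also uses `IAM` casing while the adjacent `IamRole` uses `Iam`; a rename is probably not worth breaking generated clients over, but the inconsistency should be a deliberate choice. On `IPNetworkZone.gateways` and `proxies`, the stated maximum array lengths depend on the zone type, so leaving them in the description rather than `maxItems` is appropriate.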
@@ -26189,31 +54409,114 @@ components:
$ref: '#/components/schemas/IamRole'
_links:
$ref: '#/components/schemas/LinksNext'
- IdentityProvider:
+ IdPCertificateCredential:
+ type: object
+ properties:
+ x5c:
+ $ref: '#/components/schemas/X5c'
+ required:
+ - x5c
+ IdPCsr:
+ description: Defines a CSR for a signature or decryption credential for an IdP
type: object
properties:
created:
+ $ref: '#/components/schemas/Created'
+ csr:
+ description: Base64-encoded CSR in DER format
type: string
- format: date-time
readOnly: true
- nullable: true
+ example: 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
id:
+ description: Unique identifier for the CSR
type: string
readOnly: true
- issuerMode:
- $ref: '#/components/schemas/IssuerMode'
+ example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
+ kty:
+ description: Cryptographic algorithm family for the CSR's keypair
+ type: string
+ example: RSA
+ _links:
+ type: object
+ additionalProperties: true
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ publish:
+ description: Publish the CSR
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ IdPCsrPkcs10:
+ description: Base64URL-encoded CSR in DER format
+ format: base64
+ type: string
+ IdPKeyCredential:
+ description: A [JSON Web Key](https://tools.ietf.org/html/rfc7517) for a signature or encryption credential for an IdP
+ additionalProperties: true
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/Created'
+ e:
+ description: The exponent value for the RSA public key
+ type: string
+ example: AQAB
+ expiresAt:
+ $ref: '#/components/schemas/ExpiresAt'
+ kid:
+ description: Unique identifier for the key
+ type: string
+ example: your-key-id
+ kty:
+ description: 'Identifies the cryptographic algorithm family used with the key (Supported value: `RSA`)'
+ type: string
+ example: RSA
lastUpdated:
+ $ref: '#/components/schemas/LastUpdated'
+ 'n':
+ description: The modulus value for the RSA public key
+ type: string
+ example: '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747'
+ use:
+ description: 'Intended use of the public key (Supported value: `sig`)'
+ type: string
+ example: sig
+ x5c:
+ $ref: '#/components/schemas/X5c'
+ x5t#S256:
+ description: Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate
+ type: string
+ example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE
+ IdentityProvider:
+ type: object
+ properties:
+ created:
+ $ref: '#/components/schemas/Created'
+ id:
type: string
- format: date-time
readOnly: true
+ description: Unique key for the IdP
+ example: 0oaWma58liwx40w6boYD
+ issuerMode:
+ $ref: '#/components/schemas/IdentityProviderIssuerMode'
+ lastUpdated:
+ $ref: '#/components/schemas/LastUpdated'
name:
type: string
+ maxLength: 100
+ description: Unique name for the IdP
+ example: Sample Identity Provider
policy:
$ref: '#/components/schemas/IdentityProviderPolicy'
properties:
$ref: '#/components/schemas/IdentityProviderProperties'
protocol:
- $ref: '#/components/schemas/Protocol'
+ description: IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages
+ oneOf:
+ - $ref: '#/components/schemas/ProtocolSaml'
+ - $ref: '#/components/schemas/ProtocolOAuth'
+ - $ref: '#/components/schemas/ProtocolOidc'
+ - $ref: '#/components/schemas/ProtocolMtls'
status:
$ref: '#/components/schemas/LifecycleStatus'
type:
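Review bot: `IdentityProvider.protocol` becomes a `oneOf` over `ProtocolSaml`, `ProtocolOAuth`, `ProtocolOidc` and `ProtocolMtls` without a `discriminator`, so validators must structurally match exactly one alternative, and OAuth and OIDC payloads may well satisfy both of those schemas. If the `Protocol*` schemas share a `type` property, add `discriminator:` / `  propertyName: type` (with a `mapping` if the values differ from the schema names) under `protocol`. Separately, `IdPCsr.csr` is described as `Base64-encoded CSR in DER format` while `IdPCsrPkcs10` says `Base64URL-encoded` and carries `format: base64`; confirm which encoding the endpoint actually uses and align the two, adding `format: base64` to `csr` if it applies. `IdPKeyCredential.kty` and `use` each document a single supported value in prose; an `enum` would let generators enforce it. The `IdentityProvider` schema continues past this hunk.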
@@ -26239,7 +54542,7 @@ components:
metadata:
description: 'Federation metadata document for the IdP (for example: SAML 2.0 Metadata)'
allOf:
- - $ref: '#/components/schemas/HrefObject'
+ - $ref: '#/components/schemas/HrefObject'
users:
description: IdP users
allOf:
@@ -26260,105 +54563,110 @@ components:
type: object
properties:
created:
- type: string
+ $ref: '#/components/schemas/Created'
externalId:
type: string
+ description: Unique IdP-specific identifier for the User
+ readOnly: true
+ maxLength: 512
+ example: saml.jackson@example.com
id:
type: string
+ description: Unique key of the User
readOnly: true
lastUpdated:
- type: string
+ $ref: '#/components/schemas/LastUpdated'
profile:
type: object
+ description: |-
+ IdP-specific profile for the User.
+
+ Identity Provider User profiles are IdP-specific but may be customized by the Profile Editor in the Admin Console.
+
+ > **Note:** Okta variable names have reserved characters that may conflict with the name of an IdP assertion attribute. You can use the **External name** to define the attribute name as defined in an IdP assertion such as a SAML attribute name.
additionalProperties:
type: object
properties: {}
+ example:
+ lastName: Jackson
+ subjectNameQualifier: example.com
+ subjectSpNameQualifier: urn:federation:example
+ authnContextClassRef: null
+ subjectNameId: saml.jackson@example.com
+ subjectConfirmationAddress: null
+ displayName: Saml Jackson
+ mobilePhone: +1-415-555-5141
+ email: saml.jackson@example.com
+ subjectNameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ firstName: Saml
+ subjectSpProvidedId: null
+ subjectConfirmationMethod: null
_embedded:
type: object
+ description: Embedded resources related to the IdP User
additionalProperties:
type: object
properties: {}
readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
- IdentityProviderCredentials:
- type: object
- properties:
- client:
- $ref: '#/components/schemas/IdentityProviderCredentialsClient'
- signing:
- $ref: '#/components/schemas/IdentityProviderCredentialsSigning'
- trust:
- $ref: '#/components/schemas/IdentityProviderCredentialsTrust'
- IdentityProviderCredentialsClient:
- type: object
- properties:
- client_id:
- type: string
- client_secret:
- type: string
- IdentityProviderCredentialsSigning:
- type: object
- properties:
- kid:
- type: string
- IdentityProviderCredentialsTrust:
- type: object
- properties:
- audience:
- type: string
- issuer:
- type: string
- kid:
- type: string
- revocation:
- $ref: '#/components/schemas/IdentityProviderCredentialsTrustRevocation'
- revocationCacheLifetime:
- type: integer
- IdentityProviderCredentialsTrustRevocation:
+ type: object
+ additionalProperties: true
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ - properties:
+ idp:
+ description: The IdP instance
+ example:
+ href: https://{yourOktaDomain}/api/v1/idps/0oa1k5d68qR2954hb0g4
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ user:
+ description: The linked Okta User
+ example:
+ href: https://{yourOktaDomain}/api/v1/users/00ulwodIu7wCfdiVR0g3
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ IdentityProviderIssuerMode:
+ description: Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP
+ default: DYNAMIC
type: string
enum:
- - CRL
- - DELTA_CRL
- - OCSP
+ - CUSTOM_URL
+ - DYNAMIC
+ - ORG_URL
+ x-enumDescriptions:
+ ORG_URL: In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (`https://${yourOktaDomain}`) as the domain in the `redirect_uri`.
+ CUSTOM_URL: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri`. You can set `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain configured.
+ DYNAMIC: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri` if the request was made from the custom domain URL. Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain.
IdentityProviderPolicy:
+ description: |-
+ Policy settings for the IdP.
+ The following provisioning and account linking actions are supported by each IdP provider:
+ | IdP type | User provisioning actions | Group provisioning actions | Account link actions | Account link filters |
+ | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- |
+ | `SAML2` | `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED` | `groups` |
+ | `X509` | `DISABLED` | No support for JIT provisioning | | |
+ | All social IdP types (any IdP type that isn't `SAML2` or `X509`) | `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | `AUTO`, `DISABLED` | `groups` |
allOf:
- type: object
properties:
accountLink:
$ref: '#/components/schemas/PolicyAccountLink'
- mapAMRClaims:
- type: boolean
- description: Enable mapping AMR from IdP to Okta to downstream apps
- default: false
- x-okta-lifecycle:
- features:
- - IDP_AMR_CLAIMS_MAPPING
maxClockSkew:
type: integer
+ description: Maximum allowable clock skew when processing messages from the IdP
+ example: 120000
provisioning:
$ref: '#/components/schemas/Provisioning'
subject:
$ref: '#/components/schemas/PolicySubject'
- IdpDiscoveryPolicy:
- allOf:
- - $ref: '#/components/schemas/Policy'
- - type: object
- properties:
- conditions:
- type: object
- nullable: true
IdentityProviderPolicyProvider:
type: string
enum:
- ANY
- OKTA
- SPECIFIC_IDP
- IdpSelectionType:
- type: string
- enum:
- - DYNAMIC
- - SPECIFIC
IdentityProviderPolicyRuleCondition:
type: object
properties:
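Review bot: The new `maxClockSkew` description on `IdentityProviderPolicy` gives no unit, and the example `120000` only makes sense if the value is in milliseconds; state it explicitly, e.g. `Maximum allowable clock skew, in milliseconds, when processing messages from the IdP` (confirm the unit against the API). In the `IdentityProviderIssuerMode` enum descriptions the org URL is written as `https://${yourOktaDomain}`, whereas every example in this file uses `{yourOktaDomain}`; drop the `$` for consistency. In the `IdentityProviderUser.profile` example, `mobilePhone: +1-415-555-5141` is an unquoted scalar starting with `+`; it parses as a string today, but quoting it (`'+1-415-555-5141'`) is the safer convention for phone-number-like values.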
@@ -26370,44 +54678,113 @@ components:
$ref: '#/components/schemas/IdentityProviderPolicyProvider'
IdentityProviderProperties:
nullable: true
+ description: The properties in the Identity Provider Properties object vary depending on the IdP type
type: object
properties:
+ aalValue:
+ type: string
+ nullable: true
+ description: |-
+ The [authentication assurance level](https://developers.login.gov/oidc/#aal-values) (AAL) value for the Login.gov IdP.
+ See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types.
additionalAmr:
type: array
+ description: The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to `X509` IdP type.
nullable: true
items:
type: string
+ enum:
+ - sc
+ - hwk
+ - pin
+ - mfa
+ x-enumDescriptions:
+ sc: Smart card
+ hwk: Hardware-secured key
+ pin: Personal identification number
+ mfa: Multifactor authentication
+ ialValue:
+ type: string
+ nullable: true
+ description: |-
+ The [type of identity verification](https://developers.login.gov/oidc/#ial-values) (IAL) value for the Login.gov IdP.
+ See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types.
IdentityProviderType:
+ description: |-
+ The Identity Provider object's `type` property identifies the social or enterprise Identity Provider used for authentication.
+ Each Identity Provider uses a specific protocol, therefore the `protocol` property must correspond with the IdP `type`.
+ If the protocol is OAuth 2.0-based, the Protocol object's `scopes` property must also correspond with the scopes supported by the IdP `type`.
+ For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request).
+
+ | Type | Description | Corresponding protocol | Corresponding protocol scopes |
+ | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -------------------------------------------------------------------- |
+ | `AMAZON` | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as the Identity Provider | OpenID Connect | `profile`, `profile:user_id` |
+ | `APPLE` | [Apple](https://developer.apple.com/sign-in-with-apple/) as the Identity Provider | OpenID Connect | `names`, `email`, `openid` |
+ | `DISCORD` | [Discord](https://discord.com/login) as the Identity Provider | OAuth 2.0 | `identify`, `email` |
+ | `FACEBOOK` | [Facebook](https://developers.facebook.com) as the Identity Provider | OAuth 2.0 | `public_profile`, `email` |
+ | `GITHUB` | [GitHub](https://github.com/join) as the Identity Provider | OAuth 2.0 | `user` |
+ | `GITLAB` | [GitLab](https://gitlab.com/users/sign_in) as the Identity Provider | OpenID Connect | `openid`, `read_user`, `profile`, `email` |
+ | `GOOGLE` | [Google](https://accounts.google.com/signup) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` |
+ | `LINKEDIN` | [LinkedIn](https://developer.linkedin.com/) as the Identity Provider | OAuth 2.0 | `r_emailaddress`, `r_liteprofile` |
+ | `LOGINGOV` | [Login.gov](https://developers.login.gov/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` |
+ | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/) as the Identity Provider | OpenID Connect | `email`, `profile`, `profile:name` |
+ | `MICROSOFT` | [Microsoft Enterprise SSO](https://azure.microsoft.com/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` |
+ | `OIDC` | IdP provider that supports [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | OpenID Connect | `openid`, `email`, `profile` |
+ | `PAYPAL` | [Paypal](https://www.paypal.com/signin) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` |
+ | `PAYPAL_SANDBOX` | [Paypal Sandbox](https://developer.paypal.com/tools/sandbox/) as the Identity Provider | OpenID Connect | `openid`, `email`, `profile` |
+ | `SALESFORCE` | [SalesForce](https://login.salesforce.com/) as the Identity Provider | OAuth 2.0 | `id`, `email`, `profile` |
+ | `SAML2` | Enterprise IdP provider that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) | SAML 2.0 | |
+ | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as the Identity Provider | OpenID Connect | `user-read-email`, `user-read-private` |
+ | `X509` | [Smart Card IdP](https://tools.ietf.org/html/rfc5280) | Mutual TLS | |
+ | `XERO` | [Xero](https://www.xero.com/us/signup/api/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` |
+ | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` |
+ | `YAHOOJP` | [Yahoo Japan](https://login.yahoo.co.jp/config/login) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` |
type: string
enum:
- - AgentlessDSSO
+ - AMAZON
+ - APPLE
+ - DISCORD
- FACEBOOK
+ - GITHUB
+ - GITLAB
- GOOGLE
- - IWA
- LINKEDIN
+ - LOGINGOV
+ - LOGINGOV_SANDBOX
- MICROSOFT
- OIDC
- - OKTA
+ - PAYPAL
+ - PAYPAL_SANDBOX
+ - SALESFORCE
- SAML2
+ - SPOTIFY
- X509
+ - XERO
+ - YAHOO
+ - YAHOOJP
IdentitySourceSession:
type: object
properties:
created:
type: string
+ description: The timestamp when the Identity Source Session was created
format: date-time
readOnly: true
id:
type: string
+ description: The ID of the Identity Source Session
readOnly: true
identitySourceId:
type: string
+ description: The ID of the custom Identity Source for which the session is created
readOnly: true
importType:
type: string
+ description: The type of import. All imports are `INCREMENTAL` imports.
readOnly: true
lastUpdated:
type: string
+ description: The timestamp when the Identity Source Session was created
format: date-time
readOnly: true
status:
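Review bot: The description added to `IdentitySourceSession.lastUpdated` says `The timestamp when the Identity Source Session was created`, a copy of the `created` description two properties above; it should read `The timestamp when the Identity Source Session was last updated`. The `IdentitySourceSession` schema continues past this hunk.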
@@ -26422,47 +54799,93 @@ components:
- EXPIRED
- IN_PROGRESS
- TRIGGERED
+ x-enumDescriptions:
+ CREATED: This is a new Identity Source Session that hasn't been processed. You can upload bulk data in this stage.
+ IN_PROGRESS: The bulk data is being uploaded to Okta.
+ TRIGGERED: Okta is processing the import data in this session. You can't load bulk data in this stage.
+ COMPLETED: The bulk data was processed and imported into Okta.
+ CLOSED: The Identity Source Session was canceled and isn't available for further activity.
+ EXPIRED: This Identity Source Session had the `CREATED` status and timed-out after 24 hours of inactivity.
+ ERROR: The processing of import data in the session encountered an error. You need to open a new session to upload the data again.
IdentitySourceUserProfileForDelete:
type: object
properties:
externalId:
type: string
+ description: The external ID of the entity that needs to be deleted in Okta
maxLength: 512
IdentitySourceUserProfileForUpsert:
- additionalProperties: {}
type: object
properties:
email:
type: string
format: email
+ description: Email address of the user
minLength: 5
maxLength: 100
firstName:
type: string
+ description: First name of the user
minLength: 1
maxLength: 50
nullable: true
homeAddress:
type: string
+ description: Home address of the user
maxLength: 4096
nullable: true
lastName:
type: string
+ description: Last name of the user
minLength: 1
maxLength: 50
nullable: true
mobilePhone:
type: string
+ description: Mobile phone number of the user
maxLength: 100
nullable: true
secondEmail:
type: string
+ description: Alternative email address of the user
format: email
minLength: 5
maxLength: 100
userName:
type: string
+ description: Username of the user
maxLength: 100
+ IdpDiscoveryPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported for this policy type.
+ default: null
+ nullable: true
+ IdpDiscoveryPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/IdpPolicyRuleAction'
+ conditions:
+ $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition'
+ IdpDiscoveryPolicyRuleCondition:
+ allOf:
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition'
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ userIdentifier:
+ $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition'
+ platform:
+ $ref: '#/components/schemas/PlatformPolicyRuleCondition'
IdpPolicyRuleAction:
type: object
properties:
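Review bot: `IdpDiscoveryPolicy.conditions` changes from `type: object` to `type: string` while its new description says conditions aren't supported for this policy type; if the API emits `conditions: null` either type validates, but if it ever returns `{}` the new `string` type rejects a response the previous schema accepted, so the switch to `string` wants confirming, and `default: null` on a string is unusual when `nullable: true` already expresses it. `IdpDiscoveryPolicyRuleCondition` wraps a single inline object in `allOf`, which adds nothing; the `type: object` / `properties:` block can sit directly under the schema name, matching `IdentityProviderPolicyRuleCondition` earlier in the file. The `x-enumDescriptions` added for the session status are listed in a different order from the `enum` values, which is harmless but makes the two lists harder to check against each other.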
@@ -26485,13 +54908,13 @@ components:
IdpPolicyRuleActionMatchCriteria:
type: object
properties:
+ propertyName:
+ type: string
+ description: The IdP property that the evaluated string should match to
providerExpression:
type: string
description: |
You can provide an Okta Expression Language expression with the Login Context that's evaluated with the IdP. For example, the value `login.identifier` refers to the user's username. If the user is signing in with the username `john.doe@mycompany.com`, the expression `login.identifier.substringAfter(@))` is evaluated to the domain name of the user, for example: `mycompany.com`.
- propertyName:
- type: string
- description: The IdP property that the evaluated string should match to
IdpPolicyRuleActionProvider:
type: object
properties:
@@ -26503,6 +54926,12 @@ components:
description: Provider `name` in Okta. Optional. Supported in `IDENTITY ENGINE`.
type:
$ref: '#/components/schemas/IdentityProviderType'
+ IdpSelectionType:
+ description: Determines whether the rule should use expression language or a specific IdP
+ type: string
+ enum:
+ - DYNAMIC
+ - SPECIFIC
IframeEmbedScopeAllowedApps:
type: string
enum:
@@ -26513,6 +54942,51 @@ components:
url:
readOnly: true
type: string
+ ImportScheduleObject:
+ description: Import schedule configuration
+ type: object
+ properties:
+ fullImport:
+ allOf:
+ - $ref: '#/components/schemas/ImportScheduleSettings'
+ - description: Determines the full import schedule
+ incrementalImport:
+ allOf:
+ - $ref: '#/components/schemas/ImportScheduleSettings'
+ - description: Determines the incremental import schedule
+ status:
+ $ref: '#/components/schemas/EnabledStatus'
+ ImportScheduleSettings:
+ type: object
+ properties:
+ expression:
+ type: string
+ description: The import schedule in UNIX cron format
+ example: 00 21 * * Mon,Thu,Fri,Sat
+ timezone:
+ type: string
+ description: The import schedule time zone in Internet Assigned Numbers Authority (IANA) time zone name format
+ minLength: 1
+ maxLength: 64
+ example: America/Los_Angeles
+ required:
+ - expression
+ ImportUsernameObject:
+ description: Determines the Okta username for the imported user
+ type: object
+ properties:
+ userNameExpression:
+ type: string
+ description: For `usernameFormat=CUSTOM`, specifies the Okta Expression Language statement for a username format that imported users use to sign in to Okta
+ usernameFormat:
+ type: string
+ description: Determines the username format when users sign in to Okta
+ default: EMAIL
+ enum:
+ - EMAIL
+ - CUSTOM
+ required:
+ - usernameFormat
InactivityPolicyRuleCondition:
type: object
properties:
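Review bot: `ImportUsernameObject.userNameExpression` is documented as applying only when `usernameFormat=CUSTOM`, but the schema cannot express that it is then mandatory, so a body with `usernameFormat: CUSTOM` and no expression validates. If the service rejects that combination, say so in the description (`Required when usernameFormat is CUSTOM; ignored otherwise` — confirm the second half) so consumers are not left to discover it at runtime. In `ImportScheduleSettings`, `timezone` is bounded by `minLength`/`maxLength` while `expression` has no bound at all; if the cron expression has a server-side length limit, declare it with `maxLength` so the two sibling properties are described to the same standard.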
@@ -26520,7 +54994,15 @@ components:
type: integer
unit:
type: string
+ InboundProvisioningApplicationFeature:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationFeature'
+ - type: object
+ - properties:
+ capabilities:
+ $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject'
InlineHook:
+ description: An inline hook object that specifies the details of the inline hook
type: object
properties:
channel:
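Review bot: In `InboundProvisioningApplicationFeature` the `properties` mapping is written as a third `allOf` item (`- properties:`) instead of belonging to the `- type: object` item above it, so the `type: object` sub-schema is empty and `capabilities` lives in a sub-schema with no declared type. Every other composite schema in this diff, for example `IdpDiscoveryPolicyRule`, nests `properties` under the object item; changing `- properties:` to `properties:` indented beneath `- type: object` makes this one match and stops validators treating the two as unrelated sub-schemas.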
@@ -26529,23 +55011,54 @@ components:
type: string
format: date-time
readOnly: true
+ description: Date of the inline hook creation
id:
type: string
readOnly: true
+ description: The unique identifier for the inline hook
lastUpdated:
type: string
format: date-time
readOnly: true
+ description: Date of the last inline hook update
name:
type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
status:
$ref: '#/components/schemas/InlineHookStatus'
type:
$ref: '#/components/schemas/InlineHookType'
version:
type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
+ $ref: '#/components/schemas/InlineHookLinks'
+ InlineHookBasePayload:
+ type: object
+ properties:
+ cloudEventVersion:
+ description: The inline hook cloud version
+ example: 0.1
+ type: string
+ contentType:
+ description: The inline hook request header content
+ example: application/JSON
+ type: string
+ eventId:
+ type: string
+ description: The individual inline hook request ID
+ example: 3o9jBzq1SmOGmmsDsqyyeQ
+ eventTime:
+ type: string
+ description: The time the inline hook request was sent
+ example: '2020-01-17T21:23:56.000Z'
+ eventTypeVersion:
+ description: The inline hook version
+ example: 1
+ type: string
InlineHookChannel:
type: object
properties:
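Review bot: `maximum: 255` and `minimum: 1` on `InlineHook.name` are numeric constraints applied to a `type: string` property, so validators ignore them; the intended length bounds need to be `maxLength: 255` and `minLength: 1`. The same mix-up appears on `uri` (`maximum: 1024`) in `InlineHookChannelConfig` and `InlineHookChannelConfigCreate`, and on `name` in `InlineHookCreate`, `InlineHookCreateResponse` and `InlineHookReplace` later in this diff. Separately, `InlineHookBasePayload` gives `example: 0.1` and `example: 1` for properties declared `type: string`; YAML reads those as a float and an integer, so quote them (`example: '0.1'`, `example: '1'`) to match the declared type.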
@@ -26553,47 +55066,105 @@ components:
$ref: '#/components/schemas/InlineHookChannelType'
version:
type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
discriminator:
propertyName: type
mapping:
HTTP: '#/components/schemas/InlineHookChannelHttp'
OAUTH: '#/components/schemas/InlineHookChannelOAuth'
InlineHookChannelConfig:
+ description: Properties of the communications channel that are used to contact your external service
type: object
properties:
- authScheme:
- $ref: '#/components/schemas/InlineHookChannelConfigAuthScheme'
headers:
type: array
+ description: An optional list of key/value pairs for headers that you can send with the request to the external service
items:
$ref: '#/components/schemas/InlineHookChannelConfigHeaders'
method:
type: string
+ description: The method of the Okta inline hook request
uri:
type: string
- InlineHookChannelConfigAuthScheme:
+ description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI.
+ maximum: 1024
+ InlineHookChannelConfigAuthSchemeBody:
+ description: The authentication scheme to use for this request
+ nullable: true
type: object
properties:
key:
type: string
+ description: The header name for the authorization server
type:
type: string
+ description: The authentication scheme type. Supported type—`HEADER`.
value:
type: string
+ description: The header value. This secret value is passed to your external service endpoint. Your external service can check it as a security measure.
+ InlineHookChannelConfigAuthSchemeResponse:
+ description: The authentication scheme to use for this request
+ nullable: true
+ type: object
+ properties:
+ key:
+ type: string
+ description: The header name for the authorization server
+ type:
+ type: string
+ description: The authentication scheme type. Supported type—`HEADER`
+ InlineHookChannelConfigCreate:
+ description: Properties of the communications channel that are used to contact your external service
+ type: object
+ properties:
+ headers:
+ type: array
+ description: An optional list of key/value pairs for headers that you can send with the request to the external service.
+ items:
+ $ref: '#/components/schemas/InlineHookChannelConfigHeaders'
+ method:
+ type: string
+ description: The method of the Okta inline hook request
+ uri:
+ type: string
+ description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI.
+ maximum: 1024
InlineHookChannelConfigHeaders:
type: object
properties:
key:
type: string
+ description: The optional field or header name
value:
type: string
+ description: The value for the key
+ InlineHookChannelCreate:
+ type: object
+ properties:
+ type:
+ $ref: '#/components/schemas/InlineHookChannelType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ discriminator:
+ propertyName: type
+ mapping:
+ HTTP: '#/components/schemas/InlineHookChannelHttpCreate'
+ OAUTH: '#/components/schemas/InlineHookChannelOAuthCreate'
InlineHookChannelHttp:
allOf:
- $ref: '#/components/schemas/InlineHookChannel'
- type: object
properties:
config:
- $ref: '#/components/schemas/InlineHookChannelConfig'
+ $ref: '#/components/schemas/InlineHookHttpConfig'
+ InlineHookChannelHttpCreate:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelCreate'
+ - type: object
+ properties:
+ config:
+ $ref: '#/components/schemas/InlineHookHttpConfigCreate'
InlineHookChannelOAuth:
allOf:
- $ref: '#/components/schemas/InlineHookChannel'
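Review bot: `InlineHookChannelConfigAuthSchemeBody.value` is described as the secret that is passed to the external service, but nothing in the schema marks it as request-only; adding `writeOnly: true` to that property records the intent that the separate `InlineHookChannelConfigAuthSchemeResponse` schema already implements by omitting `value`, and stops generated clients and docs from presenting it as a readable field. The same applies to `clientSecret` in `InlineHookOAuthClientSecretConfigCreate` further down. The `uri` description requires an `https://` prefix and no whitespace, yet the property carries no `format: uri` or `pattern`; if the service enforces those rules, expressing at least `format: uri` lets tooling validate before a request is sent.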
@@ -26601,11 +55172,117 @@ components:
properties:
config:
$ref: '#/components/schemas/InlineHookOAuthChannelConfig'
+ InlineHookChannelOAuthCreate:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelCreate'
+ - type: object
+ properties:
+ config:
+ $ref: '#/components/schemas/InlineHookOAuthChannelConfigCreate'
InlineHookChannelType:
type: string
enum:
- HTTP
- OAUTH
+ InlineHookCreate:
+ description: An inline hook object that specifies the details of the inline hook
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/InlineHookChannelCreate'
+ name:
+ type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
+ type:
+ $ref: '#/components/schemas/InlineHookType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ InlineHookCreateResponse:
+ description: An inline hook object that specifies the details of the inline hook
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/InlineHookChannel'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Date of the inline hook creation
+ id:
+ type: string
+ readOnly: true
+ description: The unique identifier for the inline hook
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ description: Date of the last inline hook update
+ name:
+ type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
+ status:
+ $ref: '#/components/schemas/InlineHookStatus'
+ type:
+ $ref: '#/components/schemas/InlineHookType'
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/InlineHookLinksCreate'
+ InlineHookHttpConfig:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelConfig'
+ type: object
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeResponse'
+ InlineHookHttpConfigCreate:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookChannelConfigCreate'
+ type: object
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeBody'
+ InlineHookLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ activate:
+ description: URL to activate the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ description: URL to deactivate the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ delete:
+ description: URL to delete the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ execute:
+ description: URL to test the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ InlineHookLinksCreate:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ deactivate:
+ description: URL to deactivate the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ execute:
+ description: URL to test the inline hook
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
InlineHookOAuthBasicConfig:
allOf:
- $ref: '#/components/schemas/InlineHookChannelConfig'
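Review bot: `InlineHookCreate` declares no `required` list, so as written a request body containing none of `name`, `type` or `channel` validates against the schema. If the create endpoint rejects bodies missing these, as the shape of `InlineHookCreateResponse` suggests, add a block-style `required:` list naming `name`, `type` and `channel`; if any of them is genuinely optional, a sentence in the description saying so would help readers. The same question applies to `InlineHookReplace` later in this diff.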
@@ -26615,37 +55292,107 @@ components:
type: string
clientId:
type: string
+ description: A publicly exposed string provided by the service that's used to identify the OAuth app and build authorization URLs
scope:
type: string
+ description: Include the scopes that allow you to perform the actions on the hook endpoint that you want to access
tokenUrl:
type: string
+ description: The URI where inline hooks can exchange an authorization code for access and refresh tokens
InlineHookOAuthChannelConfig:
type: object
properties:
authType:
type: string
+ description: The authentication method for the token endpoint
discriminator:
propertyName: authType
mapping:
client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfig'
private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig'
+ InlineHookOAuthChannelConfigCreate:
+ type: object
+ properties:
+ authType:
+ type: string
+ description: The authentication method for the token endpoint
+ discriminator:
+ propertyName: authType
+ mapping:
+ client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfigCreate'
+ private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig'
InlineHookOAuthClientSecretConfig:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookOAuthBasicConfig'
+ type: object
+ properties:
+ authScheme:
+ type: string
+ description: Not applicable. Must be `null`.
+ nullable: true
+ InlineHookOAuthClientSecretConfigCreate:
allOf:
- $ref: '#/components/schemas/InlineHookOAuthBasicConfig'
type: object
properties:
clientSecret:
type: string
+ description: A private value provided by the service used to authenticate the identity of the app to the service
+ method:
+ type: string
+ description: The method of the Okta inline hook request. Only accepts `POST`.
InlineHookOAuthPrivateKeyJwtConfig:
allOf:
- $ref: '#/components/schemas/InlineHookOAuthBasicConfig'
type: object
properties:
+ authScheme:
+ type: string
+ description: Not applicable. Must be `null`.
+ nullable: true
hookKeyId:
type: string
+ description: An ID value of the hook key pair generated from the [Hook Keys API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/HookKey/#tag/HookKey)
+ method:
+ type: string
+ description: The method of the Okta inline hook request. Only accepts `POST`.
InlineHookPayload:
type: object
x-okta-extensible: true
+ InlineHookReplace:
+ description: An inline hook object that specifies the details of the inline hook
+ type: object
+ properties:
+ channel:
+ $ref: '#/components/schemas/InlineHookChannelCreate'
+ name:
+ type: string
+ description: The display name of the inline hook
+ maximum: 255
+ minimum: 1
+ version:
+ type: string
+ description: Version of the inline hook type. The currently supported version is `1.0.0`.
+ InlineHookRequestObject:
+ description: The API request that triggered the inline hook
+ type: object
+ properties:
+ id:
+ type: string
+ description: The unique identifier that Okta assigned to the API request
+ ipAddress:
+ type: string
+ description: The IP address of the client that made the API request
+ method:
+ type: string
+ description: The HTTP request method of the API request
+ url:
+ type: object
+ description: The URL of the API endpoint
+ properties:
+ value:
+ type: string
+ description: The URL value of the API endpoint
InlineHookResponse:
type: object
properties:
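Review bot: In `InlineHookOAuthChannelConfigCreate` the discriminator maps `client_secret_post` to a dedicated `InlineHookOAuthClientSecretConfigCreate` schema but maps `private_key_jwt` to the shared `InlineHookOAuthPrivateKeyJwtConfig`, which carries an `authScheme` property that the create-side `InlineHookOAuthClientSecretConfigCreate` deliberately omits. Either an `InlineHookOAuthPrivateKeyJwtConfigCreate` counterpart is missing or the asymmetry is intentional; in the latter case a short comment above the `mapping` saying why would save the next reader from filing it as a bug.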
@@ -26677,11 +55424,13 @@ components:
- ACTIVE
- INACTIVE
InlineHookType:
+ description: One of the inline hook types
type: string
enum:
- com.okta.import.transform
- com.okta.oauth2.tokens.transform
- com.okta.saml.tokens.transform
+ - com.okta.telephony.provider
- com.okta.user.credential.password.import
- com.okta.user.pre-registration
IssuerMode:
@@ -26690,62 +55439,102 @@ components:
- CUSTOM_URL
- DYNAMIC
- ORG_URL
- JsonWebKey:
+ JsonPatchOperation:
+ description: The update action
type: object
properties:
- alg:
+ op:
+ $ref: '#/components/schemas/PatchAction'
+ path:
type: string
+ description: The resource path of the attribute to update
+ value:
+ type: object
+ description: The update operation value
+ JsonWebKey:
+ type: object
+ properties:
created:
- type: string
- format: date-time
+ $ref: '#/components/schemas/createdProperty'
e:
+ description: RSA key value (public exponent) for Key binding
type: string
+ readOnly: true
expiresAt:
+ description: Timestamp when the certificate expires
type: string
format: date-time
- key_ops:
- type: array
- items:
- type: string
+ readOnly: true
kid:
+ description: Unique identifier for the certificate
type: string
+ readOnly: true
kty:
+ description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`'
type: string
+ readOnly: true
lastUpdated:
type: string
format: date-time
+ $ref: '#/components/schemas/lastUpdatedProperty'
'n':
- type: string
- status:
+ description: RSA modulus value that is used by both the public and private keys and provides a link between them
type: string
use:
+ description: 'Acceptable use of the certificate. Valid value: `sig`'
type: string
+ readOnly: true
x5c:
+ description: X.509 certificate chain that contains a chain of one or more certificates
type: array
items:
type: string
- x5t:
- type: string
+ readOnly: true
x5t#S256:
+ description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate
type: string
- x5u:
- type: string
- _links:
- $ref: '#/components/schemas/LinksSelf'
+ readOnly: true
JwkUse:
type: object
properties:
use:
$ref: '#/components/schemas/JwkUseType'
JwkUseType:
+ description: Purpose of the certificate. The only supported value is `sig`.
type: string
enum:
- sig
+ KeepCurrent:
+ type: object
+ properties:
+ keepCurrent:
+ description: Skip deleting the user's current session when set to `true`
+ type: boolean
+ default: true
+ KeepMeSignedIn:
+ type: object
+ properties:
+ postAuth:
+ description: Whether the post-authentication Keep Me Signed In flow is allowed
+ type: string
+ enum:
+ - ALLOWED
+ - NOT_ALLOWED
+ postAuthPromptFrequency:
+ description: If allowed, how often to display the post-authentication Keep Me Signed In prompt
+ default: P30D
+ $ref: '#/components/schemas/TimeDuration'
KeyRequest:
type: object
properties:
name:
+ description: Display name for the key
type: string
+ uniqueItems: true
+ readOnly: false
+ minLength: 1
+ maxLength: 255
+ nullable: false
KeyTrustLevelBrowserKey:
description: Represents the attestation strength used by the Chrome Verified Access API
example: CHROME_BROWSER_HW_KEY
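Review bot: `JsonWebKey.lastUpdated` keeps `type: string` and `format: date-time` next to the new `$ref: '#/components/schemas/lastUpdatedProperty'`; OpenAPI 3.0 ignores siblings of `$ref`, so those two lines are dead and the property should read like `created`, which the diff already reduced to the bare `$ref`. The same applies to `description` and `default: P30D` beside the `$ref` in `KeepMeSignedIn.postAuthPromptFrequency`, where the default is silently dropped; wrapping the `$ref` in `allOf` keeps them in effect. `KeyRequest.name` also gains `uniqueItems: true`, an array-only keyword that has no meaning on a `type: string` property, and `readOnly: false` / `nullable: false` merely restate the defaults.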
@@ -26772,8 +55561,14 @@ components:
Language:
description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646)
type: string
+ LastUpdated:
+ format: date-time
+ description: Timestamp when the object was last updated
+ example: '2016-01-03T18:15:47.000Z'
+ type: string
+ readOnly: true
LifecycleCreateSettingObject:
- description: Determines whether to update a user in the application when a user in Okta is updated
+ description: Determines whether to update a user in the app when a user in Okta is updated
type: object
properties:
status:
@@ -26802,7 +55597,19 @@ components:
enum:
- ACTIVE
- INACTIVE
+ LinkedHrefObject:
+ title: Link Object
+ additionalProperties: true
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ required:
+ - href
+ readOnly: true
LinkedObject:
+ title: LinkedObject
type: object
properties:
associated:
@@ -26810,31 +55617,139 @@ components:
primary:
$ref: '#/components/schemas/LinkedObjectDetails'
_links:
- $ref: '#/components/schemas/LinksSelf'
+ $ref: '#/components/schemas/LinkedObjectLinksSelf'
LinkedObjectDetails:
+ title: LinkedObjectDetails
type: object
properties:
description:
type: string
+ description: Description of the `primary` or the `associated` relationship
name:
type: string
+ description: 'API name of the `primary` or the `associated` link. The `name` parameter can''t start with a number and can only contain the following characters: `a-z`, `A-Z`,` 0-9`, and `_`.'
title:
type: string
+ description: Display name of the `primary` or the `associated` link
type:
$ref: '#/components/schemas/LinkedObjectDetailsType'
+ required:
+ - name
+ - title
+ - type
LinkedObjectDetailsType:
+ description: The object type for this relationship
type: string
enum:
- USER
+ x-enumDescriptions:
+ USER: Specifies the type of object
+ LinkedObjectLinksSelf:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ type: object
+ properties:
+ self:
+ $ref: '#/components/schemas/LinkedHrefObject'
+ LinksActivate:
+ type: object
+ properties:
+ activate:
+ allOf:
+ - description: Activates an enrolled Factor. See [Activate a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksAerialConsentGranted:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ revoke:
+ $ref: '#/components/schemas/HrefObjectRevokeAerialConsent'
+ LinksAerialConsentRevoked:
+ allOf:
+ - type: object
+ properties:
+ grant:
+ $ref: '#/components/schemas/HrefObjectGrantAerialConsent'
LinksAppAndUser:
- description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the App User.
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the Application User.
type: object
properties:
app:
$ref: '#/components/schemas/HrefObjectAppLink'
+ group:
+ $ref: '#/components/schemas/HrefObjectGroupLink'
user:
$ref: '#/components/schemas/HrefObjectUserLink'
readOnly: true
+ LinksAssignee:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ assignee:
+ $ref: '#/components/schemas/HrefObjectAssigneeLink'
+ LinksCancel:
+ type: object
+ properties:
+ cancel:
+ allOf:
+ - description: Cancels a `push` factor challenge with a `WAITING` status
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksCustomRoleResponse:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources.
+ type: object
+ properties:
+ assignee:
+ $ref: '#/components/schemas/HrefObjectAssigneeLink'
+ member:
+ $ref: '#/components/schemas/HrefObjectMemberLink'
+ permissions:
+ $ref: '#/components/schemas/HrefObjectPermissionsLink'
+ resource-set:
+ $ref: '#/components/schemas/HrefObjectResourceSetLink'
+ role:
+ $ref: '#/components/schemas/HrefObjectRoleLink'
+ LinksDeactivate:
+ type: object
+ properties:
+ deactivate:
+ allOf:
+ - description: Deactivates the Factor. See [Unenroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksEnroll:
+ type: object
+ properties:
+ enroll:
+ allOf:
+ - description: Enrolls a supported Factor. See [Enroll a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksFactor:
+ type: object
+ properties:
+ factor:
+ allOf:
+ - description: Link to the Factor resource
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksGovernanceResources:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the resources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ resources:
+ $ref: '#/components/schemas/HrefObjectGovernanceResourcesLink'
+ readOnly: true
+ LinksGovernanceSources:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the sources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ assignee:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ readOnly: true
LinksNext:
description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. Use the `LinksNext` object for dynamic discovery of related resources and lifecycle operations.
type: object
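Review bot: The `LinkedObjectDetails.name` description has a stray space inside the backticks — `` `A-Z`,` 0-9` `` — which renders as a code span beginning with a space; it should read `` `A-Z`, `0-9` ``. In `LinkedObjectDetailsType`, the entry `x-enumDescriptions.USER: Specifies the type of object` describes the property rather than the `USER` value; either describe what `USER` means (which object type the relationship links) or drop the entry, since an enum description that repeats the property's purpose adds nothing.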
@@ -26842,8 +55757,49 @@ components:
next:
$ref: '#/components/schemas/HrefObject'
readOnly: true
+ LinksNextForRoleAssignments:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification.
+ type: object
+ properties:
+ next:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The next page of results if [pagination](#pagination) is required
+ readOnly: true
+ LinksPoll:
+ type: object
+ properties:
+ poll:
+ allOf:
+ - description: Polls the Factor resource for status information. Always use the `poll` link instead of manually constructing your own URL.
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksQrcode:
+ type: object
+ properties:
+ qrcode:
+ allOf:
+ - description: QR code that encodes the push activation code needed for enrollment on the device
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksQuestions:
+ type: object
+ properties:
+ question:
+ allOf:
+ - description: Lists all supported security questions. See [List all Supported Security Questions](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksResend:
+ type: object
+ properties:
+ resend:
+ allOf:
+ - description: Resends the factor enrollment challenge. See [Resend a Factor enrollment](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
LinksSelf:
- description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
type: object
properties:
self:
@@ -26877,7 +55833,49 @@ components:
- type: object
properties:
roles:
- $ref: '#/components/schemas/HrefObject'
+ $ref: '#/components/schemas/HrefObjectRoleLink'
+ LinksSelfForRoleAssignment:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources.
+ type: object
+ properties:
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ LinksSelfLifecycleAndAuthorize:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ - type: object
+ properties:
+ authorize:
+ $ref: '#/components/schemas/HrefObjectAuthorizeLink'
+ LinksSend:
+ type: object
+ properties:
+ send:
+ allOf:
+ - description: Sends an activation link through email or sms for users who can't scan the QR code
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksUser:
+ type: object
+ properties:
+ user:
+ allOf:
+ - description: Returns information on the specified user
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ LinksUserRef:
+ type: object
+ properties:
+ user:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ LinksVerify:
+ type: object
+ properties:
+ verify:
+ allOf:
+ - description: Verifies the Factor resource. See [Verify a Factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor).
+ - $ref: '#/components/schemas/HrefObject'
+ readOnly: true
ListProfileMappings:
description: |-
A collection of the profile mappings that include a subset of the profile mapping object's properties. The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04).
@@ -26890,20 +55888,22 @@ components:
description: Unique identifier for profile mapping
readOnly: true
source:
- type: object
- description: Source of the schema property expressions (Okta object or App Instance object)
$ref: '#/components/schemas/ProfileMappingSource'
target:
- type: object
- description: Target of the schema property expressions (Okta object or App Instance object)
$ref: '#/components/schemas/ProfileMappingTarget'
_links:
$ref: '#/components/schemas/LinksSelf'
LoadingPageTouchPointVariant:
+ description: |
+ Variant for the Okta loading page. You can publish a theme for Okta loading page with different combinations of assets. Variants are preset combinations of those assets.
+ default: OKTA_DEFAULT
type: string
enum:
- NONE
- OKTA_DEFAULT
+ x-enumDescriptions:
+ NONE: Uses no loading page animation during the redirect
+ OKTA_DEFAULT: Uses the default Okta loading page animation during the redirect
LocationGranularity:
type: string
enum:
@@ -26912,32 +55912,55 @@ components:
- LAT_LONG
- SUBDIVISION
LogActor:
+ description: Describes the user, app, client, or other entity (actor) who performs an action on a target. The actor is dependent on the action that is performed. All events have actors.
type: object
properties:
alternateId:
+ description: Alternative ID of the actor
type: string
readOnly: true
detailEntry:
+ description: Further details about the actor
type: object
- additionalProperties:
- type: object
- properties: {}
+ additionalProperties: true
readOnly: true
displayName:
+ description: Display name of the actor
type: string
readOnly: true
id:
+ description: ID of the actor
type: string
readOnly: true
type:
+ description: Type of actor
type: string
readOnly: true
LogAuthenticationContext:
+ description: |-
+ All authentication relies on validating one or more credentials that prove the authenticity of the actor's identity. Credentials are sometimes provided by the actor, as is the case with passwords, and at other times provided by a third party, and validated by the authentication provider.
+
+ The authenticationContext contains metadata about how the actor is authenticated. For example, an authenticationContext for an event, where a user authenticates with Integrated Windows Authentication (IWA), looks like the following:
+ ```
+ {
+ "authenticationProvider": "ACTIVE_DIRECTORY",
+ "authenticationStep": 0,
+ "credentialProvider": null,
+ "credentialType": "IWA",
+ "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ",
+ "interface": null,
+ "issuer": null
+ }
+ ```
+ In this case, the user enters an IWA credential to authenticate against an Active Directory instance. All of the user's future-generated events in this sign-in session are going to share the same `externalSessionId`.
+
+ Among other operations, this response object can be used to scan for suspicious sign-in activity or perform analytics on user authentication habits (for example, how often authentication scheme X is used versus authentication scheme Y).
type: object
properties:
authenticationProvider:
$ref: '#/components/schemas/LogAuthenticationProvider'
authenticationStep:
+ description: The zero-based step number in the authentication pipeline. Currently unused and always set to `0`.
type: integer
readOnly: true
credentialProvider:
@@ -26945,14 +55968,17 @@ components:
credentialType:
$ref: '#/components/schemas/LogCredentialType'
externalSessionId:
+ description: A proxy for the actor's [session ID](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
type: string
readOnly: true
interface:
+ description: The third-party user interface that the actor authenticates through, if any.
type: string
readOnly: true
issuer:
$ref: '#/components/schemas/LogIssuer'
LogAuthenticationProvider:
+ description: The system that proves the identity of an actor using the credentials provided to it
type: string
enum:
- ACTIVE_DIRECTORY
@@ -26962,25 +55988,31 @@ components:
- OKTA_AUTHENTICATION_PROVIDER
- SOCIAL
LogClient:
+ description: When an event is triggered by an HTTP request, the `client` object describes the [client](https://datatracker.ietf.org/doc/html/rfc2616) that issues the HTTP request. For instance, the web browser is the client when a user accesses Okta. When this request is received and processed, a sign-in event is fired. When the event isn't sourced to an HTTP request, such as an automatic update, the `client` object field is blank.
type: object
properties:
device:
+ description: Type of device that the client operates from (for example, computer)
type: string
readOnly: true
geographicalContext:
$ref: '#/components/schemas/LogGeographicalContext'
id:
+ description: For OAuth requests, this is the ID of the OAuth [client](https://datatracker.ietf.org/doc/html/rfc6749#section-1.1) making the request. For SSWS token requests, this is the ID of the agent making the request.
type: string
readOnly: true
ipAddress:
+ description: IP address that the client is making its request from
type: string
readOnly: true
userAgent:
$ref: '#/components/schemas/LogUserAgent'
zone:
+ description: The `name` of the [Zone](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/#tag/NetworkZone/operation/getNetworkZone) that the client's location is mapped to
type: string
readOnly: true
LogCredentialProvider:
+ description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here.
type: string
enum:
- DUO
@@ -26991,25 +56023,98 @@ components:
- SYMANTEC
- YUBIKEY
LogCredentialType:
+ description: The underlying technology/scheme used in the credential
type: string
enum:
- ASSERTION
+ - CERTIFICATE
+ - DEVICE_UDID
- EMAIL
- IWA
- JWT
- OAuth 2.0
+ - OKTA_CLIENT_SESSION
- OTP
- PASSWORD
+ - PRE_SHARED_SYMMETRIC_KEY
- SMS
LogDebugContext:
+ description: |-
+ For some kinds of events (for example, OLM provisioning, sign-in request, second factor SMS, and so on), the fields that are provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the `debugContext` object provides a way to store additional information.
+
+ For example, an event where a second factor SMS token is sent to a user may have a `debugContext` that looks like the following:
+ ```
+ {
+ "debugData": {
+ "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify",
+ "smsProvider": "TELESIGN",
+ "transactionId": "268632458E3C100F5F5F594C6DC689D4"
+ }
+ }
+ ```
+ By inspecting the debugData field, you can find the URI that is used to trigger the second factor SMS (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), the SMS provider (`TELESIGN`), and the ID used by Telesign to identify this transaction (`268632458E3C100F5F5F594C6DC689D4`).
+
+ If for some reason the information that is needed to implement a feature isn't provided in other response objects, you should scan the `debugContext.debugData` field for potentially useful fields.
+ > **Important:** The information contained in `debugContext.debugData` is intended to add context when troubleshooting customer platform issues. Both key names and values may change from release to release and aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead.
type: object
properties:
debugData:
type: object
- additionalProperties:
- type: object
- properties: {}
+ description: A dynamic field that contains miscellaneous information that is dependent on the event type.
+ additionalProperties: true
+ readOnly: true
+ LogDevice:
+ description: The entity that describes a device enrolled with passwordless authentication using Okta Verify.
+ example:
+ LogDeviceObject:
+ $ref: '#/components/examples/LogDeviceObject'
+ type: object
+ properties:
+ device_integrator:
+ description: The integration platform or software used with the device
+ type: object
+ readOnly: true
+ disk_encryption_type:
+ $ref: '#/components/schemas/LogDiskEncryptionType'
+ id:
+ description: ID of the device
+ type: string
+ readOnly: true
+ jailbreak:
+ description: If the device has removed software restrictions
+ type: boolean
+ readOnly: true
+ managed:
+ description: Indicates if the device is configured for device management and is registered with Okta
+ type: boolean
readOnly: true
+ name:
+ type: string
+ readOnly: true
+ os_platform:
+ type: string
+ readOnly: true
+ os_version:
+ type: string
+ readOnly: true
+ registered:
+ description: Indicates if the device is registered with an Okta org and is bound to an Okta Verify instance on the device
+ type: boolean
+ readOnly: true
+ screen_lock_type:
+ $ref: '#/components/schemas/LogScreenLockType'
+ secure_hardware_present:
+ description: The availability of hardware security on the device
+ type: boolean
+ readOnly: true
+ LogDiskEncryptionType:
+ type: string
+ enum:
+ - ALL_INTERNAL_VALUES
+ - FULL
+ - NONE
+ - SYSTEM_VOLUME
+ - USER
LogEvent:
type: object
properties:
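Review bot: In the new `LogDevice` schema, `name`, `os_platform` and `os_version` are the only properties without a `description`, and the new `LogDiskEncryptionType` enum has none either, while the neighbouring enums (`LogCredentialProvider`, `LogCredentialType`) do; one line each, e.g. `description: Name of the device`, `description: Operating system platform of the device`, `description: Operating system version of the device`, and `description: Disk encryption level reported for the device`, would bring them in line. `device_integrator` is declared `type: object` with neither `properties` nor `additionalProperties`, so its shape is unconstrained; if it is free-form like `debugData`, `additionalProperties: true` says so explicitly. The `example:` under `LogDevice` is a map keyed `LogDeviceObject` holding a `$ref`; in a 3.0.3 Schema Object `example` is a literal value, so that map is likely rendered verbatim rather than resolved — confirm the renderer supports it. The enclosing `LogEvent` schema continues past the end of the hunk.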
@@ -27022,17 +56127,21 @@ components:
debugContext:
$ref: '#/components/schemas/LogDebugContext'
displayMessage:
+ description: The display message for an event
type: string
readOnly: true
eventType:
+ description: Type of event that is published
type: string
readOnly: true
legacyEventType:
+ description: Associated Events API Action `objectType` attribute value
type: string
readOnly: true
outcome:
$ref: '#/components/schemas/LogOutcome'
published:
+ description: Timestamp when the event is published
type: string
format: date-time
readOnly: true
@@ -27050,36 +56159,46 @@ components:
transaction:
$ref: '#/components/schemas/LogTransaction'
uuid:
+ description: Unique identifier for an individual event
type: string
readOnly: true
version:
+ description: Versioning indicator
type: string
readOnly: true
LogGeographicalContext:
+ description: Geographical context describes a set of geographic coordinates. In addition to containing latitude and longitude data, the `GeographicalContext` object also contains address data of postal code-level granularity. Within the `Client` object, the geographical context refers to the physical location of the client when it sends the request that triggers this event. All `Transaction` events with `type` equal to `WEB` have a geographical context set. `Transaction` events with `type` equal to `JOB` don't have a geographical context set. The geographical context data can be missing if the geographical data for a request can't be resolved.
type: object
properties:
city:
+ description: The city that encompasses the area that contains the geolocation coordinates, if available (for example, Seattle, San Francisco)
type: string
readOnly: true
country:
+ description: Full name of the country that encompasses the area that contains the geolocation coordinates (for example, France, Uganda)
type: string
readOnly: true
geolocation:
$ref: '#/components/schemas/LogGeolocation'
postalCode:
+ description: Postal code of the area that encompasses the geolocation coordinates
type: string
readOnly: true
state:
+ description: Full name of the state or province that encompasses the area that contains the geolocation coordinates (for example, Montana, Ontario)
type: string
readOnly: true
LogGeolocation:
+ description: The latitude and longitude of the geolocation where an action was performed. The object is formatted according to the [ISO-6709](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en) standard.
type: object
properties:
lat:
+ description: Latitude which uses two digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Latitude)
type: number
format: double
readOnly: true
lon:
+ description: Longitude which uses three digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Longitude)
type: number
format: double
readOnly: true
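Review bot: `LogGeolocation.lat` and `lon` describe ISO-6709 coordinates but carry no range constraints, so the schema accepts any double. Adding `minimum: -90` / `maximum: 90` on `lat` and `minimum: -180` / `maximum: 180` on `lon` would encode the bounds the description implies and let consumers validate instead of trusting the prose. The `LogIpAddress` schema that follows continues past the end of the hunk.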
@@ -27089,59 +56208,92 @@ components:
geographicalContext:
$ref: '#/components/schemas/LogGeographicalContext'
ip:
+ description: IP address
type: string
readOnly: true
source:
+ description: Details regarding the source
type: string
readOnly: true
version:
+ description: IP address version
type: string
readOnly: true
LogIssuer:
+ description: Describes the issuer of the authorization server when the authentication is performed through OAuth. This is the location where well-known resources regarding the details of the authorization servers are published.
type: object
properties:
id:
+ description: Varies depending on the type of authentication. If authentication is SAML 2.0, `id` is the issuer in the SAML assertion. For social login, `id` is the issuer of the token.
type: string
readOnly: true
type:
+ description: Information on the `issuer` and source of the SAML assertion or token
type: string
readOnly: true
LogOutcome:
type: object
properties:
reason:
+ description: Reason for the result, for example, `INVALID_CREDENTIALS`
type: string
readOnly: true
+ minLength: 1
+ maxLength: 255
result:
+ description: Result of the action
type: string
readOnly: true
+ enum:
+ - SUCCESS
+ - FAILURE
+ - SKIPPED
+ - ALLOW
+ - DENY
+ - CHALLENGE
+ - UNKNOWN
LogRequest:
+ description: The `Request` object describes details that are related to the HTTP request that triggers this event, if available. When the event isn't sourced to an HTTP request, such as an automatic update on the Okta servers, the `Request` object still exists, but the `ipChain` field is empty.
type: object
properties:
ipChain:
+ description: If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format of clientIp, proxy1, proxy2, and so on. This field is useful when working with trusted proxies.
type: array
readOnly: true
items:
$ref: '#/components/schemas/LogIpAddress'
+ LogScreenLockType:
+ type: string
+ enum:
+ - BIOMETRIC
+ - NONE
+ - PASSCODE
LogSecurityContext:
+ description: The `securityContext` object provides security information that is directly related to the evaluation of the event's IP reputation. IP reputation is a trustworthiness rating that evaluates how likely a sender is to be malicious and is based on the sender's IP address. As the name implies, the `securityContext` object is useful for security applications-flagging and inspecting suspicious events.
type: object
properties:
asNumber:
+ description: The [Autonomous system](https://docs.telemetry.mozilla.org/datasets/other/asn_aggregates/reference) number that's associated with the autonomous system the event request was sourced to
type: integer
readOnly: true
asOrg:
+ description: The organization that is associated with the autonomous system that the event request is sourced to
type: string
readOnly: true
domain:
+ description: The domain name that's associated with the IP address of the inbound event request
type: string
readOnly: true
isp:
+ description: The Internet service provider that's used to send the event's request
type: string
readOnly: true
isProxy:
+ description: Specifies whether an event's request is from a known proxy
type: boolean
readOnly: true
LogSeverity:
+ description: Indicates how severe the event is
type: string
enum:
- DEBUG
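Review bot: `LogOutcome` and the new `LogScreenLockType` enum are the two schemas in this hunk left without a top-level `description`, while `LogSeverity`, `LogIssuer` and `LogSecurityContext` got one; e.g. `description: The result of an action and the reason for it` and `description: Screen lock mechanism configured on the device` would close the gap. `LogIpAddress.version` and `source` are free `type: string` values whose descriptions ("IP address version", "Details regarding the source") don't say what values appear, so they should either name the expected values or be given an `enum` if the set is fixed. `LogOutcome.reason` now has `minLength: 1` without `nullable: true`; if `reason` can be null on `SUCCESS` outcomes, strict validators will reject those events — confirm against real log output. The `LogSeverity` enum continues past the end of the hunk.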
@@ -27274,31 +56426,48 @@ components:
$schema:
type: string
readOnly: true
- created:
- type: string
- readOnly: true
+ description: JSON Schema version identifier
errorMessage:
type: object
+ description: A collection of error messages for individual properties in the schema. Okta implements a subset of [ajv-errors](https://github.com/ajv-validator/ajv-errors).
id:
type: string
readOnly: true
- lastUpdated:
- type: string
- readOnly: true
- name:
+ description: URI of Log Stream Schema
+ oneOf:
+ items:
+ $ref: '#/components/schemas/UserSchemaAttributeEnum'
+ type: array
+ nullable: true
+ description: |-
+ Non-empty array of valid JSON schemas.
+
+ Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format:
+
+ ```
+ {
+ "const": "enumValue",
+ "title": "display name"
+ }
+ ```json
+ pattern:
type: string
- readOnly: true
+ description: For `string` Log Stream Schema property type, specifies the regular expression used to validate the property
properties:
type: object
+ description: Log Stream Schema properties object
required:
type: array
items:
type: string
+ description: Required properties for this Log Stream Schema object
title:
type: string
+ description: Name of the Log Streaming integration
type:
type: string
readOnly: true
+ description: Type of Log Stream Schema property
_links:
$ref: '#/components/schemas/LinksSelf'
LogStreamSelfLink:
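Review bot: The fenced example in the `oneOf` description closes with ```` ```json ```` instead of opening with it; Markdown treats a closing fence with an info string as a new opening fence, so everything after it in the rendered description becomes code. Move the tag to the opening fence (```` ```json ```` on the first fence line, a bare ```` ``` ```` on the last). Separately, `oneOf.items` references `UserSchemaAttributeEnum` inside a Log Stream schema, which looks copied from the user-schema definitions — confirm that is the intended shared type. The enclosing schema's header is above the hunk.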
@@ -27376,51 +56545,106 @@ components:
- aws_eventbridge
- splunk_cloud_logstreaming
LogTarget:
+ description: The entity that an actor performs an action on. Targets can be anything, such as an app user, a sign-in token, or anything else.
type: object
properties:
alternateId:
type: string
+ description: The alternate ID of the target
readOnly: true
+ changeDetails:
+ type: object
+ example:
+ LogTargetChangeDetails:
+ $ref: '#/components/examples/LogTargetChangeDetails'
+ description: |-
+ Details on the target's changes. Not all event types support the `changeDetails` property, and not all
+ `target` objects contain the `changeDetails` property. You must include a property within the object.
+
+ > **Note:** When querying the `changeDetails` property, you can't search on the `to` or `from` objects alone. You must include a property within the object.
+ properties:
+ from:
+ type: object
+ description: The original properties of the target
+ additionalProperties: true
+ to:
+ type: object
+ description: The updated properties of the target
+ additionalProperties: true
detailEntry:
type: object
- additionalProperties:
- type: object
- properties: {}
+ description: Further details on the target
+ additionalProperties: true
readOnly: true
displayName:
type: string
+ description: The display name of the target
readOnly: true
id:
type: string
+ description: The ID of the target
readOnly: true
type:
type: string
+ description: The type of target
readOnly: true
LogTransaction:
+ description: |-
+ A `transaction` object comprises contextual information associated with its respective event.
+ This information is useful for understanding sequences of correlated events.
+ For example, a `transaction` object such as the following:
+ ```
+ {
+ "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo",
+ "type": "WEB",
+ "detail": null
+ }
+ ```
+ indicates that a `WEB` request with `id` `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` has created this event.
+
+ A `transaction` object with a `requestApiTokenId` in the `detail` object, for example :
+ ```
+ {
+ "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU",
+ "type": "WEB",
+ "detail": {
+ "requestApiTokenId": "00T94e3cn9kSEO3c51s5"
+ }
+ }
+ ```
+ indicates that this event was the result of an action performed through an API using the token identified by 00T94e3cn9kSEO3c51s5. The token ID is visible in the Admin Console, **Security** > **API**. See [API token management](https://help.okta.com/okta_help.htm?id=Security_API). For more information on API tokens, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/).
type: object
properties:
detail:
+ description: Details for this transaction.
type: object
- additionalProperties:
- type: object
- properties: {}
+ additionalProperties: true
readOnly: true
id:
+ description: Unique identifier for this transaction.
type: string
readOnly: true
type:
+ description: Describes the kind of transaction. `WEB` indicates a web request. `JOB` indicates an asynchronous task.
type: string
readOnly: true
LogUserAgent:
+ description: |
+ "A user agent is software (a software agent) that is acting on behalf of a user." ([Definition of User Agent](https://developer.mozilla.org/en-US/docs/Glossary/User_agent))
+
+ In the Okta event data object, the `UserAgent` object provides specifications about the client software that makes event-triggering HTTP requests. User agent identification is often useful for identifying interoperability problems between servers and clients, and also for browser and operating system usage analytics.
type: object
properties:
browser:
+ description: If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX)
type: string
readOnly: true
os:
+ description: The operating system that the client runs on (for example, Windows 10)
type: string
readOnly: true
rawUserAgent:
+ description: A raw string representation of the user agent that is formatted according to [section 5.5.3 of HTTP/1.1 Semantics and Content](https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3). Both the `browser` and the `OS` fields can be derived from this field.
type: string
readOnly: true
MDMEnrollmentPolicyEnrollment:
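Review bot: The `rawUserAgent` description says "Both the `browser` and the `OS` fields can be derived from this field", but the sibling property is `os`; the backticked name should match the property exactly. The `changeDetails` description repeats "You must include a property within the object." at the end of its second line and again inside the Note, so the first occurrence should go. In the `LogTransaction` description, "for example :" has a stray space before the colon, and the `type` description lists only `WEB` and `JOB` while the property is a free string — if those are the only values, an `enum` would pin it. The `MDMEnrollmentPolicyEnrollment` schema continues past the end of the hunk.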
@@ -27435,153 +56659,110 @@ components:
type: boolean
enrollment:
$ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment'
- MultifactorEnrollmentPolicy:
+ MetadataLink:
allOf:
- - $ref: '#/components/schemas/Policy'
- - type: object
- properties:
- conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
- settings:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicySettings'
- MultifactorEnrollmentPolicyAuthenticatorSettings:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [SAML metadata](/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) for SSO
+ MtlsCredentials:
+ description: Certificate chain description for verifying assertions from the Smart Card
type: object
properties:
- constraints:
- nullable: true
- minimum: 0
- type: object
- properties:
- aaguidGroups:
- type: array
- items:
- type: string
- uniqueItems: true
- x-okta-lifecycle:
- features:
- - WEBAUTHN_MDS_CATALOG_BASED_AAGUID_ALLOWLIST
- enroll:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorStatus'
- key:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorType'
- MultifactorEnrollmentPolicyAuthenticatorStatus:
- type: string
- enum:
- - NOT_ALLOWED
- - OPTIONAL
- - REQUIRED
- MultifactorEnrollmentPolicyAuthenticatorType:
- type: string
- enum:
- - custom_app
- - custom_otp
- - duo
- - external_idp
- - google_otp
- - okta_email
- - okta_password
- - okta_verify
- - onprem_mfa
- - phone_number
- - rsa_token
- - security_question
- - symantec_vip
- - webauthn
- - yubikey_token
- MultifactorEnrollmentPolicySettings:
+ trust:
+ $ref: '#/components/schemas/MtlsTrustCredentials'
+ MtlsEndpoints:
type: object
properties:
- authenticators:
- items:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicyAuthenticatorSettings'
- type: array
- type:
- $ref: '#/components/schemas/MultifactorEnrollmentPolicySettingsType'
- MultifactorEnrollmentPolicySettingsType:
+ sso:
+ $ref: '#/components/schemas/MtlsSsoEndpoint'
+ MtlsSsoEndpoint:
+ description: The Single Sign-On (SSO) endpoint is the IdP's `SingleSignOnService` endpoint
+ type: object
+ properties:
+ url:
+ type: string
+ maxLength: 1014
+ example: https://{yourOktaDomain}.okta.com/login/cert
+ MtlsTrustCredentials:
+ type: object
+ properties:
+ audience:
+ type: string
+ description: Not used
+ example: null
+ issuer:
+ type: string
+ description: Description of the certificate issuer
+ maxLength: 1024
+ example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US
+ kid:
+ $ref: '#/components/schemas/ProtocolCredentialsKeyId'
+ revocation:
+ $ref: '#/components/schemas/MtlsTrustCredentialsRevocation'
+ revocationCacheLifetime:
+ type: number
+ description: Time in minutes to cache the certificate revocation information
+ maximum: 4320
+ example: 2880
+ MtlsTrustCredentialsRevocation:
+ description: Mechanism to validate the certificate
+ example: CRL
type: string
enum:
- - AUTHENTICATORS
+ - CRL
+ - DELTA_CRL
+ - OCSP
NetworkZone:
type: object
properties:
- asns:
- type: array
- items:
- type: string
- description: Dynamic network zone property. array of strings that represent an ASN numeric value
- maximum: 75
created:
type: string
format: date-time
- description: Timestamp when the network zone was created
+ description: Timestamp when the object was created
readOnly: true
- gateways:
- type: array
- items:
- $ref: '#/components/schemas/NetworkZoneAddress'
- description: |-
- IP network zone property: the IP addresses (range or CIDR form) of this zone.
- The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone.
id:
type: string
- description: Unique identifier for the network zone
+ description: Unique identifier for the Network Zone
readOnly: true
lastUpdated:
type: string
format: date-time
- description: Timestamp when the network zone was last modified
+ description: Timestamp when the object was last modified
readOnly: true
- locations:
- type: array
- items:
- $ref: '#/components/schemas/NetworkZoneLocation'
- description: 'Dynamic network zone property: an array of geolocations of this network zone'
- maximum: 75
name:
type: string
- description: Unique name for this network zone. Maximum of 128 characters.
- proxies:
- type: array
- items:
- $ref: '#/components/schemas/NetworkZoneAddress'
- nullable: true
- description: |-
- IP network zone property: the IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses
- These proxies are automatically trusted by Threat Insights, and used to identify the client IP of a request.
- The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone.
- proxyType:
- type: string
- description: 'Dynamic network zone property: the proxy type used'
- enum:
- - 'null'
- - Any
- - Tor
- - NotTorAnonymizer
- x-enumDescriptions:
- 'null': (Or `""`) No proxy used
- Any: Use any proxy type for the dynamic zone.
- Tor: Use TorAnonymizer as the proxy type for the dynamic zone.
- NotTorAnonymizer: Use NotTorAnonymizer as the proxy type for the dynamic zone.
+ description: Unique name for this Network Zone
+ maxLength: 128
status:
$ref: '#/components/schemas/NetworkZoneStatus'
system:
type: boolean
- description: |-
- Indicates if this is a system network zone. For admin-created zones, this is always `false`.
- The system IP Policy Network Zone (`LegacyIpZone`) is included by default in your Okta org. Notice that `system=true` for the `LegacyIpZone` object. Admin users can modify the name of this default system Zone and can add up to 5000 gateway or proxy IP entries.
+ readOnly: true
+ description: |
+ Indicates a system Network Zone:
+ * `true` for system Network Zones
+ * `false` for custom Network Zones
+
+ The Okta org provides the following default system Network Zones:
+ * `LegacyIpZone`
+ * `BlockedIpZone`
+ * `DefaultEnhancedDynamicZone`
+
+ Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries.
type:
$ref: '#/components/schemas/NetworkZoneType'
usage:
$ref: '#/components/schemas/NetworkZoneUsage'
- _links:
- allOf:
- - $ref: '#/components/schemas/LinksSelf'
- - properties:
- deactivate:
- $ref: '#/components/schemas/HrefObject'
+ _links:
+ $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ required:
+ - name
+ - type
+ discriminator:
+ propertyName: type
+ mapping:
+ IP: '#/components/schemas/IPNetworkZone'
+ DYNAMIC: '#/components/schemas/DynamicNetworkZone'
+ DYNAMIC_V2: '#/components/schemas/EnhancedDynamicNetworkZone'
NetworkZoneAddress:
description: Specifies the value of an IP address expressed using either `range` or `CIDR` form.
type: object
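Review bot: `MtlsTrustCredentials.audience` is `type: string` without `nullable: true` yet carries `example: null`, which contradicts the declared type; either add `nullable: true` or drop the example, given the field is documented as "Not used". `revocationCacheLifetime` is "Time in minutes" but is `type: number` with a `maximum` and no floor; `type: integer` and a `minimum` (0 at the very least, or the service's actual floor — confirm) would reject negative or fractional cache lifetimes. `MtlsSsoEndpoint.url` uses `maxLength: 1014` while `issuer` uses `1024`, which looks like a typo. The `NetworkZoneAddress` schema continues past the end of the hunk.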
@@ -27590,42 +56771,56 @@ components:
$ref: '#/components/schemas/NetworkZoneAddressType'
value:
type: string
- description: Value in CIDR/range form depending on the type specified
+ description: Value in CIDR/range form, depending on the `type` specified
NetworkZoneAddressType:
- description: Format of the value
+ description: Format of the IP addresses
type: string
enum:
- CIDR
- RANGE
+ NetworkZoneAsns:
+ items:
+ type: string
+ maximum: 75
+ type: array
NetworkZoneLocation:
type: object
properties:
country:
type: string
description: |-
- Format of the country value: length 2 [ISO-3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) country code.
- Do not use continent codes as they are treated as generic codes for undesignated countries.
- example: US
+ The two-character ISO-3166-1 country code.
+ Don't use continent codes since they are treated as generic codes for undesignated countries.
+
For example: `US`
+ maxLength: 2
+ minLength: 2
region:
type: string
description: |-
- Format of the region value (optional): region code [ISO-3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) appended to country code (`countryCode-regionCode`), or `null` if empty.
- Do not use continent codes as they are treated as generic codes for undesignated regions.
- example: US-CA
+ (Optional) The ISO-3166-2 region code appended to the country code (`countryCode-regionCode`), or `null` if empty.
+ Don't use continent codes since they are treated as generic codes for undesignated regions.
+
For example: `CA` (for `US-CA` country and region code)
+ NetworkZoneLocationArray:
+ items:
+ $ref: '#/components/schemas/NetworkZoneLocation'
+ maximum: 75
+ nullable: true
+ type: array
NetworkZoneStatus:
- description: Network zone status
+ description: Network Zone status
type: string
enum:
- ACTIVE
- INACTIVE
NetworkZoneType:
- description: The type of network zone
+ description: The type of Network Zone
type: string
enum:
- DYNAMIC
- IP
+ - DYNAMIC_V2
NetworkZoneUsage:
- description: The usage of the network zone
+ description: The usage of the Network Zone
type: string
enum:
- BLOCKLIST
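Review bot: The new `NetworkZoneAsns` and `NetworkZoneLocationArray` schemas use `maximum: 75` on `type: array`; `maximum` is a numeric keyword and validators ignore it on arrays, so the intended cap is not enforced — the array keyword is `maxItems: 75`. `NetworkZoneAsns` also lost the description the removed inline `asns` property had; `description: Array of strings that represent an ASN numeric value` restores it. The `NetworkZoneUsage` enum continues past the end of the hunk.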
@@ -27636,6 +56831,7 @@ components:
enum:
- AD_AGENT
- AGENT_AUTO_UPDATE_NOTIFICATION
+ - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP
- APP_IMPORT
- CONNECTOR_AGENT
- IWA_AGENT
@@ -27668,8 +56864,8 @@ components:
id:
type: string
description: User ID
- example: 00uu3u0ujW1P6AfZC1d7
readOnly: true
+ example: 00u5t60iloOHN9pBi0h7
type:
type: string
description: Type of user
@@ -27680,6 +56876,7 @@ components:
properties:
alwaysIncludeInToken:
type: boolean
+ description: Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint.
claimType:
$ref: '#/components/schemas/OAuth2ClaimType'
conditions:
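Review bot: The `alwaysIncludeInToken` description writes the values as `TRUE` and `FALSE`, but the property is `type: boolean`, so the JSON values a caller sends are `true` and `false`; the backticked literals should match that casing to avoid implying a string enum. The enclosing schema starts above and continues past the hunk.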
@@ -27688,20 +56885,25 @@ components:
$ref: '#/components/schemas/OAuth2ClaimGroupFilterType'
id:
type: string
+ description: ID of the Claim
readOnly: true
name:
type: string
+ description: Name of the Claim
status:
$ref: '#/components/schemas/LifecycleStatus'
system:
+ description: When `true`, indicates that Okta created the Claim
type: boolean
value:
+ description: Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`.
type: string
valueType:
$ref: '#/components/schemas/OAuth2ClaimValueType'
_links:
$ref: '#/components/schemas/LinksSelf'
OAuth2ClaimConditions:
+ description: Specifies the scopes for the Claim
type: object
properties:
scopes:
@@ -27709,18 +56911,31 @@ components:
items:
type: string
OAuth2ClaimGroupFilterType:
+ description: |-
+ Specifies the type of group filter if `valueType` is `GROUPS`
+
+ If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`.
+
+ If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim.
type: string
enum:
- CONTAINS
- EQUALS
- REGEX
- STARTS_WITH
+ x-enumDescriptions:
+ STARTS_WITH: Group names start with `value` (not case-sensitive). For example, if `value` is `group1`, then `group123` and `Group123` are included.
+ EQUALS: Group name is the same as `value` (not case-sensitive). For example, if `value` is `group1`, then `group1` and `Group1` are included, but `group123` isn't.
+ CONTAINS: Group names contain `value` (not case-sensitive). For example, if `value` is `group1`, then `MyGroup123` and `group1` are included.
+ REGEX: Group names match the regular expression in `value` (case-sensitive). For example if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match.
OAuth2ClaimType:
+ description: Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`)
type: string
enum:
- IDENTITY
- RESOURCE
OAuth2ClaimValueType:
+ description: Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`)
type: string
enum:
- EXPRESSION
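Review bot: The new `x-enumDescriptions` on `OAuth2ClaimGroupFilterType` are listed in the order STARTS_WITH, EQUALS, CONTAINS, REGEX while the `enum` above is CONTAINS, EQUALS, REGEX, STARTS_WITH; keeping both in the same order makes the mapping easier to check. The REGEX example prose says the pattern allows "lowercase letters, a hyphen, or numbers" but `[a-z0-9_-]` also allows an underscore. The first two sentences of the schema description restate each other ("Specifies the type of group filter if `valueType` is `GROUPS`" / "If `valueType` is `GROUPS`, then the groups returned are filtered…"), so one can be dropped. The `OAuth2ClaimValueType` enum continues past the end of the hunk.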
@@ -27730,59 +56945,307 @@ components:
type: object
properties:
client_id:
+ description: Unique key for the client application. The `client_id` is immutable.
type: string
readOnly: true
+ example: 0oabskvc6442nkvQO0h7
client_name:
+ description: Human-readable string name of the client application
type: string
readOnly: true
+ example: My App
client_uri:
type: string
readOnly: true
+ example: https://www.example.com
logo_uri:
+ description: URL string that references a logo for the client consent dialog (not the sign-in dialog)
type: string
readOnly: true
+ example: https://www.example.com/logo.png
_links:
- $ref: '#/components/schemas/LinksSelf'
- OAuth2RefreshToken:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ grants:
+ description: Link to the grant resources
+ allOf:
+ - $ref: '#/components/schemas/GrantResourcesHrefObject'
+ tokens:
+ description: Link to the token resources
+ allOf:
+ - $ref: '#/components/schemas/TokenResourcesHrefObject'
+ OAuth2ClientJsonWebKey:
type: object
properties:
- clientId:
+ alg:
type: string
+ description: Algorithm used in the key
+ example: RS256
+ nullable: false
created:
type: string
- format: date-time
+ description: Timestamp when the OAuth Client 2.0 JSON Web Key was created
+ example: '2023-02-21T20:08:24.000Z'
readOnly: true
- createdBy:
- $ref: '#/components/schemas/OAuth2Actor'
+ nullable: false
+ e:
+ type: string
+ description: RSA key value (exponent) for key binding
+ example: AQAB
+ nullable: false
+ id:
+ type: string
+ description: The unique ID of the OAuth Client JSON Web Key
+ example: pks2f4zrZbs8nUa7p0g4
+ readOnly: true
+ nullable: false
+ kid:
+ type: string
+ description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS
+ example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ nullable: true
+ kty:
+ type: string
+ description: Cryptographic algorithm family for the certificate's key pair
+ example: RSA
+ nullable: false
+ lastUpdated:
+ type: string
+ description: Timestamp when the OAuth Client 2.0 JSON Web Key was updated
+ example: '2023-02-21T20:08:24.000Z'
+ readOnly: true
+ nullable: false
+ 'n':
+ type: string
+ description: RSA key value (modulus) for key binding
+ example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ nullable: false
+ status:
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client JSON Web Key
+ example: ACTIVE
+ nullable: false
+ default: ACTIVE
+ use:
+ type: string
+ description: Acceptable use of the JSON Web Key
+ example: sig
+ nullable: false
+ _links:
+ $ref: '#/components/schemas/OAuthClientSecretLinks'
+ readOnly: true
+ nullable: false
+ OAuth2ClientJsonWebKeyRequestBody:
+ type: object
+ properties:
+ alg:
+ type: string
+ description: Algorithm used in the key
+ example: RS256
+ nullable: false
+ e:
+ type: string
+ description: RSA key value (exponent) for key binding
+ example: AQAB
+ nullable: false
+ kid:
+ type: string
+ description: Unique identifier of the JSON Web Key in the OAUth 2.0 Client's JWKS
+ example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4
+ nullable: true
+ kty:
+ type: string
+ description: Cryptographic algorithm family for the certificate's key pair
+ example: RSA
+ nullable: false
+ 'n':
+ type: string
+ description: RSA key value (modulus) for key binding
+ example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ
+ nullable: false
+ status:
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client JSON Web Key
+ example: ACTIVE
+ use:
+ type: string
+ description: Acceptable use of the JSON Web Key
+ example: sig
+ nullable: false
+ OAuth2ClientSecret:
+ type: object
+ properties:
+ client_secret:
+ type: string
+ description: The OAuth 2.0 client secret string
+ example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ readOnly: true
+ nullable: false
+ created:
+ type: string
+ description: Timestamp when the OAuth Client 2.0 Secret was created
+ example: '2023-02-21T20:08:24.000Z'
+ readOnly: true
+ nullable: false
+ id:
+ type: string
+ description: The unique ID of the OAuth Client Secret
+ example: ocs2f4zrZbs8nUa7p0g4
+ readOnly: true
+ nullable: false
+ lastUpdated:
+ type: string
+ description: Timestamp when the OAuth Client 2.0 Secret was updated
+ example: '2023-02-21T20:08:24.000Z'
+ readOnly: true
+ nullable: false
+ secret_hash:
+ type: string
+ description: OAuth 2.0 client secret string hash
+ example: yk4SVx4sUWVJVbHt6M-UPA
+ readOnly: true
+ nullable: false
+ status:
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client Secret
+ example: ACTIVE
+ nullable: false
+ default: ACTIVE
+ _links:
+ $ref: '#/components/schemas/OAuthClientSecretLinks'
+ readOnly: true
+ nullable: false
+ OAuth2ClientSecretRequestBody:
+ type: object
+ properties:
+ client_secret:
+ type: string
+ description: The OAuth 2.0 client secret string
+ example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B
+ status:
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ description: Status of the OAuth 2.0 Client Secret
+ example: ACTIVE
+ OAuth2RefreshToken:
+ type: object
+ properties:
+ clientId:
+ type: string
+ description: Client ID
+ created:
+ $ref: '#/components/schemas/createdProperty'
expiresAt:
type: string
+ description: Expiration time of the OAuth 2.0 Token
format: date-time
readOnly: true
id:
type: string
+ description: ID of the Token object
readOnly: true
+ example: oar579Mcp7OUsNTlo0g3
issuer:
type: string
+ description: The complete URL of the authorization server that issued the Token
+ example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7
lastUpdated:
- type: string
- format: date-time
- readOnly: true
+ $ref: '#/components/schemas/lastUpdatedProperty'
scopes:
type: array
+ description: The scope names attached to the Token
items:
type: string
+ example: offline_access
status:
$ref: '#/components/schemas/GrantOrTokenStatus'
userId:
type: string
+ description: The ID of the user associated with the Token
+ example: 00u5t60iloOHN9pBi0h7
_embedded:
type: object
- additionalProperties:
- type: object
- properties: {}
+ description: The embedded resources related to the object if the `expand` query parameter is specified
+ properties:
+ scopes:
+ type: array
+ description: The scope objects attached to the Token
+ items:
+ $ref: '#/components/schemas/OAuth2RefreshTokenScope'
readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ app:
+ description: Link to the app resource
+ allOf:
+ - $ref: '#/components/schemas/AppResourceHrefObject'
+ revoke:
+ description: Link to revoke the refresh Token
+ allOf:
+ - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject'
+ - properties:
+ hints:
+ properties:
+ allow:
+ items:
+ enum:
+ - DELETE
+ default: DELETE
+ client:
+ description: Link to the client resource
+ allOf:
+ - $ref: '#/components/schemas/AppResourceHrefObject'
+ user:
+ description: Link to the user resource
+ allOf:
+ - $ref: '#/components/schemas/UserResourceHrefObject'
+ authorizationServer:
+ description: Link to the Token authorization server resource
+ allOf:
+ - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject'
+ OAuth2RefreshTokenScope:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the Scope
+ example: Requests a refresh token by default, used to obtain more access tokens without re-prompting the user for authentication
+ displayName:
+ type: string
+ description: Name of the end user displayed in a consent dialog
+ id:
+ type: string
+ description: Scope object ID
+ readOnly: true
+ example: scppb56cIl4GvGxy70g3
+ name:
+ type: string
+ description: Scope name
+ example: offline_access
+ _links:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ type: object
+ properties:
+ scope:
+ description: Link to Scope resource
+ allOf:
+ - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject'
OAuth2Scope:
type: object
properties:
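Review bot: `OAuth2ClientJsonWebKey.created` and `lastUpdated` are declared as plain `type: string` and the hunk drops the original `format: date-time`, while `OAuth2RefreshToken` in the same hunk uses `$ref: '#/components/schemas/createdProperty'` and `$ref: '#/components/schemas/lastUpdatedProperty'`; `OAuth2ClientSecret.created`/`lastUpdated` have the same gap. Using the shared `createdProperty`/`lastUpdatedProperty` refs there keeps timestamp typing consistent for generated clients. Separately, the `kid` description reads `OAUth 2.0` in both `OAuth2ClientJsonWebKey` and `OAuth2ClientJsonWebKeyRequestBody`. `OAuth2RefreshTokenScope.displayName` is described as `Name of the end user displayed in a consent dialog`, which reads as the user's name — `Display name of the Scope shown to the end user in a consent dialog` is clearer, and the same text appears on `OAuth2Scope.displayName` in the next hunk. The `OAuth2Scope` schema that closes this hunk continues past it.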
@@ -27790,19 +57253,35 @@ components:
$ref: '#/components/schemas/OAuth2ScopeConsentType'
default:
type: boolean
+ description: Indicates if this Scope is a default scope
+ default: false
description:
type: string
+ description: Description of the Scope
displayName:
type: string
+ description: Name of the end user displayed in a consent dialog
id:
type: string
+ description: Scope object ID
readOnly: true
metadataPublish:
$ref: '#/components/schemas/OAuth2ScopeMetadataPublish'
name:
type: string
+ description: Scope name
+ optional:
+ type: boolean
+ description: Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope.
+ default: false
system:
type: boolean
+ description: Indicates if Okta created the Scope
+ default: false
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - name
OAuth2ScopeConsentGrant:
description: Grant object that represents an app consent scope grant
type: object
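Review bot: `OAuth2Scope.system` is described as `Indicates if Okta created the Scope` and gets `default: false` but, unlike `id`, carries no `readOnly: true`; if it is server-assigned, `readOnly: true` should be added so generated clients don't send it on create or update — please confirm against the API. The `OAuth2Scope` properties block starts before this hunk.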
@@ -27810,31 +57289,23 @@ components:
clientId:
type: string
description: Client ID of the app integration
- example: 0oafxqCAJWWGELFTYASJ
readOnly: true
+ example: oag3ih1zrm1cBFOiq0h6
created:
- type: string
- description: Timestamp when the Grant object was created
- format: date-time
- example: '2023-06-28T16:40:10.000Z'
- readOnly: true
+ $ref: '#/components/schemas/createdProperty'
createdBy:
$ref: '#/components/schemas/OAuth2Actor'
id:
type: string
description: ID of the Grant object
- example: oagsebt2ltaSlR6t81d6
readOnly: true
+ example: oag3ih1zrm1cBFOiq0h6
issuer:
type: string
description: The issuer of your org authorization server. This is typically your Okta domain.
example: https://my_test_okta_org.oktapreview.com
lastUpdated:
- type: string
- description: Timestamp when the Grant object was last updated
- format: date-time
- example: '2023-06-28T16:40:10.000Z'
- readOnly: true
+ $ref: '#/components/schemas/lastUpdatedProperty'
scopeId:
type: string
description: The name of the [Okta scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) for which consent is granted
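Review bot: The new `clientId` example `oag3ih1zrm1cBFOiq0h6` in `OAuth2ScopeConsentGrant` is the same value as the new `id` example of the Grant object, so the two identifiers now look interchangeable in the docs; elsewhere on this page client IDs are shown as `0oabskvc6442nkvQO0h7` (`client_id` in the `OAuth2Client` schema and `clientId` in the token schema further down). Suggest `example: 0oabskvc6442nkvQO0h7` for `clientId` and keeping the `oag…` value only for the Grant `id`. The schema's `properties:` block starts before this hunk.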
@@ -27847,6 +57318,7 @@ components:
type: string
description: User ID that granted consent (if `source` is `END_USER`)
readOnly: true
+ example: 00u5t60iloOHN9pBi0h7
_embedded:
type: object
description: Embedded resources related to the Grant
@@ -27865,13 +57337,25 @@ components:
- type: object
properties:
app:
- description: Link to app
+ description: Link to the app resource
allOf:
- - $ref: '#/components/schemas/HrefObject'
+ - $ref: '#/components/schemas/AppResourceHrefObject'
client:
- description: Link to client
+ description: Link to the client resource
allOf:
- - $ref: '#/components/schemas/HrefObject'
+ - $ref: '#/components/schemas/AppResourceHrefObject'
+ scope:
+ description: Link to the scope resource
+ allOf:
+ - $ref: '#/components/schemas/ScopeResourceHrefObject'
+ user:
+ description: Link to the user resource
+ allOf:
+ - $ref: '#/components/schemas/UserResourceHrefObject'
+ authorizationServer:
+ description: Link to the authorization server resource
+ allOf:
+ - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject'
- readOnly: true
required:
- issuer
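Review bot: `readOnly: true` is removed right after the `authorizationServer` link at the end of the `OAuth2ScopeConsentGrant._links` block, whereas the other `_links` objects added in this change (`OAuth2ClientJsonWebKey`, `OAuth2ClientSecret`, `OAuthClientSecretLinks`) keep `readOnly: true`. If that line belonged to `_links` rather than to a sibling property — the indentation isn't visible here — dropping it makes the link object appear writable in generated clients; restoring `readOnly: true` under `_links` keeps it consistent. Also, `client` now links to `AppResourceHrefObject`, the same schema as `app`; confirm that is intended. The `_links` block starts before this hunk.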
@@ -27885,17 +57369,22 @@ components:
- END_USER
readOnly: true
OAuth2ScopeConsentType:
+ description: Indicates whether a consent dialog is needed for the Scope
+ default: IMPLICIT
type: string
enum:
- - ADMIN
+ - FLEXIBLE
- IMPLICIT
- REQUIRED
OAuth2ScopeMetadataPublish:
+ description: Indicates whether the Scope is included in the metadata
+ default: NO_CLIENTS
type: string
enum:
- ALL_CLIENTS
- NO_CLIENTS
OAuth2ScopesMediationPolicyRuleCondition:
+ description: Array of scopes that the condition includes
type: object
properties:
include:
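Review bot: `OAuth2ScopesMediationPolicyRuleCondition` is described as `Array of scopes that the condition includes` but is declared `type: object` with an `include` property; the description should describe the object, e.g. `Condition that specifies the scopes to include`. The same description/type mismatch recurs on `OAuthGrantType` (`Array of OAuth 2.0 grant type strings` on a `type: string` enum) in a later hunk and on `OAuthResponseType`; each of these enums describes one element, not the array. Separately, replacing `ADMIN` with `FLEXIBLE` in `OAuth2ScopeConsentType` narrows the enum — if existing scopes can still report `ADMIN`, clients generated with strict enum validation will fail to deserialize them; worth confirming before release.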
@@ -27907,25 +57396,28 @@ components:
properties:
clientId:
type: string
- created:
- type: string
- format: date-time
+ description: Client ID
+ example: 0oabskvc6442nkvQO0h7
readOnly: true
+ created:
+ $ref: '#/components/schemas/createdProperty'
expiresAt:
type: string
+ description: Expiration time of the OAuth 2.0 Token
format: date-time
readOnly: true
id:
type: string
+ description: ID of the Token object
readOnly: true
issuer:
type: string
+ description: The complete URL of the authorization server that issued the Token
lastUpdated:
- type: string
- format: date-time
- readOnly: true
+ $ref: '#/components/schemas/lastUpdatedProperty'
scopes:
type: array
+ description: Name of scopes attached to the Token
items:
type: string
status:
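Review bot: `scopes` in this token schema is described as `Name of scopes attached to the Token` while the equivalent property on `OAuth2RefreshToken` reads `The scope names attached to the Token`; use the same wording and, as there, add `example: offline_access` on the items. `id` and `issuer` here also lack the examples their `OAuth2RefreshToken` counterparts carry. The enclosing schema's header is above this hunk.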
@@ -27934,6 +57426,7 @@ components:
type: string
_embedded:
type: object
+ description: Embedded resources related to the object if the `expand` query parameter is specified
additionalProperties:
type: object
properties: {}
@@ -27947,7 +57440,61 @@ components:
properties:
oauthClient:
$ref: '#/components/schemas/ApplicationCredentialsOAuthClient'
+ OAuthAuthorizationEndpoint:
+ description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18)
+ type: object
+ properties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
+ type: string
+ description: URL of the IdP Authorization Server (AS) authorization endpoint
+ example: https://idp.example.com/authorize
+ OAuthClientSecretLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations.
+ properties:
+ activate:
+ $ref: '#/components/schemas/HrefObjectActivateLink'
+ deactivate:
+ $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ delete:
+ $ref: '#/components/schemas/HrefObjectDeleteLink'
+ readOnly: true
+ OAuthCredentials:
+ description: Client authentication credentials for an [OAuth 2.0 Authorization Server](https://tools.ietf.org/html/rfc6749#section-2.3)
+ type: object
+ properties:
+ client:
+ $ref: '#/components/schemas/OAuthCredentialsClient'
+ signing:
+ $ref: '#/components/schemas/AppleClientSigning'
+ OAuthCredentialsClient:
+ description: |-
+ OAuth 2.0 and OpenID Connect Client object
+ > **Note:** You must complete client registration with the IdP Authorization Server for your Okta IdP instance to obtain client credentials.
+ type: object
+ properties:
+ client_id:
+ type: string
+ description: The [Unique identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued by the AS for the Okta IdP instance
+ maxLength: 1024
+ example: your-client-id
+ client_secret:
+ type: string
+ description: The [Client secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by the AS for the Okta IdP instance
+ maxLength: 1024
+ example: your-client-secret
+ pkce_required:
+ type: boolean
+ description: Require Proof Key for Code Exchange (PKCE) for additional verification
+ token_endpoint_auth_method:
+ type: string
+ description: Client authentication methods supported by the token endpoint
+ enum:
+ - private_key_jwt
OAuthEndpointAuthenticationMethod:
+ description: Requested authentication method for the token endpoint
+ default: client_secret_basic
type: string
enum:
- client_secret_basic
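Review bot: `OAuthClientSecretLinks` declares `properties` and `readOnly` but no `type: object`, unlike the neighbouring `OAuthAuthorizationEndpoint`, `OAuthCredentials` and `OAuthCredentialsClient` schemas; add `type: object` after the description so validators and generators treat it as an object. In `OAuthCredentialsClient`, `client_secret` is a credential — if the API never echoes it back, `writeOnly: true` documents that and keeps the value out of response examples; please confirm. Also `token_endpoint_auth_method` is described as `Client authentication methods supported by the token endpoint` while its enum holds only `private_key_jwt`; `Client authentication method used at the IdP token endpoint` matches the single-valued field. The `OAuthEndpointAuthenticationMethod` enum that closes the hunk continues past it.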
@@ -27955,7 +57502,23 @@ components:
- client_secret_post
- none
- private_key_jwt
+ OAuthEndpoints:
+ description: |-
+ The `OAUTH2` and `OIDC` protocols support the `authorization` and `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and `jwks` endpoints.
+
+ The IdP Authorization Server (AS) endpoints are currently defined as part of the [IdP provider]((https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)) and are read-only.
+ type: object
+ properties:
+ authorization:
+ $ref: '#/components/schemas/OAuthAuthorizationEndpoint'
+ jwks:
+ $ref: '#/components/schemas/OidcJwksEndpoint'
+ token:
+ $ref: '#/components/schemas/OAuthTokenEndpoint'
+ userInfo:
+ $ref: '#/components/schemas/OidcUserInfoEndpoint'
OAuthGrantType:
+ description: Array of OAuth 2.0 grant type strings
type: string
enum:
- authorization_code
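Review bot: The markdown link in the `OAuthEndpoints` description has doubled parentheses — `[IdP provider]((https://developer.okta.com/...createIdentityProvider!path=type&t=request))` — which renders the URL wrapped in a stray `(` and `)`; change it to `[IdP provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)`. The `OAuthGrantType` enum that closes the hunk continues past it.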
@@ -27968,18 +57531,644 @@ components:
- urn:ietf:params:oauth:grant-type:jwt-bearer
- urn:ietf:params:oauth:grant-type:saml2-bearer
- urn:ietf:params:oauth:grant-type:token-exchange
+ - urn:openid:params:grant-type:ciba
+ OAuthMetadata:
+ type: object
+ properties:
+ authorization_endpoint:
+ type: string
+ description: URL of the authorization server's authorization endpoint.
+ backchannel_authentication_request_signing_alg_values_supported:
+ description:
A list of signing algorithms that this authorization server supports for signed requests.
+ type: array
+ items:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ backchannel_token_delivery_modes_supported:
+ description:
The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication.
+ type: array
+ items:
+ $ref: '#/components/schemas/TokenDeliveryMode'
+ x-okta-lifecycle:
+ lifecycle: LIMITED_GA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
+ claims_supported:
+ description: A list of the claims supported by this authorization server.
+ type: array
+ items:
+ $ref: '#/components/schemas/Claim'
+ code_challenge_methods_supported:
+ description: A list of PKCE code challenge methods supported by this authorization server.
+ type: array
+ items:
+ $ref: '#/components/schemas/CodeChallengeMethod'
+ device_authorization_endpoint:
+ type: string
+ dpop_signing_alg_values_supported:
+ description: A list of signing algorithms supported by this authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs.
+ type: array
+ items:
+ type: string
+ enum:
+ - ES256
+ - ES384
+ - ES512
+ - RS256
+ - RS384
+ - RS512
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ end_session_endpoint:
+ description: URL of the authorization server's logout endpoint.
+ type: string
+ grant_types_supported:
+ description: A list of the grant type values that this authorization server supports.
+ type: array
+ items:
+ $ref: '#/components/schemas/GrantType'
+ introspection_endpoint:
+ description: URL of the authorization server's introspection endpoint.
+ type: string
+ introspection_endpoint_auth_methods_supported:
+ description: A list of client authentication methods supported by this introspection endpoint.
+ type: array
+ items:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ issuer:
+ type: string
+ description: The authorization server's issuer identifier. In the context of this document, this is your authorization server's base URL. This becomes the `iss` claim in an access token.
+ jwks_uri:
+ description: URL of the authorization server's JSON Web Key Set document.
+ type: string
+ pushed_authorization_request_endpoint:
+ type: string
+ registration_endpoint:
+ description: URL of the authorization server's JSON Web Key Set document.
+ type: string
+ request_object_signing_alg_values_supported:
+ description: A list of signing algorithms that this authorization server supports for signed requests.
+ type: array
+ items:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ request_parameter_supported:
+ description: Indicates if Request Parameters are supported by this authorization server.
+ type: boolean
+ response_modes_supported:
+ description: A list of the `response_mode` values that this authorization server supports. More information here.
+ type: array
+ items:
+ $ref: '#/components/schemas/ResponseMode'
+ response_types_supported:
+ description: A list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`.
+ type: array
+ items:
+ $ref: '#/components/schemas/ResponseTypesSupported'
+ revocation_endpoint:
+ description: URL of the authorization server's revocation endpoint.
+ type: string
+ revocation_endpoint_auth_methods_supported:
+ description: A list of client authentication methods supported by this revocation endpoint.
+ type: array
+ items:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ scopes_supported:
+ description: A list of the scope values that this authorization server supports.
+ type: array
+ items:
+ $ref: '#/components/schemas/Scope'
+ subject_types_supported:
+ description: A list of the Subject Identifier types that this authorization server supports. Valid types include `pairwise` and `public`, but only `public` is currently supported. See the [Subject Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification.
+ type: array
+ items:
+ $ref: '#/components/schemas/SubjectType'
+ token_endpoint:
+ description: URL of the authorization server's token endpoint.
+ type: string
+ token_endpoint_auth_methods_supported:
+ description: A list of client authentication methods supported by this token endpoint.
+ type: array
+ items:
+ $ref: '#/components/schemas/EndpointAuthMethod'
+ OAuthProvisioningEnabledApp:
+ description: Application name for the provisioning connection
+ type: string
+ enum:
+ - google
+ - office365
+ - slack
+ - zoomus
OAuthResponseType:
+ description: Array of OAuth 2.0 response type strings
type: string
enum:
- code
- id_token
- token
+ OAuthTokenEndpoint:
+ description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18)
+ type: object
+ properties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
+ type: string
+ description: URL of the IdP Authorization Server (AS) token endpoint
+ example: https://idp.example.com/token
+ OINApplication:
+ type: object
+ properties:
+ accessibility:
+ $ref: '#/components/schemas/ApplicationAccessibility'
+ credentials:
+ $ref: '#/components/schemas/SchemeApplicationCredentials'
+ label:
+ $ref: '#/components/schemas/ApplicationLabel'
+ licensing:
+ $ref: '#/components/schemas/ApplicationLicensing'
+ name:
+ type: string
+ description: The key name for the OIN app definition
+ profile:
+ type: object
+ description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)
+ additionalProperties:
+ type: object
+ properties: {}
+ signOnMode:
+ type: string
+ description: Authentication mode for the app
+ status:
+ $ref: '#/components/schemas/ApplicationLifecycleStatus'
+ visibility:
+ $ref: '#/components/schemas/ApplicationVisibility'
+ OINSaml11ApplicationSettingsSignOn:
+ title: SAML 1.1 settings
+ description: Contains SAML 1.1 sign-on mode attributes
+ type: object
+ properties:
+ audienceOverride:
+ type: string
+ description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ defaultRelayState:
+ type: string
+ description: Identifies a specific application resource in an IdP-initiated SSO scenario
+ recipientOverride:
+ type: string
+ description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ ssoAcsUrlOverride:
+ type: string
+ description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ OINSaml20ApplicationSettingsSignOn:
+ title: SAML 2.0 settings
+ description: |-
+ Contains SAML 2.0 sign-on mode attributes.
+ > **Note:** Set `destinationOverride` to configure any other SAML 2.0 attributes in this section.
+ type: object
+ properties:
+ audienceOverride:
+ type: string
+ description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ configuredAttributeStatements:
+ type: array
+ items:
+ $ref: '#/components/schemas/SamlAttributeStatement'
+ defaultRelayState:
+ type: string
+ description: Identifies a specific application resource in an IdP-initiated SSO scenario
+ destinationOverride:
+ type: string
+ description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ recipientOverride:
+ type: string
+ description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
+ samlAssertionLifetimeSeconds:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: integer
+ description: Determines the SAML app session lifetimes with Okta
+ example: 3600
+ ssoAcsUrlOverride:
+ type: string
+ description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
OSVersion:
- description: Current version of the operating system
+ description: |
+ Specifies the OS requirement for the policy.
+
+ There are two types of OS requirements:
+
+ * **Static**: A specific OS version requirement that doesn't change until you update the policy. A static OS requirement is specified with the `osVersion.minimum` property.
+ * **Dynamic**: An OS version requirement that is relative to the latest major OS release and security patch. A dynamic OS requirement is specified with the `osVersion.dynamicVersionRequirement` property.
+ > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. You can't specify both `osVersion.minimum` and `osVersion.dynamicVersionRequirement` properties at the same time.
+ type: object
+ properties:
+ dynamicVersionRequirement:
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ description:
Contains the necessary properties for a dynamic version requirement
+ type: object
+ properties:
+ type:
+ type: string
+ description: Indicates the type of the dynamic OS version requirement
+ enum:
+ - MINIMUM
+ - EXACT
+ - EXACT_ANY_SUPPORTED
+ x-enumDescriptions:
+ MINIMUM: The device version must be equal to or newer than the dynamically determined version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT: The device version must be on the same major version as the dynamically determined version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT_ANY_SUPPORTED: The device version must be on a major version which is supported. You can't specify `distanceFromLatestMajor` for this type.
+ distanceFromLatestMajor:
+ description: Indicates the distance from the latest major version
+ type: integer
+ minimum: 0
+ maximum: 1
+ latestSecurityPatch:
+ description: Indicates whether the device needs to be on the latest security patch
+ type: boolean
+ minimum:
+ description: The device version must be equal to or newer than the specified version string (maximum of three components for iOS and macOS, and maximum of four components for Android)
+ type: string
+ example: 12.4.5
+ OSVersionConstraint:
+ type: object
+ properties:
+ dynamicVersionRequirement:
+ type: object
+ description: Contains the necessary properties for a dynamic Windows version requirement
+ properties:
+ type:
+ type: string
+ description: Indicates the type of the dynamic Windows version requirement
+ enum:
+ - MINIMUM
+ - EXACT
+ - EXACT_ANY_SUPPORTED
+ - NOT_ALLOWED
+ x-enumDescriptions:
+ MINIMUM: The device version must be equal to or newer than the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT: The device version must be on the same major version as the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type.
+ EXACT_ANY_SUPPORTED: The device version must be on a Windows major version which is supported. You can't specify `distanceFromLatestMajor` for this type.
+ NOT_ALLOWED: The device version isn't allowed. You can't specify `distanceFromLatestMajor` or `latestSecurityPatch` for this type.
+ distanceFromLatestMajor:
+ description: Indicates the distance from the latest Windows major version
+ type: integer
+ minimum: 0
+ maximum: 1
+ latestSecurityPatch:
+ description: Indicates whether the policy requires Windows devices to be on the latest security patch
+ type: boolean
+ majorVersionConstraint:
+ type: string
+ description: Indicates the Windows major version
+ enum:
+ - WINDOWS_11
+ - WINDOWS_10
+ x-enumDescriptions:
+ WINDOWS_11: The device is on Windows 11
+ WINDOWS_10: The device is on Windows 10 or an older Windows version
+ minimum:
+ description: The Windows device version must be equal to or newer than the specified version
+ type: string
+ example: 12.4.5.9
+ required:
+ - majorVersionConstraint
+ OSVersionFourComponents:
+ description: Current version of the operating system (maximum of four components in the versioning scheme)
+ type: object
+ properties:
+ minimum:
+ type: string
+ example: 12.4.5.9
+ OSVersionThreeComponents:
+ description: Current version of the operating system (maximum of three components in the versioning scheme)
type: object
properties:
minimum:
type: string
+ example: 12.4.5
+ Office365Application:
+ title: Microsoft Office 365
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: office365
+ description: |
+ Schema for the Microsoft Office 365 app (key name: `office365`)
+
+ To create a Microsoft Office 365 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Office 365 app only supports `BROWSER_PLUGIN` and `SAML_1_1` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - office365
+ example: office365
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_1_1
+ example: BROWSER_PLUGIN
+ settings:
+ $ref: '#/components/schemas/Office365ApplicationSettings'
+ example:
+ name: office365
+ label: Sample Office365 App
+ signOnMode: SAML_1_1
+ settings:
+ app:
+ domain: myintegration.okta365test.net
+ msftTenant: mycompanyinc
+ Office365ApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/Office365ApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml11ApplicationSettingsSignOn'
+ Office365ApplicationSettingsApplication:
+ description: Office365 app instance properties
+ type: object
+ properties:
+ domain:
+ type: string
+ description: The domain for your Office 365 account
+ msftTenant:
+ type: string
+ description: Microsoft tenant name
+ required:
+ - msftTenant
+ - domain
+ Office365ProvisioningSettings:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ title: Microsoft Office 365 provisioning settings
+ description: Settings required for the Microsoft Office 365 Provisioning Connection
+ type: object
+ properties:
+ adminPassword:
+ type: string
+ description: Microsoft Office 365 global administrator password
+ adminUsername:
+ type: string
+ description: Microsoft Office 365 global administrator username
+ required:
+ - adminUsername
+ - adminPassword
+ OfflineAccessScopeResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3
+ title:
+ type: string
+ description: Link name
+ example: offline_access
+ Oidc:
+ description: OIDC configuration details
+ type: object
+ properties:
+ doc:
+ type: string
+ format: uri
+ description: The URL to your customer-facing instructions for configuring your OIDC integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines).
+ example: https://example.com/strawberry/help/oidcSetup
+ initiateLoginUri:
+ type: string
+ format: uri
+ description: The URL to redirect users when they click on your app from their Okta End-User Dashboard
+ example: https://${org.subdomain}.example.com/strawberry/oidc/sp-init
+ postLogoutUris:
+ type: array
+ description: The sign-out redirect URIs for your app. You can send a request to `/v1/logout` to sign the user out and redirect them to one of these URIs.
+ items:
+ type: string
+ format: uri
+ description: 'A sign-out redirect URI. You can use the org properties you defined in the `config` array as variables in your URI. For example: `https://${org.subdomain}.example.com/strawberry/oidc/logged-out`'
+ example: https://${org.subdomain}.example.com/strawberry/oidc/logged-out
+ redirectUris:
+ type: array
+ minItems: 1
+ description: List of sign-in redirect URIs
+ items:
+ type: string
+ format: uri
+ description: Sign-in redirect URI
+ example: https://${org.subdomain}.example.com/strawberry/oidc/login
+ required:
+ - redirectUris
+ - doc
+ OidcAlgorithms:
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/OidcRequestAlgorithm'
+ OidcJwksEndpoint:
+ description: Endpoint for the JSON Web Key Set (JWKS) document. This document contains signing keys that are used to validate the signatures from the provider. For more information on JWKS, see [JSON Web Key](https://tools.ietf.org/html/rfc7517).
+ type: object
+ properties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
+ type: string
+ description: URL of the endpoint to the JWK Set
+ example: https://idp.example.com/keys
+ OidcRequestAlgorithm:
+ description: Algorithm settings used to sign an authorization request
+ type: object
+ properties:
+ signature:
+ $ref: '#/components/schemas/OidcRequestSignatureAlgorithm'
+ OidcRequestSignatureAlgorithm:
+ description: |-
+ Signature Algorithm settings for signing authorization requests sent to the IdP
+ > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`).
+ type: object
+ properties:
+ algorithm:
+ $ref: '#/components/schemas/OidcSigningAlgorithm'
+ scope:
+ $ref: '#/components/schemas/ProtocolAlgorithmRequestScope'
+ OidcSigningAlgorithm:
+ type: string
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ OidcUserInfoEndpoint:
+ description: Endpoint for getting identity information about the User. For more information on the `/userinfo` endpoint, see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
+ type: object
+ properties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ url:
+ type: string
+ description: URL of the resource server's `/userinfo` endpoint
+ example: https://idp.example.com/userinfo
+ OktaActiveDirectoryGroupProfile:
+ description: |-
+ Profile for a Group that is imported from Active Directory.
+
+ The `objectClass` for such groups is `okta:windows_security_principal`.
+ type: object
+ properties:
+ description:
+ type: string
+ example: example.com/West Coast/West Coast Users
+ description: Description of the Windows Group
+ dn:
+ type: string
+ example: CN=West Coast Users,OU=West Coast,DC=example,DC=com
+ description: The distinguished name of the Windows Group
+ externalId:
+ type: string
+ example: VKzYZ1C+IkSZxIWlrW5ITg==
+ description: Base-64 encoded GUID (`objectGUID`) of the Windows Group
+ name:
+ type: string
+ example: West Coast Users
+ description: Name of the Windows Group
+ samAccountName:
+ type: string
+ example: West Coast Users
+ description: Pre-Windows 2000 name of the Windows Group
+ windowsDomainQualifiedName:
+ type: string
+ example: EXAMPLE\\West Coast Users
+ description: Fully qualified name of the Windows Group
+ OktaDeviceRiskChangeEvent:
+ description: The device risk level changed
+ type: object
+ properties:
+ current_level:
+ type: string
+ description: Current risk level of the device
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: low
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_level:
+ type: string
+ description: Previous risk level of the device
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: medium
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_level
+ - previous_level
+ OktaIpChangeEvent:
+ description: IP changed for the subject's session
+ type: object
+ properties:
+ current_ip_address:
+ type: string
+ description: Current IP address of the subject
+ example: 123.4.5.6
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_ip_address:
+ type: string
+ description: Previous IP address of the subject
+ example: 123.45.67.8
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_ip_address
+ - previous_ip_address
+ OktaPersonalAdminFeatureSettings:
+ description: Defines a list of Okta Personal settings that can be enabled or disabled for the org
+ type: object
+ properties:
+ enableEnduserEntryPoints:
+ type: boolean
+ description: Allow entry points for an Okta Personal account in a Workforce org
+ enableExportApps:
+ type: boolean
+ description: Allow users to migrate apps from a Workforce account to an Okta Personal account
OktaSignOnPolicy:
allOf:
- $ref: '#/components/schemas/Policy'
@@ -27989,12 +58178,26 @@ components:
$ref: '#/components/schemas/OktaSignOnPolicyConditions'
OktaSignOnPolicyConditions:
allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- type: object
properties:
people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ groups:
+ type: object
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
OktaSignOnPolicyFactorPromptMode:
+ description: |
+ Indicates if the User should be challenged for a second factor (MFA) based on the device being used, a Factor session lifetime, or on every sign-in attempt
+
+ **Note:** Required only if `requireFactor` is set to `true`.
type: string
enum:
- ALWAYS
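Review bot: The inlined `people` condition on `OktaSignOnPolicyConditions` now documents only `groups.include`, while `OktaSignOnPolicyRuleConditions` in the next hunk still references `PolicyPeopleCondition` for the same concept; if the policy-level condition also accepts `groups.exclude` or `users`, this schema under-documents it, and if it doesn't, a one-line `description` such as `Only group inclusion is supported at the policy level` would make the narrowing deliberate. Dropping the `PolicyRuleConditions` `$ref` from the `allOf` also removes whatever base properties that schema contributed, which I can't confirm from this hunk; worth checking that nothing callers currently send has become undeclared.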
@@ -28018,7 +58221,6 @@ components:
$ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions'
OktaSignOnPolicyRuleConditions:
allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- type: object
properties:
authContext:
@@ -28027,33 +58229,132 @@ components:
$ref: '#/components/schemas/PolicyNetworkCondition'
people:
$ref: '#/components/schemas/PolicyPeopleCondition'
+ identityProvider:
+ $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition'
OktaSignOnPolicyRuleSignonActions:
type: object
properties:
access:
- $ref: '#/components/schemas/PolicyAccess'
+ type: string
+ enum:
+ - ALLOW
+ - DENY
factorLifetime:
type: integer
+ description: |
+ Interval of time that must elapse before the User is challenged for MFA, if the Factor prompt mode is set to `SESSION`
+
+ **Note:** Required only if `requireFactor` is `true`.
factorPromptMode:
$ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode'
+ primaryFactor:
+ $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonPrimaryFactor'
rememberDeviceByDefault:
type: boolean
+ description: Indicates if Okta should automatically remember the device
default: false
requireFactor:
type: boolean
default: false
+ description: Indicates if multifactor authentication is required
session:
$ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions'
+ OktaSignOnPolicyRuleSignonPrimaryFactor:
+ description: |-
+ Indicates the primary factor used to establish a session for the org. Supported values: `PASSWORD_IDP_ANY_FACTOR` (users can use any factor required by the app authentication policy to establish a session), `PASSWORD_IDP` (users must always use a password to establish a session).
+
+ **Note:** Required only if `access` is set to `ALLOW`.
+ type: string
+ enum:
+ - PASSWORD_IDP
+ - PASSWORD_IDP_ANY_FACTOR
OktaSignOnPolicyRuleSignonSessionActions:
+ description: Properties governing the User's session lifetime
type: object
properties:
maxSessionIdleMinutes:
+ description: Maximum number of minutes that a User session can be idle before the session is ended
type: integer
+ default: 120
maxSessionLifetimeMinutes:
+ description: Maximum number of minutes from User sign in that a user's session is active. Set this to force Users to sign in again after the number of specified minutes. Disable by setting to `0`. This property is read-only for the default rule of the default global session policy.
type: integer
+ default: 0
usePersistentCookie:
+ description: If set to `false`, user session cookies only last the length of a browser session. If set to `true`, user session cookies last across browser sessions. This setting doesn't impact administrators who can never have persistent session cookies. This property is read-only for the default rule of the default global session policy.
type: boolean
default: false
+ OktaUserGroupProfile:
+ description: |-
+ Profile for any Group that is not imported from Active Directory. Specifies the standard
+ and custom profile properties for a Group.
+
+ The `objectClass` for these groups is `okta:user_group`.
+ type: object
+ properties:
+ description:
+ type: string
+ example: All Users West of The Rockies
+ description: Description of the Group
+ name:
+ type: string
+ example: West Coast Users
+ description: Name of the Group
+ x-okta-extensible: true
+ OktaUserRiskChangeEvent:
+ description: The user risk level changed
+ type: object
+ properties:
+ current_level:
+ type: string
+ description: Current risk level of the user
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: low
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ initiating_entity:
+ type: string
+ description: The entity that initiated the event
+ enum:
+ - admin
+ - user
+ - policy
+ - system
+ previous_level:
+ type: string
+ description: Previous risk level of the user
+ enum:
+ - low
+ - medium
+ - high
+ - secure
+ - none
+ example: medium
+ reason_admin:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required.
+ reason_user:
+ allOf:
+ - $ref: '#/components/schemas/SecurityEventReason'
+ - type: object
+ description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required.
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ - current_level
+ - previous_level
OpenIdConnectApplication:
x-okta-defined-as:
name: oidc_client
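Review bot: `OktaUserRiskChangeEvent` states in prose that either `reason_admin` or `reason_user` is required, but the `required` list doesn't express it, so validators and generated clients accept an event with neither; adding `anyOf:` with `- required: [reason_admin]` and `- required: [reason_user]` under the schema would enforce it. The same gap exists in `OktaDeviceRiskChangeEvent` and `OktaIpChangeEvent` in the preceding hunk. The three event schemas also repeat `event_timestamp`, `initiating_entity`, `reason_admin`, `reason_user` and `subject` verbatim; a shared base schema pulled in via `allOf` would keep them from drifting. Separately, `maxSessionLifetimeMinutes` documents `0` as disabling the limit and `0` is also the `default`, which is worth stating explicitly, e.g. `The default of 0 means no lifetime limit is enforced`, so readers don't miss that the default is the least restrictive setting.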
@@ -28065,29 +58366,80 @@ components:
$ref: '#/components/schemas/OAuthApplicationCredentials'
name:
type: string
- default: oidc_client
+ description: '`oidc_client` is the key name for an OAuth 2.0 client app instance'
+ enum:
+ - oidc_client
settings:
$ref: '#/components/schemas/OpenIdConnectApplicationSettings'
+ required:
+ - name
+ - settings
+ - credentials
OpenIdConnectApplicationConsentMethod:
+ description: |
+ Indicates whether user consent is required or implicit.
+ A consent dialog appears for the end user depending on the values of three elements:
+
+ * [prompt](/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/authorize!in=query&path=prompt&t=request): A query parameter that is used in requests to `/authorize`
+ * `consent_method` (this property)
+ * [consent](/openapi/okta-management/management/tag/AuthorizationServerScopes/#tag/AuthorizationServerScopes/operation/createOAuth2Scope!path=consent&t=request): A [Scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServerScopes/) property that allows you to enable or disable user consent for an individual scope
+
+ | `prompt` | `consent_method` | `consent` | Result
+ | ---------- | ----------- | ---------- | ----------- |
+ | CONSENT | TRUSTED or REQUIRED | REQUIRED | Prompted |
+ | CONSENT | TRUSTED or REQUIRED | FLEXIBLE | Prompted |
+ | CONSENT | TRUSTED | IMPLICIT | Not prompted |
+ | NONE | TRUSTED | FLEXIBLE, IMPLICIT, or REQUIRED | Not prompted |
+ | NONE | REQUIRED | FLEXIBLE or REQUIRED | Prompted |
+ | NONE | REQUIRED | IMPLICIT | Not prompted |
+
+ > **Notes:**
+ > * If you request a scope that requires consent while using the `client_credentials` flow, an error is returned because the flow doesn't support user consent.
+ > * If the `prompt` value is set to `NONE`, but the `consent_method` and the consent values are set to `REQUIRED`, then an error occurs.
+ > * When a scope is requested during a Client Credentials grant flow and `consent` is set to `FLEXIBLE`, the scope is granted in the access token with no consent prompt. This occurs because there is no user involved in a two-legged OAuth 2.0 [Client Credentials](https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/) grant flow.
+ default: TRUSTED
type: string
enum:
- REQUIRED
- TRUSTED
+ x-enumDescriptions:
+ TRUSTED: The client is fully trusted (for example, a first-party app). The default consent method for app instances created with a [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request
+ REQUIRED: The client requires consent (for example, a third-party app). The default consent method for app instances created with a [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient) request
OpenIdConnectApplicationIdpInitiatedLogin:
+ description: The type of IdP-initiated sign-in flow that the client supports
type: object
properties:
default_scope:
type: array
+ description: The scopes to use for the request when `mode` is `OKTA`
items:
type: string
mode:
type: string
+ description: |
+ The mode to use for the IdP-initiated sign-in flow. For `OKTA` or `SPEC` modes, the client must have an `initiate_login_uri` registered.
+ > **Note:** For web and SPA apps, if the mode is `SPEC` or `OKTA`, you must set `grant_types` to `authorization_code`, `implicit`, or `interaction_code`.
+ enum:
+ - DISABLED
+ - SPEC
+ - OKTA
+ x-enumDescriptions:
+ DISABLED: The client doesn't support the IdP-initiated sign-in flow.
+ SPEC: The client is redirected to the Relying Party's `initiate_login_uri`.
+ OKTA: Tokens are directly sent to the Relying Party. This corresponds to the **Okta Simplified** option in the Admin Console.
+ required:
+ - mode
OpenIdConnectApplicationIssuerMode:
+ description: Indicates whether the Okta authorization server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client
type: string
enum:
- CUSTOM_URL
- DYNAMIC
- ORG_URL
+ x-enumDescriptions:
+ CUSTOM_URL: The issuer is returned in the appropriate OIDC token response. This is the default `issuer_mode` when you configured a custom domain for your org.
+ DYNAMIC: A request for the ID token made from the custom domain has the custom URL as the issuer. A request for the ID token made from an Okta org has the Org URL as the issuer. You can only set `issuer_mode` as DYNAMIC if the Dynamic Issuer Mode feature is enabled. Contact Okta Support to enable this feature.
+ ORG_URL: The issuer is returned based on the URL of your Okta organization. This is useful when you are using Okta’s default domain and do not have a custom domain configured.
OpenIdConnectApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
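Review bot: `OpenIdConnectApplicationConsentMethod` sets `default: TRUSTED`, but its own `x-enumDescriptions` say `REQUIRED` is the default for clients created through the `createClient` request, so the schema-level default is only true for one of the two creation paths; either drop `default` or qualify it in the description, e.g. `Defaults to TRUSTED for apps created with Create an Application and to REQUIRED for clients created with Create a Client Application`. The Markdown table header row `| \`prompt\` | \`consent_method\` | \`consent\` | Result` lacks the closing `|` that every other row has, which some renderers treat as a malformed header. `OpenIdConnectApplicationIdpInitiatedLogin.mode` documents that `OKTA` and `SPEC` require a registered `initiate_login_uri`, a cross-property constraint the schema can't express; a short pointer on `initiate_login_uri` itself (in a later hunk) back to this requirement would help readers find it.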
@@ -28100,23 +58452,69 @@ components:
properties:
application_type:
$ref: '#/components/schemas/OpenIdConnectApplicationType'
+ backchannel_authentication_request_signing_alg:
+ description: |
+ The signing algorithm for Client-Initiated Backchannel Authentication (CIBA) signed requests using JWT. If this value isn't set and a JWT-signed request is sent, the request fails.
+ > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`.
+ type: string
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ - ES256
+ - ES384
+ - ES512
+ backchannel_custom_authenticator_id:
+ description: |
+ The ID of the custom authenticator that authenticates the user
+ > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`.
+ type: string
+ maxLength: 20
+ minLength: 20
+ backchannel_token_delivery_mode:
+ description: |
+ The delivery mode for Client-Initiated Backchannel Authentication (CIBA). Currently, only `poll` is supported.
+ > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`.
+ enum:
+ - poll
+ - ping
+ - push
+ type: string
client_uri:
type: string
+ description: URL string of a web page providing information about the client
+ maxLength: 1024
consent_method:
$ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod'
dpop_bound_access_tokens:
type: boolean
- description: Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header.
+ description: |
+ Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header.
+ > **Note:** If `dpop_bound_access_tokens` is true, then `client_credentials` and `implicit` aren't allowed in `grant_types`.
default: false
x-okta-lifecycle:
- features:
- - OAUTH2_DPOP
+ lifecycle: GA
+ isGenerallyAvailable: true
frontchannel_logout_session_required:
- description: Include user session details.
+ description:
Determines whether Okta sends `sid` and `iss` in the logout request
type: boolean
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
frontchannel_logout_uri:
- description: URL where Okta sends the logout request.
+ description:
URL where Okta sends the logout request
type: string
+ maxLength: 1024
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
grant_types:
type: array
items:
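Review bot: `backchannel_token_delivery_mode` says `Currently, only \`poll\` is supported` yet its `enum` lists `poll`, `ping` and `push`, so generated clients will offer values the description says aren't supported; either trim the enum to `- poll` or reword to state what happens when `ping` or `push` is sent (validation error versus silently ignored — I can't tell which from here). The `description:` values for `frontchannel_logout_session_required` and `frontchannel_logout_uri` are written as a bare key with the text on the following line, which YAML folds into a plain multi-line scalar; it parses, but a `>-` block or a single line is the conventional form and survives reformatting. `backchannel_custom_authenticator_id` pins `minLength` and `maxLength` to 20 with no `example`; one clearly constructed sample would make the expected ID format obvious.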
@@ -28125,64 +58523,215 @@ components:
$ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin'
initiate_login_uri:
type: string
+ description: URL string that a third party can use to initiate the sign-in flow by the client
issuer_mode:
$ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode'
jwks:
$ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys'
jwks_uri:
- description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta.
+ description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta
type: string
logo_uri:
type: string
+ description: The URL string that references a logo for the client. This logo appears on the client tile in the End-User Dashboard. It also appears on the client consent dialog during the client consent flow.
+ maxLength: 1024
participate_slo:
- description: Allows the app to participate in front-channel single logout.
+ description: |
+
Allows the app to participate in front-channel Single Logout
+
+ > **Note:** You can only enable `participate_slo` for `web` and `browser` application types (`application_type`).
type: boolean
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs:
+ - Okta Identity Engine
policy_uri:
type: string
+ description: URL string of a web page providing the client's policy document
post_logout_redirect_uris:
type: array
+ description: Array of redirection URI strings for relying party-initiated logouts
items:
type: string
redirect_uris:
type: array
+ description: |-
+ Array of redirection URI strings for use in redirect-based flows.
+ > **Note:** At least one `redirect_uris` and `response_types` are required for all client types, with exceptions: if the client uses the [Resource Owner Password ](https://tools.ietf.org/html/rfc6749#section-4.3)flow (`grant_types` contains `password`) or [Client Credentials](https://tools.ietf.org/html/rfc6749#section-4.4)flow (`grant_types` contains `client_credentials`), then no `redirect_uris` or `response_types` is necessary. In these cases, you can pass either null or an empty array for these attributes.
items:
type: string
refresh_token:
$ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken'
+ request_object_signing_alg:
+ description: The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects
+ type: string
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ - ES256
+ - ES384
+ - ES512
response_types:
type: array
+ description: Array of OAuth 2.0 response type strings
items:
$ref: '#/components/schemas/OAuthResponseType'
+ sector_identifier_uri:
+ type: string
+ description: The sector identifier used for pairwise `subject_type`. See [OIDC Pairwise Identifier Algorithm](https://openid.net/specs/openid-connect-messages-1_0-20.html#idtype.pairwise.alg)
+ maxLength: 1024
+ subject_type:
+ description: Type of the subject
+ type: string
+ enum:
+ - public
+ - pairwise
tos_uri:
type: string
+ description: URL string of a web page providing the client's terms of service document
wildcard_redirect:
type: string
+ description: Indicates if the client is allowed to use wildcard matching of `redirect_uris`
+ enum:
+ - DISABLED
+ - SUBDOMAIN
+ x-enumDescriptions:
+ DISABLED: All redirect URIs must be absolute URIs and not include a fragment component.
+ SUBDOMAIN: |
+ Any configured redirect URIs may contain a single `*` character in the lowest-level domain (for example, `https://redirect-*-domain.example.com/oidc/redirect`) to act as a wildcard.
+ The wildcard subdomain must have at least one subdomain between it and the top level domain.
+ The wildcard can match any valid hostname characters, but can't span more than one domain.
+ For example, if `https://redirect-*-domain.example.com/oidc/redirect` is configured as a redirect URI, then `https://redirect-1-domain.example.com/oidc/redirect` and `https://redirect-sub-domain.example.com/oidc/redirect` match, but `https://redirect-1.sub-domain.example.com/oidc/redirect` doesn't match.
+ Only the `https` URI scheme can use wildcard redirect URIs.
+ > **Note:** The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise caution if you decide to include a wildcard redirect URI in your configuration.
+ required:
+ - grant_types
OpenIdConnectApplicationSettingsClientKeys:
+ description: A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta
type: object
properties:
keys:
type: array
items:
- $ref: '#/components/schemas/JsonWebKey'
+ $ref: '#/components/schemas/schemas-JsonWebKey'
OpenIdConnectApplicationSettingsRefreshToken:
+ description: |
+ Refresh token configuration for an OAuth 2.0 client
+
+ When you create or update an OAuth 2.0 client, you can configure refresh token rotation by setting the `rotation_type` and `leeway` properties. If you don't set these properties when you create an app integration, the default values are used.
+ When you update an app integration, your previously configured values are used.
type: object
properties:
leeway:
type: integer
+ minimum: 0
+ maximum: 60
+ description: |
+ The leeway, in seconds, allowed for the OAuth 2.0 client.
+ After the refresh token is rotated, the previous token remains valid for the specified period of time so clients can get the new token.
+
+ > **Note:** A leeway of 0 doesn't necessarily mean that the previous token is immediately invalidated. The previous token is invalidated after the new token is generated and returned in the response.
+ default: 30
+ example: 20
rotation_type:
$ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType'
+ required:
+ - rotation_type
OpenIdConnectApplicationType:
+ description: |-
+ The type of client app
+ Specific `grant_types` are valid for each `application_type`. See [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient).
type: string
enum:
- browser
- native
- service
- web
+ x-enumDescriptions:
+ browser: Single-Page app (SPA)
+ native: Native app
+ service: API service app
+ web: Web app
OpenIdConnectRefreshTokenRotationType:
+ description: The refresh token rotation mode for the OAuth 2.0 client
+ example: STATIC
type: string
enum:
- ROTATE
- STATIC
+ x-enumDescriptions:
+ ROTATE: The default rotation type for single-page apps (SPAs)
+ STATIC: The default rotation type for all clients, except SPAs
+ OperationRequest:
+ type: object
+ properties:
+ assignmentId:
+ type: string
+ OperationResponse:
+ type: object
+ properties:
+ assignmentOperation:
+ type: object
+ properties:
+ configuration:
+ type: object
+ properties:
+ actions:
+ type: object
+ properties:
+ assignUserToRealm:
+ type: object
+ properties:
+ realmId:
+ type: string
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ id:
+ type: string
+ name:
+ type: string
+ completed:
+ type: string
+ format: date-time
+ readOnly: true
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ readOnly: true
+ numUserMoved:
+ type: number
+ readOnly: true
+ realmId:
+ type: string
+ readOnly: true
+ realmName:
+ type: string
+ readOnly: true
+ started:
+ type: string
+ format: date-time
+ readOnly: true
+ status:
+ type: string
+ readOnly: true
+ enum:
+ - COMPLETED
+ - SCHEDULED
+ - IN_PROGRESS
+ - FAILED
+ type:
+ type: string
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
OperationalStatus:
description: Operational status of a given agent
type: string
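Review bot: The `participate_slo` description is a `|` literal block whose first content line is blank, so the rendered string begins with a newline; drop the empty line after `description: |` (or use `|-` with the text on the first line). In the `redirect_uris` description the Markdown links are mis-spaced — `[Resource Owner Password ](…)flow` and `[Client Credentials](…)flow` — so the link text carries a trailing space and `flow` runs into the link; `[Resource Owner Password](…) flow` and `[Client Credentials](…) flow` fix both. `OperationRequest` and `OperationResponse` are new schemas with no `description` on the schema or on any property, and `numUserMoved` is declared `type: number` where a count would normally be `type: integer`; a one-line purpose on each schema and, if it is a count, `type: integer` would bring them in line with the rest of the file.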
@@ -28191,6 +58740,152 @@ components:
- DISRUPTED
- INACTIVE
- OPERATIONAL
+ OptInStatusResponse:
+ type: object
+ properties:
+ optInStatus:
+ type: string
+ enum:
+ - OPTING_IN
+ - OPTED_IN
+ - OPTING_OUT
+ - OPTED_OUT
+ _links:
+ allOf:
+ - properties:
+ optInStatus:
+ $ref: '#/components/schemas/HrefObject'
+ Org2OrgApplication:
+ title: Org2Org
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: okta_org2org
+ example:
+ name: okta_org2org
+ label: Okta Org2Org
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ acsUrl: https://example.okta.com/sso/saml2/exampleid
+ audRestriction: https://www.okta.com/saml2/service-provider/exampleid
+ baseUrl: https://example.okta.com
+ description: |
+ Schema for the Okta Org2Org app (key name: `okta_org2org`)
+
+ To create an Org2Org app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Notes:**
+ > * The Okta Org2Org (`okta_org2org`) app isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team.
+ > * The Okta Org2Org app supports `SAML_2_0` and `AUTO_LOGIN` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - okta_org2org
+ example: okta_org2org
+ signOnMode:
+ default: SAML_2_0
+ enum:
+ - SAML_2_0
+ - AUTO_LOGIN
+ x-enumDescriptions:
+ SAML_2_0: Federated Authentication with SAML 2.0 WebSSO
+ AUTO_LOGIN: Secure Web Authentication (SWA)
+ settings:
+ $ref: '#/components/schemas/Org2OrgApplicationSettings'
+ Org2OrgApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/Org2OrgApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ Org2OrgApplicationSettingsApplication:
+ description: Org2Org app instance properties
+ type: object
+ properties:
+ acsUrl:
+ type: string
+ description: The Assertion Consumer Service (ACS) URL of the source org (for `SAML_2_0` sign-on mode)
+ audRestriction:
+ type: string
+ description: The entity ID of the SP (for `SAML_2_0` sign-on mode)
+ example: https://www.okta.com/saml2/service-provider/exampleid
+ baseUrl:
+ type: string
+ description: The base URL of the target Okta org (for `SAML_2_0` sign-on mode)
+ creationState:
+ type: string
+ description: Used to track and manage the state of the app's creation or the provisioning process between two Okta orgs
+ preferUsernameOverEmail:
+ type: boolean
+ description: Indicates that you don't want to use an email address as the username
+ token:
+ type: string
+ description: An API token from the target org that's used to secure the connection between the orgs
+ tokenEncrypted:
+ type: string
+ description: Encrypted token to enhance security
+ required:
+ - baseUrl
+ OrgAerialConsent:
+ type: object
+ properties:
+ accountId:
+ description: The unique ID of the Aerial account
+ type: string
+ required:
+ - accountId
+ OrgAerialConsentDetails:
+ type: object
+ properties:
+ accountId:
+ description: The unique ID of the Aerial account
+ type: string
+ grantedBy:
+ type: string
+ description: Principal ID of the user who granted the permission
+ example: 00u23ej02I2RLFxS5406
+ grantedDate:
+ type: string
+ description: Date when grant was created
+ example: '2024-07-24T16:01:13.000Z'
+ _links:
+ $ref: '#/components/schemas/LinksAerialConsentGranted'
+ required:
+ - accountId
+ OrgAerialConsentRevoked:
+ type: object
+ properties:
+ _links:
+ $ref: '#/components/schemas/LinksAerialConsentRevoked'
+ OrgAerialGrantNotFound:
+ type: object
+ properties:
+ accountId:
+ description: The unique ID of the Aerial account
+ type: string
+ grantedBy:
+ type: string
+ description: Principal ID of the user who granted the permission
+ example: 00u23ej02I2RLFxS5406
+ grantedDate:
+ type: string
+ description: Date when grant was created
+ example: '2024-07-24T16:01:13.000Z'
+ _links:
+ $ref: '#/components/schemas/LinksAerialConsentGranted'
OrgCAPTCHASettings:
title: OrgCAPTCHASettings
description: ''
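Review bot: `Org2OrgApplicationSettingsApplication.token` is an API token for the target org, i.e. a credential, but the schema gives no indication of whether it is echoed back in responses; if the API doesn't return it (which I can't verify here), mark it `writeOnly: true` the way `OrgCreationAdmin` does in the next hunk, and if it does, say so in the description so integrators know the response carries a secret. The `tokenEncrypted` description `Encrypted token to enhance security` doesn't say who encrypts it or what format is expected, so a caller can't tell whether to send `token`, `tokenEncrypted` or both. `grantedDate` in `OrgAerialConsentDetails` and `OrgAerialGrantNotFound` has a timestamp example but no `format: date-time`, and the two schemas are identical property for property; adding the format and expressing one in terms of the other via `$ref` or `allOf` avoids drift.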
@@ -28212,33 +58907,121 @@ components:
$ref: '#/components/schemas/HrefObject'
readOnly: true
OrgContactType:
+ description: Type of contact
type: string
enum:
- BILLING
- TECHNICAL
OrgContactTypeObj:
+ anyOf:
+ - $ref: '#/components/schemas/orgBillingContactType'
+ - $ref: '#/components/schemas/orgTechnicalContactType'
type: object
properties:
contactType:
$ref: '#/components/schemas/OrgContactType'
- _links:
- $ref: '#/components/schemas/LinksSelf'
+ discriminator:
+ propertyName: contactType
+ mapping:
+ BILLING: '#/components/schemas/orgBillingContactType'
+ TECHNICAL: '#/components/schemas/orgTechnicalContactType'
OrgContactUser:
type: object
properties:
userId:
type: string
+ description: Contact user ID
_links:
- $ref: '#/components/schemas/LinksSelf'
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Contact Type User object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ user:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ OrgCreationAdmin:
+ description: |-
+ Profile and credential information for the first super admin user of the child org.
+ If you plan to configure and manage the org programmatically, create a system user with a dedicated email address and a strong password.
+ > **Note:** If you don't provide `credentials`, the super admin user is prompted to set up their credentials when they sign in to the org for the first time.
+ writeOnly: true
+ type: object
+ properties:
+ credentials:
+ type: object
+ description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org.
+ properties:
+ password:
+ type: object
+ description: |-
+ Specifies a password for a user
+ > **Note:** For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation.
+ properties:
+ value:
+ type: string
+ writeOnly: true
+ description: Password value (which is validated by the password policy)
+ format: password
+ example: pa$$word
+ recovery_question:
+ $ref: '#/components/schemas/RecoveryQuestionCredential'
+ profile:
+ type: object
+ description: |-
+ Specifies the profile attributes for the first super admin user. The minimal set of required attributes are `email`, `firstName`, `lastName`, and `login`.
+ See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) for additional profile attributes.
+ properties:
+ firstName:
+ type: string
+ description: Given name of the User (`givenName`)
+ minLength: 1
+ maxLength: 50
+ nullable: true
+ lastName:
+ type: string
+ description: The family name of the User (`familyName`)
+ minLength: 1
+ maxLength: 50
+ nullable: true
+ email:
+ type: string
+ description: The primary email address of the User. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
+ format: email
+ minLength: 5
+ maxLength: 100
+ login:
+ type: string
+ description: The unique identifier for the User (`username`)
+ maxLength: 100
+ additionalProperties: true
+ required:
+ - email
+ - login
+ - firstName
+ - lastName
+ required:
+ - profile
OrgOktaCommunicationSetting:
type: object
properties:
optOutEmailUsers:
type: boolean
+ description: Indicates whether org users receive Okta communication emails
readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ optIn:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to opt users in to communication emails
+ optOut:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to opt users out of communication emails
OrgOktaSupportSetting:
+ description: Status of Okta Support Settings
type: string
enum:
- DISABLED
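Review bot: In `OrgCreationAdmin.profile`, `firstName` and `lastName` are listed under `required` with `minLength: 1` yet also carry `nullable: true`, so a JSON `null` satisfies the schema while the description says these are mandatory for the first super admin; dropping the two `nullable: true` lines would make the schema match the prose. The password `value` example `pa$$word` is fine as a placeholder but readers may copy it, so a neutral example such as `example: '<strong-password>'` would avoid that. The `OrgContactTypeObj` discriminator maps to `orgBillingContactType` and `orgTechnicalContactType`, which break the PascalCase naming used by every other schema in this file; worth confirming those targets exist under exactly that spelling since `$ref` resolution is case-sensitive.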
@@ -28249,68 +59032,118 @@ components:
expiration:
format: date-time
type: string
+ description: Expiration of Okta Support
readOnly: true
+ nullable: true
support:
$ref: '#/components/schemas/OrgOktaSupportSetting'
_links:
- $ref: '#/components/schemas/LinksSelf'
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Okta Support Settings object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ extend:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to [extend Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/extendOktaSupport)
+ revoke:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to [revoke Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/revokeOktaSupport)
+ grant:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to [grant Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/grantOktaSupport)
OrgPreferences:
type: object
properties:
showEndUserFooter:
type: boolean
+ description: Indicates if the footer is shown on the End-User Dashboard
readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ hideEndUserFooter:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to hide the footer in the End-User Dashboard
+ showEndUserFooter:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to show the footer on the End-User Dashboard
OrgSetting:
type: object
properties:
address1:
type: string
+ description: Primary address of the organization associated with the org
address2:
type: string
+ description: Secondary address of the organization associated with the org
city:
type: string
+ description: City of the organization associated with the org
companyName:
type: string
+ description: Name of org
country:
type: string
+ description: County of the organization associated with the org
created:
format: date-time
readOnly: true
type: string
+ description: When org was created
endUserSupportHelpURL:
type: string
+ description: Support link of org
expiresAt:
format: date-time
readOnly: true
type: string
+ description: Expiration of org
id:
readOnly: true
type: string
+ description: Org ID
lastUpdated:
format: date-time
readOnly: true
type: string
+ description: When org was last updated
phoneNumber:
type: string
+ description: Phone number of the organization associated with the org
postalCode:
type: string
+ description: Postal code of the organization associated with the org
state:
type: string
+ description: State of the organization associated with the org
status:
readOnly: true
type: string
+ description: Status of org
+ enum:
+ - ACTIVE
+ - INACTIVE
subdomain:
readOnly: true
type: string
+ description: Subdomain of org
supportPhoneNumber:
type: string
+ description: Support help phone of the organization associated with the org
website:
type: string
+ description: Website of the organization associated with the org
_links:
- $ref: '#/components/schemas/LinksSelf'
+ $ref: '#/components/schemas/orgGeneralSettingLinks'
OtpProtocol:
+ description: The protocol used
type: string
enum:
- SYMANTEC
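Review bot: The new description of `OrgSetting.country` reads `description: County of the organization associated with the org`, which is a typo for `Country`; the line should be `description: Country of the organization associated with the org`. The new `nullable: true` on `OrgOktaSupportSettingsObj.expiration` is a useful addition, but clients generated from the old spec treated it as a non-null string, so the description could state when it is null, e.g. `description: Expiration of Okta Support access; null when support access is not granted`, if that is the actual behaviour.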
@@ -28324,11 +59157,21 @@ components:
- HMacSHA256
- HMacSHA512
OtpTotpEncoding:
+ description: The shared secret encoding
type: string
enum:
- base32
- base64
- hexadecimal
+ OtpTotpPassCodeLength:
+ description: Number of digits in an OTP value
+ minimum: 6
+ maximum: 10
+ multipleOf: 2
+ type: integer
+ OtpTotpTimeIntervalInSeconds:
+ description: Time interval for TOTP in seconds
+ type: integer
PageRoot:
type: object
properties:
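Review bot: `OtpTotpTimeIntervalInSeconds` is declared as a bare `type: integer` with no bounds, so zero or negative intervals validate against the schema even though they cannot describe a TOTP step; if the service rejects them, `minimum: 1` would document that. `OtpTotpPassCodeLength` does carry `minimum`/`maximum`/`multipleOf`, so the two sibling schemas are inconsistent in how much of the constraint they encode.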
@@ -28358,7 +59201,36 @@ components:
$ref: '#/components/schemas/HrefObject'
preview:
$ref: '#/components/schemas/HrefObject'
+ Parameters:
+ description: Attributes used for processing AD Group membership update
+ type: object
+ properties:
+ action:
+ type: string
+ description: The update action to take
+ enum:
+ - ADD
+ - REMOVE
+ x-enumDescriptions:
+ ADD: Add to the membership of the group
+ REMOVE: Remove from the membership of the group
+ attribute:
+ type: string
+ description: The attribute that tracks group memberships in AD. This should be `member` for AD.
+ values:
+ type: array
+ description: List of user IDs whose group memberships to update
+ items:
+ type: string
+ description: ID of an existing user
PasswordCredential:
+ description: |-
+ Specifies a password for a user.
+
+ When a user has a valid password, imported hashed password, or password hook, and a response object contains
+ a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**).
+
+ For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation.
type: object
properties:
hash:
@@ -28367,8 +59239,16 @@ components:
$ref: '#/components/schemas/PasswordCredentialHook'
value:
type: string
+ writeOnly: true
+ description: Specifies the password for a user. The password policy validates this password.
format: password
+ example: pa$$word
PasswordCredentialHash:
+ description: |-
+ Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly
+ from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import.
+ A hashed password may be specified in a password object when creating or updating a user, but not for other operations.
+ See the **Create user with imported hashed password** section in the [Users API](https://developer.okta.com/docs/reference/api/users/#create-user-with-imported-hashed-password) description. When updating a user with a hashed password, the usermust be in the `STAGED` status.
type: object
properties:
algorithm:
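Review bot: The new `PasswordCredentialHash` description ends with `the usermust be in the `STAGED` status`, missing a space; it should read `the user must be in the `STAGED` status`. The same paragraph lists MD5 and SHA-1 among supported import algorithms without comment; a short clause such as `MD5 and SHA-1 are supported for migration only` would help integrators pick the stronger option, if that matches Okta's guidance.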
@@ -28377,17 +59257,33 @@ components:
$ref: '#/components/schemas/DigestAlgorithm'
iterationCount:
type: integer
+ description: The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm.
keySize:
type: integer
+ description: Size of the derived key in bytes. Only required for PBKDF2 algorithm.
salt:
+ description: |-
+ Only required for salted hashes. For BCRYPT, this specifies Radix-64 as the encoded salt used to generate the hash,
+ which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to
+ generate the hash.
type: string
saltOrder:
type: string
+ description: Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms.
value:
+ description: |-
+ For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual base64-encoded hash of the password (and salt, if used).
+ This is the Base64-encoded `value` of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either pre-fixing or post-fixing
+ the `salt` to the `password`, depending on the `saltOrder`. If a `salt` was not used in the `source` system, then this should just be
+ the Base64-encoded `value` of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64 encoded hashed password.
type: string
workFactor:
type: integer
+ description: Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm.
+ minimum: 1
+ maximum: 20
PasswordCredentialHashAlgorithm:
+ description: The algorithm used to generate the hash using the password (and salt, when applicable).
type: string
enum:
- BCRYPT
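Review bot: `iterationCount` states `Must be >= 4096` in prose only; the constraint should also be encoded so validators and generated clients enforce it, i.e. add `minimum: 4096` under `iterationCount`. Likewise `saltOrder` is a free-form string whose description says it is pre- or postfix; an `enum` with the accepted values would make the contract explicit, whereas `workFactor` in the same hunk already encodes its range with `minimum`/`maximum`. The `salt` description says the BCRYPT salt must be 22 characters, which could similarly be expressed with `minLength`/`maxLength` if it is not algorithm-dependent.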
@@ -28397,20 +59293,25 @@ components:
- SHA-256
- SHA-512
PasswordCredentialHook:
+ description: Specify a [password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) to trigger verification of the user's password the first time the user signs in. This allows an existing password to be imported into Okta directly from some other store.
type: object
properties:
type:
type: string
+ description: The type of password inline hook. Currently, must be set to default.
PasswordDictionary:
+ description: Weak password dictionary lookup settings
type: object
properties:
common:
$ref: '#/components/schemas/PasswordDictionaryCommon'
PasswordDictionaryCommon:
+ description: Lookup settings for commonly used passwords
type: object
properties:
exclude:
type: boolean
+ description: Indicates whether to check passwords against the common password dictionary
default: false
PasswordExpirationPolicyRuleCondition:
type: object
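Review bot: `PasswordCredentialHook.type` says `Currently, must be set to default` but is typed as an unconstrained string, so a misspelled value passes schema validation; if the literal value is the string `default`, encode it as `enum: [default]` (or at least `example: default`) under `type`. The description would also read better as `Currently must be set to `default``, marking the literal.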
@@ -28419,6 +59320,72 @@ components:
type: integer
unit:
type: string
+ PasswordImportRequest:
+ type: object
+ properties:
+ data:
+ $ref: '#/components/schemas/PasswordImportRequestData'
+ eventType:
+ type: string
+ description: The type of inline hook. The password import inline hook type is `com.okta.user.credential.password.import`.
+ source:
+ description: The ID and URL of the password import inline hook
+ type: string
+ PasswordImportRequestData:
+ type: object
+ properties:
+ action:
+ type: object
+ description: This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take.
+ properties:
+ credential:
+ description: The status of the user credential, either `UNVERIFIED` or `VERIFIED`
+ default: UNVERIFIED
+ type: string
+ context:
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ credential:
+ type: object
+ properties:
+ username:
+ description: The `username` that the user supplied when attempting to sign in to Okta.
+ type: string
+ password:
+ description: The `password` that the user supplied when attempting to sign in to Okta.
+ type: string
+ PasswordImportRequestExecute:
+ description: Password import inline hook request
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/PasswordImportRequest'
+ PasswordImportResponse:
+ description: Password import inline hook response
+ type: object
+ properties:
+ commands:
+ description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the password import inline hook, you typically only return one `commands` object with one array element in it.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ description: The location where you specify the command. For the password import inline hook, there's only one command, `com.okta.action.update`.
+ value:
+ description: |-
+ The parameter value of the command.
+ * To indicate that the supplied credentials are valid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "VERIFIED"}`.
+ * To indicate that the supplied credentials are invalid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "UNVERIFIED"}`.
+ Alternatively, you can send an empty response (`204`). By default, the `data.action.credential` is always set to `UNVERIFIED`.
+ type: object
+ properties:
+ credential:
+ type: string
+ enum:
+ - UNVERIFIED
+ - VERIFIED
PasswordPolicy:
allOf:
- $ref: '#/components/schemas/Policy'
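Review bot: In `PasswordImportResponse.commands.items.properties`, the `type` property has only a `description` and no `type: string`, so its JSON type is unspecified; add `type: string` beneath it. Since the description says there is only one command, `com.okta.action.update`, an `enum: [com.okta.action.update]` on that property would make the contract explicit. The `PasswordImportRequestData.action.credential` property similarly describes the values `UNVERIFIED`/`VERIFIED` in prose while the sibling response schema encodes them as an `enum`; the two should match.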
@@ -28446,13 +59413,23 @@ components:
- OKTA
PasswordPolicyConditions:
allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- type: object
properties:
authProvider:
$ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition'
people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
+ type: object
+ description: Identifies Users and Groups that are used together
+ properties:
+ groups:
+ type: object
+ description: Specifies a set of Groups whose Users are to be included or excluded
+ properties:
+ include:
+ type: array
+ description: Groups to be included
+ items:
+ type: string
PasswordPolicyDelegationSettings:
type: object
properties:
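Review bot: `PasswordPolicyConditions` keeps `allOf:` after both of its array entries are removed, and `properties:` now follows it directly; if `properties` stays at its old indentation under the removed `- type: object` entry, `allOf` becomes a mapping rather than an array and the schema is invalid in OpenAPI 3.0. The rendered diff loses leading whitespace, so this needs confirming against the file, but the safe form is `type: object` in place of `allOf:` with `properties:` nested under it. The inlined `people` condition also exposes only `groups.include`, dropping `users` and `exclude` that `PolicyPeopleCondition` provides; if the password policy API still accepts those, they are now undocumented.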
@@ -28463,6 +59440,8 @@ components:
properties:
skipUnlock:
type: boolean
+ description: Indicates if, when performing an unlock operation on an Active Directory sourced User who is locked out of Okta, the system should also attempt to unlock the User's Windows account
+ default: false
PasswordPolicyPasswordSettings:
type: object
properties:
@@ -28473,49 +59452,81 @@ components:
lockout:
$ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout'
PasswordPolicyPasswordSettingsAge:
+ description: Age settings
type: object
properties:
expireWarnDays:
type: integer
+ description: 'Specifies the number of days prior to password expiration when a User is warned to reset their password: `0` indicates no warning'
+ default: 0
historyCount:
type: integer
+ description: 'Specifies the number of distinct passwords that a User must create before they can reuse a previous password: `0` indicates none'
+ default: 0
maxAgeDays:
type: integer
+ description: 'Specifies how long (in days) a password remains valid before it expires: `0` indicates no limit'
+ default: 0
minAgeMinutes:
type: integer
+ description: 'Specifies the minimum time interval (in minutes) between password changes: `0` indicates no limit'
+ default: 0
PasswordPolicyPasswordSettingsComplexity:
+ description: Complexity settings
type: object
properties:
dictionary:
$ref: '#/components/schemas/PasswordDictionary'
excludeAttributes:
type: array
+ description: 'The User profile attributes whose values must be excluded from the password: currently only supports `firstName` and `lastName`'
+ default: []
items:
type: string
excludeUsername:
type: boolean
+ description: Indicates if the Username must be excluded from the password
default: true
minLength:
type: integer
+ description: Minimum password length
+ default: 8
minLowerCase:
type: integer
+ description: 'Indicates if a password must contain at least one lower case letter: `0` indicates no, `1` indicates yes'
+ default: 1
minNumber:
type: integer
+ description: 'Indicates if a password must contain at least one number: `0` indicates no, `1` indicates yes'
+ default: 1
minSymbol:
type: integer
+ description: 'Indicates if a password must contain at least one symbol (For example: !@#$%^&*): `0` indicates no, `1` indicates yes'
+ default: 1
minUpperCase:
type: integer
+ description: 'Indicates if a password must contain at least one upper case letter: `0` indicates no, `1` indicates yes'
+ default: 1
PasswordPolicyPasswordSettingsLockout:
+ description: Lockout settings
type: object
properties:
autoUnlockMinutes:
type: integer
+ description: 'Specifies the time interval (in minutes) a locked account remains locked before it is automatically unlocked: `0` indicates no limit'
+ default: 0
maxAttempts:
type: integer
+ description: 'Specifies the number of times Users can attempt to sign in to their accounts with an invalid password before their accounts are locked: `0` indicates no limit'
+ default: 10
showLockoutFailures:
type: boolean
+ description: Indicates if the User should be informed when their account is locked
+ default: false
userLockoutNotificationChannels:
type: array
+ description: How the user is notified when their account becomes locked. The only acceptable values are `[]` and `['EMAIL']`.
+ default: []
items:
type: string
PasswordPolicyRecoveryEmail:
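Review bot: `userLockoutNotificationChannels` states in prose that the only acceptable values are `[]` and `['EMAIL']`, but the schema allows any string array; encode it as `items: {type: string, enum: [EMAIL]}` with `maxItems: 1` so validators enforce it. The same applies to `excludeAttributes`, whose description limits values to `firstName` and `lastName` while `items` is an unconstrained string. The `minLowerCase`/`minNumber`/`minSymbol`/`minUpperCase` descriptions say `0` or `1` are the meaningful values; if the service accepts only those, `minimum: 0` and `maximum: 1` would document it.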
@@ -28534,13 +59545,16 @@ components:
type: object
properties:
tokenLifetimeMinutes:
+ description: Lifetime (in minutes) of the recovery token
type: integer
+ default: 10080
PasswordPolicyRecoveryFactorSettings:
type: object
properties:
status:
$ref: '#/components/schemas/LifecycleStatus'
PasswordPolicyRecoveryFactors:
+ description: Settings for the Factors that can be used for recovery
type: object
properties:
okta_call:
@@ -28562,8 +59576,10 @@ components:
type: object
properties:
minLength:
+ description: Minimum length of the password recovery question answer
type: integer
readOnly: true
+ default: 4
PasswordPolicyRecoveryQuestionProperties:
type: object
properties:
@@ -28600,14 +59616,12 @@ components:
selfServiceUnlock:
$ref: '#/components/schemas/PasswordPolicyRuleAction'
PasswordPolicyRuleConditions:
- allOf:
- - $ref: '#/components/schemas/PolicyRuleConditions'
- - type: object
- properties:
- network:
- $ref: '#/components/schemas/PolicyNetworkCondition'
- people:
- $ref: '#/components/schemas/PolicyPeopleCondition'
+ type: object
+ properties:
+ network:
+ $ref: '#/components/schemas/PolicyNetworkCondition'
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
PasswordPolicySettings:
type: object
properties:
@@ -28630,7 +59644,7 @@ components:
PASSWORD_REUSE: Password protection warning is triggered by password reuse
PHISHING_REUSE: Password protection warning is triggered by password reuse on a phishing page
PasswordSettingObject:
- description: Determines whether Okta creates and pushes a password in the application for each assigned user
+ description: Determines whether Okta creates and pushes a password in the app for each assigned user
type: object
properties:
change:
@@ -28642,6 +59656,15 @@ components:
- $ref: '#/components/schemas/EnabledStatus'
- default: DISABLED
- example: ENABLED
+ PatchAction:
+ description: The operation (PATCH action)
+ type: string
+ enum:
+ - remove
+ - replace
+ x-enumDescriptions:
+ remove: Removes the attribute in `path`
+ replace: Replaces the attribute in content `path` with the content in `value`
PerClientRateLimitMode:
type: string
enum:
@@ -28695,11 +59718,26 @@ components:
$ref: '#/components/schemas/HrefObject'
PermissionConditions:
x-okta-lifecycle:
- features:
- - CUSTOM_ADMIN_ROLES_CONDITIONS
+ lifecycle: GA
+ isGenerallyAvailable: true
description: Conditions for further restricting a permission
nullable: true
type: object
+ properties:
+ exclude:
+ type: object
+ description: Exclude attributes with specific values for the permission
+ additionalProperties:
+ type: object
+ properties: {}
+ nullable: true
+ include:
+ type: object
+ description: Include attributes with specific values for the permission
+ additionalProperties:
+ type: object
+ properties: {}
+ nullable: true
Permissions:
type: object
properties:
@@ -28707,12 +59745,37 @@ components:
type: array
items:
$ref: '#/components/schemas/Permission'
+ PersonalAppsBlockList:
+ description: Defines a list of email domains with a subset of the properties for each domain
+ type: object
+ properties:
+ domains:
+ type: array
+ description: List of blocked email domains
+ PinRequest:
+ description: Pin Request
+ type: object
+ properties:
+ authenticatorEnrollmentId:
+ description: ID for a WebAuthn Preregistration Factor in Okta
+ type: string
+ fulfillmentProvider:
+ description: Name of the fulfillment provider for the WebAuthn Preregistration Factor
+ type: string
+ enum:
+ - yubico
+ userId:
+ description: ID of an existing Okta user
+ type: string
PipelineType:
- description: The authentication pipeline of the org. `idx` means the org is using the Identity Engine, while `v1` means the org is using the Classic authentication pipeline.
+ description: The authentication pipeline of the org
type: string
enum:
- idx
- v1
+ x-enumDescriptions:
+ idx: Identity Engine
+ v1: Classic Engine
Platform:
type: string
enum:
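Review bot: `PersonalAppsBlockList.domains` is declared `type: array` with no `items`, which is required for array schemas in OpenAPI 3.0 and leaves the element type undefined for generated clients; add `items: {type: string}` beneath `description` (or a `$ref` if each domain is an object, as "a subset of the properties for each domain" in the description suggests). The `PinRequest.fulfillmentProvider` enum currently lists only `yubico`; if more providers are expected, a `x-enumDescriptions` entry like the other enums in this hunk would keep the style consistent.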
@@ -28760,6 +59823,17 @@ components:
type: array
items:
$ref: '#/components/schemas/PlatformConditionEvaluatorPlatform'
+ PlayProtectVerdict:
+ description: Indicates if Google Play Protect is enabled on the device and whether it has found known malware
+ type: string
+ enum:
+ - HIGH
+ - LOW
+ - MEDIUM
+ x-enumDescriptions:
+ LOW: Play Protect is turned on and didn't find any app issues on the device
+ MEDIUM: Play Protect is turned on and either hasn't performed a scan yet or has found potentially harmful apps installed on the device
+ HIGH: Play Protect is turned on and has either found dangerous apps installed on the device or its verdict wasn't evaluated. That is, the device isn't trustworthy enough.
Policy:
type: object
properties:
@@ -28768,29 +59842,35 @@ components:
type: string
format: date-time
readOnly: true
+ default: Assigned
description:
- description: Policy description
+ description: Description of the Policy
type: string
+ default: null
id:
- description: Policy ID
+ description: Identifier of the Policy
type: string
readOnly: true
+ default: Assigned
lastUpdated:
- description: Timestamp when the Policy was last updated
+ description: Timestamp when the Policy was last modified
type: string
format: date-time
readOnly: true
+ default: Assigned
name:
- description: Policy name
+ description: Name of the Policy
type: string
priority:
description: Specifies the order in which this Policy is evaluated in relation to the other policies
type: integer
+ default: Last / Lowest Priority, for example `1`
status:
$ref: '#/components/schemas/LifecycleStatus'
system:
description: Specifies whether Okta created the Policy
type: boolean
+ default: false
type:
$ref: '#/components/schemas/PolicyType'
_embedded:
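Review bot: The `default` values added to `Policy` are prose rather than instances of the declared types: `default: Assigned` on `created`, `id` and `lastUpdated` (string `date-time` / identifier fields that are `readOnly`), and `default: Last / Lowest Priority, for example `1`` on `priority`, which is `type: integer`. Schema validators and code generators treat `default` as a typed literal, so these will either fail validation or emit nonsensical defaults. Drop the `default` keys on the read-only fields and move the wording into each `description` (e.g. `description: Identifier of the Policy, assigned by Okta`), and for `priority` either omit `default` or give a real integer. `description: default: null` is valid but only meaningful if the property is also marked `nullable: true`.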
@@ -28801,34 +59881,27 @@ components:
readOnly: true
_links:
$ref: '#/components/schemas/PolicyLinks'
+ required:
+ - name
+ - type
discriminator:
propertyName: type
mapping:
ACCESS_POLICY: '#/components/schemas/AccessPolicy'
IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy'
- MFA_ENROLL: '#/components/schemas/MultifactorEnrollmentPolicy'
+ MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy'
OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy'
PASSWORD: '#/components/schemas/PasswordPolicy'
PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy'
- PolicyLinks:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObjectSelfLink'
- activate:
- $ref: '#/components/schemas/HrefObjectActivateLink'
- deactivate:
- $ref: '#/components/schemas/HrefObjectDeactivateLink'
- rules:
- $ref: '#/components/schemas/HrefObjectRulesLink'
- mappings:
- $ref: '#/components/schemas/HrefObjectMappingsLink'
+ POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy'
+ ENTITY_RISK: '#/components/schemas/EntityRiskPolicy'
PolicyAccess:
type: string
enum:
- ALLOW
- DENY
PolicyAccountLink:
+ description: Specifies the behavior for linking an IdP User to an existing Okta User
type: object
properties:
action:
@@ -28836,34 +59909,48 @@ components:
filter:
$ref: '#/components/schemas/PolicyAccountLinkFilter'
PolicyAccountLinkAction:
+ description: Specifies the account linking action for an IdP User
type: string
enum:
- AUTO
- DISABLED
+ x-enumDescriptions:
+ AUTO: The IdP User is automatically linked to an Okta User when the transformed IdP User matches an existing Okta User according to [subject match rules](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request).
+ DISABLED: Okta never attempts to link the IdP User to an existing Okta User, but may still attempt to provision a new Okta User according to the [provisioning action type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request).
PolicyAccountLinkFilter:
+ description: Specifies Group memberships to restrict which Users are available for account linking by an IdP
type: object
properties:
groups:
$ref: '#/components/schemas/PolicyAccountLinkFilterGroups'
PolicyAccountLinkFilterGroups:
+ description: Group memberships used to determine link candidates
type: object
properties:
include:
type: array
+ description: Specifies the allowlist of Group identifiers to match against. Group memberships are restricted to type `OKTA_GROUP`.
items:
type: string
+ example: 00gjg5lzfBpn62wuF0g3
PolicyContext:
type: object
properties:
- user:
+ device:
type: object
- description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both.
properties:
- id:
+ platform:
type: string
- description: The unique ID number for the user.
- required:
- - id
+ description: The platform of the device, for example, IOS.
+ registered:
+ type: boolean
+ description: If the device is registered
+ managed:
+ type: boolean
+ description: If the device is managed
+ assuranceId:
+ type: string
+ description: The device assurance policy ID for the simulation
groups:
type: object
description: An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both.
@@ -28874,7 +59961,10 @@ components:
type: string
uniqueItems: true
required:
- - ids
+ - ids
+ ip:
+ type: string
+ description: The network rule condition, zone, or IP address
risk:
type: object
description: The risk rule condition level
@@ -28885,31 +59975,40 @@ components:
- LOW
- MEDIUM
- HIGH
- ip:
- type: string
- description: The network rule condition, zone, or IP address
+ user:
+ type: object
+ description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both.
+ properties:
+ id:
+ type: string
+ description: The unique ID number for the user.
+ required:
+ - id
zones:
type: object
+ description: The zone ID under the network rule condition.
properties:
ids:
type: array
items:
type: string
- device:
- type: object
- properties:
- platform:
- type: string
- description: The platform of the device, for example, IOS.
- registered:
- type: boolean
- description: If the device is registered
- managed:
- type: boolean
- description: If the device is managed
required:
- user
- groups
+ PolicyLinks:
+ type: object
+ properties:
+ activate:
+ $ref: '#/components/schemas/HrefObjectActivateLink'
+ deactivate:
+ $ref: '#/components/schemas/HrefObjectDeactivateLink'
+ mappings:
+ $ref: '#/components/schemas/HrefObjectMappingsLink'
+ rules:
+ $ref: '#/components/schemas/HrefObjectRulesLink'
+ self:
+ $ref: '#/components/schemas/HrefObjectSelfLink'
+ readOnly: true
PolicyMapping:
type: object
properties:
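Review bot: `PolicyContext` lists both `user` and `groups` under `required`, while the descriptions of `user` and `groups` (the `user` block is moved in this hunk) say that only user IDs or group IDs are allowed, not both; a payload cannot satisfy both statements. These `required` lines predate the commit, but since the hunk rewrites the `user` property it is the place to reconcile them, for example by replacing the `required` list with a `oneOf` over the two shapes, or by correcting the descriptions if both are in fact accepted. `PolicyLinks` now carries `readOnly: true` at the schema level, which is consistent with its use in responses.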
@@ -28923,10 +60022,6 @@ components:
allOf:
- $ref: '#/components/schemas/HrefObject'
- description: Link to the mapped application
- authenticator:
- allOf:
- - $ref: '#/components/schemas/HrefObject'
- - description: Link to the mapped authenticator
policy:
allOf:
- $ref: '#/components/schemas/HrefObject'
@@ -28949,24 +60044,31 @@ components:
$ref: '#/components/schemas/PolicyNetworkConnection'
exclude:
type: array
+ description: The zones to exclude. Required only if connection data type is `ZONE`
items:
type: string
include:
type: array
+ description: The zones to include. Required only if connection data type is `ZONE`
items:
type: string
PolicyNetworkConnection:
+ description: Network selection mode
type: string
enum:
- ANYWHERE
- ZONE
PolicyPeopleCondition:
+ description: Identifies Users and Groups that are used together
type: object
properties:
groups:
$ref: '#/components/schemas/GroupCondition'
users:
$ref: '#/components/schemas/UserCondition'
+ required:
+ - groups
+ - users
PolicyPlatformOperatingSystemType:
type: string
enum:
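Review bot: `PolicyPeopleCondition` gains `required: [groups, users]`, which tightens the contract for every schema that references it (e.g. `PasswordPolicyRuleConditions.people` earlier in this diff); if existing policy payloads that send only a `groups` condition are still accepted by the API, this will cause spurious validation failures in generated clients. Please confirm the server really rejects a people condition with only one of the two keys before keeping the `required` list. The added `exclude`/`include` descriptions on the network condition say they are required only when the connection type is `ZONE`, which cannot be expressed with `required` here and is fine as prose.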
@@ -29015,6 +60117,8 @@ components:
default: false
type:
$ref: '#/components/schemas/PolicyRuleType'
+ _links:
+ $ref: '#/components/schemas/PolicyLinks'
discriminator:
propertyName: type
mapping:
@@ -29024,6 +60128,9 @@ components:
RESOURCE_ACCESS: '#/components/schemas/AuthorizationServerPolicyRule'
SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule'
IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule'
+ POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule'
+ ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule'
+ MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule'
PolicyRuleActions:
type: object
PolicyRuleActionsEnroll:
@@ -29046,6 +60153,7 @@ components:
type: string
enum:
- ANY
+ - LDAP_INTERFACE
- RADIUS
PolicyRuleConditions:
type: object
@@ -29093,31 +60201,52 @@ components:
userStatus:
$ref: '#/components/schemas/UserStatusPolicyRuleCondition'
PolicyRuleType:
+ description: Rule type
type: string
enum:
- ACCESS_POLICY
+ - ENTITY_RISK
- IDP_DISCOVERY
- MFA_ENROLL
- PASSWORD
+ - POST_AUTH_SESSION
- PROFILE_ENROLLMENT
- RESOURCE_ACCESS
- SIGN_ON
+ PolicyRuleVerificationMethodType:
+ description: Verification method type
+ type: string
+ enum:
+ - ASSURANCE
+ - AUTH_METHOD_CHAIN
PolicySubject:
+ description: Specifies the behavior for establishing, validating, and matching a username for an IdP User
type: object
properties:
filter:
type: string
- format:
- type: array
- items:
- type: string
+ description: |-
+ Optional [regular expression pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) used to filter untrusted IdP usernames.
+ * As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. The filter prevents an IdP from issuing an assertion for any User, including partners or directory Users in your Okta org.
+ * For example, the filter pattern `(\S+@example\.com)` allows only Users that have an `@example.com` username suffix. It rejects assertions that have any other suffix such as `@corp.example.com` or `@partner.com`.
+ * Only `SAML2` and `OIDC` IdP providers support the `filter` property.
+ maxLength: 1024
+ example: (\S+@example\.com)
matchAttribute:
type: string
+ description: |-
+ Okta User profile attribute for matching a transformed IdP username. Only for matchType `CUSTOM_ATTRIBUTE`.
+ The `matchAttribute` must be a valid Okta User profile attribute of one of the following types:
+ * String (with no format or 'email' format only)
+ * Integer
+ * Number
+ example: login
matchType:
$ref: '#/components/schemas/PolicySubjectMatchType'
userNameTemplate:
$ref: '#/components/schemas/PolicyUserNameTemplate'
PolicySubjectMatchType:
+ description: Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username
type: string
enum:
- CUSTOM_ATTRIBUTE
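Review bot: The `filter` description on `PolicySubject` doesn't say whether the pattern is matched against the whole IdP username or searched for within it, and the worked example depends on that: the claim that `(\S+@example\.com)` rejects `@corp.example.com` and `@partner.com` suffixes only holds for a full (anchored) match. If the service applies a full match, add a sentence such as `The pattern must match the entire IdP username.`; if it does not, the example should carry explicit `^...$` anchors so readers don't copy an unanchored filter. Because this filter is the control that keeps a connected IdP from asserting arbitrary users, the matching semantics are worth stating precisely rather than leaving to inference.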
@@ -29125,19 +60254,40 @@ components:
- USERNAME
- USERNAME_OR_EMAIL
PolicyType:
+ description: |-
+ All Okta orgs contain only one IdP Discovery Policy with an immutable default Rule routing to your org's sign-in page.
+ Creating or replacing a policy with the `IDP_DISCOVERY` type isn't supported. The following policy types are available with
+ Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`.
type: string
enum:
- ACCESS_POLICY
+ - ENTITY_RISK
- IDP_DISCOVERY
- MFA_ENROLL
- OKTA_SIGN_ON
- PASSWORD
+ - POST_AUTH_SESSION
+ - PROFILE_ENROLLMENT
+ - RESOURCE_ACCESS
+ PolicyTypeSimulation:
+ type: string
+ enum:
+ - ACCESS_POLICY
+ - MFA_ENROLL
+ - OKTA_SIGN_ON
- PROFILE_ENROLLMENT
PolicyUserNameTemplate:
+ description: |-
+ [Okta Expression Language (EL) expression](https://developer.okta.com/docs/reference/okta-expression-language/) to generate or transform a unique username for the IdP User.
+ * IdP User profile attributes can be referenced with the `idpuser` prefix such as `idpuser.subjectNameId`.
+ * You must define an IdP User profile attribute before it can be referenced in an Okta EL expression. To define an IdP User attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP User profile to update the IdP instance with an expression that references the IdP User profile attribute that you just created.
type: object
properties:
template:
type: string
+ minLength: 9
+ maxLength: 1024
+ example: idpuser.subjectNameId
PolicyUserStatus:
type: string
enum:
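Review bot: `PolicyTypeSimulation` is added without a `description`, while the neighbouring schemas in this hunk (`PolicyType`, `PolicyUserNameTemplate`) each gained one; a one-liner such as `description: Policy types that can be evaluated by policy simulation` (adjusted to the actual consumer) keeps the generated reference self-explanatory. `PolicyUserNameTemplate.template` also gains `minLength: 9` with no stated rationale; if it corresponds to the shortest valid expression (`idpuser.` plus one character) say so in the description so the constant doesn't look arbitrary. The `PolicyType` description enumerates the Identity Engine types but the enum in the same hunk also gains `RESOURCE_ACCESS`, which the text doesn't mention.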
@@ -29189,6 +60339,89 @@ components:
- OPTIONAL
- REQUIRED
default: OPTIONAL
+ PostAuthKeepMeSignedInPrompt:
+ type: object
+ properties:
+ acceptButtonText:
+ type: string
+ description: The label on the accept button when prompting for Stay signed in
+ rejectButtonText:
+ type: string
+ description: The label on the reject button when prompting for Stay signed in
+ subtitle:
+ type: string
+ description: The subtitle on the Sign-In Widget when prompting for Stay signed in
+ title:
+ type: string
+ description: The title on the Sign-In Widget when prompting for Stay signed in
+ PostAuthSessionFailureActionsObject:
+ type: object
+ properties:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ - TERMINATE_SESSION
+ discriminator:
+ propertyName: action
+ mapping:
+ RUN_WORKFLOW: '#/components/schemas/PostAuthSessionPolicyRuleRunWorkflow'
+ TERMINATE_SESSION: '#/components/schemas/PostAuthSessionPolicyRuleTerminateSession'
+ PostAuthSessionPolicy:
+ allOf:
+ - $ref: '#/components/schemas/Policy'
+ - type: object
+ properties:
+ conditions:
+ type: string
+ description: Policy conditions aren't supported for this policy type.
+ default: null
+ nullable: true
+ PostAuthSessionPolicyRule:
+ allOf:
+ - $ref: '#/components/schemas/PolicyRule'
+ - type: object
+ properties:
+ actions:
+ type: object
+ description: The action to take in response to a failure of the reevaluated global session policy or authentication polices.
+ properties:
+ postAuthSession:
+ type: object
+ description: This object contains a `failureActions` array that defines the specific action to take when post auth session evaluation detects a failure.
+ properties:
+ failureActions:
+ type: array
+ description: An array of objects that define the action. It can be empty or contain two `action` value pairs.
+ items:
+ $ref: '#/components/schemas/PostAuthSessionFailureActionsObject'
+ conditions:
+ type: object
+ properties:
+ people:
+ $ref: '#/components/schemas/PolicyPeopleCondition'
+ PostAuthSessionPolicyRuleRunWorkflow:
+ type: object
+ properties:
+ action:
+ type: string
+ enum:
+ - RUN_WORKFLOW
+ workflow:
+ type: object
+ description: This action runs a workflow
+ properties:
+ id:
+ type: integer
+ description: The `id` of the workflow that runs.
+ PostAuthSessionPolicyRuleTerminateSession:
+ type: object
+ properties:
+ action:
+ type: string
+ description: The action to take when post auth session evaluation detects a failure.
+ enum:
+ - TERMINATE_SESSION
PreRegistrationInlineHook:
type: object
properties:
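Review bot: `PostAuthSessionFailureActionsObject` declares a `discriminator` on `action`, but the two mapped schemas (`PostAuthSessionPolicyRuleRunWorkflow`, `PostAuthSessionPolicyRuleTerminateSession`) are standalone objects that neither `allOf`-reference the parent nor appear in a `oneOf`, so OAS 3.0 tooling has no composition to attach the discriminator to and most generators will emit three unrelated types. Either add `- $ref: '#/components/schemas/PostAuthSessionFailureActionsObject'` under an `allOf` in each child (the pattern `PrivilegedAccountDetailsAppAccount` uses later in this diff) or make the parent a `oneOf` of the two. The `failureActions` description says the array "can be empty or contain two `action` value pairs"; if that is a hard limit, encode it as `maxItems: 2` rather than prose alone. `workflow.id` is typed `integer` while every other `id` in this file is a string — worth confirming against the API rather than inferring.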
@@ -29236,13 +60469,373 @@ components:
type: string
enum:
- SSWS_TOKEN
+ PrivilegedAccount:
+ type: object
+ properties:
+ accountType:
+ $ref: '#/components/schemas/PrivilegedAccountType'
+ created:
+ type: string
+ format: date-time
+ description: Timestamp when the Privileged Account was created
+ readOnly: true
+ description:
+ description: The description of the Privileged Account
+ format: regex
+ maxLength: 255
+ minLength: 0
+ type: string
+ example: This is for accessing AWS Prod-5
+ id:
+ description: The UUID of the Privileged Account
+ format: regex
+ pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$
+ readOnly: true
+ type: string
+ example: a747a818-a4c4-4446-8a87-704216495a08
+ lastUpdated:
+ type: string
+ format: date-time
+ description: Timestamp when the Privileged Account was last updated
+ readOnly: true
+ name:
+ description: The human-readable name for the Privileged Account
+ format: regex
+ maxLength: 50
+ minLength: 1
+ pattern: ^[\w\-_. ]+$
+ type: string
+ example: AWS Prod-5 account
+ ownerGroupIds:
+ description: A list of IDs of the Okta groups that own the Privileged Account
+ type: array
+ items:
+ type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ description: A list of IDs of the Okta users that own the Privileged Account
+ type: array
+ items:
+ type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00u11s48P9zGW8yqm0g5
+ status:
+ $ref: '#/components/schemas/PrivilegedAccountStatus'
+ statusDetail:
+ $ref: '#/components/schemas/PrivilegedAccountStatusDetail'
+ required:
+ - name
+ - accountType
+ discriminator:
+ propertyName: accountType
+ mapping:
+ APP_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsAppAccount'
+ OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccount'
+ PrivilegedAccountCredentials:
+ description: Credentials for a Privileged Account
+ type: object
+ properties:
+ password:
+ type: string
+ writeOnly: true
+ description: The password associated with the Privileged Account
+ format: password
+ username:
+ type: string
+ description: The username associated with the Privileged Account
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ required:
+ - username
+ PrivilegedAccountDetailsAppAccount:
+ description: Details for a SaaS Application Account, which will be managed as a Privileged Account
+ allOf:
+ - $ref: '#/components/schemas/PrivilegedAccount'
+ - type: object
+ properties:
+ details:
+ $ref: '#/components/schemas/PrivilegedAccountDetailsAppAccountSub'
+ required:
+ - details
+ PrivilegedAccountDetailsAppAccountSub:
+ description: Details for a SaaS Application Account, which will be managed as a Privileged Account
+ type: object
+ properties:
+ appGlobalName:
+ description: The name of the SaaS Application in the Okta Integration Network catalog
+ type: string
+ example: Salesforce
+ appInstanceName:
+ description: The instance name of the SaaS Application
+ type: string
+ example: Salesforce Prod
+ credentials:
+ $ref: '#/components/schemas/PrivilegedAccountCredentials'
+ oktaApplicationId:
+ description: The Okta app instance ID of the SaaS Application
+ type: string
+ example: aln1aqcs055ZRoizW0g8
+ required:
+ - oktaApplicationId
+ - credentials
+ PrivilegedAccountDetailsOktaUserAccount:
+ description: Details for managing an Okta Universal Directory Account as a Privileged Account
+ allOf:
+ - $ref: '#/components/schemas/PrivilegedAccount'
+ - type: object
+ properties:
+ details:
+ $ref: '#/components/schemas/PrivilegedAccountDetailsOktaUserAccountSub'
+ required:
+ - details
+ PrivilegedAccountDetailsOktaUserAccountSub:
+ description: Details for managing an Okta Universal Directory Account as a Privileged Account
+ type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/PrivilegedAccountCredentials'
+ email:
+ description: The email address for the Okta Universal Directory Account
+ type: string
+ example: foo@bar.com
+ minLength: 5
+ maxLength: 100
+ oktaUserId:
+ description: An optional Okta user ID. If supplied, converts the matching Okta Universal Directory Account to a Privileged Account and updates the account with the provided details.
+ type: string
+ example: 00u11s48P9zGW8yqm0g5
+ required:
+ - email
+ - credentials
+ PrivilegedAccountForUpdate:
+ type: object
+ properties:
+ description:
+ description: The description of the Privileged Account
+ format: regex
+ maxLength: 255
+ minLength: 0
+ type: string
+ example: This is for accessing AWS Prod-5
+ email:
+ description: The email address for the Okta Universal Directory Account
+ type: string
+ example: foo@bar.com
+ minLength: 5
+ maxLength: 100
+ name:
+ description: The human-readable name for the Privileged Account
+ format: regex
+ maxLength: 50
+ minLength: 1
+ pattern: ^[\w\-_. ]+$
+ type: string
+ example: AWS Prod-5 account
+ ownerGroupIds:
+ description: A list of IDs of the Okta groups who own the Privileged Account
+ type: array
+ items:
+ type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00g57qp78yZT2XBA40g7
+ ownerUserIds:
+ description: A list of IDs of the Okta users who own the Privileged Account
+ type: array
+ items:
+ type: string
+ minItems: 0
+ maxItems: 10
+ example:
+ - 00u11s48P9zGW8yqm0g5
+ username:
+ type: string
+ description: The username associated with the Privileged Account
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ PrivilegedAccountStatus:
+ description: Describes the current status of a Privileged Account
+ type: string
+ enum:
+ - ALERT
+ - ERROR
+ - INFO
+ - NO_ISSUES
+ - UNSECURED
+ x-enumDescriptions:
+ NO_ISSUES: The Account is ready for use in Okta Privileged Access
+ UNSECURED: The Account needs to be assigned to a Resource Group and a Project in Okta Privileged Access
+ INFO: An action involving the Account is currently in progress in Okta Privileged Access
+ ALERT: The Account requires attention from an Administrator
+ ERROR: An error is preventing the Account from being used in Okta Privileged Access
+ PrivilegedAccountStatusDetail:
+ description: Describes the detailed status of a Privileged Account
+ type: string
+ enum:
+ - CREATION_FAILED
+ - MISSING_PASSWORD
+ - PENDING
+ - ROTATED
+ - ROTATING
+ - ROTATION_FAILED
+ - STAGED
+ - VAULTED
+ x-enumDescriptions:
+ PENDING: The Account is in the process of being created
+ CREATION_FAILED: The Account could not be created
+ STAGED: The Account is in the Okta Privileged Access resource assignment area
+ ROTATING: The Account is assigned to a Project in Okta Privileged Access. Credentials are currently being synced using Okta Lifecycle Management.
+ ROTATED: The Account is assigned to a Project in Okta Privileged Access. Password rotations are fulfilled by Okta Lifecycle Management.
+ ROTATION_FAILED: The Account is assigned to a Project in Okta Privileged Access. An error occurred while using Okta Lifecycle Management to rotate the password.
+ VAULTED: The Account is assigned to a Project in Okta Privileged Access. A manually managed password is assigned to the Account.
+ MISSING_PASSWORD: The Account is assigned to a Project in Okta Privileged Access. A password is not assigned to the Account.
+ PrivilegedAccountType:
+ description: The type of Privileged Account
+ type: string
+ enum:
+ - APP_ACCOUNT
+ - OKTA_USER_ACCOUNT
+ x-enumDescriptions:
+ APP_ACCOUNT: SaaS Application Account
+ OKTA_USER_ACCOUNT: Okta Universal Directory Account
+ PrivilegedResource:
+ default:
+ resourceType: OKTA_USER_ACCOUNT
+ type: object
+ properties:
+ created:
+ type: string
+ description: Timestamp when the object was created
+ format: date-time
+ readOnly: true
+ example: '2024-06-10T11:11:01.000Z'
+ credentialSyncInfo:
+ $ref: '#/components/schemas/CredentialSyncInfo'
+ readOnly: true
+ example:
+ secretVersionId: 9f8400-e29b-41d4-a716-926655440034
+ syncTime: '2024-06-10T11:13:01.000Z'
+ syncState: NOT_SYNCED
+ errorCode: UNKNOWN_ERROR
+ errorReason: Unknown error
+ id:
+ type: string
+ description: ID of the privileged resource
+ readOnly: true
+ example: opa100xTfFs4MasRf0g4
+ lastUpdated:
+ type: string
+ description: Timestamp when the object was last updated
+ format: date-time
+ readOnly: true
+ example: '2024-06-10T11:13:01.000Z'
+ resourceType:
+ $ref: '#/components/schemas/PrivilegedResourceType'
+ example: APP_ACCOUNT
+ status:
+ $ref: '#/components/schemas/PrivilegedResourceStatus'
+ example: ACTIVE
+ discriminator:
+ propertyName: resourceType
+ mapping:
+ APP_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountApp'
+ OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountOkta'
+ PrivilegedResourceAccountApp:
+ allOf:
+ - type: object
+ properties:
+ containerDetails:
+ $ref: '#/components/schemas/AppAccountContainerDetails'
+ credentials:
+ $ref: '#/components/schemas/PrivilegedResourceCredentials'
+ - $ref: '#/components/schemas/PrivilegedResource'
+ required:
+ - containerId
+ PrivilegedResourceAccountOkta:
+ allOf:
+ - type: object
+ properties:
+ resourceId:
+ type: string
+ description: The user ID associated with the Okta privileged resource
+ example: 00u100xTfFs4MasRf0g4
+ credentials:
+ $ref: '#/components/schemas/PrivilegedResourceCredentials'
+ profile:
+ $ref: '#/components/schemas/profile'
+ example:
+ email: testuser@example.com
+ - $ref: '#/components/schemas/PrivilegedResource'
+ PrivilegedResourceCredentials:
+ description: Credentials for the privileged account
+ type: object
+ properties:
+ password:
+ type: string
+ description: The password associated with the privileged resource
+ format: password
+ writeOnly: true
+ example: xf1bs9am2
+ userName:
+ type: string
+ description: The username associated with the privileged resource
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
+ required:
+ - userName
+ PrivilegedResourceStatus:
+ description: Current status of the privileged resource
+ type: string
+ enum:
+ - ACTIVE
+ - CREATED
+ - CREATION_FAILED
+ - INACTIVE
+ - PENDING
+ x-enumDescriptions:
+ CREATED: The privileged resource is created but not yet managed by OPA
+ ACTIVE: The privileged resource is currently managed by OPA
+ INACTIVE: The privileged resource is `INACTIVE` and not currently managed by OPA
+ readOnly: true
+ PrivilegedResourceType:
+ description: The type of the resource
+ type: string
+ enum:
+ - APP_ACCOUNT
+ - OKTA_USER_ACCOUNT
+ PrivilegedResourceUpdateRequest:
+ description: Update request for a privileged resource
+ type: object
+ properties:
+ profile:
+ $ref: '#/components/schemas/profile'
+ example:
+ email: testuser@example.com
+ userName:
+ type: string
+ description: The username associated with the privileged resource
+ minLength: 1
+ maxLength: 100
+ example: testuser@example.com
ProfileEnrollmentPolicy:
allOf:
- $ref: '#/components/schemas/Policy'
- type: object
properties:
conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
+ type: string
+ description: Policy conditions aren't supported for this policy type
+ default: null
+ nullable: true
ProfileEnrollmentPolicyRule:
allOf:
- $ref: '#/components/schemas/PolicyRule'
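Review bot: `PrivilegedResourceCredentials.password` carries `example: xf1bs9am2`; the sibling `PrivilegedAccountCredentials.password` correctly omits an example, and since examples are rendered into reference docs, mock servers and SDK samples, a credential field should not ship a sample value at all — drop the `example` line and keep `writeOnly: true` / `format: password`. The `PrivilegedAccount.id` pattern uses the inline flag `(?i)`, which the ECMA-262 dialect OpenAPI specifies for `pattern` does not support, so JavaScript-based validators will reject the pattern; `[0-9a-fA-F]` classes are the portable spelling. `format: regex` on `description` and `name` in `PrivilegedAccount` and `PrivilegedAccountForUpdate` asserts that the value itself is a regular expression, which is not what is meant — remove `format` and keep `pattern`/`maxLength`. `PrivilegedResourceAccountApp` lists `containerId` as required but no property of that name is defined in its visible properties (only `containerDetails`), and `PrivilegedResourceStatus` documents only three of its five enum values in `x-enumDescriptions`.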
@@ -29251,36 +60844,63 @@ components:
actions:
$ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions'
conditions:
- $ref: '#/components/schemas/PolicyRuleConditions'
+ type: string
+ description: Policy Rule conditions aren't supported for this policy type
+ default: null
+ nullable: true
ProfileEnrollmentPolicyRuleAction:
type: object
properties:
access:
type: string
+ enum:
+ - ALLOW
+ - DENY
+ description: '**Note:** The Profile Enrollment Action object can''t be modified to set the `access` property to `DENY` after the policy is created.'
activationRequirements:
$ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement'
+ allowedIdentifiers:
+ items:
+ type: string
+ type: array
+ description: A list of attributes to identify an end user. Can be used across Okta sign-in, unlock, and recovery flows.
+ default:
+ - login
+ enrollAuthenticatorTypes:
+ items:
+ type: string
+ type: array
+ description: Additional authenticator fields that can be used on the first page of user registration. Valid values only includes `'password'`.
preRegistrationInlineHooks:
items:
$ref: '#/components/schemas/PreRegistrationInlineHook'
type: array
+ description: (Optional) The `id` of at most one registration inline hook
profileAttributes:
items:
$ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute'
type: array
+ description: A list of attributes to prompt the user during registration or progressive profiling. Where defined on the User schema, these attributes are persisted in the User profile. Non-schema attributes can also be added, which aren't persisted to the User's profile, but are included in requests to the registration inline hook. A maximum of 10 Profile properties is supported.
+ progressiveProfilingAction:
+ type: string
+ enum:
+ - ENABLED
+ - DISABLED
+ description: Progressive profile enrollment helps evaluate the profile enrollment policy at every user login. Users can be prompted to provide input for newly required attributes.
targetGroupIds:
items:
type: string
type: array
+ description: (Optional, max 1 entry) The `id` of a Group that this User should be added to
+ uiSchemaId:
+ type: string
+ description: Value created by the backend. If present, all policy updates must include this attribute/value.
unknownUserAction:
type: string
enum:
- DENY
- REGISTER
- progressiveProfilingAction:
- type: string
- enum:
- - ENABLED
- - DISABLED
+ description: Which action should be taken if this User is new
ProfileEnrollmentPolicyRuleActions:
allOf:
- $ref: '#/components/schemas/PolicyRuleActions'
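Review bot: Several limits in the new `ProfileEnrollmentPolicyRuleAction` descriptions exist only as prose and are not encoded in the schema: `preRegistrationInlineHooks` says "at most one", `targetGroupIds` says "max 1 entry", `profileAttributes` says "a maximum of 10", and `enrollAuthenticatorTypes` says the only valid value is `'password'`. Adding `maxItems: 1`, `maxItems: 1`, `maxItems: 10` and an `enum: [password]` on the respective `items` lets validators and generated clients enforce them, with the text remaining as explanation. The `enrollAuthenticatorTypes` sentence also has a grammar slip ("Valid values only includes") that reads better as `Valid values include only `password``.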
@@ -29289,40 +60909,24 @@ components:
profileEnrollment:
$ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction'
ProfileEnrollmentPolicyRuleActivationRequirement:
+ description: Contains a single Boolean property that indicates whether `emailVerification` should occur (`true`) or not (`false`, default)
type: object
properties:
emailVerification:
- type: boolean
+ type: boolean
ProfileEnrollmentPolicyRuleProfileAttribute:
type: object
properties:
label:
type: string
+ description: A display-friendly label for this property
name:
type: string
+ description: The name of a User Profile property. Can be an existing property.
required:
type: boolean
- IdpDiscoveryPolicyRule:
- allOf:
- - $ref: '#/components/schemas/PolicyRule'
- - type: object
- properties:
- actions:
- $ref: '#/components/schemas/IdpPolicyRuleAction'
- conditions:
- $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition'
- IdpDiscoveryPolicyRuleCondition:
- allOf:
- - type: object
- properties:
- app:
- $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition'
- network:
- $ref: '#/components/schemas/PolicyNetworkCondition'
- userIdentifier:
- $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition'
- platform:
- $ref: '#/components/schemas/PlatformPolicyRuleCondition'
+ description: (Optional, default `FALSE`) Indicates if this property is required for enrollment
+ default: false
ProfileMapping:
description: |-
The Profile Mapping object describes a mapping between an Okta User's and an App User's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04).
@@ -29340,10 +60944,8 @@ components:
$ref: '#/components/schemas/ProfileMappingProperty'
readOnly: false
source:
- type: object
$ref: '#/components/schemas/ProfileMappingSource'
target:
- type: object
$ref: '#/components/schemas/ProfileMappingTarget'
_links:
$ref: '#/components/schemas/LinksSelf'
@@ -29422,10 +61024,10 @@ components:
$ref: '#/components/schemas/SourceLinks'
ProfileSettingObject:
description: |
- This setting determines whether a user in the application gets updated when they're updated in Okta.
+ This setting determines whether a user in the app gets updated when they're updated in Okta.
- If enabled, Okta updates a user's attributes in the application when the application is assigned.
- Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the application.
+ If enabled, Okta updates a user's attributes in the app when the app is assigned.
+ Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the app.
type: object
properties:
status:
@@ -29433,122 +61035,117 @@ components:
- $ref: '#/components/schemas/EnabledStatus'
- example: DISABLED
- default: DISABLED
- Protocol:
- type: object
- properties:
- algorithms:
- $ref: '#/components/schemas/ProtocolAlgorithms'
- credentials:
- $ref: '#/components/schemas/IdentityProviderCredentials'
- endpoints:
- $ref: '#/components/schemas/ProtocolEndpoints'
- issuer:
- $ref: '#/components/schemas/ProtocolEndpoint'
- relayState:
- $ref: '#/components/schemas/ProtocolRelayState'
- scopes:
- type: array
- items:
- type: string
- settings:
- $ref: '#/components/schemas/ProtocolSettings'
- type:
- $ref: '#/components/schemas/ProtocolType'
- ProtocolAlgorithmType:
- type: object
- properties:
- signature:
- $ref: '#/components/schemas/ProtocolAlgorithmTypeSignature'
- ProtocolAlgorithmTypeSignature:
- type: object
- properties:
- algorithm:
- type: string
- scope:
- $ref: '#/components/schemas/ProtocolAlgorithmTypeSignatureScope'
- ProtocolAlgorithmTypeSignatureScope:
+ ProtocolAlgorithmRequestScope:
+ description: Specifies whether to digitally sign authorization requests to the IdP
+ example: REQUEST
type: string
enum:
- - ANY
- NONE
- REQUEST
+ ProtocolAlgorithmResponseScope:
+ description: Specifies whether to verify responses from the IdP
+ example: ANY
+ type: string
+ enum:
+ - ANY
- RESPONSE
- TOKEN
- ProtocolAlgorithms:
- type: object
- properties:
- request:
- $ref: '#/components/schemas/ProtocolAlgorithmType'
- response:
- $ref: '#/components/schemas/ProtocolAlgorithmType'
- ProtocolEndpoint:
- type: object
- properties:
- binding:
- $ref: '#/components/schemas/ProtocolEndpointBinding'
- destination:
- type: string
- type:
- $ref: '#/components/schemas/ProtocolEndpointType'
- url:
- type: string
+ ProtocolCredentialsKeyId:
+ description: IdP Key Credential reference to the Okta X.509 signature certificate
+ example: your-key-id
+ type: string
ProtocolEndpointBinding:
type: string
enum:
- HTTP-POST
- HTTP-REDIRECT
- ProtocolEndpointType:
- type: string
- enum:
- - INSTANCE
- - ORG
- ProtocolEndpoints:
+ ProtocolMtls:
+ title: Mutual TLS Protocol
+ description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4)
type: object
properties:
- acs:
- $ref: '#/components/schemas/ProtocolEndpoint'
- authorization:
- $ref: '#/components/schemas/ProtocolEndpoint'
- jwks:
- $ref: '#/components/schemas/ProtocolEndpoint'
- metadata:
- $ref: '#/components/schemas/ProtocolEndpoint'
- slo:
- $ref: '#/components/schemas/ProtocolEndpoint'
- sso:
- $ref: '#/components/schemas/ProtocolEndpoint'
- token:
- $ref: '#/components/schemas/ProtocolEndpoint'
- userInfo:
- $ref: '#/components/schemas/ProtocolEndpoint'
- ProtocolRelayState:
+ credentials:
+ $ref: '#/components/schemas/MtlsCredentials'
+ endpoints:
+ $ref: '#/components/schemas/MtlsEndpoints'
+ type:
+ type: string
+ description: Mutual TLS
+ enum:
+ - MTLS
+ ProtocolOAuth:
+ title: OAuth 2.0 Protocol
+ description: Protocol settings for authentication using the [OAuth 2.0 Authorization Code flow](https://tools.ietf.org/html/rfc6749#section-4.1)
type: object
properties:
- format:
- $ref: '#/components/schemas/ProtocolRelayStateFormat'
- ProtocolRelayStateFormat:
- type: string
- enum:
- - FROM_URL
- - OPAQUE
- ProtocolSettings:
+ credentials:
+ $ref: '#/components/schemas/OAuthCredentials'
+ endpoints:
+ $ref: '#/components/schemas/OAuthEndpoints'
+ scopes:
+ type: array
+ description: |-
+ IdP-defined permission bundles to request delegated access from the User
+ > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider.
+ items:
+ type: string
+ example: public_profile
+ type:
+ type: string
+ description: OAuth 2.0 Authorization Code flow
+ enum:
+ - OAUTH2
+ ProtocolOidc:
+ title: OpenID Connect Protocol
+ description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
type: object
properties:
- nameFormat:
+ algorithms:
+ $ref: '#/components/schemas/OidcAlgorithms'
+ credentials:
+ $ref: '#/components/schemas/OAuthCredentials'
+ endpoints:
+ $ref: '#/components/schemas/OAuthEndpoints'
+ scopes:
+ type: array
+ description: |-
+ OpenID Connect and IdP-defined permission bundles to request delegated access from the User
+ > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider.
+ items:
+ type: string
+ example: openid
+ type:
type: string
- ProtocolType:
- type: string
- enum:
- - MTLS
- - OAUTH2
- - OIDC
- - SAML2
+ description: OpenID Connect Authorization Code flow
+ enum:
+ - OIDC
+ ProtocolSaml:
+ title: SAML 2.0 Protocol
+ description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
+ type: object
+ properties:
+ algorithms:
+ $ref: '#/components/schemas/SamlAlgorithms'
+ credentials:
+ $ref: '#/components/schemas/SamlCredentials'
+ endpoints:
+ $ref: '#/components/schemas/SamlEndpoints'
+ relayState:
+ $ref: '#/components/schemas/SamlRelayState'
+ settings:
+ $ref: '#/components/schemas/SamlSettings'
+ type:
+ type: string
+ description: SAML 2.0 protocol
+ enum:
+ - SAML2
ProviderType:
type: string
enum:
- APNS
- FCM
Provisioning:
+ description: Specifies the behavior for just-in-time (JIT) provisioning of an IdP User as a new Okta User and their Group memberships
type: object
properties:
action:
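Review bot: `ProtocolAlgorithmResponseScope` is described as "Specifies whether to verify responses from the IdP", but its enum (`ANY`, `RESPONSE`, `TOKEN`) selects which IdP messages are verified and has no "off" value, so the wording should be `description: Specifies which responses from the IdP are signature-verified`; the request-side sibling does have `NONE`, and stating that asymmetry explicitly would help readers. The `ProtocolMtls` description links RFC 5246 §7.4.4, which is the TLS 1.2 CertificateRequest message rather than an "MTLS Protocol" specification; a neutral `description: Protocol settings for mutual TLS client-certificate authentication` avoids pinning the docs to one TLS version.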
@@ -29559,33 +61156,28 @@ components:
$ref: '#/components/schemas/ProvisioningGroups'
profileMaster:
type: boolean
+ description: Determines if the IdP should act as a source of truth for User profile attributes
ProvisioningAction:
+ description: |-
+ Specifies the User provisioning action during authentication when an IdP User isn't linked to an existing Okta User.
+ * To successfully provision a new Okta User, you must enable just-in-time (JIT) provisioning in your org security settings.
+ * If the target username isn't unique or the resulting Okta User profile is missing a required profile attribute, JIT provisioning may fail.
+ * New Okta Users are provisioned with either a `FEDERATION` or `SOCIAL` authentication provider depending on the IdP type.
type: string
enum:
- AUTO
- - CALLOUT
- DISABLED
+ x-enumDescriptions:
+ AUTO: The IdP User profile is transformed through defined universal directory profile mappings to an Okta User profile and automatically provisioned as an Okta User.
+ DISABLED: Okta rejects the authentication request and skips provisioning of a new Okta User if the IdP User isn't linked to an existing Okta User.
ProvisioningConditions:
+ description: Conditional behaviors for an IdP User during authentication
type: object
properties:
deprovisioned:
$ref: '#/components/schemas/ProvisioningDeprovisionedCondition'
suspended:
$ref: '#/components/schemas/ProvisioningSuspendedCondition'
- ProvisioningConnection:
- type: object
- properties:
- authScheme:
- $ref: '#/components/schemas/ProvisioningConnectionAuthScheme'
- profile:
- $ref: '#/components/schemas/ProvisioningConnectionProfile'
- status:
- $ref: '#/components/schemas/ProvisioningConnectionStatus'
- _links:
- $ref: '#/components/schemas/LinksSelfAndLifecycle'
- required:
- - authScheme
- - status
ProvisioningConnectionAuthScheme:
description: Defines the method of authentication
type: string
@@ -29597,62 +61189,75 @@ components:
TOKEN: A token is used to authenticate with the app.
OAUTH2: OAuth 2.0 is used to authenticate with the app.
UNKNOWN: The authentication scheme used by the app isn't supported, or the app doesn't support provisioning.
- ProvisioningConnectionProfile:
- description: |
- The profile used to configure the connection method of authentication and the credentials.
- Currently, token-based and OAuth 2.0-based authentication are supported.
- type: object
- properties:
- authScheme:
- $ref: '#/components/schemas/ProvisioningConnectionAuthScheme'
- discriminator:
- propertyName: authScheme
- mapping:
- TOKEN: '#/components/schemas/ProvisioningConnectionProfileToken'
- OAUTH2: '#/components/schemas/ProvisioningConnectionProfileOauth'
- UNKNOWN: '#/components/schemas/ProvisioningConnectionProfileUnknown'
- ProvisioningConnectionProfileOauth:
- description: |
- The app provisioning connection profile used to configure the method of authentication and the credentials.
- Currently, token-based and OAuth 2.0-based authentication are supported.
+ ProvisioningConnectionOauthAuthScheme:
+ description: OAuth 2.0 is used to authenticate with the app.
+ type: string
+ enum:
+ - OAUTH2
+ ProvisioningConnectionOauthRequest:
+ title: OAuth 2.0-based connection
allOf:
- - $ref: '#/components/schemas/ProvisioningConnectionProfile'
- - type: object
+ - $ref: '#/components/schemas/ProvisioningConnectionRequest'
+ - description: OAuth 2.0-based Provisioning Connection request
properties:
- clientId:
- type: string
- description: Unique client identifier for the OAuth 2.0 service app from the target org
+ profile:
+ $ref: '#/components/schemas/ProvisioningConnectionOauthRequestProfile'
required:
- - authScheme
- - clientId
- ProvisioningConnectionProfileToken:
+ - profile
+ ProvisioningConnectionOauthRequestProfile:
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme'
+ clientId:
+ type: string
+ description: Only used for the Okta Org2Org (`okta_org2org`) app. The unique client identifier for the OAuth 2.0 service app from the target org.
+ settings:
+ $ref: '#/components/schemas/Office365ProvisioningSettings'
+ required:
+ - authScheme
+ ProvisioningConnectionProfileOauth:
description: |
The app provisioning connection profile used to configure the method of authentication and the credentials.
Currently, token-based and OAuth 2.0-based authentication are supported.
- allOf:
- - $ref: '#/components/schemas/ProvisioningConnectionProfile'
- - type: object
- properties:
- token:
- type: string
- description: Token used to authenticate with the app
- required:
- - authScheme
- - token
- ProvisioningConnectionProfileUnknown:
- description: Unknown provisioning connection
- allOf:
- - $ref: '#/components/schemas/ProvisioningConnectionProfile'
- - type: object
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme'
+ clientId:
+ type: string
+ required:
+ - authScheme
ProvisioningConnectionRequest:
type: object
+ ProvisioningConnectionRequestAuthScheme:
+ type: string
+ enum:
+ - OAUTH2
+ - TOKEN
+ ProvisioningConnectionResponse:
+ type: object
properties:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme'
+ baseUrl:
+ type: string
+ description: Base URL
profile:
- $ref: '#/components/schemas/ProvisioningConnectionProfile'
+ $ref: '#/components/schemas/ProvisioningConnectionResponseProfile'
+ status:
+ $ref: '#/components/schemas/ProvisioningConnectionStatus'
+ _links:
+ $ref: '#/components/schemas/LinksSelfLifecycleAndAuthorize'
required:
- profile
+ - status
+ ProvisioningConnectionResponseProfile:
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionAuthScheme'
+ required:
+ - authScheme
ProvisioningConnectionStatus:
- description: Provisioning connection status
+ description: Provisioning Connection status
default: DISABLED
type: string
enum:
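Review bot: `ProvisioningConnectionRequest` is now an empty `type: object`, the two variants (`ProvisioningConnectionOauthRequest`, `ProvisioningConnectionTokenRequest`) extend it through `allOf`, and the new `ProvisioningConnectionRequestAuthScheme` enum is declared but referenced by nothing in this hunk. Because the distinguishing value sits in the nested `profile.authScheme`, a top-level `discriminator` can't express the choice, so presumably the request body uses `oneOf` over the two variants; if so, the unreferenced enum should either be referenced or dropped rather than left dangling. Separately, `ProvisioningConnectionOauthRequestProfile` and `ProvisioningConnectionResponseProfile` declare `properties` without `type: object`, and `ProvisioningConnectionProfileOauth` keeps the old generic description ("token-based and OAuth 2.0-based authentication are supported") although its properties are now OAuth-only.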
@@ -29660,35 +61265,89 @@ components:
- ENABLED
- UNKNOWN
x-enumDescriptions:
- DISABLED: The provisioning connection is disabled.
- ENABLED: The provisioning connection is enabled.
+ DISABLED: The Provisioning Connection is disabled.
+ ENABLED: The Provisioning Connection is enabled.
UNKNOWN: Provisioning isn't supported by the app, or the authentication method is unknown.
+ ProvisioningConnectionTokenAuthScheme:
+ description: A token is used to authenticate with the app. This property is only returned for the `TOKEN` authentication scheme.
+ type: string
+ enum:
+ - TOKEN
+ ProvisioningConnectionTokenRequest:
+ title: Token-based connection
+ allOf:
+ - $ref: '#/components/schemas/ProvisioningConnectionRequest'
+ - description: Token-based Provisioning Connection request
+ properties:
+ baseUrl:
+ type: string
+ description: Only used for the Zscaler 2.0 (`zscalerbyz`) app. The base URL for the Zscaler 2.0 target app, which also contains the Zscaler ID.
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ profile:
+ $ref: '#/components/schemas/ProvisioningConnectionTokenRequestProfile'
+ required:
+ - profile
+ ProvisioningConnectionTokenRequestProfile:
+ properties:
+ authScheme:
+ $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme'
+ token:
+ type: string
+ description: Token used to authenticate with the app
+ required:
+ - authScheme
ProvisioningDeprovisionedAction:
+ description: Specifies the action during authentication when an IdP User is linked to a previously deprovisioned Okta User
type: string
enum:
- NONE
- REACTIVATE
+ x-enumDescriptions:
+ NONE: Take no action. If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, authentication fails.
+ REACTIVATE: If an IdP User that matches a previously deprovisioned Okta User attempts to authenticate, reactivate the matching User in Okta and allow the authentication attempt to proceed.
ProvisioningDeprovisionedCondition:
+ description: Behavior for a previously deprovisioned IdP User during authentication. Not supported with OIDC IdPs.
type: object
properties:
action:
$ref: '#/components/schemas/ProvisioningDeprovisionedAction'
ProvisioningGroups:
+ description: Provisioning settings for a User's Group memberships
type: object
properties:
action:
$ref: '#/components/schemas/ProvisioningGroupsAction'
assignments:
type: array
+ description: List of `OKTA_GROUP` Group identifiers to add an IdP User as a member with the `ASSIGN` action
items:
type: string
+ example: 00gak46y5hydV6NdM0g4
filter:
type: array
+ description: Allowlist of `OKTA_GROUP` Group identifiers for the `APPEND` or `SYNC` provisioning action
items:
type: string
+ example: 00gak46y5hydV6NdM0g4
sourceAttributeName:
type: string
+ description: IdP User profile attribute name (case-insensitive) for an array value that contains Group memberships
+ maxLength: 1024
+ example: Groups
ProvisioningGroupsAction:
+ description: |-
+ Provisioning action for the IdP User's Group memberships
+
+ | Enum | Description | Existing OKTA_GROUP Memberships | Existing APP_GROUP Memberships | Existing BUILT_IN Memberships |
+ | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------ | ----------------------------- |
+ | `APPEND` | Adds a User to any Group defined by the IdP as a value of the `sourceAttributeName` array that matches the name of the allow listed Group defined in the `filter` | Unchanged | Unchanged | Unchanged |
+ | `ASSIGN` | Assigns a User to Groups defined in the `assignments` array | Unchanged | Unchanged | Unchanged |
+ | `NONE` | Skips processing of Group memberships | Unchanged | Unchanged | Unchanged |
+ | `SYNC` | Group memberships are sourced by the IdP as a value of the `sourceAttributeName` array that matches the name of the Group defined in the `filter` | Removed if not defined by the IdP in `sourceAttributeName` and matching name of the Group in `filter` | Unchanged | Unchanged |
+
+ > **Note:** Group provisioning action is processed independently from profile sourcing. You can sync Group memberships through SAML with profile sourcing disabled.
type: string
enum:
- APPEND
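Review bot: `token` in `ProvisioningConnectionTokenRequestProfile` is a credential but is described only as `type: string`; adding `format: password` and `writeOnly: true` under `token` documents that it is accepted on input only and keeps doc renderers and generated examples from displaying it. The response profile already omits `token`, so this is about making the intent explicit on the request side. `baseUrl` in `ProvisioningConnectionTokenRequest` would also benefit from `format: uri`, and `ProvisioningConnectionTokenRequestProfile`, like the other new `*Profile` schemas, lacks `type: object` above its `properties`.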
@@ -29696,16 +61355,22 @@ components:
- NONE
- SYNC
ProvisioningSuspendedAction:
+ description: Specifies the action during authentication when an IdP User is linked to a previously suspended Okta User
type: string
enum:
- NONE
- UNSUSPEND
+ x-enumDescriptions:
+ NONE: Take no action. If an IdP User that matches a previously suspended Okta User attempts to authenticate, authentication fails.
+ UNSUSPEND: If an IdP User that matches a previously suspended Okta User attempts to authenticate, unsuspend the matching User in Okta and allow the authentication attempt to proceed.
ProvisioningSuspendedCondition:
+ description: Behavior for a previously suspended IdP User during authentication. Not supported with OIDC IdPs.
type: object
properties:
action:
$ref: '#/components/schemas/ProvisioningSuspendedAction'
PushMethodKeyProtection:
+ description: Indicates whether you must use a hardware key store
type: string
enum:
- ANY
@@ -29717,9 +61382,11 @@ components:
id:
type: string
readOnly: true
+ description: Unique key for the Push Provider
lastUpdatedDate:
type: string
readOnly: true
+ description: Timestamp when the Push Provider was last modified
name:
type: string
description: Display name of the push provider
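Review bot: The new description for `lastUpdatedDate` calls it a timestamp, but the property stays a bare `type: string`; adding `format: date-time` next to the new description would let clients parse it, consistent with the `created`/`lastUpdated` properties elsewhere in this diff that carry `format: date-time`. The enclosing schema's header is outside this hunk.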
@@ -29732,33 +61399,6 @@ components:
mapping:
APNS: '#/components/schemas/APNSPushProvider'
FCM: '#/components/schemas/FCMPushProvider'
- PushUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- expiresAt:
- type: string
- format: date-time
- factorResult:
- $ref: '#/components/schemas/FactorResultType'
- profile:
- $ref: '#/components/schemas/PushUserFactorProfile'
- PushUserFactorProfile:
- type: object
- properties:
- credentialId:
- type: string
- deviceToken:
- type: string
- deviceType:
- type: string
- name:
- type: string
- platform:
- type: string
- version:
- type: string
RateLimitAdminNotifications:
title: RateLimitAdminNotifications
description: ''
@@ -29815,19 +61455,264 @@ components:
$ref: '#/components/schemas/RealmProfile'
_links:
$ref: '#/components/schemas/LinksSelf'
+ RealmAssignment:
+ type: object
+ properties:
+ actions:
+ $ref: '#/components/schemas/Actions'
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ readOnly: true
+ isDefault:
+ type: boolean
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ priority:
+ type: integer
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
RealmProfile:
type: object
properties:
name:
type: string
description: Name of a Realm
+ realmType:
+ type: string
+ description: Used to store partner users. This must be set to Partner to access Okta's external partner portal.
+ enum:
+ - PARTNER
+ - DEFAULT
+ x-enumDescriptions:
+ PARTNER: Realm with external partner portal
+ DEFAULT: Default
+ required:
+ - name
RecoveryQuestionCredential:
+ description: |-
+ Specifies a secret question and answer that's validated (case insensitive) when a user forgets their
+ password or unlocks their account. The answer property is write-only.
type: object
properties:
answer:
type: string
+ description: The answer to the recovery question
+ minimum: 1
+ maximum: 100
+ writeOnly: true
+ example: se7en
question:
type: string
+ description: The recovery question
+ minimum: 1
+ maximum: 100
+ example: what is your favourite movie?
+ RefreshToken:
+ description: The refresh token
+ type: object
+ properties:
+ jti:
+ description: The refresh token ID
+ type: string
+ RegistrationInlineHook:
+ allOf:
+ - $ref: '#/components/schemas/InlineHook'
+ - type: object
+ RegistrationInlineHookCommand:
+ type: object
+ properties:
+ type:
+ type: string
+ enum:
+ - com.okta.user.profile.update
+ - com.okta.action.update
+ - com.okta.user.progressive.profile.update
+ RegistrationInlineHookPPData:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/RegistrationInlineHookRequest'
+ - type: object
+ properties:
+ data:
+ type: object
+ properties:
+ context:
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ user:
+ type: object
+ properties:
+ passwordChanged:
+ type: string
+ format: date-time
+ description: The last time the user's password was updated
+ _links:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled.
+ type: object
+ properties:
+ groups:
+ description: URL to retrieve the individual user's group memberships
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ factors:
+ description: URL to retrieve individual user's factor enrollments
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ profile:
+ additionalProperties: true
+ type: object
+ description: The user to update's current attributes
+ id:
+ type: string
+ action:
+ description: The default action the system takes. Set to `ALLOW`. `DENY` is never sent to your external service
+ type: string
+ userProfileUpdate:
+ additionalProperties: true
+ type: object
+ description: Name-value pairs for each new attribute supplied by the user in the Progressive Profile form
+ RegistrationInlineHookRequest:
+ description: Registration inline hook request
+ type: object
+ properties:
+ eventType:
+ type: string
+ description: The type of inline hook. The registration inline hook type is `com.okta.user.pre-registration`.
+ requestType:
+ $ref: '#/components/schemas/RegistrationInlineHookRequestType'
+ discriminator:
+ propertyName: requestType
+ mapping:
+ self.service.registration: '#/components/schemas/RegistrationInlineHookSSRData'
+ progressive.profile: '#/components/schemas/RegistrationInlineHookPPData'
+ RegistrationInlineHookRequestType:
+ description: The type of registration hook. Use either `self.service.registration` or `progressive.profile`.
+ type: string
+ enum:
+ - progressive.profile
+ - self.service.registration
+ RegistrationInlineHookResponse:
+ description: Registration inline hook response
+ type: object
+ properties:
+ commands:
+ type: array
+ RegistrationInlineHookSSRData:
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/RegistrationInlineHookRequest'
+ - type: object
+ properties:
+ data:
+ type: object
+ properties:
+ context:
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ action:
+ description: The default action the system will take. Will be `ALLOW`. `DENY` will never be sent to your external service.
+ type: string
+ userProfile:
+ additionalProperties: true
+ type: object
+ description: The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form.
+ RegistrationResponse:
+ type: object
+ properties:
+ commands:
+ description: |-
+ The `commands` object lets you invoke commands to modify or add values to the attributes in the Okta user profile that are created for this user. The object also lets you control whether or not the registration attempt is allowed to proceed.
+
+ This object is an array, allowing you to send multiple commands in your response. Each array element requires a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you wish to execute, and `value` is where you supply parameters for that command.
+
+ The registration inline hook supports these three commands:
+ * `com.okta.user.profile.update`: Change attribute values in the user's Okta user profile. For SSR only. Invalid if used with a Progressive Profile response.
+ * `com.okta.action.update`: Allow or deny the user's registration.
+ * `com.okta.user.progressive.profile.update`: Change attribute values in the user's Okta Progressive Profile.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ description: |-
+ The location where you specify the command. To set attributes in the user's Okta profile, supply a `type` property set to `com.okta.user.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Okta user profile attributes you want to set. The attributes must already exist in your user profile schema.
+
+ To explicitly allow or deny registration to the user, supply a type property set to `com.okta.action.update`, together with a value property set to `{"registration": "ALLOW"}` or `{"registration": "DENY"}`. The default is to allow registration.
+
+ In Okta Identity Engine, to set attributes in the user's profile, supply a `type` property set to `com.okta.user.progressive.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Progressive Enrollment attributes that you want to set. See [Registration inline hook - Send response](https://developer.okta.com/docs/guides/registration-inline-hook/nodejs/main/#send-response).
+
+ Commands are applied in the order that they appear in the array. Within a single `com.okta.user.profile.update` or `com.okta.user.progressive.profile.update command`, attributes are updated in the order that they appear in the `value` object.
+
+ You can never use a command to update the user's password, but you are allowed to set the values of attributes other than password that are designated sensitive in your Okta user schema. However, the values of those sensitive attributes, if included as fields in the Profile Enrollment form, aren't included in the `data.userProfile` object sent to your external service by Okta. See [data.userProfile](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook!path=0/data/userProfile&t=request).
+ type: string
+ value:
+ additionalProperties: true
+ description: |-
+ The `value` object is the parameter to pass to the command.
+
+ For `com.okta.user.profile.update` commands, `value` should be an object containing one or more name-value pairs for the attributes you wish to update.
+
+ For `com.okta.action.update` commands, the value should be an object containing the attribute `action` set to a value of either `ALLOW` or `DENY`, indicating whether the registration should be permitted or not.
+
+ Registrations are allowed by default, so setting a value of `ALLOW` for the action field is valid but superfluous.
+ type: object
+ Error:
+ description: |-
+ For the registration inline hook, the `error` object provides a way of displaying an error message to the end user who is trying to register or update their profile.
+
+ * If you're using the Okta Sign-In Widget for Profile Enrollment, only the `errorSummary` messages of the `errorCauses` objects that your external service returns appear as inline errors, given the following:
+ * You don't customize the error handling behavior of the widget.
+ * The `location` of `errorSummary` in the `errorCauses` object specifies the request object's user profile attribute.
+ * If you don't return a value for the `errorCauses` object, and deny the user's registration attempt through the `commands` object in your response to Okta, one of the following generic messages appears to the end user:
+ * "Registration cannot be completed at this time." (SSR)
+ * "We found some errors. Please review the form and make corrections." (Progressive Enrollment)
+ * If you don't return an `error` object at all and the registration is denied, the following generic message appears to the end user:
+ * "Registration denied." (SSR)
+ * "Profile update denied." (Progressive Enrollment)
+
+ >**Note:** If you include an error object in your response, no commands are executed and the registration fails. This holds true even if the top-level `errorSummary` and the `errorCauses` objects are omitted.
+ type: object
+ properties:
+ errorSummary:
+ type: string
+ description: Human-readable summary of one or more errors
+ errorCauses:
+ type: array
+ items:
+ type: object
+ properties:
+ errorSummary:
+ type: string
+ description: Human-readable summary of the error.
+ reason:
+ type: string
+ description: A brief, enum-like string that indicates the nature of the error. For example, `UNIQUE_CONSTRAINT` for a property uniqueness violation.
+ locationType:
+ type: string
+ description: Where in the request the error was found (`body`, `header`, `url`, or `query`).
+ location:
+ description: The valid JSON path to the location of the error. For example, if there was an error in the user's `login` field, the `location` might be `data.userProfile.login`.
+ type: string
+ domain:
+ type: string
+ description: Indicates the source of the error. If the error was in the user's profile, for example, you might use `end-user`. If the error occurred in the external service, you might use `external-service`.
ReleaseChannel:
description: Release channel for auto-update
type: string
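Review bot: `RecoveryQuestionCredential.answer` and `question` use `minimum: 1` / `maximum: 100`, which are numeric keywords and have no effect on `type: string`; the intended bounds are `minLength: 1` and `maxLength: 100`. Since `answer` is a secret that is compared case-insensitively, `format: password` beside the existing `writeOnly: true` would also keep doc tooling from rendering it. Two more problems in the same hunk: `RegistrationInlineHookResponse.commands` is `type: array` with no `items`, which OpenAPI 3.0 requires, and the `RegistrationResponse` property is spelled `Error` while its own description and the sibling `commands` property use the lowercase `error` key, so a generated client would look for the wrong field.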
@@ -29842,12 +61727,106 @@ components:
- ALWAYS
- HIGH_RISK_ONLY
- NEVER
+ ResendUserFactor:
+ type: object
+ properties:
+ factorType:
+ description: Type of the Factor
+ type: string
+ enum:
+ - call
+ - email
+ - sms
+ discriminator:
+ propertyName: factorType
+ mapping:
+ call: '#/components/schemas/UserFactorCall'
+ email: '#/components/schemas/UserFactorEmail'
+ sms: '#/components/schemas/UserFactorSMS'
ResetPasswordToken:
type: object
properties:
resetPasswordUrl:
type: string
readOnly: true
+ example: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO
+ ResourceSelectorCreateRequestSchema:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the Resource Selector
+ filter:
+ type: string
+ description: SCIM filter of the Resource Selector
+ name:
+ type: string
+ description: Name of the Resource Selector
+ schema:
+ type: string
+ description: Schema of the Resource Selector
+ ResourceSelectorPatchRequestSchema:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the Resource Selector
+ filter:
+ type: string
+ description: SCIM filter of the Resource Selector
+ name:
+ type: string
+ description: Name of the Resource Selector
+ ResourceSelectorResponseSchema:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the Resource Selector
+ id:
+ type: string
+ description: Unique key for the Resource Selector
+ name:
+ type: string
+ description: Name of the Resource Selector
+ orn:
+ type: string
+ description: An Okta resource name
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - properties:
+ resources:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSelectorResponseWithoutSelfLinkSchema:
+ type: object
+ properties:
+ description:
+ type: string
+ description: Description of the Resource Selector
+ id:
+ type: string
+ description: Unique key for the Resource Selector
+ name:
+ type: string
+ description: Name of the Resource Selector
+ orn:
+ type: string
+ description: An Okta resource name
+ _links:
+ allOf:
+ - properties:
+ resources:
+ $ref: '#/components/schemas/HrefObject'
+ ResourceSelectorsSchema:
+ type: object
+ properties:
+ resourceSelectors:
+ type: array
+ items:
+ $ref: '#/components/schemas/ResourceSelectorResponseWithoutSelfLinkSchema'
+ _links:
+ $ref: '#/components/schemas/LinksNext'
ResourceSet:
type: object
properties:
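Review bot: In `ResourceSelectorResponseWithoutSelfLinkSchema`, `_links` is an `allOf` with a single inline member, which adds nesting for nothing; a plain `_links:` object with `type: object` and the `resources` property reads more directly. Both that inline member and the one in `ResourceSelectorResponseSchema` also omit `type: object`. Minor: `ResetPasswordToken.resetPasswordUrl` now carries a URL example but still no `format: uri`.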
@@ -29861,7 +61840,7 @@ components:
description: Description of the Resource Set
id:
type: string
- description: Unique key for the role
+ description: Unique ID for the Resource Set object
readOnly: true
label:
type: string
@@ -29974,29 +61953,60 @@ components:
created:
type: string
format: date-time
- description: Timestamp when the role was created
+ description: Timestamp when the Resource Set Resource object was created
readOnly: true
- description:
- type: string
- description: Description of the Resource Set
id:
type: string
- description: Unique key for the role
+ description: Unique ID of the Resource Set Resource object
readOnly: true
lastUpdated:
type: string
format: date-time
- description: Timestamp when the role was last updated
+ description: Timestamp when this object was last updated
readOnly: true
+ orn:
+ type: string
+ description: The Okta Resource Name (ORN) of the resource
_links:
- $ref: '#/components/schemas/LinksSelf'
+ description: Related discoverable resources
+ readOnly: true
+ properties:
+ self:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The REST API URL of the related resource
+ resource:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to this Resource Set Resource object (self)
+ groups:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: If applicable, the REST API URL of the related Groups resource
+ users:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: If applicable, the REST API URL of the related Users resource
ResourceSetResourcePatchRequest:
type: object
properties:
additions:
type: array
+ description: A list of resources to add to the Resource Set
items:
type: string
+ description: Resource in ORN or REST API URL format
+ ResourceSetResourcePostRequest:
+ type: object
+ properties:
+ resourceOrnOrUrl:
+ type: string
+ description: Resource in ORN or REST API URL format
+ required:
+ - resourceOrnOrUrl
+ - conditions
+ ResourceSetResourcePutRequest:
+ type: object
ResourceSetResources:
type: object
properties:
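Review bot: `ResourceSetResourcePostRequest` lists `conditions` under `required`, but the schema declares only `resourceOrnOrUrl`, so any body without a `conditions` member fails validation against a property the spec never defines; either add a `conditions` property or drop that entry. In `ResourceSetResource._links` the `self` and `resource` descriptions look swapped — `self` reads "The REST API URL of the related resource" while `resource` reads "Link to this Resource Set Resource object (self)". That `_links` block also lacks `type: object`, and `ResourceSetResourcePutRequest` is an empty `type: object`, which may be intentional but deserves a description saying so.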
@@ -30020,7 +62030,86 @@ components:
_links:
$ref: '#/components/schemas/LinksNext'
ResponseLinks:
+ description: Link objects
+ type: object
+ properties:
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ ResponseMode:
+ type: string
+ enum:
+ - form_post
+ - fragment
+ - okta_post_message
+ - query
+ x-enumDescriptions:
+ fragment: Parameters are encoded in the URL fragment added to the `redirect_uri` when redirecting back to the client.
+ query: Parameters are encoded in the query string added to the `redirect_uri` when redirecting back to the client.
+ form_post: Parameters are encoded as HTML form values (`application/x-www-form-urlencoded` format) and are transmitted through the HTTP POST method to the client.
+ okta_post_message: |-
+ Uses [HTML5 Web Messaging](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) (for example, `window.postMessage()`) instead of the redirect for the authorization response from the `/authorize` endpoint.
+
+ `okta_post_message` is an adaptation of the [Web Message Response Mode](https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00#section-4.1).
+ This value provides a secure way for a single-page application to perform a sign-in flow in a pop-up window or an iFrame and receive the ID token, access token, and/or authorization code back in the parent page without leaving the context of that page. The data object for the `postMessage` call is in the next section.
+ ResponseType:
+ type: string
+ enum:
+ - code
+ - id_token
+ - none
+ - token
+ ResponseTypesSupported:
+ type: string
+ enum:
+ - code
+ - code id_token
+ - code id_token token
+ - code token
+ - id_token
+ - id_token token
+ - token
+ RevokeRefreshTokenHrefObject:
type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
+ RiscIdentifierChangedEvent:
+ description: The subject's identifier has changed, which is either an email address or a phone number change
+ type: object
+ properties:
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ new-value:
+ type: string
+ description: The new identifier value
+ example: new.email@okta.example.com
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ RiskDetectionTypesPolicyRuleCondition:
+ description: An object that references detected risk events. This object can have an `include` parameter or an `exclude` parameter, but not both.
+ type: object
+ properties:
+ exclude:
+ type: array
+ description: An array of detected risk events to exclude in the entity policy rule
+ items:
+ $ref: '#/components/schemas/DetectedRiskEvents'
+ include:
+ type: array
+ description: An array of detected risk events to include in the entity policy rule
+ items:
+ $ref: '#/components/schemas/DetectedRiskEvents'
+ required:
+ - exclude
+ - include
RiskEvent:
type: object
properties:
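Review bot: `RiskDetectionTypesPolicyRuleCondition` says the object may have `include` or `exclude` but not both, yet its `required` block lists both, so the schema contradicts its own description; drop the `required` block, or express the either-or with `oneOf` over two single-property variants. In `ResponseMode`, the `okta_post_message` description ends with "The data object for the `postMessage` call is in the next section", a sentence carried over from a guide that has no referent inside a schema — replace it with a link or delete it. Since this mode delivers tokens via `window.postMessage`, the same description is the natural place to note that the receiving page should verify the message origin before trusting the response.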
@@ -30122,10 +62211,19 @@ components:
none: No action
enforce_and_log: Use risk event information to evaluate risks during authentication attempts and include risk event information in the System Log
RiskScorePolicyRuleCondition:
+ description: Specifies a particular level of risk to match on
type: object
properties:
level:
type: string
+ description: The level to match
+ enum:
+ - ANY
+ - LOW
+ - MEDIUM
+ - HIGH
+ required:
+ - level
Role:
type: object
properties:
@@ -30165,9 +62263,11 @@ components:
id:
type: string
readOnly: true
+ description: The ID of the User
orn:
type: string
readOnly: true
+ description: ORN representing the assignee
_links:
$ref: '#/components/schemas/LinksSelfAndRoles'
RoleAssignedUsers:
@@ -30178,13 +62278,79 @@ components:
items:
$ref: '#/components/schemas/RoleAssignedUser'
_links:
- $ref: '#/components/schemas/LinksNext'
+ $ref: '#/components/schemas/LinksNextForRoleAssignments'
RoleAssignmentType:
+ description: Role assignment type
type: string
enum:
+ - CLIENT
- GROUP
- USER
+ x-enumDescriptions:
+ USER: The Role is assigned to a User
+ GROUP: The Role is assigned to a Group
+ CLIENT: The Role is assigned to a Client Application
+ RoleGovernance:
+ description: List of all User Role Governance Sources
+ type: object
+ properties:
+ grants:
+ type: array
+ items:
+ $ref: '#/components/schemas/RoleGovernanceSource'
+ _links:
+ $ref: '#/components/schemas/LinksGovernanceSources'
+ RoleGovernanceResource:
+ description: The resource of a grant
+ type: object
+ properties:
+ label:
+ type: string
+ description: The resource name
+ resource:
+ type: string
+ description: The resources id
+ RoleGovernanceResources:
+ description: The resources of a grant
+ type: object
+ properties:
+ resources:
+ type: array
+ items:
+ $ref: '#/components/schemas/RoleGovernanceResource'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksNext'
+ RoleGovernanceSource:
+ description: User Role Governance Source
+ type: object
+ properties:
+ bundleId:
+ type: string
+ readOnly: true
+ description: '`id` of the entitlement bundle'
+ expirationDate:
+ type: string
+ format: date-time
+ readOnly: true
+ description: The expiration date of the entitlement bundle
+ grantId:
+ type: string
+ readOnly: true
+ description: '`id` of the grant'
+ type:
+ $ref: '#/components/schemas/GovernanceSourceType'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksGovernanceResources'
+ - $ref: '#/components/schemas/LinksSelf'
+ required:
+ - type
+ - grantId
+ - resources
RolePermissionType:
+ description: Permission type
type: string
enum:
- okta.apps.assignment.manage
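Review bot: `RoleGovernanceSource.required` names `resources`, but the schema declares no `resources` property (only `bundleId`, `expirationDate`, `grantId`, `type`, `_links`); the resources presumably hang off `_links` through `LinksGovernanceResources`, so either add the property or remove the entry. `RoleGovernanceResource.resource` is described as "The resources id" — `description: The resource's ID` is the intended wording. `RoleAssignmentType` adds `CLIENT` cleanly; its `x-enumDescriptions` just list values in a different order than the `enum`, which some renderers follow.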
@@ -30195,6 +62361,14 @@ components:
- okta.authzServers.read
- okta.customizations.manage
- okta.customizations.read
+ - okta.devices.lifecycle.activate
+ - okta.devices.lifecycle.deactivate
+ - okta.devices.lifecycle.delete
+ - okta.devices.lifecycle.manage
+ - okta.devices.lifecycle.suspend
+ - okta.devices.lifecycle.unsuspend
+ - okta.devices.manage
+ - okta.devices.read
- okta.governance.accessCertifications.manage
- okta.governance.accessRequests.manage
- okta.groups.appAssignment.manage
@@ -30205,6 +62379,7 @@ components:
- okta.identityProviders.manage
- okta.identityProviders.read
- okta.profilesources.import.run
+ - okta.support.cases.manage
- okta.users.appAssignment.manage
- okta.users.create
- okta.users.credentials.expirePassword
@@ -30224,8 +62399,11 @@ components:
- okta.users.read
- okta.users.userprofile.manage
RoleType:
+ description: Standard role type
type: string
enum:
+ - ACCESS_CERTIFICATIONS_ADMIN
+ - ACCESS_REQUESTS_ADMIN
- API_ACCESS_MANAGEMENT_ADMIN
- API_ADMIN
- APP_ADMIN
@@ -30239,18 +62417,246 @@ components:
- SUPER_ADMIN
- USER_ADMIN
x-enumDescriptions:
- - API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator
- - API_ADMIN: Access Management Administrator
- - APP_ADMIN: Application Administrator
- - CUSTOM: Custom Label specified by the client
- - GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator
- - HELP_DESK_ADMIN: Help Desk Administrator
- - MOBILE_ADMIN: Mobile Administrator
- - ORG_ADMIN: Organizational Administrator
- - READ_ONLY_ADMIN: Read-Only Administrator
- - REPORT_ADMIN: Report Administrator
- - SUPER_ADMIN: Super Administrator
- - USER_ADMIN: Group Administrator
+ API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator
+ API_ADMIN: Access Management Administrator
+ APP_ADMIN: Application Administrator
+ CUSTOM: Custom label specified by the client
+ GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator
+ HELP_DESK_ADMIN: Help Desk Administrator
+ MOBILE_ADMIN: Mobile Administrator
+ ORG_ADMIN: Organizational Administrator
+ READ_ONLY_ADMIN: Read-Only Administrator
+ REPORT_ADMIN: Report Administrator
+ SUPER_ADMIN: Super Administrator
+ USER_ADMIN: Group Administrator
+ ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined Resource Sets)
+ ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined Resource Sets)
+ RotatePasswordRequest:
+ description: Rotate password request for the privileged account
+ type: object
+ properties:
+ password:
+ type: string
+ description: The password associated with the privileged resource
+ format: password
+ writeOnly: true
+ example: xf1bs9am2
+ secretVersionId:
+ type: string
+ description: The version ID of the password secret from the OPA vault
+ minLength: 1
+ maxLength: 36
+ example: 9f8400-e29b-41d4-a716-926655440034
+ required:
+ - password
+ - secretVersionId
+ SAMLHookResponse:
+ type: object
+ properties:
+ commands:
+ description: |-
+ The `commands` object is where you tell Okta to add additional claims to the assertion or to modify the existing assertion statements.
+
+ `commands` is an array, allowing you to send multiple commands. In each array element, include a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command.
+ In the case of the SAML assertion inline hook, the `value` property is itself a nested object, in which you specify a particular operation, a path to act on, and a value.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ type: string
+ description: One of the supported commands `com.okta.assertion.patch`
+ value:
+ type: array
+ items:
+ type: object
+ properties:
+ op:
+ type: string
+ description: |-
+ The name of one of the supported ops:
+ `add`: Add a new claim to the assertion
+ `replace`: Modify any element of the assertion
+ > **Note:** If a response to the SAML assertion inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta process flow continues with the original SAML assertion returned.
+ path:
+ type: string
+ description: Location, within the assertion, to apply the operation
+ value:
+ oneOf:
+ - type: string
+ - type: integer
+ - type: object
+ description: |-
+ The value of the claim that you add or replace, and can also include other attributes. If adding to a claim, add another `value` attribute residing within an array called `attributeValues`.
+
+ See the following examples:
+
+ #### Simple value (integer or string)
+
+ `"value": 300` or `"value": "replacementString"`
+
+ #### Attribute value (object)
+
+ ` "value": {
+ "authContextClassRef": "replacementValue"
+ }`
+
+ #### AttributeValues array value (object)
+
+ ` "value": {
+ "attributes": {
+ "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+ },
+ "attributeValues": [
+ {"attributes": {
+ "xsi:type": "xs:string"
+ },
+ "value": "4321"}
+ ]
+ }`
+ error:
+ description: |-
+ An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log.
+ The string supplied in the `errorSummary` property is recorded in the System Log event.
+ > **Note:** If the error object doesn't include the defined `errorSummary` property, the following common default message
+ is returned to the end user: `The callback service returned an error`.
+
+ > **Note:** If a response to a SAML inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta SAML inline hook process continues, and the user is created.
+ type: object
+ properties:
+ errorSummary:
+ description: A human-readable summary of the error
+ type: string
+ SAMLPayLoad:
+ type: object
+ properties:
+ data:
+ type: object
+ properties:
+ context:
+ allOf:
+ - $ref: '#/components/schemas/BaseContext'
+ - type: object
+ properties:
+ protocol:
+ description: Details of the assertion protocol being used
+ type: object
+ properties:
+ type:
+ description: The type of authentication protocol being used for the assertion
+ type: string
+ example: SAML2.0
+ issuer:
+ type: object
+ properties:
+ id:
+ description: The unique identifier of the issuer that provided the SAML assertion
+ type: string
+ example: 0oath92zlO60urQOP0g3
+ name:
+ description: The name of the issuer that provided the SAML assertion
+ type: string
+ example: SAML 2.0 App
+ uri:
+ description: The base URI of the SAML endpoint that's used to assert the authorization
+ type: string
+ example: http://www.okta.com/exkth8lMzFm0HZOTU0g3
+ assertion:
+ description: Details of the SAML assertion that was generated
+ type: object
+ properties:
+ subject:
+ description: Provides a JSON representation of the `` element of the SAML assertion
+ type: object
+ properties:
+ nameId:
+ description: The unique identifier of the user
+ type: string
+ example: user@example.com
+ nameFormat:
+ description: Indicates how to interpret the attribute name
+ type: string
+ example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ confirmation:
+ type: object
+ properties:
+ method:
+ description: Used to indicate how the authorization server confirmed the SAML assertion
+ type: string
+ example: urn:oasis:names:tc:SAML:2.0:cm:bearer
+ data:
+ type: object
+ properties:
+ recipient:
+ description: The token endpoint URL of the authorization server
+ type: string
+ example: http://www.example.com:7070/saml/sso
+ authentication:
+ description: Provides a JSON representation of the `` element of the SAML assertion
+ type: object
+ properties:
+ sessionIndex:
+ description: The unique identifier describing the assertion statement
+ type: string
+ example: id1553800523546.312669168
+ authnContext:
+ description: Details of the authentication methods used for the SAML assertion
+ type: object
+ properties:
+ authnContextClassRef:
+ description: Describes the identity provider's supported authentication context classes
+ type: string
+ example: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ conditions:
+ description: Provides a JSON representation of the `` element of the SAML assertion
+ type: object
+ properties:
+ audienceRestriction:
+ description: Describes which service providers the assertion is valid for
+ type: array
+ items:
+ type: string
+ example:
+ - urn:example:sp
+ claims:
+ description: Provides a JSON representation of the `` element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's **SAML Settings**.
+ type: object
+ additionalProperties:
+ type: object
+ properties:
+ attributes:
+ type: object
+ properties:
+ NameFormat:
+ type: string
+ description: Indicates how to interpret the attribute name
+ attributeValues:
+ type: array
+ items:
+ type: object
+ properties:
+ attributes:
+ type: object
+ properties:
+ xsi:type:
+ type: string
+ description: Used to derive the type of the attribute
+ value:
+ type: string
+ description: The actual value of the attribute
+ lifetime:
+ description: Specifies the expiration time, in seconds, of the SAML assertion
+ type: object
+ properties:
+ expiration:
+ description: The expiration time in seconds
+ type: integer
+ example: 300
+ SAMLPayloadExecute:
+ description: SAML assertion inline hook request
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/SAMLPayLoad'
SafeBrowsingProtectionLevel:
description: Represents the current value of the Safe Browsing protection level
example: ENHANCED_PROTECTION
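Review bot: The `SAMLHookResponse.error` description ends with "the Okta SAML inline hook process continues, and the user is created", which reads as copied from the registration inline hook; the `op` description in the same schema states the SAML behaviour, so the sentence should be aligned to `In this scenario, the Okta process flow continues with the original SAML assertion returned.` That timeout note is also attached to the `op` property, where it applies to the whole hook response rather than one field, so it belongs on `commands` or at the schema level. Separately, several `SAMLPayLoad` descriptions (`subject`, `authentication`, `conditions`, `claims`) contain an empty backtick span where the SAML element name was presumably lost in conversion — judging by the property names, likely `<Subject>`, `<AuthnStatement>`, `<Conditions>` and `<AttributeStatement>`; the same empty-span pattern recurs in the next two hunks (`SamlAcsEndpoint`, `SamlRequestAlgorithm`, `SamlResponseAlgorithm`, `SamlSsoEndpoint`, `SamlTrustCredentials`), and the rendered docs show an empty code span until the names are restored.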
@@ -30263,7 +62669,144 @@ components:
NO_SAFE_BROWSING: Safe Browsing is never active
STANDARD_PROTECTION: Safe Browsing is active in the standard mode
ENHANCED_PROTECTION: Safe Browsing is active in the enhanced mode
- SamlApplication:
+ SalesforceApplication:
+ title: Salesforce
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: salesforce
+ example:
+ name: salesforce
+ label: Sample Salesforce App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ instanceType: SANDBOX
+ integrationType: STANDARD
+ description: |
+ Schema for the Salesforce app (key name: `salesforce`)
+
+ To create a Salesforce app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Salesforce app only supports `BROWSER_PLUGIN`, `BOOKMARK`, and `SAML_2_0` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - salesforce
+ example: salesforce
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - BOOKMARK
+ - SAML_2_0
+ example: BROWSER_PLUGIN
+ settings:
+ $ref: '#/components/schemas/SalesforceApplicationSettings'
+ SalesforceApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/SalesforceApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ SalesforceApplicationSettingsApplication:
+ description: Salesforce app instance properties
+ type: object
+ properties:
+ instanceType:
+ type: string
+ description: Salesforce instance that you want to connect to
+ enum:
+ - SANDBOX
+ - PRODUCTION
+ - GOVERNMENT
+ integrationType:
+ type: string
+ description: Salesforce integration type
+ enum:
+ - STANDARD
+ - PORTAL
+ - COMMUNITY
+ loginUrl:
+ type: string
+ description: The Login URL specified in your Salesforce Single Sign-On settings
+ logoutUrl:
+ type: string
+ description: Salesforce Logout URL
+ required:
+ - integrationType
+ - instanceType
+ Saml:
+ description: SAML configuration details
+ type: object
+ properties:
+ acs:
+ type: array
+ minItems: 1
+ description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null `index` value. You can use the org-level variables you defined in the `config` array in the URL. For example: `https://${org.subdomain}.example.com/saml/login`'
+ items:
+ type: object
+ properties:
+ index:
+ type: number
+ minimum: 0
+ maximum: 65535
+ description: Index of ACS URL. You can't reuse the same index in the ACS URL array.
+ example: 0
+ url:
+ type: string
+ format: uri
+ maxLength: 1024
+ description: Assertion Consumer Service (ACS) URL
+ example: https://${org.subdomain}.example.com/saml/login
+ claims:
+ type: array
+ description: Attribute statements to appear in the Okta SAML assertion
+ items:
+ type: object
+ properties:
+ name:
+ type: string
+ description: The attribute name
+ example: Address
+ values:
+ type: array
+ description: The Okta values inserted in the attribute statement
+ items:
+ type: string
+ example: ${user.homeAddress}
+ doc:
+ type: string
+ format: uri
+ description: The URL to your customer-facing instructions for configuring your SAML integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines).
+ example: https://example.com/strawberry/help/samlSetup
+ entityId:
+ type: string
+ description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL.
+ example: https://${org.subdomain}.example.com
+ groups:
+ type: array
+ description: Defines the group attribute names for the SAML assertion statement. Okta inserts the list of Okta user groups into the attribute names in the statement.
+ items:
+ type: string
+ description: A group attribute name in your SAML app
+ example: groups
+ required:
+ - acs
+ - entityId
+ - doc
+ Saml11Application:
allOf:
- $ref: '#/components/schemas/Application'
- type: object
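Review bot: `Saml.acs` says the default ACS URL is the entry whose `index` is null, but the `index` property does not declare `nullable: true`, so under OpenAPI 3.0.3 a null index fails schema validation and generated clients cannot express the default entry; add `nullable: true` to `index`. While there, `index` is an array position bounded to 0–65535 with `example: 0`, so `type: integer` fits better than `type: number`, which admits fractional values. The `SalesforceApplication` and `SalesforceApplicationSettings` `allOf` lists also appear to carry `type: object` and the `required`/`properties` schema as two separate entries; if this rendering's indentation is faithful, folding them into one object entry keeps the composed schema readable and avoids a typeless `properties` subschema. `Saml11Application`'s body continues outside the hunk.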
@@ -30272,111 +62815,462 @@ components:
$ref: '#/components/schemas/ApplicationCredentials'
name:
type: string
+ description: The key name for the SAML 1.1 app definition. You can't create a custom SAML 1.1 app integration instance. Only existing OIN SAML 1.1 app integrations are supported.
settings:
- $ref: '#/components/schemas/SamlApplicationSettings'
- SamlApplicationSettings:
+ $ref: '#/components/schemas/Saml11ApplicationSettings'
+ required:
+ - name
+ Saml11ApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
- type: object
properties:
app:
- $ref: '#/components/schemas/SamlApplicationSettingsApplication'
+ type: object
+ additionalProperties: true
signOn:
- $ref: '#/components/schemas/SamlApplicationSettingsSignOn'
- SamlApplicationSettingsApplication:
+ $ref: '#/components/schemas/Saml11ApplicationSettingsSignOn'
+ Saml11ApplicationSettingsSignOn:
+ title: SAML 1.1 settings
+ description: SAML 1.1 sign-on mode attributes
type: object
- additionalProperties: true
properties:
- acsUrl:
+ audienceOverride:
type: string
- audRestriction:
+ description: The intended audience of the SAML assertion. This is usually the Entity ID of your application.
+ defaultRelayState:
type: string
- baseUrl:
+ description: The URL of the resource to direct users after they successfully sign in to the SP using SAML. See the SP documentation to check if you need to specify a RelayState. In most instances, you can leave this field blank.
+ recipientOverride:
+ type: string
+ description: The location where the application can present the SAML assertion. This is usually the Single Sign-On (SSO) URL.
+ ssoAcsUrlOverride:
type: string
+ description: Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests.
+ SamlAcsEndpoint:
+ description: Okta's `SPSSODescriptor` endpoint where the IdP sends a `` message
+ type: object
+ properties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ type:
+ $ref: '#/components/schemas/SamlEndpointType'
+ SamlAlgorithms:
+ description: Settings for signing and verifying SAML messages
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/SamlRequestAlgorithm'
+ response:
+ $ref: '#/components/schemas/SamlResponseAlgorithm'
+ SamlApplication:
+ allOf:
+ - $ref: '#/components/schemas/Application'
+ - type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/ApplicationCredentials'
+ name:
+ type: string
+ description: A unique key is generated for the custom app instance when you use SAML_2_0 `signOnMode`.
+ readOnly: true
+ settings:
+ $ref: '#/components/schemas/SamlApplicationSettings'
+ SamlApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ signOn:
+ $ref: '#/components/schemas/SamlApplicationSettingsSignOn'
SamlApplicationSettingsSignOn:
+ description: |-
+ SAML 2.0 sign-on attributes.
+ > **Note:** Set either `destinationOverride` or `ssoAcsUrl` to configure any other SAML 2.0 attributes in this section.
type: object
properties:
acsEndpoints:
type: array
+ description: An array of ACS endpoints. You can configure a maximum of 100 endpoints.
items:
$ref: '#/components/schemas/AcsEndpoint'
allowMultipleAcsEndpoints:
+ description: Determines whether the app allows you to configure multiple ACS URIs
type: boolean
assertionSigned:
type: boolean
+ description: Determines whether the SAML assertion is digitally signed
attributeStatements:
type: array
+ description: |
+ A list of custom attribute statements for the app's SAML assertion. See [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html).
+
+ There are two types of attribute statements:
+ | Type | Description |
+ | ---- | ----------- |
+ | EXPRESSION | Generic attribute statement that can be dynamic and supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) |
+ | GROUP | Group attribute statement |
items:
$ref: '#/components/schemas/SamlAttributeStatement'
audience:
type: string
+ description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP.
audienceOverride:
type: string
+ description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
authnContextClassRef:
type: string
+ description: Identifies the SAML authentication context class for the assertion's authentication statement
+ enum:
+ - urn:federation:authentication:windows
+ - oasis:names:tc:SAML:2.0:ac:classes:Kerberos
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:X509
+ x-enumDescriptions:
+ urn:federation:authentication:windows: Integrated Windows Authentication
+ oasis:names:tc:SAML:2.0:ac:classes:Kerberos: Kerberos
+ urn:oasis:names:tc:SAML:2.0:ac:classes:Password: Password
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport: PasswordProtectedTransport
+ urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient: TLS Client
+ urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified: Unspecified
+ urn:oasis:names:tc:SAML:2.0:ac:classes:X509: X509 Certificate
configuredAttributeStatements:
type: array
+ description: |
+ The list of dynamic attribute statements for the SAML assertion inherited from app metadata (apps from the OIN) during app creation.
+
+ There are two types of attribute statements: `EXPRESSION` and `GROUP`.
items:
$ref: '#/components/schemas/SamlAttributeStatement'
defaultRelayState:
type: string
+ description: Identifies a specific application resource in an IdP-initiated SSO scenario
destination:
type: string
+ description: Identifies the location inside the SAML assertion where the SAML response should be sent
destinationOverride:
type: string
+ description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
digestAlgorithm:
type: string
+ description: Determines the digest algorithm used to digitally sign the SAML assertion and response
+ enum:
+ - SHA1
+ - SHA256
honorForceAuthn:
type: boolean
+ description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true`
idpIssuer:
type: string
+ description: SAML Issuer ID
inlineHooks:
+ description: Associates the app with SAML inline hooks. See [the SAML assertion inline hook reference](https://developer.okta.com/docs/reference/saml-hook/).
items:
$ref: '#/components/schemas/SignOnInlineHook'
type: array
participateSlo:
$ref: '#/components/schemas/SloParticipate'
recipient:
+ description: The location where the app may present the SAML assertion
type: string
recipientOverride:
type: string
+ description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
requestCompressed:
type: boolean
+ description: Determines whether the SAML request is expected to be compressed
responseSigned:
type: boolean
+ description: |-
+ Determines whether the SAML authentication response message is digitally signed by the IdP
+ > **Note:** Either (or both) `responseSigned` or `assertionSigned` must be `TRUE`.
+ samlAssertionLifetimeSeconds:
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: integer
+ description: Determines the SAML app session lifetimes with Okta
+ example: 3600
signatureAlgorithm:
type: string
+ description: Determines the signing algorithm used to digitally sign the SAML assertion and response
+ enum:
+ - RSA_SHA1
+ - RSA_SHA256
slo:
$ref: '#/components/schemas/SingleLogout'
spCertificate:
- $ref: '#/components/schemas/SpCertificate'
+ $ref: '#/components/schemas/SamlSpCertificate'
spIssuer:
type: string
+ description: The issuer ID for the Service Provider. This property appears when SLO is enabled.
ssoAcsUrl:
type: string
+ description: Single Sign-On Assertion Consumer Service (ACS) URL
ssoAcsUrlOverride:
type: string
+ description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
subjectNameIdFormat:
type: string
+ description: 'Identifies the SAML processing rules. Supported values:'
+ enum:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+ x-enumDescriptions:
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Email Address
+ urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Persistent
+ urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Transient
+ urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: Unspecified
+ urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName: x509SubjectName
subjectNameIdTemplate:
type: string
+ description: Template for app user's username when a user is assigned to the app
+ required:
+ - allowMultipleAcsEndpoints
+ - assertionSigned
+ - audience
+ - authnContextClassRef
+ - destination
+ - digestAlgorithm
+ - honorForceAuthn
+ - idpIssuer
+ - recipient
+ - requestCompressed
+ - responseSigned
+ - signatureAlgorithm
+ - ssoAcsUrl
+ - subjectNameIdFormat
+ - subjectNameIdTemplate
SamlAttributeStatement:
+ anyOf:
+ - $ref: '#/components/schemas/SamlAttributeStatementExpression'
+ - $ref: '#/components/schemas/SamlAttributeStatementGroup'
+ type: object
+ properties:
+ type:
+ type: string
+ description: The type of attribute statements object
+ enum:
+ - EXPRESSION
+ - GROUP
+ discriminator:
+ propertyName: type
+ mapping:
+ EXPRESSION: '#/components/schemas/SamlAttributeStatementExpression'
+ GROUP: '#/components/schemas/SamlAttributeStatementGroup'
+ SamlAttributeStatementExpression:
+ description: Generic `EXPRESSION` attribute statements
+ type: object
+ properties:
+ name:
+ type: string
+ description: The name of the attribute in your app. The attribute name must be unique across all user and group attribute statements.
+ example: attributeOne
+ namespace:
+ type: string
+ description: 'The name format of the attribute. Supported values:'
+ enum:
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ x-enumDescriptions:
+ urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic
+ urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference
+ urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified
+ example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ type:
+ type: string
+ description: The type of attribute statements object
+ example: EXPRESSION
+ values:
+ type: array
+ description: The attribute values (supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/))
+ items:
+ type: string
+ example: ValueOne
+ SamlAttributeStatementGroup:
+ description: '`GROUP` attribute statements'
type: object
properties:
filterType:
type: string
+ description: The operation to filter groups based on `filterValue`
+ enum:
+ - STARTS_WITH
+ - EQUALS
+ - CONTAINS
+ - REGEX
filterValue:
type: string
+ description: Filter the groups based on a specific value.
+ example: Team
name:
type: string
+ description: The name of the group attribute in your app. The attribute name must be unique across all user and group attribute statements.
namespace:
type: string
+ description: 'The name format of the group attribute. Supported values:'
+ enum:
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:basic
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+ - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+ x-enumDescriptions:
+ urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic
+ urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference
+ urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified
+ example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
type:
type: string
- values:
+ description: The type of attribute statements object
+ example: GROUP
+ SamlCredentials:
+ description: Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP
+ type: object
+ properties:
+ signing:
+ $ref: '#/components/schemas/SamlSigningCredentials'
+ trust:
+ $ref: '#/components/schemas/SamlTrustCredentials'
+ SamlEndpointType:
+ description: Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata
+ default: INSTANCE
+ type: string
+ enum:
+ - INSTANCE
+ - ORG
+ SamlEndpoints:
+ description: SAML 2.0 HTTP binding settings for IdP and SP (Okta)
+ type: object
+ properties:
+ acs:
+ $ref: '#/components/schemas/SamlAcsEndpoint'
+ sso:
+ $ref: '#/components/schemas/SamlSsoEndpoint'
+ SamlNameIdFormat:
+ description: SAML 2.0 Name Identifier formats
+ default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ type: string
+ enum:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ SamlRelayState:
+ description: Relay state settings for IdP
+ type: object
+ properties:
+ format:
+ $ref: '#/components/schemas/SamlRelayStateFormat'
+ SamlRelayStateFormat:
+ description: The format used to generate the `relayState` in the SAML request. The `FROM_URL` format is used if this value is null.
+ type: string
+ enum:
+ - FROM_URL
+ - OPAQUE
+ SamlRequestAlgorithm:
+ description: Algorithm settings used to secure an `` message
+ type: object
+ properties:
+ signature:
+ $ref: '#/components/schemas/SamlRequestSignatureAlgorithm'
+ SamlRequestSignatureAlgorithm:
+ description: |-
+ XML digital Signature Algorithm settings for signing `` messages sent to the IdP
+ > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`).
+ type: object
+ properties:
+ algorithm:
+ $ref: '#/components/schemas/SamlSigningAlgorithm'
+ scope:
+ $ref: '#/components/schemas/ProtocolAlgorithmRequestScope'
+ SamlResponseAlgorithm:
+ description: Algorithm settings for verifying `` messages and `` elements from the IdP
+ type: object
+ properties:
+ signature:
+ $ref: '#/components/schemas/SamlResponseSignatureAlgorithm'
+ SamlResponseSignatureAlgorithm:
+ description: XML digital Signature Algorithm settings for verifying `` messages and `` elements from the IdP
+ type: object
+ properties:
+ algorithm:
+ $ref: '#/components/schemas/SamlSigningAlgorithm'
+ scope:
+ $ref: '#/components/schemas/ProtocolAlgorithmResponseScope'
+ SamlSettings:
+ description: Advanced settings for the SAML 2.0 protocol
+ type: object
+ properties:
+ honorPersistentNameId:
+ type: boolean
+ description: Determines if the IdP should persist account linking when the incoming assertion NameID format is `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
+ default: true
+ nameFormat:
+ $ref: '#/components/schemas/SamlNameIdFormat'
+ SamlSigningAlgorithm:
+ example: SHA-256
+ type: string
+ enum:
+ - SHA-1
+ - SHA-256
+ SamlSigningCredentials:
+ description: Key used for signing requests to the IdP
+ type: object
+ properties:
+ kid:
+ $ref: '#/components/schemas/ProtocolCredentialsKeyId'
+ SamlSpCertificate:
+ description: The certificate that Okta uses to validate Single Logout (SLO) requests and responses
+ type: object
+ properties:
+ x5c:
type: array
+ description: A list that contains exactly one x509 encoded certificate
items:
type: string
+ SamlSsoEndpoint:
+ description: IdP's `SingleSignOnService` endpoint where Okta sends an `` message
+ type: object
+ properties:
+ binding:
+ $ref: '#/components/schemas/ProtocolEndpointBinding'
+ destination:
+ type: string
+ description: |-
+ URI reference that indicates the address to which the `` message is sent.
+ The `destination` property is required if request signatures are specified. See [SAML 2.0 Request Algorithm object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request).
+ maxLength: 512
+ example: https://idp.example.com/saml2/sso
+ url:
+ type: string
+ description: |-
+ URL of the binding-specific endpoint to send an `` message to the IdP.
+ The value of `url` defaults to the same value as the `sso` endpoint if omitted during creation of a new IdP instance.
+ The `url` should be the same value as the `Location` attribute for a published binding in the IdP's SAML Metadata `IDPSSODescriptor`.
+ maxLength: 1014
+ example: https://idp.example.com/saml2/sso
+ SamlTrustCredentials:
+ description: Federation Trust Credentials for verifying assertions from the IdP
+ type: object
+ properties:
+ audience:
+ type: string
+ description: URI that identifies the target Okta IdP instance (SP) for an ``
+ maxLength: 1024
+ example: https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL
+ issuer:
+ type: string
+ description: URI that identifies the issuer (IdP) of a `` message `` element
+ maxLength: 1024
+ example: urn:example:idp
+ kid:
+ $ref: '#/components/schemas/ProtocolCredentialsKeyId'
ScheduledUserLifecycleAction:
type: object
properties:
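Review bot: In `SamlApplicationSettingsSignOn.authnContextClassRef` the enum value `oasis:names:tc:SAML:2.0:ac:classes:Kerberos` is the only entry without the `urn:` prefix (its `x-enumDescriptions` key repeats the same form); unless the service genuinely accepts the prefix-less string, this looks like a typo for `urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos`, and clients generated from the enum would send a value a Service Provider will not recognise. `SamlSpCertificate.x5c` describes "exactly one" certificate but sets no bounds — add `minItems: 1` and `maxItems: 1` so the contract is enforced rather than only described. `SamlSsoEndpoint.url` has `maxLength: 1014` while the neighbouring `destination` and `SamlTrustCredentials` URIs use 512/1024, which reads like a transposition of 1024 — confirm against the server-side limit. The `digestAlgorithm`, `signatureAlgorithm` and `SamlSigningAlgorithm` enums still offer `SHA1`/`RSA_SHA1`/`SHA-1` with no guidance; a one-line description note that these remain for legacy SP compatibility and that the SHA-256 variants are the recommended choice would steer integrators to the safe default. `SamlAttributeStatement` combines `anyOf` with a `discriminator`, which validators accept, but `oneOf` states the intent (exactly one of `EXPRESSION`/`GROUP`) more precisely.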
@@ -30391,16 +63285,48 @@ components:
$ref: '#/components/schemas/PasswordCredential'
revealPassword:
type: boolean
+ description: Allow users to securely see their password
scheme:
$ref: '#/components/schemas/ApplicationCredentialsScheme'
signing:
$ref: '#/components/schemas/ApplicationCredentialsSigning'
userName:
type: string
+ description: Shared username for the app
+ minLength: 1
+ maxLength: 100
+ Scope:
+ type: string
+ ScopeResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X
+ title:
+ type: string
+ description: Link name
+ example: My phone
+ ScreenLockComplexity:
+ description: |
+ Indicates whether a device has a screen lock set, and the type or complexity of the screen lock
+
+ **Note:** This option requires a `screenLockType.include` value.
+ type: string
+ enum:
+ - HIGH
+ - LOW
+ - MEDIUM
+ x-enumDescriptions:
+ LOW: A pattern or PIN is set
+ MEDIUM: A complex PIN, or alphabetic or alphanumeric screen lock with at least 4 digits is set
+ HIGH: A complex 8-digit PIN, or 6-character alphabetic or alphanumeric screen lock is set
ScreenLockType:
type: string
enum:
- BIOMETRIC
+ - NONE
- PASSCODE
SecurePasswordStoreApplication:
x-okta-defined-as:
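Review bot: The new `Scope` schema is a bare `type: string` with no description, so generated docs and SDKs give no hint whether it carries a scope name or a scope id; add a description (for example `description: Name of an OAuth 2.0 scope`, if that is what it holds) or reference the existing scope schema if one applies. In `ScopeResourceHrefObject`, the `title` example `My phone` does not fit a link whose `href` example points at `/authorizationServers/.../scopes/...` and looks copied from a factor or device link object; a scope-like title would avoid misleading readers. The `revealPassword` description "Allow users to securely see their password" leaves open whose password and where it is shown — presumably the shared app credential surfaced to assigned end users; confirm and state it, since this flag governs secret exposure.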
@@ -30413,9 +63339,14 @@ components:
$ref: '#/components/schemas/SchemeApplicationCredentials'
name:
type: string
- default: template_sps
+ description: '`template_sps` is the key name for a SWA app instance that uses HTTP POST and doesn''t require a browser plugin'
+ enum:
+ - template_sps
settings:
$ref: '#/components/schemas/SecurePasswordStoreApplicationSettings'
+ required:
+ - name
+ - settings
SecurePasswordStoreApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
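Review bot: Dropping `default: template_sps` on `name` while adding `name` to `required` (L106812–L106819) turns an optional-with-default field into a mandatory one, which breaks clients that relied on the default and changes generated SDK constructors. If the server still fills in `template_sps` when the field is omitted, keeping `default: template_sps` next to the new `enum` and leaving `name` out of `required` preserves compatibility; if the server now rejects an omitted `name`, the change is correct and only needs a changelog note. The enclosing `SecurePasswordStoreApplication` schema starts outside this hunk.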
@@ -30428,47 +63359,272 @@ components:
properties:
optionalField1:
type: string
+ description: Name of the optional parameter in the sign-in form
optionalField1Value:
type: string
+ description: Name of the optional value in the sign-in form
optionalField2:
type: string
+ description: Name of the optional parameter in the sign-in form
optionalField2Value:
type: string
+ description: Name of the optional value in the sign-in form
optionalField3:
type: string
+ description: Name of the optional parameter in the sign-in form
optionalField3Value:
type: string
+ description: Name of the optional value in the sign-in form
passwordField:
type: string
+ description: CSS selector for the **Password** field in the sign-in form
url:
type: string
+ description: The URL of the sign-in page for this app
usernameField:
type: string
- SecurityQuestion:
+ description: CSS selector for the **Username** field in the sign-in form
+ required:
+ - passwordField
+ - url
+ - usernameField
+ SecurityEvent:
type: object
properties:
- answer:
+ event_timestamp:
+ type: integer
+ format: int64
+ description: The time of the event (UNIX timestamp)
+ example: 1702448550
+ subject:
+ $ref: '#/components/schemas/SecurityEventSubject'
+ required:
+ - event_timestamp
+ - subject
+ SecurityEventReason:
+ type: object
+ properties:
+ en:
type: string
- question:
+ description: The event reason in English
+ example: Event message example
+ required:
+ - en
+ SecurityEventSubject:
+ description: The event subjects
+ properties:
+ device:
+ type: object
+ description: The device involved with the event
+ tenant:
+ type: object
+ description: The tenant involved with the event
+ user:
+ type: object
+ description: The user involved with the event
+ SecurityEventTokenError:
+ title: Security Event Token Error
+ description: Error object thrown when parsing the Security Event Token
+ type: object
+ properties:
+ description:
type: string
- questionText:
+ description: |
+ Describes the error
+ > **Note:** SET claim fields with underscores (snake case) are presented in camelcase. For example, `previous_status` appears as `previousStatus`.
+ example: 'Failed claim validation in security event token. ''events.mediationDeviceComplianceChangeEvent.previousStatus'': The field cannot be left blank'
+ err:
type: string
- SecurityQuestionUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/SecurityQuestionUserFactorProfile'
- SecurityQuestionUserFactorProfile:
+ description: A code that describes the category of the error
+ example: invalid_request
+ enum:
+ - authentication_failed
+ - invalid_audience
+ - invalid_issuer
+ - invalid_key
+ - invalid_request
+ SecurityEventTokenRequestJwtBody:
+ title: Security Event Token JWT body payload
+ x-tags:
+ - SSFSecurityEventToken
+ description: JSON Web Token body payload for a Security Event Token
type: object
properties:
- answer:
+ aud:
type: string
- question:
+ description: Audience
+ example: https://receiverexample.okta.com/
+ events:
+ $ref: '#/components/schemas/SecurityEventTokenRequestJwtEvents'
+ iat:
+ type: integer
+ format: int64
+ description: Token issue time (UNIX timestamp)
+ example: 1702448550
+ iss:
type: string
- questionText:
+ description: Token issuer
+ example: https://transmitter.example.com
+ jti:
+ type: string
+ description: Token ID
+ example: 24c63fb56f ... a9fa24
+ required:
+ - iss
+ - aud
+ - jti
+ - iat
+ - events
+ SecurityEventTokenRequestJwtEvents:
+ description: A non-empty collection of events
+ type: object
+ properties:
+ https://schemas.okta.com/secevent/okta/event-type/device-risk-change:
+ $ref: '#/components/schemas/OktaDeviceRiskChangeEvent'
+ https://schemas.okta.com/secevent/okta/event-type/ip-change:
+ $ref: '#/components/schemas/OktaIpChangeEvent'
+ https://schemas.okta.com/secevent/okta/event-type/user-risk-change:
+ $ref: '#/components/schemas/OktaUserRiskChangeEvent'
+ https://schemas.openid.net/secevent/caep/event-type/device-compliance-change:
+ $ref: '#/components/schemas/CaepDeviceComplianceChangeEvent'
+ https://schemas.openid.net/secevent/caep/event-type/session-revoked:
+ $ref: '#/components/schemas/CaepSessionRevokedEvent'
+ https://schemas.openid.net/secevent/risc/event-type/identifier-changed:
+ $ref: '#/components/schemas/RiscIdentifierChangedEvent'
+ SecurityEventTokenRequestJwtHeader:
+ title: Security Event Token JWT header
+ x-tags:
+ - SSFSecurityEventToken
+ description: JSON Web Token header for a Security Event Token
+ type: object
+ properties:
+ alg:
+ type: string
+ description: Algorithm used to sign or encrypt the JWT
+ example: RS256
+ kid:
+ type: string
+ description: Key ID used to sign or encrypt the JWT
+ typ:
+ type: string
+ description: The type of content being signed or encrypted
+ example: secevent+jwt
+ required:
+ - kid
+ - typ
+ - alg
+ SecurityEventsProviderRequest:
+ title: Security Events Provider Request
+ description: The request schema for creating or updating a Security Events Provider. The `settings` must match one of the schemas.
+ type: object
+ properties:
+ name:
+ description: The name of the Security Events Provider instance
+ type: string
+ maxLength: 100
+ example: Target SSF Provider
+ settings:
+ type: object
+ description: Information about the Security Events Provider for signal ingestion
+ oneOf:
+ - $ref: '#/components/schemas/SecurityEventsProviderSettingsSSFCompliant'
+ - $ref: '#/components/schemas/SecurityEventsProviderSettingsNonSSFCompliant'
+ type:
+ description: The application type of the Security Events Provider
+ maxLength: 255
+ type: string
+ example: okta
+ required:
+ - name
+ - settings
+ - type
+ SecurityEventsProviderResponse:
+ title: Security Events Provider Response
+ description: The Security Events Provider response
+ type: object
+ properties:
+ id:
+ description: The unique identifier of this instance
+ type: string
+ readOnly: true
+ example: sse1qg25RpusjUP6m0g5
+ name:
+ description: The name of the Security Events Provider instance
+ type: string
+ maxLength: 100
+ example: Target SSF Provider
+ settings:
+ description: Information about the Security Events Provider for signal ingestion
+ $ref: '#/components/schemas/SecurityEventsProviderSettingsResponse'
+ status:
+ description: Indicates whether the Security Events Provider is active or not
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ readOnly: true
+ type:
+ description: The application type of the Security Events Provider
+ maxLength: 255
+ type: string
+ example: okta
+ _links:
+ $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ SecurityEventsProviderSettingsNonSSFCompliant:
+ title: Provider with issuer and JWKS settings
+ description: Security Events Provider with issuer and JWKS settings for signal ingestion
+ type: object
+ properties:
+ issuer:
+ type: string
+ description: Issuer URL
+ maxLength: 700
+ example: example.okta.com
+ jwks_url:
+ type: string
+ format: url
+ description: The public URL where the JWKS public key is uploaded
+ maxLength: 1000
+ example: https://example.okta.com/oauth2/v1/keys
+ required:
+ - jwks_url
+ - issuer
+ SecurityEventsProviderSettingsResponse:
+ title: Security Events Provider settings
+ description: Security Events Provider settings
+ type: object
+ properties:
+ issuer:
+ type: string
+ description: Issuer URL
+ maxLength: 700
+ example: example.okta.com
+ jwks_url:
+ type: string
+ format: url
+ description: The public URL where the JWKS public key is uploaded
+ maxLength: 1000
+ example: https://example.okta.com/oauth2/v1/keys
+ well_known_url:
+ type: string
+ format: url
+ description: The well-known URL of the Security Events Provider (the SSF transmitter)
+ nullable: true
+ maxLength: 1000
+ example: https://example.okta.com/.well-known/ssf-configuration
+ SecurityEventsProviderSettingsSSFCompliant:
+ title: Provider with well-known URL setting
+ description: Security Events Provider with well-known URL setting
+ type: object
+ properties:
+ well_known_url:
type: string
+ format: url
+ description: The published well-known URL of the Security Events Provider (the SSF transmitter)
+ maxLength: 1000
+ example: https://example.okta.com/.well-known/ssf-configuration
+ required:
+ - well_known_url
SeedEnum:
description: Determines whether the generated password is the user's Okta password or a randomly generated password
default: RANDOM
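Review bot: `format: url` on `jwks_url` and `well_known_url` (L107066, L107085, L107091, L107103) is not an OpenAPI-defined string format; the rest of this file uses `format: uri` (for example on `StreamConfiguration.aud`), and validators that honour formats will silently skip the unknown one. The `issuer` example `example.okta.com` (L107063, L107082) is a bare host although the field is described as `Issuer URL` and the SET body's `iss` example is `https://transmitter.example.com`; if the stored issuer is compared verbatim against the token's `iss` claim, a scheme-less example invites configurations that never match, so `example: https://example.okta.com` plus a sentence stating that the value must equal the transmitter's `iss` would help. `SecurityEventSubject` (L106882) also lacks the `type: object` its siblings declare, and its `device`/`tenant`/`user` members are unconstrained objects; if the subject identifier shape is known, referencing it here would let validation reject malformed subjects instead of accepting any object. The `jti` example `24c63fb56f ... a9fa24` (L106952) renders the literal ellipsis in generated docs; a full sample value would be cleaner.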
@@ -30478,19 +63634,18 @@ components:
- OKTA
- RANDOM
SelfServicePasswordResetAction:
- allOf:
- - $ref: '#/components/schemas/PasswordPolicyRuleAction'
- - type: object
- - description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset
- properties:
- type:
- type: string
- readOnly: true
- description: The type of rule action
- enum:
- - selfServicePasswordReset
- requirement:
- $ref: '#/components/schemas/SsprRequirement'
+ description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset
+ type: object
+ properties:
+ access:
+ $ref: '#/components/schemas/PolicyAccess'
+ requirement:
+ $ref: '#/components/schemas/SsprRequirement'
+ type:
+ type: string
+ description: The type of rule action
+ enum:
+ - selfServicePasswordReset
Session:
type: object
properties:
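Review bot: The rewritten `SelfServicePasswordResetAction.type` (L107136–L107140) drops the `readOnly: true` that the removed version carried, so generated clients will now be told they may send `type` in requests; if the server still sets or ignores it, `readOnly: true` should be restored, and if it is now client-settable the description should say so. The schema also declares no `required` list, so nothing indicates whether `access` or `requirement` must accompany the action, whereas the other new schemas in this change list their required members explicitly.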
@@ -30594,6 +63749,7 @@ components:
MFA_REQUIRED: The Session is established, but requires second factor verification.
MFA_ENROLL: The Session is established, but the user needs to enroll a second factor.
ShowSignInWithOV:
+ description: Controls whether to show the Sign in with Okta Verify button on the Sign-In Widget
type: string
enum:
- ALWAYS
@@ -30610,443 +63766,2064 @@ components:
properties:
signInLabel:
type: string
+ description: The label for the sign in widget
usernameLabel:
type: string
+ description: The label for the username field
usernameInfoTip:
type: string
+ description: The label for the username information tip
passwordLabel:
type: string
+ description: The label for the password field
passwordInfoTip:
type: string
+ description: The label for the password information tip
showPasswordVisibilityToggle:
type: boolean
+ description: Allows users to see their passwords as they type
showUserIdentifier:
type: boolean
+ description: Allows the user's identifier to appear on authentication and enrollment pages
forgotPasswordLabel:
type: string
+ description: The label for the forgot password page
forgotPasswordUrl:
type: string
+ description: The forgot password URL
unlockAccountLabel:
type: string
+ description: The label for the unlock account link
unlockAccountUrl:
type: string
+ description: The unlock account URL
helpLabel:
type: string
+ description: The label for the help link
helpUrl:
type: string
+ description: The help link URL
customLink1Label:
type: string
+ description: The label for the first custom link
customLink1Url:
type: string
+ description: The URL for the first custom link
customLink2Label:
type: string
+ description: The label for the second custom link
customLink2Url:
type: string
+ description: The URL for the second custom link
authenticatorPageCustomLinkLabel:
type: string
+ description: The label for the authenticator page custom link
authenticatorPageCustomLinkUrl:
type: string
+ description: The URL for the authenticator page custom link
classicRecoveryFlowEmailOrUsernameLabel:
type: string
+ description: The label for the username field in the classic recovery flow
+ widgetGeneration:
+ $ref: '#/components/schemas/WidgetGeneration'
widgetVersion:
$ref: '#/components/schemas/Version'
SignInPageTouchPointVariant:
+ description: |
+ Variant for the Okta sign-in page. You can publish a theme for sign-in page with different combinations of assets. Variants are preset combinations of those assets.
+ > **Note:** For a non-`OKTA_DEFAULT` variant, `primaryColorHex` is used for button background color and `primaryColorContrastHex` is used to optimize the opacity for button text.
+ type: string
+ enum:
+ - BACKGROUND_IMAGE
+ - BACKGROUND_SECONDARY_COLOR
+ - OKTA_DEFAULT
+ x-enumDescriptions:
+ BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the Theme
+ BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the Theme. Uses `secondaryColorHex` as the background color for the Okta sign-in page.
+ OKTA_DEFAULT: Uses the Okta logo and favicon with no background image. Uses the Okta colors on the Okta sign-in page.
+ SignOnInlineHook:
+ properties:
+ id:
+ type: string
+ readOnly: false
+ SigningAlgorithm:
+ type: string
+ enum:
+ - ES256
+ - ES384
+ - ES512
+ - HS256
+ - HS384
+ - HS512
+ - RS256
+ - RS384
+ - RS512
+ SimulatePolicyBody:
+ description: The request body required for a simulate policy operation
+ type: object
+ properties:
+ appInstance:
+ type: string
+ description: The application instance ID for a simulate operation
+ policyContext:
+ $ref: '#/components/schemas/PolicyContext'
+ policyTypes:
+ type: array
+ description: Supported policy types for a simulate operation. The default value, `null`, returns all types.
+ items:
+ $ref: '#/components/schemas/PolicyTypeSimulation'
+ required:
+ - appInstance
+ SimulatePolicyEvaluations:
+ type: object
+ properties:
+ evaluated:
+ type: object
+ description: A list of evaluated but not matched policies and rules
+ properties:
+ policies:
+ $ref: '#/components/schemas/SimulateResultPolicies'
+ policyType:
+ type: array
+ description: The policy type of the simulate operation
+ items:
+ $ref: '#/components/schemas/PolicyTypeSimulation'
+ result:
+ $ref: '#/components/schemas/SimulatePolicyResult'
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ undefined:
+ type: object
+ description: A list of undefined but not matched policies and rules
+ properties:
+ policies:
+ $ref: '#/components/schemas/SimulateResultPolicies'
+ SimulatePolicyResponse:
+ description: The response body returned for a simulate policy operation. An array of `evaluations`.
+ items:
+ $ref: '#/components/schemas/SimulatePolicyEvaluations'
+ type: array
+ SimulatePolicyResult:
+ description: The result of the policy evaluation
+ type: object
+ properties:
+ policies:
+ $ref: '#/components/schemas/SimulateResultPolicies'
+ SimulateResultConditions:
+ type: object
+ properties:
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ type:
+ type: string
+ description: The type of condition
+ SimulateResultPolicies:
+ items:
+ $ref: '#/components/schemas/SimulateResultPoliciesItems'
+ type: array
+ SimulateResultPoliciesItems:
+ type: object
+ properties:
+ conditions:
+ type: array
+ description: List of all conditions involved for this policy evaluation
+ items:
+ $ref: '#/components/schemas/SimulateResultConditions'
+ id:
+ type: string
+ description: ID of the specified policy type
+ name:
+ type: string
+ description: Policy name
+ rules:
+ type: array
+ items:
+ $ref: '#/components/schemas/SimulateResultRules'
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ SimulateResultRules:
+ type: object
+ properties:
+ conditions:
+ type: array
+ description: List of all conditions involved for this rule evaluation
+ items:
+ $ref: '#/components/schemas/SimulateResultConditions'
+ id:
+ type: string
+ description: The unique ID number of the policy rule
+ name:
+ type: string
+ description: The name of the policy rule
+ status:
+ $ref: '#/components/schemas/SimulateResultStatus'
+ SimulateResultStatus:
+ description: The result of this entity evaluation
+ type: string
+ enum:
+ - MATCH
+ - NOT_MATCH
+ - UNDEFINED
+ SingleLogout:
+ description: Determines if the app supports Single Logout (SLO)
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ description: Whether the application supports SLO
+ issuer:
+ type: string
+ description: The issuer of the Service Provider that generates the SLO request
+ logoutUrl:
+ type: string
+ description: The location where the logout response is sent
+ SlackApplication:
+ title: Slack
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: slack
+ example:
+ name: slack
+ label: Sample Slack App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ domain: my-company-domain
+ description: |
+ Schema for the Slack app (key name: `slack`)
+
+ To create a Slack app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Slack app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - slack
+ example: slack
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_2_0
+ settings:
+ $ref: '#/components/schemas/SlackApplicationSettings'
+ SlackApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/SlackApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ SlackApplicationSettingsApplication:
+ description: Slack app instance properties
+ type: object
+ properties:
+ domain:
+ type: string
+ description: The Slack app domain name
+ userEmailValue:
+ type: string
+ description: The `User.Email` attribute value
+ required:
+ - domain
+ SloParticipate:
+ description: Determines if the app participates in Single Logout (SLO)
+ type: object
+ properties:
+ bindingType:
+ type: string
+ description: Request binding type
+ enum:
+ - POST
+ - REDIRECT
+ enabled:
+ type: boolean
+ description: Indicates whether the app is allowed to participate in front-channel SLO
+ logoutRequestUrl:
+ type: string
+ description: URL where Okta sends the logout request
+ sessionIndexRequired:
+ type: boolean
+ description: Determines whether Okta sends the `SessionIndex` elements in the logout request
+ SmsTemplate:
+ type: object
+ properties:
+ created:
+ type: string
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ readOnly: true
+ lastUpdated:
+ type: string
+ format: date-time
+ readOnly: true
+ name:
+ type: string
+ description: Human-readable name of the Template
+ maxLength: 50
+ minLength: 1
+ template:
+ type: string
+ description: Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/)
+ maxLength: 161
+ minLength: 1
+ translations:
+ $ref: '#/components/schemas/SmsTemplateTranslations'
+ type:
+ $ref: '#/components/schemas/SmsTemplateType'
+ SmsTemplateTranslations:
+ description: |
+ - Template translations are optionally provided when you want to localize the SMS messages. Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template.
+ - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters.
+ type: object
+ x-okta-extensible: true
+ SmsTemplateType:
+ description: Type of the Template
+ maxLength: 50
+ minLength: 1
+ type: string
+ enum:
+ - SMS_VERIFY_CODE
+ SocialAuthToken:
+ description: The Social Authentication Token object provides the tokens and associated metadata provided by social providers during social authentication.
+ type: object
+ properties:
+ expiresAt:
+ $ref: '#/components/schemas/ExpiresAt'
+ id:
+ type: string
+ description: Unique identifier for the token
+ readOnly: true
+ example: NXp9GaX1eOA-XVF_H9fn2Q
+ scopes:
+ type: array
+ description: The scopes that the token is good for
+ readOnly: true
+ items:
+ type: string
+ example:
+ - openid
+ - foo
+ token:
+ type: string
+ description: The raw token
+ readOnly: true
+ example: JBTWGV22G4ZGKV3N
+ tokenAuthScheme:
+ type: string
+ readOnly: true
+ description: The token authentication scheme as defined by the social provider
+ example: Bearer
+ tokenType:
+ type: string
+ readOnly: true
+ description: The type of token defined by the [OAuth Token Exchange Spec](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#section-3)
+ example: urn:ietf:params:oauth:token-type:access_token
+ SourceLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: The associated schema
+ SplunkEdition:
+ description: Edition of the Splunk Cloud instance
+ example: aws
+ type: string
+ enum:
+ - aws
+ - aws_govcloud
+ - gcp
+ SplunkHost:
+ description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`'
+ minLength: 17
+ maxLength: 116
+ example: acme.splunkcloud.com
+ type: string
+ SplunkToken:
+ description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned.
+ example: 11111111-1111-2222-2222-222222222222
+ writeOnly: true
+ type: string
+ pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$
+ Sso:
+ description: 'Supported SSO protocol configurations. You must configure at least one protocol: `oidc` or `saml`'
+ type: object
+ properties:
+ oidc:
+ $ref: '#/components/schemas/Oidc'
+ saml:
+ $ref: '#/components/schemas/Saml'
+ SsprPrimaryRequirement:
+ description: Defines the authenticators permitted for the initial authentication step of password recovery
+ type: object
+ properties:
+ methodConstraints:
+ description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint.
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodConstraint'
+ methods:
+ type: array
+ description: Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator.
+ items:
+ type: string
+ enum:
+ - push
+ - sms
+ - voice
+ - email
+ - otp
+ SsprRequirement:
+ description: Describes the initial and secondary authenticator requirements a user needs to reset their password
+ type: object
+ properties:
+ accessControl:
+ description: Determines which authentication requirements a user needs to perform self-service operations. `AUTH_POLICY` defers conditions and authentication requirements to the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). `LEGACY` refers to the requirements described by this rule.
+ type: string
+ enum:
+ - AUTH_POLICY
+ - LEGACY
+ primary:
+ $ref: '#/components/schemas/SsprPrimaryRequirement'
+ stepUp:
+ $ref: '#/components/schemas/SsprStepUpRequirement'
+ SsprStepUpRequirement:
+ description: |-
+ Defines the secondary authenticators needed for password reset if `required` is true. The following are three valid configurations:
+ * `required`=false
+ * `required`=true with no methods to use any SSO authenticator
+ * `required`=true with `security_question` as the method
+ type: object
+ properties:
+ methods:
+ description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication.
+ type: array
+ items:
+ type: string
+ enum:
+ - security_question
+ required:
+ type: boolean
+ StandardRole:
+ title: Standard Role Assignment
+ type: object
+ properties:
+ assignmentType:
+ $ref: '#/components/schemas/RoleAssignmentType'
+ created:
+ type: string
+ description: Timestamp when the object was created
+ format: date-time
+ readOnly: true
+ id:
+ type: string
+ description: Role Assignment ID
+ readOnly: true
+ label:
+ type: string
+ description: Label for the Role Assignment
+ readOnly: true
+ lastUpdated:
+ type: string
+ description: Timestamp when the object was last updated
+ format: date-time
+ readOnly: true
+ status:
+ allOf:
+ - $ref: '#/components/schemas/LifecycleStatus'
+ - description: Status of the Role Assignment
+ type:
+ $ref: '#/components/schemas/RoleType'
+ _embedded:
+ type: object
+ description: Optional embedded resources for the Role Assignment
+ properties:
+ targets:
+ type: object
+ description: Targets configured for the Role Assignment
+ properties:
+ groups:
+ type: array
+ description: Group targets
+ items:
+ $ref: '#/components/schemas/Group'
+ catalog:
+ description: App targets
+ properties:
+ apps:
+ type: array
+ items:
+ $ref: '#/components/schemas/CatalogApplication'
+ _links:
+ $ref: '#/components/schemas/LinksAssignee'
+ StandardRoleAssignmentSchema:
+ title: Standard Role
+ type: object
+ properties:
+ type:
+ type: string
+ description: Specify the standard or IAM-based role type. See [standard roles](/openapi/okta-management/guides/roles/#standard-roles).
+ StreamConfiguration:
+ title: Stream Configuration
+ type: object
+ properties:
+ aud:
+ oneOf:
+ - type: string
+ format: uri
+ example: https://example.com
+ - type: array
+ items:
+ type: string
+ format: uri
+ example: https://example.com
+ description: |-
+ The audience used in the SET. This value is set as `aud` in the claim.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example: https://example.com
+ delivery:
+ $ref: '#/components/schemas/StreamConfigurationDelivery'
+ events_delivered:
+ type: array
+ items:
+ type: string
+ format: uri
+ description: |-
+ The events (mapped by the array of event type URIs) that the transmitter actually delivers to the SSF Stream.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_requested:
+ type: array
+ maxItems: 50
+ items:
+ type: string
+ format: uri
+ maxLength: 256
+ description: The events (mapped by the array of event type URIs) that the receiver wants to receive
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ events_supported:
+ type: array
+ items:
+ type: string
+ format: uri
+ description: |-
+ An array of event type URIs that the transmitter supports.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ format:
+ type: string
+ description: The Subject Identifier format expected for any SET transmitted.
+ enum:
+ - iss_sub
+ iss:
+ type: string
+ description: |-
+ The issuer used in Security Event Tokens (SETs). This value is set as `iss` in the claim.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ example: https://{yourOktaDomain}
+ min_verification_interval:
+ type: integer
+ nullable: true
+ example: 60
+ description: |-
+ The minimum amount of time, in seconds, between two verification requests.
+
+ A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter.
+ stream_id:
+ type: string
+ description: The ID of the SSF Stream configuration
+ example: esc1k235GIIztAuGK0g5
+ required:
+ - events_requested
+ - delivery
+ StreamConfigurationCreateRequest:
+ title: Stream Configuration Create Request
+ type: object
+ properties:
+ delivery:
+ $ref: '#/components/schemas/StreamConfigurationDelivery'
+ events_requested:
+ type: array
+ maxItems: 50
+ items:
+ type: string
+ format: uri
+ maxLength: 256
+ description: The events (mapped by the array of event type URIs) that the receiver wants to receive
+ example:
+ - https://schemas.openid.net/secevent/caep/event-type/session-revoked
+ - https://schemas.openid.net/secevent/caep/event-type/credential-change
+ format:
+ type: string
+ description: The Subject Identifier format expected for any SET transmitted.
+ enum:
+ - iss_sub
+ required:
+ - events_requested
+ - delivery
+ StreamConfigurationDelivery:
+ title: Stream Configuration Delivery
+ description: Contains information about the intended SET delivery method by the receiver
+ type: object
+ properties:
+ authorization_header:
+ type: string
+ description: The HTTP Authorization header that is included for each HTTP POST request
+ example: '{authorizationHeaderValue}'
+ nullable: true
+ maxLength: 8192
+ endpoint_url:
+ type: string
+ format: uri
+ description: The target endpoint URL where the transmitter delivers the SET using HTTP POST requests
+ example: https://example.com/
+ maxLength: 2048
+ method:
+ type: string
+ description: The delivery method that the transmitter uses for delivering a SET
+ enum:
+ - https://schemas.openid.net/secevent/risc/delivery-method/push
+ - urn:ietf:rfc:8935
+ required:
+ - method
+ - endpoint_url
+ SubjectType:
+ type: string
+ enum:
+ - pairwise
+ - public
+ SubmissionRequest:
+ allOf:
+ - $ref: '#/components/schemas/SubmissionResponse'
+ required:
+ - name
+ - description
+ - logo
+ SubmissionResponse:
+ type: object
+ properties:
+ config:
+ type: array
+ description: 'List of org-level variables for the customer per-tenant configuration. For example, a `subdomain` variable can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`'
+ items:
+ type: object
+ properties:
+ label:
+ type: string
+ description: Display name of the variable in the Admin Console
+ example: Subdomain
+ name:
+ type: string
+ maxLength: 1024
+ minLength: 1
+ description: Name of the variable
+ example: subdomain
+ description:
+ type: string
+ maxLength: 1024
+ minLength: 1
+ description: A general description of your application and the benefits provided to your customers
+ example: Your one source for in-season strawberry deals. Okta's Strawberry Central integration allow users to securely access those sweet deals.
+ id:
+ type: string
+ description: OIN Integration ID
+ readOnly: true
+ example: acme_submissionapp_1
+ lastPublished:
+ type: string
+ description: Timestamp when the OIN Integration was last published
+ readOnly: true
+ example: '2023-08-24T14:15:22.000Z'
+ lastUpdated:
+ type: string
+ description: Timestamp when the OIN Integration instance was last updated
+ readOnly: true
+ example: '2023-08-24T14:15:22.000Z'
+ lastUpdatedBy:
+ type: string
+ description: ID of the user who made the last update
+ readOnly: true
+ example: 00ub0oNGTSWTBKOLGLNR
+ logo:
+ type: string
+ format: uri
+ description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. You must first [Upload an OIN Integration logo](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/uploadSubmissionLogo) to obtain the logo URL before you can specify this value.
+ example: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4
+ name:
+ type: string
+ maxLength: 64
+ minLength: 1
+ description: The app integration name. This is the main title used for your integration in the OIN catalog.
+ example: Strawberry Central
+ sso:
+ $ref: '#/components/schemas/Sso'
+ status:
+ type: string
+ description: Status of the OIN Integration submission
+ readOnly: true
+ example: New
+ Subscription:
+ type: object
+ properties:
+ channels:
+ description: |-
+ An array of sources send notifications to users.
+ > **Note**: Currently, Okta only allows `email` channels.
+ items:
+ type: string
+ type: array
+ notificationType:
+ $ref: '#/components/schemas/NotificationType'
+ status:
+ $ref: '#/components/schemas/SubscriptionStatus'
+ _links:
+ type: object
+ description: Discoverable resources related to the subscription
+ properties:
+ self:
+ $ref: '#/components/schemas/HrefObject'
+ readOnly: true
+ SubscriptionStatus:
+ description: The status of the subscription
type: string
enum:
- - BACKGROUND_IMAGE
- - BACKGROUND_SECONDARY_COLOR
- - OKTA_DEFAULT
- SignOnInlineHook:
+ - subscribed
+ - unsubscribed
+ SupportedMethods:
+ description: The supported methods of an Authenticator
+ type: object
properties:
- id:
+ settings:
+ type: object
+ properties:
+ keyProtection:
+ $ref: '#/components/schemas/PushMethodKeyProtection'
+ algorithms:
+ description: The encryption algorithm for this authenticator method
+ type: array
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodAlgorithm'
+ transactionTypes:
+ type: array
+ description: The transaction type for this authenticator method
+ items:
+ $ref: '#/components/schemas/AuthenticatorMethodTransactionType'
+ status:
+ description: The status of the authenticator method
+ $ref: '#/components/schemas/LifecycleStatus'
+ type:
type: string
- readOnly: false
- SimulatePolicyBody:
+ description: The type of authenticator method
+ enum:
+ - push
+ SwaApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ properties:
+ app:
+ $ref: '#/components/schemas/SwaApplicationSettingsApplication'
+ SwaApplicationSettingsApplication:
type: object
- description: The request body required for a simulate policy operation.
properties:
- policyTypes:
- type: array
- description: Supported policy types for a simulate operation. The default value, `null`, returns all types.
- items:
- $ref: '#/components/schemas/PolicyType'
- appInstance:
+ buttonField:
type: string
- description: The application instance ID for a simulate operation
- policyContext:
- $ref: '#/components/schemas/PolicyContext'
+ description: CSS selector for the **Sign-In** button in the sign-in form (for SWA apps with the `template_swa` app name definition)
+ buttonSelector:
+ type: string
+ description: CSS selector for the **Sign-In** button in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition)
+ extraFieldSelector:
+ type: string
+ description: Enter the CSS selector for the extra field (for three-field SWA apps with the `template_swa3field` app name definition).
+ extraFieldValue:
+ type: string
+ description: Enter the value for the extra field in the form (for three-field SWA apps with the `template_swa3field` app name definition).
+ loginUrlRegex:
+ type: string
+ description: A regular expression that further restricts targetURL to the specified regular expression
+ passwordField:
+ type: string
+ description: CSS selector for the **Password** field in the sign-in form (for SWA apps with the `template_swa` app name definition)
+ passwordSelector:
+ type: string
+ description: CSS selector for the **Password** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition)
+ targetURL:
+ type: string
+ description: The URL of the sign-in page for this app (for three-field SWA apps with the `template_swa3field` app name definition)
+ url:
+ type: string
+ description: The URL of the sign-in page for this app (for SWA apps with the `template_swa` app name definition)
+ usernameField:
+ type: string
+ description: CSS selector for the **Username** field in the sign-in form (for SWA apps with the `template_swa` app name definition)
+ userNameSelector:
+ type: string
+ description: CSS selector for the **Username** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition)
required:
- - appInstance
- SimulatePolicyEvaluations:
+ - buttonField
+ - passwordField
+ - usernameField
+ - url
+ TelephonyRequest:
type: object
properties:
- status:
+ data:
+ $ref: '#/components/schemas/TelephonyRequestData'
+ eventType:
type: string
- description: The result of this entity evaluation
- enum:
- - MATCH
- - NOT_MATCH
- - UNDEFINED
- policyType:
- type: array
- description: The policy type of the simulate operation
- items:
- $ref: '#/components/schemas/PolicyType'
- result:
- $ref: "#/components/schemas/SimulatePolicyResult"
- undefined:
+ description: The type of inline hook. The Telephony inline hook type is `com.okta.telephony.provider`.
+ requestType:
+ type: string
+ description: The type of inline hook request. For example, `com.okta.user.telephony.pre-enrollment`.
+ source:
+ description: The ID and URL of the Telephony inline hook
+ type: string
+ TelephonyRequestData:
+ type: object
+ properties:
+ context:
type: object
- description: A list of undefined but not matched policies and rules
properties:
- policies:
- $ref: "#/components/schemas/SimulateResultPolicies"
- evaluated:
+ request:
+ $ref: '#/components/schemas/InlineHookRequestObject'
+ messageProfile:
type: object
- description: A list of evaluated but not matched policies and rules
+ description: Message profile specifies information about the telephony (sms/voice) message to be sent to the Okta user
properties:
- policies:
- $ref: "#/components/schemas/SimulateResultPolicies"
- SimulatePolicyResponse:
- description: The response body returned for a simulate policy operation. An array of `evaluations`.
- items:
- $ref: '#/components/schemas/SimulatePolicyEvaluations'
- type: array
- SimulatePolicyResult:
- description: The result of the policy evaluation
+ msgTemplate:
+ description: Default or Okta org configured sms or voice message template
+ type: string
+ phoneNumber:
+ description: The Okta's user's phone number
+ type: string
+ otpExpires:
+ description: The time when OTP expires
+ type: string
+ deliveryChannel:
+ description: The channel for OTP delivery - SMS or voice
+ type: string
+ otpCode:
+ description: The OTP code requested by the Okta user
+ type: string
+ locale:
+ description: The locale associated with the Okta user
+ type: string
+ userProfile:
+ type: object
+ description: User profile specifies information about the Okta user
+ properties:
+ firstName:
+ description: The user's first name
+ type: string
+ lastName:
+ description: The user's last name
+ type: string
+ login:
+ description: The user's Okta login
+ type: string
+ userId:
+ description: The user's Okta user ID
+ type: string
+ TelephonyRequestExecute:
+ description: Telephony inline hook request body
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/TelephonyRequest'
+ TelephonyResponse:
+ description: Telephony inline hook response
type: object
properties:
- policies:
- $ref: '#/components/schemas/SimulateResultPolicies'
- SimulateResultConditions:
+ commands:
+ description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the Telephony inline hook, you typically only return one `commands` object with one array element in it.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ description: The location where you specify the command. For the Telephony inline hook, there's only one command, `com.okta.telephony.action`.
+ type: string
+ value:
+ description: The status of the telephony operation along with optional additional information about the provider, transaction ID and any other transaction metadata.
+ type: array
+ items:
+ type: object
+ properties:
+ status:
+ type: string
+ description: Status of telephony callout
+ enum:
+ - SUCCESSFUL
+ - PENDING
+ - FAILED
+ x-enumDescriptions:
+ SUCCESSFUL: External web service was able to deliver the OTP to the Requester.
+ PENDING: External web service wasn't able to confirm delivery of the OTP to the Requester.
+ FAILED: External web service was unable to deliver the OTP to the Requester.
+ provider:
+ type: string
+ description: Telephony provider for sms/voice
+ transactionId:
+ type: string
+ description: Transaction ID for sms/voice
+ transactionMetadata:
+ type: string
+ description: Any relevant metadata for the telephony transaction
+ TempPassword:
type: object
properties:
- status:
+ tempPassword:
type: string
- description: The result of the entity evaluation
- enum:
- - MATCH
- - UNMATCHED
- - UNDEFINED
- type:
+ readOnly: true
+ TestInfo:
+ description: Integration Testing Information
+ type: object
+ properties:
+ escalationSupportContact:
type: string
- description: The type of condition
- SimulateResultPolicies:
- items:
- $ref: '#/components/schemas/SimulateResultPoliciesItems'
- type: array
- SimulateResultPoliciesItems:
+ maxLength: 255
+ description: An email for Okta to contact your company about your integration. This email isn't shared with customers.
+ example: strawberry.support@example.com
+ oidcTestConfiguration:
+ type: object
+ description: OIDC test details
+ properties:
+ idp:
+ type: boolean
+ description: Read only.
Indicates if your integration supports IdP-initiated sign-in flows. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) is specified, this property is set to `true`. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) isn't set for the integration submission, this property is set to `false`
+ readOnly: true
+ sp:
+ type: boolean
+ description: Read only.
Indicates if your integration supports SP-initiated sign-in flows and is always set to `true` for OIDC SSO
+ readOnly: true
+ jit:
+ type: boolean
+ description: Indicates if your integration supports Just-In-Time (JIT) provisioning
+ spInitiateUrl:
+ type: string
+ format: uri
+ maxLength: 512
+ description: URL for SP-initiated sign-in flows (required if `sp = true`)
+ example: https://test.example.com/strawberry/oidc/sp-init
+ required:
+ - spInitiateUrl
+ samlTestConfiguration:
+ type: object
+ description: SAML test details
+ properties:
+ idp:
+ type: boolean
+ description: Indicates if your integration supports IdP-initiated sign-in
+ sp:
+ type: boolean
+ description: Indicates if your integration supports SP-initiated sign-in
+ jit:
+ type: boolean
+ description: Indicates if your integration supports Just-In-Time (JIT) provisioning
+ spInitiateUrl:
+ type: string
+ format: uri
+ maxLength: 512
+ description: URL for SP-initiated sign-in flows (required if `sp = true`)
+ example: https://test.example.com/strawberry/saml/sp-init
+ spInitiateDescription:
+ type: string
+ maxLength: 2048
+ description: Instructions on how to sign in to your app using the SP-initiated flow (required if `sp = true`)
+ example: Go to your app URL from a browser and enter your username
+ required:
+ - spInitiateUrl
+ testAccount:
+ type: object
+ description: An account on a test instance of your app with admin privileges. A test admin account is required by Okta for integration testing. During OIN QA testing, an Okta analyst uses this admin account to configure your app for the various test case flows.
+ properties:
+ url:
+ type: string
+ format: uri
+ maxLength: 512
+ description: The sign-in URL to a test instance of your app
+ example: https://example.com/strawberry/login
+ username:
+ type: string
+ maxLength: 255
+ description: The username for your app admin account
+ example: test@example.com
+ password:
+ type: string
+ maxLength: 255
+ description: The password for your app admin account
+ example: sUperP@ssw0rd
+ instructions:
+ type: string
+ maxLength: 2048
+ description: Additional instructions to test the app integration, including instructions for obtaining test accounts
+ example: Go to your app URL from a browser and enter your credentials
+ required:
+ - url
+ - username
+ - password
+ required:
+ - escalationSupportContact
+ ThemeResponse:
type: object
properties:
+ backgroundImage:
+ readOnly: true
+ type: string
+ emailTemplateTouchPointVariant:
+ $ref: '#/components/schemas/EmailTemplateTouchPointVariant'
+ endUserDashboardTouchPointVariant:
+ $ref: '#/components/schemas/EndUserDashboardTouchPointVariant'
+ errorPageTouchPointVariant:
+ $ref: '#/components/schemas/ErrorPageTouchPointVariant'
+ favicon:
+ readOnly: true
+ type: string
id:
+ readOnly: true
type: string
- name:
+ loadingPageTouchPointVariant:
+ $ref: '#/components/schemas/LoadingPageTouchPointVariant'
+ logo:
+ readOnly: true
type: string
- status:
+ primaryColorContrastHex:
type: string
- conditions:
- type: array
- $ref: "#/components/schemas/SimulateResultConditions"
- rules:
- type: array
- $ref: "#/components/schemas/SimulateResultRules"
- SimulateResultRules:
- type: object
- properties:
- id:
+ description: Primary color contrast hex code
+ primaryColorHex:
type: string
- description: The unique ID number of the policy rule
- name:
+ description: Primary color hex code
+ secondaryColorContrastHex:
type: string
- description: The name of the policy rule
- status:
+ description: Secondary color contrast hex code
+ secondaryColorHex:
type: string
- description: The result of the entity evaluation
- enum:
- - MATCH
- - UNMATCHED
- - UNDEFINED
- conditions:
- type: array
- $ref: "#/components/schemas/SimulateResultConditions"
- SingleLogout:
+ description: Secondary color hex code
+ signInPageTouchPointVariant:
+ $ref: '#/components/schemas/SignInPageTouchPointVariant'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ ThirdPartyAdminSetting:
+ description: The third-party admin setting
type: object
properties:
- enabled:
+ thirdPartyAdmin:
type: boolean
- issuer:
- type: string
- logoutUrl:
- type: string
- SloParticipate:
+ description: Indicates if third-party admin is enabled
+ example: false
+ ThreatInsightConfiguration:
type: object
properties:
- bindingType:
+ action:
type: string
- description: Request binding type
+ description: Specifies how Okta responds to authentication requests from suspicious IP addresses
enum:
- - POST
- - REDIRECT
- enabled:
- type: boolean
- description: Allows the app to participate in front-channel single logout.
- logoutRequestUrl:
- type: string
- description: URL where Okta sends the logout request.
- sessionIndexRequired:
- type: boolean
- description: Include user session details.
- SmsTemplate:
- type: object
- properties:
+ - none
+ - audit
+ - block
+ x-enumDescriptions:
+ none: Indicates that ThreatInsight is disabled
+ audit: Indicates that Okta logs suspicious requests to the System Log
+ block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests
+ example: none
created:
type: string
format: date-time
+ description: Timestamp when the ThreatInsight Configuration object was created
+ example: '2020-08-05T22:18:30.629Z'
readOnly: true
- id:
- type: string
- readOnly: true
+ excludeZones:
+ type: array
+ description: |-
+ Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs.
+ IPs in the excluded network zones aren't logged or blocked.
+ This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked.
+ items:
+ type: string
+ example: []
lastUpdated:
type: string
format: date-time
+ description: Timestamp when the ThreatInsight Configuration object was last updated
readOnly: true
- name:
- type: string
- template:
- type: string
- translations:
- $ref: '#/components/schemas/SmsTemplateTranslations'
- type:
- $ref: '#/components/schemas/SmsTemplateType'
- SmsTemplateTranslations:
+ example: '2020-09-08T20:53:20.882Z'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - action
+ TimeDuration:
+ description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
+ type: string
+ pattern: ^P(?:$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?:\d)(\d+H)?(\d+M)?(\d+S)?)?$
+ TokenAuthorizationServerPolicyRuleAction:
type: object
- x-okta-extensible: true
- SmsTemplateType:
+ properties:
+ accessTokenLifetimeMinutes:
+ type: integer
+ description: Lifetime of the access token in minutes. The minimum is five minutes. The maximum is one day.
+ inlineHook:
+ $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook'
+ refreshTokenLifetimeMinutes:
+ type: integer
+ description: Lifetime of the refresh token is the minimum access token lifetime.
+ refreshTokenWindowMinutes:
+ type: integer
+ description: Timeframe when the refresh token is valid. The minimum is 10 minutes. The maximum is five years (2,628,000 minutes).
+ TokenAuthorizationServerPolicyRuleActionInlineHook:
+ type: object
+ properties:
+ id:
+ type: string
+ readOnly: false
+ TokenDeliveryMode:
type: string
enum:
- - SMS_VERIFY_CODE
- SmsUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
+ - poll
+ TokenHookResponse:
+ description: |-
+ For the token inline hook, the `commands` and `error` objects that you can return in the JSON payload of your response are defined in the following sections.
+ > **Note:** The size of your response payload must be less than 256 KB.
+ type: object
+ properties:
+ commands:
+ description: |-
+ You can use the `commands` object to provide commands to Okta. It's where you can tell Okta to add more claims to the token.
+ The `commands` object is an array, allowing you to send multiple commands. In each array element, there needs to be a `type` property and `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command.
+ In the case of the token hook type, the `value` property is itself a nested object in which you specify a particular operation, a path to act on, and a value.
+ type: array
+ items:
+ type: object
+ properties:
+ type:
+ description: |-
+ One of the supported commands:
+ `com.okta.identity.patch`: Modify an ID token
+ `com.okta.access.patch`: Modify an access token
+ > **Note:** The `commands` array should only contain commands that can be applied to the requested tokens. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`.
+ type: string
+ value:
+ description: The `value` object is where you specify the operation to perform. It's an array, which allows you to request more than one operation.
+ type: array
+ items:
+ type: object
+ properties:
+ op:
+ description: |-
+ The name of one of the supported ops: `add`: Add a claim. `replace`: Modify an existing claim and update the token lifetime. `remove`: Remove an existing claim.
+ #### `op: add` notes
+
+
+ Add a claim
+
+ Add a claim
+
+ **Existing JSON**
+
+ ```
+ {
+ "employeeId": "00u12345678"
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.assertion.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/extPatientId",
+ "value": "1234"
+ }
+ ]
+ },
+ {
+ "type": "com.okta.assertion.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/external_guid",
+ "value": "F0384685-F87D-474B-848D-2058AC5655A7"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "employeeId": "00u12345678",
+ "extPatientId": 1234,
+ "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7"
+ }
+ ```
+
+ > **Note:** If you use the `add` operation and include an existing claim in your response with a different value, that value is replaced. Use the `replace` operation instead. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See `op: replace` notes.
+
+
+
+ Add new members to existing JSON objects
+
+ If you have a JSON object in a claim called `employee_profile`, and you want to add the `department_id` member to the claim, the existing JSON is updated by specifying the claim in the path, followed by the name of the object member.
+
+ **Existing JSON**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id": "1234",
+ "name": "Anna"
+ }
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/employee_profile/department_id",
+ "value": "4947"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id": "1234",
+ "name": "Anna",
+ "department_id": "4947"
+ }
+ }
+ ```
+
+ > **Note:** If you attempt to add a member within a JSON object that doesn't exist or using an invalid operation, the entire PATCH fails and errors are logged in the token hooks events.
+
+
+
+ Add new elements to existing arrays
+
+ Append an element to an array by specifying the name of the array, followed by the index where you want to insert the element in the path. Alternatively, you can specify the array name followed by a hyphen (-) in the path to append an element at the end of the array. For example, you have an array that contains the user's preferred airports, and you want to add a new airport to the array. The existing target JSON object is updated by specifying the claim in the path, followed by the index of where to insert the claim.
+
+ **Existing JSON**
+
+ ```
+ {
+ "preferred_airports":[
+ "sjc",
+ "sfo",
+ "oak"
+ ]
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "add",
+ "path": "/claims/preferred_airports/3",
+ "value": "lax"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "preferred_airports":[
+ "sjc",
+ "sfo",
+ "oak",
+ "lax"
+ ]
+ }
+ ```
+
+ > **Note:** If you attempt to add an element within an array that doesn't exist or specify an invalid index, the entire PATCH fails and errors are logged in the token hooks events.
+
+
+ #### `op: replace` notes
+
+
+ Modify an existing claim
+
+ You can modify (`replace`) existing custom claims or OIDC standard profile claims, such as `birthdate` and `locale`. You can't, however, modify any system-specific claims, such as `iss` or `ver`. Also, you can't modify a claim that isn't currently part of the token in the request payload. Attempting to modify a system-specific claim or using an invalid operation results in the entire PATCH failing and errors logged in the token hooks events.
+
+ See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify.
+
+ > **Note:** Although the `aud` and `sub` claims are listed as reserved claims, you can modify those claims in access tokens. You can't modify these claims in ID tokens.
+
+ See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "employeeId": "00u12345678",
+ "extPatientId": 1234,
+ "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7"
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/claims/extPatientId",
+ "value": "12345"
+ },
+ {
+ "op": "replace",
+ "path": "/claims/external_guid",
+ "value": "D1495796-G98E-585C-959E-1269CD6766B8"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON***
+
+ ```
+ {
+ "employeeId": "00u12345678",
+ "extPatientId": 12345,
+ "external_guid": "D1495796-G98E-585C-959E-1269CD6766B8"
+ }
+ ```
+
+
+
+
+ Modify members within existing JSON objects and arrays
+
+ Use the `replace` operation to modify members within JSON objects and elements within arrays. For example, you have a JSON object in a claim called `employee_profile`, and you want to update the email address of the employee. The existing target JSON object is updated by specifying the claim in the path, followed by the name of the object member that you want to modify.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ "email":"anna.v@company.com"
+ }
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/claims/employee_profile/email",
+ "value": "anna@company.com"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ "email":"anna@company.com"
+ }
+ }
+ ```
+
+ > **Note:** If you attempt to modify a member within a JSON object that doesn't exist or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events.
+
+ Similarly, you can replace elements in an array by specifying the array name and the valid index of the element that you want to replace in the path.
+
+
+
+ Modify token lifetimes
+ You can modify how long the access and ID tokens are valid by specifying the `lifetime` in seconds. The `lifetime` value must be a minimum of five minutes (300 seconds) and a maximum of 24 hours (86,400 seconds).
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/token/lifetime/expiration",
+ "value": 36000
+ }
+ ]
+ },
+ {
+ "type": "com.okta.access.patch",
+ "value": [
+ {
+ "op": "replace",
+ "path": "/token/lifetime/expiration",
+ "value": 36000
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+
+
+ #### `op: remove` notes
+
+
+ Remove a claim
+
+ You can remove existing custom claims or OIDC standard profile claims, such as `birthdate` or `locale`. You can't, however, remove any system-specific claims, such as `iss` or `ver`. You also can't remove a claim that isn't currently part of the token in the request payload. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events.
+
+ See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify.
+
+ See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify.
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/birthdate",
+ "value": null
+ }
+ ]
+ },
+ {
+ "type": "com.okta.access.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/external_guid"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ > **Note:** The `value` property for the `remove` operation isn't required. If you provide it in the response, it should be set to `null`. Providing any other value fails the entire PATCH response.
+
+
+
+
+ Remove members from existing arrays
+
+ Use the `remove` operation to remove members from existing arrays. For example, you have an array that contains the user's preferred airports, and you want to remove an airport from the array. The existing target JSON object is updated by specifying the array name followed by the index of the element that you want to remove. You don't need to specify a value for the remove operation, but you can specify `null` as the value if you want.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "preferred_airports": [
+ "sjc",
+ "lax",
+ "sfo",
+ "oak"
+ ]
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/preferred_airports/1"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+
+ ```
+ {
+ "preferred_airports": [
+ "sjc",
+ "sfo",
+ "oak"
+ ]
+ }
+ ```
+
+
+
+
+ Remove members from existing JSON objects
+
+ Use the `remove` operation to remove members from existing JSON objects. Do this by specifying the JSON object in the path, followed by the claim member that you would like to remove. For example, you have an `employee_profile` claim, and you want to remove `email` from it.
+
+ **Existing target JSON object**
+
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ "email":"anna.v@company.com"
+ }
+ }
+ ```
+
+ **Operation**
+
+ ```
+ {
+ "commands": [
+ {
+ "type": "com.okta.identity.patch",
+ "value": [
+ {
+ "op": "remove",
+ "path": "/claims/employee_profile/email"
+ }
+ ]
+ }
+ ]
+ }
+ ```
+
+ **Updated JSON**
+ ```
+ {
+ "employee_profile": {
+ "employee_id":"1234",
+ "name":"Anna",
+ }
+ }
+ ```
+
+
+ type: string
+ path:
+ description: Location within the token to apply the operation, specified as a slash-delimited path. When you add, replace, or remove a claim, this path always begins with `/claims/` and is followed by the name of the new claim that you're adding. When you replace a token lifetime, the path should always be `/token/lifetime/expiration`.
+ type: string
+ value:
+ description: Value to set the claim to.
+ oneOf:
+ - type: string
+ - type: integer
+ - type: object
+ error:
+ description: When an error object is returned, it causes Okta to return an OAuth 2.0 error to the requester of the token. In the error response, the value of `error` is `server_error`, and the value of `error_description` is the string that you supplied in the `errorSummary` property of the `error` object that you returned.
+ type: object
properties:
- profile:
- $ref: '#/components/schemas/SmsUserFactorProfile'
- SmsUserFactorProfile:
+ errorSummary:
+ description: 'Human-readable summary of the error. If the error object doesn''t include the `errorSummary` property defined, the following common default message is returned to the end user: `The callback service returned an error`.'
+ type: string
+ TokenPayLoad:
type: object
properties:
- phoneNumber:
- type: string
- SocialAuthToken:
+ data:
+ type: object
+ properties:
+ context:
+ allOf:
+ - $ref: '#/components/schemas/BaseContext'
+ - type: object
+ properties:
+ protocol:
+ description: Details of the authentication protocol
+ type: object
+ properties:
+ type:
+ description: The type of authentication protocol used
+ type: string
+ example: OAUTH2.0
+ request:
+ $ref: '#/components/schemas/TokenProtocolRequest'
+ OriginalGrant:
+ description: Information about the original token request used to get the refresh token being used, when in a refresh token request
+ type: object
+ properties:
+ request:
+ $ref: '#/components/schemas/TokenProtocolRequest'
+ refresh_token:
+ $ref: '#/components/schemas/RefreshToken'
+ issuer:
+ description: The authorization server's issuer identifier
+ type: object
+ properties:
+ uri:
+ description: The authorization server's issuer identifier
+ type: string
+ format: uri
+ client:
+ description: The client making the token request
+ type: object
+ properties:
+ id:
+ description: The unique identifier of the client
+ type: string
+ name:
+ description: The name of the client
+ type: string
+ type:
+ description: The type of client
+ type: string
+ example: PUBLIC
+ policy:
+ description: The authorization server policy used to mint the token
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the policy
+ type: string
+ example: 00p4ktaq2ryOYtsHC0g7
+ rule:
+ description: The authorization server policy rule used to mint the token
+ type: object
+ properties:
+ id:
+ description: The unique identifier for the policy rule
+ type: string
+ example: 0pr4ktb7elD3ZvrMy0g7
+ identity:
+ allOf:
+ - description: Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains
+ - $ref: '#/components/schemas/BaseToken'
+ access:
+ allOf:
+ - description: Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains
+ - $ref: '#/components/schemas/BaseToken'
+ - type: object
+ properties:
+ scopes:
+ description: The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#scopes).
+ type: object
+ refresh_token:
+ $ref: '#/components/schemas/RefreshToken'
+ TokenProtocolRequest:
+ description: Details of the token request
type: object
properties:
- expiresAt:
+ client_id:
+ description: The ID of the client associated with the token
type: string
- format: date-time
- readOnly: true
- id:
+ grant_type:
+ $ref: '#/components/schemas/GrantType'
+ redirect_uri:
+ description: Specifies the callback location where the authorization was sent
type: string
- readOnly: true
- scopes:
- type: array
- items:
- type: string
- token:
+ format: uri
+ response_mode:
+ description: The authorization response mode
type: string
- tokenAuthScheme:
+ enum:
+ - form_post
+ - fragment
+ - okta_post_message
+ - query
+ response_type:
+ description: The authorization response type
type: string
- tokenType:
+ enum:
+ - code
+ - id_token
+ - token
+ - none
+ scope:
+ description: The scopes requested
type: string
- SourceLinks:
+ state:
+ type: string
+ TokenRequest:
+ description: Token inline hook request
allOf:
- - $ref: '#/components/schemas/LinksSelf'
- - type: object
- properties:
- schema:
- allOf:
- - $ref: '#/components/schemas/HrefObject'
- - description: The associated schema
- SpCertificate:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/TokenPayLoad'
+ TokenResourcesHrefObject:
type: object
properties:
- x5c:
- type: array
- items:
- type: string
- SplunkEdition:
- description: Edition of the Splunk Cloud instance
- example: aws
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens
+ TokenResponse:
+ type: object
+ properties:
+ access_token:
+ type: string
+ description: An access token.
+ device_secret:
+ type: string
+ description: An opaque device secret. This is returned if the `device_sso` scope is granted.
+ expires_in:
+ type: integer
+ description: The expiration time of the access token in seconds.
+ id_token:
+ type: string
+ description: An ID token. This is returned if the `openid` scope is granted.
+ issued_token_type:
+ $ref: '#/components/schemas/TokenType'
+ refresh_token:
+ type: string
+ description: An opaque refresh token. This is returned if the `offline_access` scope is granted.
+ scope:
+ type: string
+ description: The scopes contained in the access token.
+ token_type:
+ $ref: '#/components/schemas/TokenResponseTokenType'
+ TokenResponseTokenType:
+ description: The token type in a `/token` response. The value is generally `Bearer` except for a few instances of token exchange.
type: string
enum:
- - aws
- - aws_govcloud
- - gcp
- SplunkHost:
- description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`'
- minLength: 17
- maxLength: 116
- example: acme.splunkcloud.com
- type: string
- SplunkToken:
- description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned.
- example: 11111111-1111-2222-2222-222222222222
- writeOnly: true
+ - Bearer
+ - N_A
+ TokenType:
+ description: The type of token for token exchange.
type: string
- pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$
- SsprPrimaryRequirement:
- type: object
- description: Defines the authenticators permitted for the initial authentication step of password recovery
- properties:
- methods:
- type: array
- description: Authenticator methods allowed for the initial authentication step of password recovery
- items:
- type: string
- enum:
- - push
- - sms
- - voice
- - email
- x-okta-feature-flag-amends:
- IDX_SSPR_EXTENDED_PRIMARY_FACTORS:
- description: Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator.
- items:
- type: string
- enum:
- - push
- - sms
- - voice
- - email
- - otp
- methodConstraints:
- description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint.
- x-okta-lifecycle:
- features:
- - IDX_SSPR_EXTENDED_PRIMARY_FACTORS
- type: array
- items:
- $ref: '#/components/schemas/AuthenticatorMethodConstraint'
- SsprRequirement:
- description: Describes the initial and secondary authenticator requirements a user needs to reset their password
+ enum:
+ - urn:ietf:params:oauth:token-type:access_token
+ - urn:ietf:params:oauth:token-type:id_token
+ - urn:ietf:params:oauth:token-type:jwt
+ - urn:ietf:params:oauth:token-type:refresh_token
+ - urn:ietf:params:oauth:token-type:saml1
+ - urn:ietf:params:oauth:token-type:saml2
+ - urn:okta:oauth:token-type:web_sso_token
+ - urn:x-oath:params:oauth:token-type:device-secret
+ TrendMicroApexOneServiceApplication:
+ title: Trend Micro Apex One Service
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: trendmicroapexoneservice
+ example:
+ name: trendmicroapexoneservice
+ label: Sample Trend Micro Apex One as a Service App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ baseURL: https://acme.trendmicro.com
+ description: |
+ Schema for Trend Micro Apex One as a Service app (key name: `trendmicroapexoneservice`)
+
+ To create a Trend Micro Apex One as a Service app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Trend Micro Apex One as a Service app only supports `SAML_2_0` sign-on mode.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - trendmicroapexoneservice
+ example: trendmicroapexoneservice
+ signOnMode:
+ enum:
+ - SAML_2_0
+ settings:
+ $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettings'
+ TrendMicroApexOneServiceApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ TrendMicroApexOneServiceApplicationSettingsApplication:
+ description: Trend Micro Apex One as a Service app instance properties
type: object
properties:
- primary:
- $ref: '#/components/schemas/SsprPrimaryRequirement'
- stepUp:
- $ref: '#/components/schemas/SsprStepUpRequirement'
- SsprStepUpRequirement:
- description: |-
- Defines the secondary authenticators needed for password reset if `required` is true. The following are three valid configurations:
- * `required`=false
- * `required`=true with no methods to use any SSO authenticator
- * `required`=true with `security_question` as the method
+ baseURL:
+ type: string
+ description: Base Trend Micro Apex One Service URL
+ required:
+ - baseURL
+ TrustedOrigin:
type: object
properties:
- methods:
- description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication.
- type: array
- items:
- type: string
- enum:
- - security_question
- required:
- type: boolean
- Subscription:
+ created:
+ description: Timestamp when the Trusted Origin was created
+ type: string
+ format: date-time
+ readOnly: true
+ createdBy:
+ description: The ID of the user who created the Trusted Origin
+ type: string
+ id:
+ description: Unique identifier for the Trusted Origin
+ type: string
+ readOnly: true
+ lastUpdated:
+ description: Timestamp when the Trusted Origin was last updated
+ type: string
+ format: date-time
+ readOnly: true
+ lastUpdatedBy:
+ description: The ID of the user who last updated the Trusted Origin
+ type: string
+ name:
+ $ref: '#/components/schemas/TrustedOriginName'
+ origin:
+ $ref: '#/components/schemas/TrustedOriginOrigin'
+ scopes:
+ $ref: '#/components/schemas/TrustedOriginScopes'
+ status:
+ $ref: '#/components/schemas/LifecycleStatus'
+ _links:
+ $ref: '#/components/schemas/LinksSelfAndLifecycle'
+ TrustedOriginName:
+ maximum: 255
+ description: Unique name for the Trusted Origin
+ type: string
+ TrustedOriginOrigin:
+ maximum: 255
+ description: Unique origin URL for the Trusted Origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor.
+ type: string
+ TrustedOriginScope:
type: object
properties:
- channels:
- description: |-
- An array of sources send notifications to users.
- > **Note**: Currently, Okta only allows `email` channels.
- items:
- type: string
+ allowedOktaApps:
type: array
- notificationType:
- $ref: '#/components/schemas/NotificationType'
- status:
- $ref: '#/components/schemas/SubscriptionStatus'
- _links:
- type: object
- description: Discoverable resources related to the subscription
- properties:
- self:
- $ref: '#/components/schemas/HrefObject'
- readOnly: true
- SubscriptionStatus:
- description: The status of the subscription
+ description: The allowed Okta apps for the Trusted Origin scope
+ items:
+ $ref: '#/components/schemas/IframeEmbedScopeAllowedApps'
+ type:
+ $ref: '#/components/schemas/TrustedOriginScopeType'
+ TrustedOriginScopeType:
+ description: |
+ The scope type. Supported values: When you use `IFRAME_EMBED` as the scope type, leave the allowedOktaApps property
+ empty to allow iFrame embedding of only Okta sign-in pages. Include `OKTA_ENDUSER` as a value for the allowedOktaApps
+ property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard.
type: string
enum:
- - subscribed
- - unsubscribed
- SupportedMethods:
+ - CORS
+ - IFRAME_EMBED
+ - REDIRECT
+ TrustedOriginScopes:
+ maximum: 3
+ description: Array of Scope types that this Trusted Origin is used for
+ items:
+ $ref: '#/components/schemas/TrustedOriginScope'
+ type: array
+ TrustedOriginWrite:
type: object
properties:
- settings:
+ name:
+ $ref: '#/components/schemas/TrustedOriginName'
+ origin:
+ $ref: '#/components/schemas/TrustedOriginOrigin'
+ scopes:
+ $ref: '#/components/schemas/TrustedOriginScopes'
+ UIElement:
+ description: Specifies the configuration of an input field on an enrollment form
+ type: object
+ properties:
+ label:
+ type: string
+ description: Label name for the UI element
+ options:
type: object
+ description: UI Schema element options object
properties:
- keyProtection:
+ format:
type: string
- algorithms:
- type: array
- items:
- $ref: '#/components/schemas/AuthenticatorMethodAlgorithm'
- transactionTypes:
- type: array
- items:
- $ref: '#/components/schemas/AuthenticatorMethodTransactionType'
- status:
+ description: Specifies how the input appears
+ enum:
+ - text
+ - radio
+ - select
+ - checkbox
+ - radio_yes_no
+ - radio_true_false
+ x-enumDescriptions:
+ text: The default format for the majority of property types
+ radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint.
+ select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint.
+ checkbox: Displays input as a checkbox. This option is only available for Boolean data types.
+ radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types.
+ radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types.
+ scope:
type: string
+ description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`.
type:
type: string
- enum:
- - push
- SwaApplicationSettings:
- allOf:
- - $ref: '#/components/schemas/ApplicationSettings'
- - type: object
- properties:
- app:
- $ref: '#/components/schemas/SwaApplicationSettingsApplication'
- SwaApplicationSettingsApplication:
+ description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`.
+ UISchemaObject:
+ description: Properties of the UI schema
type: object
properties:
- buttonField:
- type: string
- buttonSelector:
- type: string
- checkbox:
- type: string
- extraFieldSelector:
- type: string
- extraFieldValue:
+ buttonLabel:
type: string
- loginUrlRegex:
+ description: Specifies the button label for the `Submit` button at the bottom of the enrollment form
+ default: Submit
+ elements:
+ $ref: '#/components/schemas/UIElement'
+ label:
type: string
- passwordField:
+ description: Specifies the label at the top of the enrollment form under the logo
+ default: Sign in
+ type:
type: string
- passwordSelector:
+ description: Specifies the type of layout
+ UISchemasResponseObject:
+ type: object
+ properties:
+ created:
type: string
- redirectUrl:
+ format: date-time
+ description: Timestamp when the UI Schema was created (ISO-86001)
+ readOnly: true
+ id:
type: string
- targetURL:
+ description: Unique identifier for the UI Schema
+ readOnly: true
+ lastUpdated:
type: string
- url:
+ format: date-time
+ description: Timestamp when the UI Schema was last modified (ISO-86001)
+ readOnly: true
+ uiSchema:
+ $ref: '#/components/schemas/UISchemaObject'
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
+ required:
+ - id
+ - uiSchema
+ - created
+ - lastUpdated
+ - _links
+ UpdateDomain:
+ type: object
+ properties:
+ brandId:
+ description: The `id` of the brand used to replace the existing brand.
type: string
- usernameField:
+ example: bndul904tTZ6kWVhP0g3
+ required:
+ - brandId
+ UpdateEmailDomain:
+ allOf:
+ - $ref: '#/components/schemas/BaseEmailDomain'
+ UpdateIamRoleRequest:
+ type: object
+ properties:
+ description:
type: string
- userNameSelector:
+ description: Description of the role
+ label:
type: string
- TempPassword:
+ description: Unique label for the role
+ required:
+ - label
+ - description
+ UpdateRealmAssignmentRequest:
type: object
properties:
- tempPassword:
+ actions:
+ $ref: '#/components/schemas/Actions'
+ conditions:
+ $ref: '#/components/schemas/Conditions'
+ name:
type: string
- readOnly: true
- Theme:
+ priority:
+ type: integer
+ UpdateRealmRequest:
+ type: object
+ properties:
+ profile:
+ $ref: '#/components/schemas/RealmProfile'
+ UpdateThemeRequest:
type: object
properties:
- backgroundImage:
- readOnly: true
- type: string
emailTemplateTouchPointVariant:
$ref: '#/components/schemas/EmailTemplateTouchPointVariant'
endUserDashboardTouchPointVariant:
@@ -31057,370 +65834,995 @@ components:
$ref: '#/components/schemas/LoadingPageTouchPointVariant'
primaryColorContrastHex:
type: string
+ description: Primary color contrast hex code
+ default: null
primaryColorHex:
type: string
+ description: Primary color hex code
+ default: null
secondaryColorContrastHex:
type: string
+ description: Secondary color contrast hex code
+ default: null
secondaryColorHex:
type: string
+ description: Secondary color hex code
+ default: null
signInPageTouchPointVariant:
$ref: '#/components/schemas/SignInPageTouchPointVariant'
_links:
$ref: '#/components/schemas/LinksSelf'
- ThemeResponse:
+ required:
+ - primaryColorHex
+ - secondaryColorHex
+ - signInPageTouchPointVariant
+ - endUserDashboardTouchPointVariant
+ - errorPageTouchPointVariant
+ - emailTemplateTouchPointVariant
+ UpdateUISchema:
+ description: The updated request body properties
type: object
properties:
- backgroundImage:
- readOnly: true
+ uiSchema:
+ $ref: '#/components/schemas/UISchemaObject'
+ UpdateUserRequest:
+ type: object
+ properties:
+ credentials:
+ $ref: '#/components/schemas/UserCredentials'
+ profile:
+ $ref: '#/components/schemas/UserProfile'
+ realmId:
type: string
- emailTemplateTouchPointVariant:
- $ref: '#/components/schemas/EmailTemplateTouchPointVariant'
- endUserDashboardTouchPointVariant:
- $ref: '#/components/schemas/EndUserDashboardTouchPointVariant'
- errorPageTouchPointVariant:
- $ref: '#/components/schemas/ErrorPageTouchPointVariant'
- favicon:
+ description:
The ID of the realm in which the user is residing
+ example: guo1bfiNtSnZYILxO0g4
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ User:
+ type: object
+ properties:
+ activated:
+ type: string
+ description: The timestamp when the user status transitioned to `ACTIVE`
+ format: date-time
readOnly: true
+ nullable: true
+ created:
type: string
+ description: The timestamp when the user was created
+ format: date-time
+ readOnly: true
+ credentials:
+ $ref: '#/components/schemas/UserCredentials'
id:
+ type: string
+ description: The unique key for the user
readOnly: true
+ lastLogin:
type: string
- loadingPageTouchPointVariant:
- $ref: '#/components/schemas/LoadingPageTouchPointVariant'
- logo:
+ description: The timestamp of the last login
+ format: date-time
readOnly: true
+ nullable: true
+ lastUpdated:
type: string
- primaryColorContrastHex:
+ description: The timestamp when the user was last updated
+ format: date-time
+ readOnly: true
+ passwordChanged:
type: string
- primaryColorHex:
+ description: The timestamp when the user's password was last updated
+ format: date-time
+ readOnly: true
+ nullable: true
+ profile:
+ $ref: '#/components/schemas/UserProfile'
+ realmId:
type: string
- secondaryColorContrastHex:
+ description:
The ID of the realm in which the user is residing
+ example: guo1bfiNtSnZYILxO0g4
+ x-okta-lifecycle:
+ lifecycle: EA
+ isGenerallyAvailable: false
+ SKUs: []
+ readOnly: true
+ status:
+ $ref: '#/components/schemas/UserStatus'
+ statusChanged:
type: string
- secondaryColorHex:
+ description: The timestamp when the status of the user last changed
+ format: date-time
+ readOnly: true
+ nullable: true
+ transitioningToStatus:
type: string
- signInPageTouchPointVariant:
- $ref: '#/components/schemas/SignInPageTouchPointVariant'
+ description: The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning.
+ readOnly: true
+ nullable: true
+ enum:
+ - ACTIVE
+ - DEPROVISIONED
+ - PROVISIONED
+ type:
+ type: object
+ description: |-
+ The user type that determines the schema for the user's profile. The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType).
+
+ Currently it contains a single element, `id`. It can be specified when creating a new user, and ca be updated by an admin on a full replace of an existing user (but not a partial update).
+ properties:
+ id:
+ type: string
+ description: The ID of the user type
+ _embedded:
+ type: object
+ description: Embedded resources related to the user using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ additionalProperties:
+ type: object
+ properties: {}
+ readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
- ThreatInsightConfiguration:
+ description: |-
+ Specifies link relations (see [Web Linking](https://datatracker.ietf.org/doc/html/rfc8288) available for the current status of a user.
+ The links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The links object is read-only.
+
+ For an individual user result, the links object contains a full set of link relations available for that user as determined by your policies.
+ For a collection of users, the links object contains only the `self` link. Operations that return a collection of users include List users and List group Members.
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - type: object
+ properties:
+ self:
+ description: URL to the individual user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ activate:
+ description: URL to activate the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ resetPassword:
+ description: URL to reset the user's password
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ resetFactors:
+ description: URL to reset the user's factors
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ expirePassword:
+ description: URL to expire the user's password
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ forgotPassword:
+ description: URL to initiate a forgot password operation
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ changeRecoveryQuestion:
+ description: URL to change the user's recovery question
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ deactivate:
+ description: URL to deactivate a user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ reactivate:
+ description: URL to reactivate the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ changePassword:
+ description: URL to change the user's password
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ schema:
+ description: URL to the user's profile schema
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ suspend:
+ description: URL to suspend the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ unsuspend:
+ description: URL to unsuspend the user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ unlock:
+ description: URL to unlock the locked-out user
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ type:
+ description: URL to the user type
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - readOnly: true
+ UserActivationToken:
type: object
properties:
- action:
+ activationToken:
type: string
- description: Specifies how Okta responds to authentication requests from suspicious IP addresses
+ readOnly: true
+ example: XE6wE17zmphl3KqAPFxO
+ description: |-
+ Token received as part of an activation user request. If a password was set before the user was activated, then user must sign in with their password or the `activationToken` and not the activation link. More information about using the `activationToken`
+ to login can be found in the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token).
+ activationUrl:
+ type: string
+ readOnly: true
+ example: https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO
+ description: If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.
+ UserBlock:
+ description: Describes how the account is blocked from access. If `appliesTo` is `ANY_DEVICES`, then the account is blocked for all devices. If `appliesTo` is `UNKNOWN_DEVICES`, then the account is only blocked for unknown devices.
+ type: object
+ properties:
+ appliesTo:
+ type: string
+ readOnly: true
+ description: The devices that the block applies to
enum:
- - none
- - audit
- - block
+ - ANY_DEVICES
+ - UNKNOWN_DEVICES
x-enumDescriptions:
- none: Indicates that ThreatInsight is disabled
- audit: Indicates that Okta logs suspicious requests to the System Log
- block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests
- example: none
- created:
+ ANY_DEVICES: The account is blocked for all devices
+ UNKNOWN_DEVICES: The account is only blocked for unknown devices
+ type:
type: string
- format: date-time
- description: Timestamp when the ThreatInsight Configuration object was created
- example: '2020-08-05T22:18:30.629Z'
readOnly: true
- excludeZones:
+ description: Type of access block
+ enum:
+ - DEVICE_BASED
+ UserCondition:
+ description: Specifies a set of Users to be included or excluded
+ type: object
+ properties:
+ exclude:
+ description: Users to be excluded
type: array
- description: |-
- Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs.
- IPs in the excluded network zones aren't logged or blocked.
- This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked.
items:
type: string
- example: []
+ include:
+ description: Users to be included
+ type: array
+ items:
+ type: string
+ required:
+ - exclude
+ - include
+ UserCredentials:
+ description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org.
+ type: object
+ properties:
+ password:
+ $ref: '#/components/schemas/PasswordCredential'
+ provider:
+ $ref: '#/components/schemas/AuthenticationProvider'
+ recovery_question:
+ $ref: '#/components/schemas/RecoveryQuestionCredential'
+ UserFactor:
+ type: object
+ properties:
+ created:
+ description: Timestamp when the Factor was enrolled
+ type: string
+ format: date-time
+ example: '2022-08-25T00:31:00.000Z'
+ readOnly: true
+ factorType:
+ $ref: '#/components/schemas/UserFactorType'
+ id:
+ description: ID of the Factor
+ type: string
+ example: caf8m6jbcvUH8mAep1d7
+ readOnly: true
lastUpdated:
+ description: Timestamp when the Factor was last updated
type: string
format: date-time
- description: Timestamp when the ThreatInsight Configuration object was last updated
+ example: '2022-08-25T00:31:00.000Z'
+ readOnly: true
+ profile:
+ type: object
+ description: Specific attributes related to the Factor
+ provider:
+ $ref: '#/components/schemas/UserFactorProvider'
+ status:
+ $ref: '#/components/schemas/UserFactorStatus'
+ vendorName:
+ description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings.
+ type: string
+ example: OKTA
+ readOnly: true
+ _embedded:
+ type: object
+ additionalProperties:
+ type: object
+ properties: {}
readOnly: true
- example: '2020-09-08T20:53:20.882Z'
_links:
- $ref: '#/components/schemas/LinksSelf'
- required:
- - action
- TimeDuration:
- description: A time duration specified as an [ISO-8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
+ $ref: '#/components/schemas/UserFactorLinks'
+ discriminator:
+ propertyName: factorType
+ mapping:
+ call: '#/components/schemas/UserFactorCall'
+ email: '#/components/schemas/UserFactorEmail'
+ push: '#/components/schemas/UserFactorPush'
+ question: '#/components/schemas/UserFactorSecurityQuestion'
+ sms: '#/components/schemas/UserFactorSMS'
+ token: '#/components/schemas/UserFactorToken'
+ token:hardware: '#/components/schemas/UserFactorTokenHardware'
+ token:hotp: '#/components/schemas/UserFactorTokenHOTP'
+ token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP'
+ u2f: '#/components/schemas/UserFactorU2F'
+ web: '#/components/schemas/UserFactorWeb'
+ webauthn: '#/components/schemas/UserFactorWebAuthn'
+ hotp: '#/components/schemas/UserFactorTokenHOTP'
+ UserFactorActivatePush:
+ description: Activation requests have a short lifetime and expire if the activation isn't completed before the indicated timestamp. If the activation expires, use the returned `activate` link to restart the process.
+ type: object
+ properties:
+ expiresAt:
+ description: Timestamp when the Factor verification attempt expires
+ type: string
+ format: date-time
+ example: '2022-08-25T00:31:00.000Z'
+ readOnly: true
+ factorResult:
+ $ref: '#/components/schemas/UserFactorActivatePushResult'
+ readOnly: true
+ UserFactorActivatePushResult:
+ description: Result of a Factor activation
type: string
- pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$
- TokenAuthorizationServerPolicyRuleAction:
+ enum:
+ - CANCELLED
+ - ERROR
+ - TIMEOUT
+ - WAITING
+ UserFactorActivateRequest:
+ oneOf:
+ - title: call
+ description: Attempts to activate a `call` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: email
+ description: Attempts to activate an `email` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: push
+ type: object
+ nullable: true
+ description: |-
+ Sends an asynchronous push notification to the device for approval by the user. You must poll the transaction to determine the state of the activation. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus).
+
+ No request body is required for `push` Factors.
+
+ Activations have a short lifetime of several minutes and return a `TIMEOUT` if not completed before the timestamp specified in the `expiresAt` param. Use the published activate link to restart the activation process if the activation expires.
+ - title: sms
+ description: Attempts to activate an `sms` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token:software:totp
+ description: Attempts to activate a `token:software:totp` Factor with the specified passcode
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: u2f
+ description: Activates a `u2f` Factor with the specified client and registration information from the U2F token
+ properties:
+ clientData:
+ type: string
+ description: Base64-encoded client data from the U2F token
+ example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ
+ registrationData:
+ type: string
+ description: Base64-encoded registration data from the U2F token
+ example: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew
+ - title: webauthn
+ description: Activates a `webauthn` Factor with the specified attestation and registration information from the WebAuthn authenticator
+ properties:
+ attestation:
+ type: string
+ description: Base64-encoded attestation from the WebAuthn authenticator
+ example: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ==
+ clientData:
+ type: string
+ description: Base64-encoded client data from the WebAuthn authenticator
+ example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0
+ type: object
+ UserFactorActivateResponse:
type: object
properties:
- accessTokenLifetimeMinutes:
- type: integer
- inlineHook:
- $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook'
- refreshTokenLifetimeMinutes:
- type: integer
- refreshTokenWindowMinutes:
- type: integer
- TokenAuthorizationServerPolicyRuleActionInlineHook:
+ factorType:
+ description: Type of the Factor
+ type: string
+ enum:
+ - call
+ - email
+ - sms
+ - push
+ - token:software:totp
+ - u2f
+ - webauthn
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUser'
+ - $ref: '#/components/schemas/LinksVerify'
+ discriminator:
+ propertyName: factorType
+ mapping:
+ call: '#/components/schemas/UserFactorCall'
+ email: '#/components/schemas/UserFactorEmail'
+ sms: '#/components/schemas/UserFactorSMS'
+ push: '#/components/schemas/UserFactorPush'
+ token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP'
+ u2f: '#/components/schemas/UserFactorU2F'
+ webauthn: '#/components/schemas/UserFactorWebAuthn'
+ UserFactorCall:
+ title: call
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: call
+ profile:
+ $ref: '#/components/schemas/UserFactorCallProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorCallProfile:
type: object
properties:
- id:
+ phoneExtension:
+ description: Extension of the associated `phoneNumber`
type: string
- readOnly: false
- TokenUserFactor:
+ example: 1234
+ nullable: true
+ maxLength: 15
+ phoneNumber:
+ description: Phone number of the Factor. Format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/).
+ example: '+15554151337'
+ type: string
+ pattern: ^\+[1-9]\d{1,14}$
+ maxLength: 15
+ UserFactorEmail:
+ title: email
allOf:
- $ref: '#/components/schemas/UserFactor'
- type: object
properties:
+ factorType:
+ example: email
profile:
- $ref: '#/components/schemas/TokenUserFactorProfile'
- TokenUserFactorProfile:
+ $ref: '#/components/schemas/UserFactorEmailProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorEmailProfile:
type: object
properties:
- credentialId:
+ email:
+ description: Email address of the user. This must be either the primary or secondary email address associated with the Okta user account.
+ maxLength: 100
+ example: z.cool@example.com
type: string
- TotpUserFactor:
+ UserFactorLinks:
+ allOf:
+ - $ref: '#/components/schemas/LinksActivate'
+ - $ref: '#/components/schemas/LinksCancel'
+ - $ref: '#/components/schemas/LinksDeactivate'
+ - $ref: '#/components/schemas/LinksEnroll'
+ - $ref: '#/components/schemas/LinksFactor'
+ - $ref: '#/components/schemas/LinksPoll'
+ - $ref: '#/components/schemas/LinksQrcode'
+ - $ref: '#/components/schemas/LinksQuestions'
+ - $ref: '#/components/schemas/LinksResend'
+ - $ref: '#/components/schemas/LinksSend'
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUser'
+ - $ref: '#/components/schemas/LinksVerify'
+ readOnly: true
+ UserFactorPassCode:
+ description: OTP for the current time window
+ example: 1234567890
+ type: string
+ UserFactorProvider:
+ description: Provider for the Factor
+ type: string
+ enum:
+ - CUSTOM
+ - DUO
+ - FIDO
+ - GOOGLE
+ - OKTA
+ - RSA
+ - SYMANTEC
+ - YUBICO
+ UserFactorPush:
+ title: push
allOf:
- $ref: '#/components/schemas/UserFactor'
- type: object
properties:
profile:
- $ref: '#/components/schemas/TotpUserFactorProfile'
- TotpUserFactorProfile:
+ $ref: '#/components/schemas/UserFactorPushProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorPushProfile:
type: object
properties:
credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
type: string
- TrustedOrigin:
- type: object
- properties:
- created:
- type: string
- format: date-time
- readOnly: true
- createdBy:
- type: string
- id:
- type: string
- readOnly: true
- lastUpdated:
+ deviceToken:
+ description: Token used to identify the device
+ example: fwf7ku6bsiSCieh6y1d7
type: string
- format: date-time
- readOnly: true
- lastUpdatedBy:
+ deviceType:
+ description: Type of device
+ example: SmartPhone_IPhone
type: string
name:
+ description: Name of the device
+ example: My Phone
type: string
- origin:
+ platform:
+ description: OS version of the associated device
+ example: IOS
type: string
- scopes:
- type: array
- items:
- $ref: '#/components/schemas/TrustedOriginScope'
- status:
+ version:
+ description: Installed version of Okta Verify
+ example: '9.0'
type: string
- _links:
- $ref: '#/components/schemas/LinksSelf'
- TrustedOriginScope:
+ UserFactorPushTransaction:
type: object
properties:
- allowedOktaApps:
- type: array
- items:
- $ref: '#/components/schemas/IframeEmbedScopeAllowedApps'
- type:
- $ref: '#/components/schemas/TrustedOriginScopeType'
- TrustedOriginScopeType:
+ factorResult:
+ description: Result of the verification transaction
+ type: string
+ enum:
+ - WAITING
+ - SUCCESS
+ - REJECTED
+ - TIMEOUT
+ discriminator:
+ propertyName: factorResult
+ mapping:
+ WAITING: '#/components/schemas/UserFactorPushTransactionWaiting'
+ SUCCESS: '#/components/schemas/UserFactorPushTransaction'
+ REJECTED: '#/components/schemas/UserFactorPushTransactionRejected'
+ TIMEOUT: '#/components/schemas/UserFactorPushTransactionTimeout'
+ UserFactorPushTransactionRejected:
+ allOf:
+ - $ref: '#/components/schemas/UserFactorPushTransaction'
+ - type: object
+ properties:
+ profile:
+ type: object
+ properties:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksVerify'
+ - type: object
+ properties:
+ factor:
+ $ref: '#/components/schemas/UserFactor'
+ UserFactorPushTransactionSuccess:
+ $ref: '#/components/schemas/UserFactorPushTransaction'
+ UserFactorPushTransactionTimeout:
+ allOf:
+ - $ref: '#/components/schemas/UserFactorPushTransaction'
+ - type: object
+ properties:
+ profile:
+ type: object
+ properties:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksVerify'
+ - type: object
+ properties:
+ factor:
+ $ref: '#/components/schemas/UserFactor'
+ UserFactorPushTransactionWaiting:
+ allOf:
+ - $ref: '#/components/schemas/UserFactorPushTransaction'
+ - type: object
+ properties:
+ profile:
+ type: object
+ properties:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksPoll'
+ - $ref: '#/components/schemas/LinksCancel'
+ UserFactorResultType:
+ description: Result of a Factor verification attempt
type: string
enum:
- - CORS
- - IFRAME_EMBED
- - REDIRECT
- U2fUserFactor:
+ - CANCELLED
+ - CHALLENGE
+ - ERROR
+ - FAILED
+ - PASSCODE_REPLAYED
+ - REJECTED
+ - SUCCESS
+ - TIMEOUT
+ - TIME_WINDOW_EXCEEDED
+ - WAITING
+ readOnly: true
+ UserFactorSMS:
+ title: sms
allOf:
- $ref: '#/components/schemas/UserFactor'
- type: object
properties:
+ factorType:
+ example: sms
profile:
- $ref: '#/components/schemas/U2fUserFactorProfile'
- U2fUserFactorProfile:
- type: object
- properties:
- credentialId:
- type: string
- UIElement:
- description: Specifies the configuration of an input field on an enrollment form
+ $ref: '#/components/schemas/UserFactorSMSProfile'
+ provider:
+ enum:
+ - OKTA
+ UserFactorSMSProfile:
type: object
properties:
- label:
+ phoneNumber:
+ description: Phone number of the Factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/).
+ example: '+15554151337'
type: string
- description: Label name for the UI element
- options:
- type: object
- description: UI Schema element options object
+ pattern: ^\+[1-9]\d{1,14}$
+ maxLength: 15
+ UserFactorSecurityQuestion:
+ title: question
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
properties:
- format:
- type: string
- description: Specifies how the input appears
+ factorType:
+ example: question
+ profile:
+ $ref: '#/components/schemas/UserFactorSecurityQuestionProfile'
+ provider:
enum:
- - text
- - radio
- - select
- - checkbox
- - radio_yes_no
- - radio_true_false
- x-enumDescriptions:
- text: The default format for the majority of property types.
- radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint.
- select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint.
- checkbox: Displays input as a checkbox. This option is only available for Boolean data types.
- radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types.
- radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types.
- scope:
- type: string
- description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`.
- type:
- type: string
- description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`.
- UISchemaObject:
- description: Properties of the UI schema
+ - OKTA
+ UserFactorSecurityQuestionProfile:
type: object
properties:
- buttonLabel:
+ answer:
+ description: Answer to the question
+ minLength: 4
type: string
- description: Specifies the button label for the `Submit` button at the bottom of the enrollment form.
- default: Submit
- elements:
- allOf:
- $ref: '#/components/schemas/UIElement'
- label:
+ writeOnly: true
+ question:
+ description: Unique key for the question
+ example: disliked_food
+ enum:
+ - disliked_food
+ - name_of_first_plush_toy
+ - first_award
+ - favorite_security_question
+ - favorite_toy
+ - first_computer_game
+ - favorite_movie_quote
+ - first_sports_team_mascot
+ - first_music_purchase
+ - favorite_art_piece
+ - grandmother_favorite_desert
+ - first_thing_cooked
+ - childhood_dream_job
+ - first_kiss_location
+ - place_where_significant_other_was_met
+ - favorite_vacation_location
+ - new_years_two_thousand
+ - favorite_speaker_actor
+ - favorite_book_movie_character
+ - favorite_sports_player
type: string
- description: Specifies the label at the top of the enrollment form under the logo.
- default: Sign in
- type:
+ questionText:
+ description: Human-readable text that's displayed to the user
+ example: What is the food you least liked as a child?
type: string
- description: Specifies the type of layout
- UISchemasResponseObject:
+ readOnly: true
+ UserFactorSignatureData:
+ description: Base64-encoded signature data from the WebAuthn authenticator
+ type: string
+ UserFactorStatus:
+ example: ACTIVE
+ description: Status of the Factor
+ type: string
+ enum:
+ - ACTIVE
+ - DISABLED
+ - ENROLLED
+ - EXPIRED
+ - INACTIVE
+ - NOT_SETUP
+ - PENDING_ACTIVATION
+ readOnly: true
+ UserFactorSupported:
type: object
properties:
- created:
+ enrollment:
type: string
- format: date-time
- description: Timestamp when the UI Schema was created (ISO-86001)
- readOnly: true
- id:
+ description: Indicates if the Factor is required for the specified user
+ example: OPTIONAL
+ enum:
+ - OPTIONAL
+ - REQUIRED
+ factorType:
+ $ref: '#/components/schemas/UserFactorType'
+ provider:
+ $ref: '#/components/schemas/UserFactorProvider'
+ status:
+ $ref: '#/components/schemas/UserFactorStatus'
+ vendorName:
+ description: Name of the Factor vendor. This is usually the same as the provider except for On-Prem MFA where it depends on administrator settings.
type: string
- description: Unique identifier for the UI Schema
+ example: OKTA
readOnly: true
- lastUpdated:
- type: string
- format: date-time
- description: Timestamp when the UI Schema was last modified (ISO-86001)
+ _embedded:
+ type: object
+ description: Embedded resources related to the Factor
+ additionalProperties:
+ type: object
+ properties: {}
readOnly: true
- uiSchema:
- $ref: '#/components/schemas/UISchemaObject'
_links:
- $ref: '#/components/schemas/LinksSelf'
- required:
- - id
- - uiSchema
- - created
- - lastUpdated
- - _links
- UpdateDomain:
+ $ref: '#/components/schemas/UserFactorLinks'
+ UserFactorToken:
+ title: token
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: token
+ profile:
+ $ref: '#/components/schemas/UserFactorTokenProfile'
+ provider:
+ enum:
+ - RSA
+ - SYMANTEC
+ verify:
+ oneOf:
+ - $ref: '#/components/schemas/UserFactorTokenVerifyRSA'
+ - $ref: '#/components/schemas/UserFactorTokenVerifySymantec'
+ UserFactorTokenFactorVerificationObject:
type: object
properties:
- brandId:
- description: The `id` of the brand used to replace the existing brand.
+ nextPassCode:
+ description: OTP for the next time window
type: string
- example: bndul904tTZ6kWVhP0g3
- required:
- - brandId
- UpdateEmailDomain:
+ example: 678195
+ passCode:
+ description: OTP for the current time window
+ type: string
+ example: 875498
+ UserFactorTokenHOTP:
+ title: token:hotp
allOf:
- - $ref: '#/components/schemas/BaseEmailDomain'
- UpdateIamRoleRequest:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorProfileId:
+ description: ID of an existing Custom TOTP Factor profile. To create this, see [Custom TOTP Factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp).
+ type: string
+ factorType:
+ example: token:hotp
+ profile:
+ $ref: '#/components/schemas/UserFactorTokenHOTPProfile'
+ provider:
+ enum:
+ - CUSTOM
+ UserFactorTokenHOTPProfile:
type: object
properties:
- description:
- type: string
- description: Description of the role
- label:
+ sharedSecret:
+ description: Unique secret key used to generate the OTP
type: string
- description: Unique label for the role
- required:
- - label
- - description
- UpdateUISchema:
- description: The updated request body properties
+ example: 484f97be3213b117e3a20438e291540a
+ UserFactorTokenHardware:
+ title: token:hardware
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: token:hardware
+ profile:
+ $ref: '#/components/schemas/UserFactorTokenProfile'
+ provider:
+ enum:
+ - YUBICO
+ verify:
+ type: object
+ properties:
+ passCode:
+ description: OTP for the current time window
+ type: string
+ example: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji
+ UserFactorTokenProfile:
type: object
properties:
- uiSchema:
- type: object
- description: Updated schema property expressions (Okta object or App Instance object)
- $ref: '#/components/schemas/UISchemaObject'
- UpdateUserRequest:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
+ type: string
+ UserFactorTokenSoftwareTOTP:
+ title: token:software:totp
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: token:software:totp
+ profile:
+ $ref: '#/components/schemas/UserFactorTokenProfile'
+ provider:
+ enum:
+ - OKTA
+ - GOOGLE
+ UserFactorTokenVerifyRSA:
+ title: RSA SecurID
type: object
properties:
- credentials:
- $ref: '#/components/schemas/UserCredentials'
- profile:
- $ref: '#/components/schemas/UserProfile'
- realmId:
+ passCode:
+ description: OTP for the current time window
type: string
- description: The ID of the realm in which the user is residing
- example: guo1bfiNtSnZYILxO0g4
- x-okta-lifecycle:
- features:
- - UD_REALMS
- User:
+ example: 5275875498
+ UserFactorTokenVerifySymantec:
+ title: Symantec VIP
type: object
properties:
- activated:
- type: string
- format: date-time
- readOnly: true
- nullable: true
- created:
- type: string
- format: date-time
- readOnly: true
- credentials:
- $ref: '#/components/schemas/UserCredentials'
- id:
+ nextPassCode:
+ description: OTP for the next time window
+ type: integer
+ example: 3956685498
+ passCode:
+ description: OTP for the current time window
type: string
- readOnly: true
- lastLogin:
+ example: 5275875498
+ UserFactorType:
+ description: Type of Factor
+ type: string
+ enum:
+ - call
+ - email
+ - push
+ - question
+ - signed_nonce
+ - sms
+ - token
+ - token:hardware
+ - token:hotp
+ - token:software:totp
+ - u2f
+ - web
+ - webauthn
+ UserFactorU2F:
+ title: u2f
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: u2f
+ profile:
+ $ref: '#/components/schemas/UserFactorU2FProfile'
+ provider:
+ enum:
+ - FIDO
+ UserFactorU2FProfile:
+ type: object
+ properties:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
type: string
- format: date-time
- readOnly: true
+ UserFactorVerifyRequest:
+ oneOf:
+ - title: call
+ description: Verifies an OTP sent by a `call` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone.
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: sms
+ description: Verifies an OTP sent by an `sms` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone.
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: push
+ type: object
nullable: true
- lastUpdated:
+ description: Sends an asynchronous push notification to the device for approval by the user. You must poll the transaction to determine the state of the verification. See [Retrieve a Factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus).
+ - title: email
+ description: Verifies an OTP sent by an `email` Factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone.
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: question
+ description: Verifies an answer to a `question` Factor
+ properties:
+ answer:
+ description: Answer to the question
+ minLength: 4
+ type: string
+ writeOnly: true
+ - title: token:software:totp
+ description: Verifies an OTP for a `token:software:totp` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token:hotp
+ description: Verifies an OTP for a `token:hotp` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token:hardware
+ description: Verifies an OTP for a `token:hardware` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: token
+ description: Verifies an OTP for a `token` Factor
+ properties:
+ passCode:
+ $ref: '#/components/schemas/UserFactorPassCode'
+ - title: u2f
+ description: Verifies a `u2f` Factor challenge by posting a signed assertion using the challenge `nonce`
+ properties:
+ clientData:
+ type: string
+ description: Base64-encoded client data from the U2F token
+ example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ
+ signatureData:
+ description: Base64-encoded signature data from the U2F token
+ - title: webauthn
+ description: Verifies a `webauthn` Factor challenge by posting a signed assertion using the challenge `nonce`
+ properties:
+ authenticatorData:
+ description: Base64-encoded authenticator data from the WebAuthn authenticator
+ type: string
+ clientData:
+ type: string
+ description: Base64-encoded client data from the WebAuthn authenticator
+ example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0
+ signatureData:
+ type: string
+ description: Base64-encoded signature data from the WebAuthn authenticator
+ UserFactorVerifyResponse:
+ type: object
+ properties:
+ expiresAt:
+ description: Timestamp when the verification expires
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
- passwordChanged:
+ factorMessage:
+ description: Optional display message for Factor verification
type: string
- format: date-time
readOnly: true
nullable: true
- profile:
- $ref: '#/components/schemas/UserProfile'
- realmId:
- type: string
- description: The ID of the realm in which the user is residing
- example: guo1bfiNtSnZYILxO0g4
- x-okta-lifecycle:
- features:
- - UD_REALMS
- readOnly: true
- status:
- $ref: '#/components/schemas/UserStatus'
- statusChanged:
- type: string
- format: date-time
+ factorResult:
+ $ref: '#/components/schemas/UserFactorVerifyResult'
readOnly: true
- nullable: true
- transitioningToStatus:
- $ref: '#/components/schemas/UserStatus'
- type:
- $ref: '#/components/schemas/UserType'
_embedded:
type: object
additionalProperties:
@@ -31428,109 +66830,155 @@ components:
properties: {}
readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
- UserActivationToken:
+ $ref: '#/components/schemas/UserFactorLinks'
+ UserFactorVerifyResult:
+ description: Result of a Factor verification
+ type: string
+ enum:
+ - CHALLENGE
+ - ERROR
+ - EXPIRED
+ - FAILED
+ - PASSCODE_REPLAYED
+ - REJECTED
+ - SUCCESS
+ - TIMEOUT
+ - TIME_WINDOW_EXCEEDED
+ - WAITING
+ x-enumDescriptions:
+ CANCELED: User cancelled the verification
+ CHALLENGE: Okta issued a verification challenge
+ ERROR: Verification encountered an unexpected server error
+ EXPIRED: User didn't complete the verification within the allowed time window
+ FAILED: Verification failed
+ PASSCODE_REPLAYED: User previously verified the Factor within the same time window. Another verification is required during another time window.
+ REJECTED: User rejected the verification
+ SUCCESS: User completed the verification
+ TIMEOUT: Okta didn't complete the verification within the allowed time window
+ TIME_WINDOW_EXCEEDED: User completed the verification outside of the allowed time window. Another verification is required.
+ WAITING: Verification is in progress
+ UserFactorWeb:
+ title: web
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: web
+ profile:
+ $ref: '#/components/schemas/UserFactorWebProfile'
+ provider:
+ enum:
+ - DUO
+ UserFactorWebAuthn:
+ title: webauthn
+ allOf:
+ - $ref: '#/components/schemas/UserFactor'
+ - type: object
+ properties:
+ factorType:
+ example: webauthn
+ profile:
+ $ref: '#/components/schemas/UserFactorWebAuthnProfile'
+ provider:
+ enum:
+ - FIDO
+ UserFactorWebAuthnProfile:
type: object
properties:
- activationToken:
+ authenticatorName:
+ description: Human-readable name of the authenticator
+ example: MacBook Touch ID
type: string
- readOnly: true
- activationUrl:
+ credentialId:
+ description: ID for the Factor credential
+ example: AHoOEhwvYiMv6SSwLp7KYRNttXtg_kYgQoQiEIWPFH_T3Ztp5Vj3bQ5H0LypIFR8ka8kfiCJ3I5qVpxrsd6JTMWKcE3xNh_U2QVF0Kwlan8Fiw
type: string
- readOnly: true
- UserBlock:
+ UserFactorWebProfile:
type: object
properties:
- appliesTo:
- type: string
- readOnly: true
- type:
+ credentialId:
+ description: ID for the Factor credential
+ example: dade.murphy@example.com
type: string
- readOnly: true
- UserCondition:
- description: Specifies a set of Users to be included or excluded
- type: object
- properties:
- exclude:
- description: Users to be excluded
- type: array
- items:
- type: string
- include:
- description: Users to be included
- type: array
- items:
- type: string
- UserCredentials:
- type: object
- properties:
- password:
- $ref: '#/components/schemas/PasswordCredential'
- provider:
- $ref: '#/components/schemas/AuthenticationProvider'
- recovery_question:
- $ref: '#/components/schemas/RecoveryQuestionCredential'
- UserFactor:
+ UserFactorYubikeyOtpToken:
type: object
properties:
created:
+ description: Timestamp when the Token was created
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
- factorType:
- $ref: '#/components/schemas/FactorType'
id:
+ description: ID of the Token
type: string
+ example: ykkwcx13nrDq8g4oy0g3
readOnly: true
lastUpdated:
+ description: Timestamp when the Token was last updated
+ type: string
+ format: date-time
+ example: '2022-08-25T00:31:00.000Z'
+ readOnly: true
+ lastVerified:
+ description: Timestamp when the Token was last verified
type: string
format: date-time
+ example: '2022-08-25T00:31:00.000Z'
readOnly: true
profile:
type: object
- description: Factor-specific attributes
- provider:
- $ref: '#/components/schemas/FactorProvider'
+ description: Specified profile information for token
+ additionalProperties:
+ type: object
+ properties: {}
status:
- $ref: '#/components/schemas/FactorStatus'
- verify:
- $ref: '#/components/schemas/VerifyFactorRequest'
+ description: Token status
+ type: string
+ enum:
+ - BLOCKED
+ - UNASSIGNED
+ - ACTIVE
+ - REVOKED
+ - DELETED
+ - INACTIVE
_embedded:
type: object
additionalProperties:
type: object
properties: {}
- readOnly: true
_links:
- $ref: '#/components/schemas/LinksSelf'
- discriminator:
- propertyName: factorType
- mapping:
- call: '#/components/schemas/CallUserFactor'
- email: '#/components/schemas/EmailUserFactor'
- push: '#/components/schemas/PushUserFactor'
- question: '#/components/schemas/SecurityQuestionUserFactor'
- sms: '#/components/schemas/SmsUserFactor'
- token: '#/components/schemas/TokenUserFactor'
- token:hardware: '#/components/schemas/HardwareUserFactor'
- token:hotp: '#/components/schemas/CustomHotpUserFactor'
- token:software:totp: '#/components/schemas/TotpUserFactor'
- u2f: '#/components/schemas/U2fUserFactor'
- web: '#/components/schemas/WebUserFactor'
- webauthn: '#/components/schemas/WebAuthnUserFactor'
- hotp: '#/components/schemas/CustomHotpUserFactor'
+ $ref: '#/components/schemas/UserFactorLinks'
+ UserGetSingleton:
+ allOf:
+ - $ref: '#/components/schemas/User'
+ - type: object
+ properties:
+ _embedded:
+ type: object
+ description: The embedded resources related to the object if the `expand` query parameter is specified
+ properties:
+ blocks:
+ type: array
+ description: A list of access block details for the user account
+ items:
+ $ref: '#/components/schemas/UserBlock'
UserIdentifierConditionEvaluatorPattern:
- type: object
description: Used in the User Identifier Condition object. Specifies the details of the patterns to match against.
+ type: object
properties:
matchType:
$ref: '#/components/schemas/UserIdentifierMatchType'
value:
type: string
- description: The regex expression of a simple match string
+ description: The regular expression or simple match string
+ required:
+ - matchType
+ - value
UserIdentifierMatchType:
- type: string
description: The type of pattern. For regex, use `EXPRESSION`.
+ type: string
enum:
- CONTAINS
- EQUALS
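Review bot: In `UserFactorVerifyResult`, the `x-enumDescriptions` map carries a `CANCELED` entry that the `enum` list directly above it does not contain, so either the enum is missing a value the API can return or the description key is stale; generated clients will never see that state either way. The `UserFactorResultType` enum earlier in this diff spells the same state `CANCELLED`, so the two schemas also disagree on spelling. Either add the value to the enum with the spelling the API actually emits, `- CANCELED`, or drop the orphaned description, and align the spelling across both enums.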
@@ -31538,26 +66986,190 @@ components:
- STARTS_WITH
- SUFFIX
UserIdentifierPolicyRuleCondition:
+ description: Specifies a user identifier condition to match on
+ type: object
+ properties:
+ attribute:
+ type: string
+ description: The name of the profile attribute to match against. Only used when type is `ATTRIBUTE`.
+ patterns:
+ type: array
+ items:
+ $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern'
+ type:
+ $ref: '#/components/schemas/UserIdentifierType'
+ required:
+ - patterns
+ - type
+ UserIdentifierType:
+ description: What to match against, either user ID or an attribute in the user's Okta profile.
+ type: string
+ enum:
+ - ATTRIBUTE
+ - IDENTIFIER
+ UserIdentityProviderLinkRequest:
+ type: object
+ properties:
+ externalId:
+ type: string
+ description: Unique IdP-specific identifier for a User
+ example: '121749775026145'
+ UserImportRequest:
+ type: object
+ properties:
+ data:
+ $ref: '#/components/schemas/UserImportRequestData'
+ eventType:
+ type: string
+ description: The type of inline hook. The user import inline hook type is `com.okta.import.transform`.
+ source:
+ description: The ID of the user import inline hook
+ type: string
+ UserImportRequestData:
+ type: object
+ properties:
+ action:
+ type: object
+ description: The object that specifies the default action Okta is set to take
+ properties:
+ result:
+ description: |-
+ The current default action that results when Okta imports a user. The two possible values are `CREATE_USER` and `LINK_USER`. You
+ can change the action that is taken by means of the commands object you return.
+ type: string
+ enum:
+ - CREATE_USER
+ - LINK_USER
+ x-enumDescriptions:
+ CREATE_USER: A new Okta user profile is created for the user
+ LINK_USER: The user is treated as a match for the existing Okta user identified by the value of `data.user.id`
+ appUser:
+ type: object
+ description: The app user profile being imported
+ properties:
+ profile:
+ type: object
+ description: |-
+ Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change
+ the values of attributes in the user's app profile by means of the `commands` object you return. If you change attributes in the app
+ profile, they then flow through to the Okta user profile, based on matching and mapping rules.
+ additionalProperties:
+ type: string
+ context:
+ type: object
+ properties:
+ conflicts:
+ description: An array of user profile attributes that are in conflict
+ type: array
+ items:
+ additionalProperties: true
+ type: string
+ application:
+ type: object
+ description: Details of the app from which the user is being imported
+ properties:
+ name:
+ type: string
+ description: The app name
+ id:
+ type: string
+ description: The app ID
+ label:
+ type: string
+ description: The user-defined display name for the app
+ status:
+ type: string
+ description: The status of the app
+ enum:
+ - ACTIVE
+ - INACTIVE
+ job:
+ type: object
+ description: The details of the running import job
+ properties:
+ id:
+ type: string
+ description: The ID number of the import job
+ type:
+ type: string
+ description: The type of import job
+ matches:
+ type: array
+ description: The list of Okta users currently matched to the app user based on import matching. There can be more than one match.
+ items:
+ additionalProperties: true
+ type: string
+ policy:
+ type: array
+ description: The list of any policies that apply to the import matching
+ items:
+ additionalProperties: true
+ type: string
+ user:
+ type: object
+ description: |-
+ Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching
+ rules and attribute mappings that were applied.
+ properties:
+ profile:
+ description: |-
+ The `data.user.profile` contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing
+ Okta user, a `data.user.id` object is included, containing the unique identifier of the Okta user profile.
+
+ You can change the values of the attributes by means of the `commands` object you return.
+ type: object
+ additionalProperties:
+ type: string
+ UserImportRequestExecute:
+ description: User import inline hook request
+ allOf:
+ - $ref: '#/components/schemas/InlineHookBasePayload'
+ - $ref: '#/components/schemas/UserImportRequest'
+ UserImportResponse:
type: object
properties:
- attribute:
- type: string
- patterns:
+ commands:
+ description: |-
+ The `commands` object is where you can provide commands to Okta. It is an array that allows you to send multiple commands.
+ Each array element needs to consist of a type-value pair.
type: array
items:
- $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern'
- type:
- $ref: '#/components/schemas/UserIdentifierType'
- UserIdentifierType:
- type: string
- enum:
- - ATTRIBUTE
- - IDENTIFIER
- UserIdentityProviderLinkRequest:
- type: object
- properties:
- externalId:
- type: string
+ type: object
+ properties:
+ type:
+ description: |-
+ The command types supported for the import inline hook.
+ When using the `com.okta.action.update` command to specify that the user should be treated as a match, you need to also provide a `com.okta.user.update` command that sets the ID of the Okta user.
+ type: string
+ enum:
+ - com.okta.appUser.profile.update
+ - com.okta.user.profile.update
+ - com.okta.action.update
+ - com.okta.user.update
+ x-enumDescriptions:
+ com.okta.appUser.profile.update: Change values of attributes in the user's app user profile
+ com.okta.user.profile.update: Change values of attributes in the user's Okta user profile
+ com.okta.action.update: Specify whether to create a new Okta user for the user being imported or treat them as a match of an existing Okta user
+ com.okta.user.update: Specify the existing Okta user that the imported user should be treated as a match of.
+ value:
+ description: |-
+ The `value` object is the parameter to pass to the command. In the case of the `com.okta.appUser.profile.update` and `com.okta.user.profile.update` commands,
+ the parameter should be a list of one or more profile attributes and the values you wish to set them to. In the case of the `com.okta.action.update` command,
+ the parameter should be a `result` property set to either `CREATE_USER` or `LINK_USER`.
+ type: object
+ additionalProperties:
+ type: string
+ error:
+ description: |-
+ An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log.
+ The string supplied in the `errorSummary` property is recorded in the System Log event.
+
+ >**Note:** If a response to an import inline hook request is not received from your external service within three seconds, a timeout occurs. In this scenario, the Okta import process continues and the user is created.
+ type: object
+ properties:
+ errorSummary:
+ description: A human-readable summary of the error
+ type: string
UserLifecycleAttributePolicyRuleCondition:
type: object
properties:
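Review bot: In `UserImportRequestData`, the `items` schemas of `context.conflicts`, `context.matches` and `context.policy` declare `type: string` together with `additionalProperties: true`; `additionalProperties` only constrains object schemas and is ignored on strings, so the keyword is dead and the declared element type is probably not what the hook payload carries. The `matches` description says the entries are Okta users matched to the app user, which suggests objects rather than strings. If so, change each to `type: object` and keep `additionalProperties: true`; if they really are plain strings, remove the `additionalProperties` line. The three spots share the same defect, so fix them together.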
@@ -31571,21 +67183,25 @@ components:
preventBruteForceLockoutFromUnknownDevices:
type: boolean
description: Prevents brute-force lockout from unknown devices for the password authenticator.
+ default: false
UserNextLogin:
type: string
enum:
- changePassword
UserPolicyRuleCondition:
+ description: Specifies a set of Users to be included or excluded
type: object
properties:
exclude:
type: array
+ description: Users to be excluded
items:
type: string
inactivity:
$ref: '#/components/schemas/InactivityPolicyRuleCondition'
include:
type: array
+ description: Users to be included
items:
type: string
lifecycleExpiration:
@@ -31595,128 +67211,293 @@ components:
userLifecycleAttribute:
$ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition'
UserProfile:
- additionalProperties: true # TODO: revisit
+ additionalProperties: true
+ description: |-
+ Specifies the default and custom profile properties for a user.
+
+ The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643).
+
+ The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications.
+
+ You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it.
+ You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions.
+
+ Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting.
type: object
properties:
city:
type: string
+ description: The city or locality of the user's address (`locality`)
maxLength: 128
nullable: true
costCenter:
type: string
+ description: Name of the cost center assigned to a user
+ nullable: true
countryCode:
+ description: The country name component of the user's address (`country`). For validation, see [ISO 3166-1 alpha 2 "short" code format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166).
type: string
maxLength: 2
nullable: true
department:
type: string
+ description: Name of the user's department
displayName:
type: string
+ description: Name of the user suitable for display to end users
+ nullable: true
division:
type: string
+ description: Name of the user's division
+ nullable: true
email:
type: string
+ description: The primary email address of the user. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
format: email
minLength: 5
maxLength: 100
employeeNumber:
+ description: The organization or company assigned unique identifier for the user
type: string
firstName:
type: string
+ description: Given name of the user (`givenName`)
minLength: 1
maxLength: 50
nullable: true
honorificPrefix:
type: string
+ description: Honorific prefix(es) of the user, or title in most Western languages
+ nullable: true
honorificSuffix:
type: string
+ description: Honorific suffix(es) of the user
+ nullable: true
lastName:
type: string
+ description: The family name of the user (`familyName`)
minLength: 1
maxLength: 50
nullable: true
locale:
- $ref: '#/components/schemas/Language'
+ type: string
+ description: |-
+ The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on.
+ A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example, en_US specifies the language English and country US. This value is `en_US` by default.
login:
type: string
- maxLength: 100
+ description: |-
+ The unique identifier for the user (`username`). For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation).
+
+ Every user within your Okta org must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future.
+
+ Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáà c.bröck@example.com.
+
+ Okta has a default ambiguous name resolution policy for usernames that include @-signs. (By default, usernames must be formatted as email addresses and thus always include @-signs. You can remove that restriction using either the Admin Console or the Schemas API (opens new window).) Users can sign in with their non-qualified short name (for example: isaac.brock with username isaac.brock@example.com) as long as the short name is still unique within the organization.
+ maxLength: 100
+ minLength: 5
manager:
type: string
+ description: The `displayName` of the user's manager
+ nullable: true
managerId:
type: string
+ description: The `id` of the user's manager
+ nullable: true
middleName:
type: string
+ description: The middle name of the user
+ nullable: true
mobilePhone:
type: string
+ description: The mobile phone number of the user
maxLength: 100
+ minLength: 0
nullable: true
nickName:
type: string
+ description: The casual way to address the user in real life
+ nullable: true
organization:
type: string
+ description: Name of the the user's organization
+ nullable: true
postalAddress:
type: string
+ description: Mailing address component of the user's address
maxLength: 4096
nullable: true
preferredLanguage:
type: string
+ description: The user's preferred written or spoken language. For validation, see [RFC 7231 Section 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5).
+ nullable: true
primaryPhone:
type: string
+ description: The primary phone number of the user such as a home number
maxLength: 100
+ minLength: 0
nullable: true
profileUrl:
type: string
+ description: The URL of the user's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808).
+ nullable: true
secondEmail:
type: string
format: email
+ description: The secondary email address of the user typically used for account recovery. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
minLength: 5
maxLength: 100
nullable: true
state:
type: string
+ description: The state or region component of the user's address (`region`)
maxLength: 128
nullable: true
streetAddress:
type: string
+ description: The full street address component of the user's address
maxLength: 1024
nullable: true
timezone:
type: string
+ description: The user's time zone
+ nullable: true
title:
type: string
+ description: The user's title, such as Vice President
+ nullable: true
userType:
type: string
+ description: The property used to describe the organization-to-user relationship, such as employee or contractor
+ nullable: true
zipCode:
type: string
+ description: The ZIP code or postal code component of the user's address (`postalCode`)
maxLength: 50
nullable: true
+ UserProvisioningApplicationFeature:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationFeature'
+ - type: object
+ - properties:
+ capabilities:
+ $ref: '#/components/schemas/CapabilitiesObject'
+ UserResourceHrefObject:
+ type: object
+ properties:
+ href:
+ type: string
+ description: Link URI
+ example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7
+ title:
+ type: string
+ description: Link name
+ example: SAML Jackson
+ UserRiskGetResponse:
+ type: object
+ properties:
+ riskLevel:
+ $ref: '#/components/schemas/UserRiskLevelAll'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUserRef'
+ discriminator:
+ propertyName: riskLevel
+ mapping:
+ HIGH: '#/components/schemas/UserRiskLevelExists'
+ MEDIUM: '#/components/schemas/UserRiskLevelExists'
+ LOW: '#/components/schemas/UserRiskLevelExists'
+ NONE: '#/components/schemas/UserRiskLevelNone'
+ UserRiskLevelAll:
+ description: The risk level associated with the user
+ type: string
+ enum:
+ - HIGH
+ - LOW
+ - MEDIUM
+ - NONE
+ UserRiskLevelExists:
+ allOf:
+ - $ref: '#/components/schemas/UserRiskGetResponse'
+ - type: object
+ properties:
+ reason:
+ $ref: '#/components/schemas/UserRiskReason'
+ UserRiskLevelNone:
+ allOf:
+ - $ref: '#/components/schemas/UserRiskGetResponse'
+ UserRiskLevelPut:
+ description: The risk level associated with the user
+ type: string
+ enum:
+ - HIGH
+ - LOW
+ UserRiskPutResponse:
+ type: object
+ properties:
+ reason:
+ $ref: '#/components/schemas/UserRiskReason'
+ riskLevel:
+ $ref: '#/components/schemas/UserRiskLevelPut'
+ _links:
+ allOf:
+ - $ref: '#/components/schemas/LinksSelf'
+ - $ref: '#/components/schemas/LinksUserRef'
+ UserRiskReason:
+ description: Describes the risk level for the user
+ example: Admin override risk
+ type: string
+ UserRiskRequest:
+ type: object
+ properties:
+ riskLevel:
+ type: string
+ description: The risk level associated with the user
+ enum:
+ - HIGH
+ - LOW
UserSchema:
type: object
properties:
$schema:
type: string
readOnly: true
+ description: JSON Schema version identifier
created:
type: string
readOnly: true
+ description: Timestamp when the Schema was created
definitions:
- $ref: '#/components/schemas/UserSchemaDefinitions'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaDefinitions'
+ description: |-
+ User Profile subschemas
+
+ The Profile object for a User is defined by a composite Schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. Custom property names for the Profile object must be unique and can't conflict with a property name defined in the `#base` subschema.
id:
type: string
readOnly: true
+ description: URI of User Schema
lastUpdated:
type: string
readOnly: true
+ description: Timestamp when the Schema was last updated
name:
type: string
readOnly: true
+ description: Name of the Schema
properties:
- $ref: '#/components/schemas/UserSchemaProperties'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaProperties'
+ description: User Object Properties
title:
type: string
+ description: User-defined display name for the Schema
type:
type: string
readOnly: true
+ description: Type of [root Schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4)
_links:
$ref: '#/components/schemas/LinksSelf'
UserSchemaAttribute:
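Review bot: `UserProvisioningApplicationFeature` puts `type: object` and `properties:` into two separate `allOf` items (the `- properties:` line), unlike `UserRiskLevelExists` in the same hunk where `properties` sits under the `- type: object` item; generators will see an empty object schema plus a bare-`properties` subschema, so the item should read `- type: object` / `  properties:` / `    capabilities:` with the `$ref` nested beneath. `UserProfile.login` now hard-codes `minLength: 5`, yet the base-schema text elsewhere in this change says the minimum of five isn't enforced when the login pattern is `.+`, so validators generated from this spec will reject logins the service accepts; consider stating the default minimum in the description instead of as a constraint. `minLength: 0` on `mobilePhone` and `primaryPhone` is a no-op and can be dropped. The `organization` description has a doubled word, `Name of the the user's organization`.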
@@ -31724,48 +67505,107 @@ components:
properties:
description:
type: string
+ description: Description of the property
enum:
type: array
+ nullable: true
+ description: |-
+ Enumerated value of the property.
+
+ The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements.
items:
- type: string
+ anyOf:
+ - type: string
+ - type: integer
externalName:
type: string
+ description: |-
+ Name of the property as it exists in an external application
+
+ **NOTE**: When you add a custom property, only Identity Provider app user schemas require `externalName` to be
+ included in the request body. If an existing custom Identity Provider app user schema property has an empty
+ `externalName`, requests aren't allowed to update other properties until the `externalName` is defined.
externalNamespace:
type: string
- items:
- $ref: '#/components/schemas/UserSchemaAttributeItems'
+ description: Namespace from the external application
+ format:
+ description: Identifies the type of data represented by the string
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeFormat'
master:
- $ref: '#/components/schemas/UserSchemaAttributeMaster'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMaster'
+ description: Identifies where the property is mastered
maxLength:
type: integer
+ description: Maximum character length of a string property
nullable: true
minLength:
type: integer
+ description: Minimum character length of a string property
nullable: true
mutability:
- type: string
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString'
+ description: Defines the mutability of the property
oneOf:
type: array
+ nullable: true
+ description: |-
+ Non-empty array of valid JSON schemas.
+
+ Okta only supports `oneOf` for specifying display names for an `enum`. Each schema has the following format:
+
+ ```
+ {
+ "const": "enumValue",
+ "title": "display name"
+ }
+ ```json
+
+ When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order.
+
+ ```
+ {"enum": ["S","M","L","XL"],
+ "oneOf": [
+ {"const": "S", "title": "Small"},
+ {"const": "M", "title": "Medium"},
+ {"const": "L", "title": "Large"},
+ {"const": "XL", "title": "Extra Large"}
+ ]
+ }
+ ```json
+
+ The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value.
items:
$ref: '#/components/schemas/UserSchemaAttributeEnum'
pattern:
type: string
+ description: For `string` property types, specifies the regular expression used to validate the property
permissions:
type: array
+ nullable: true
+ description: Access control permissions for the property
items:
$ref: '#/components/schemas/UserSchemaAttributePermission'
required:
type: boolean
+ nullable: true
+ description: Determines whether the property is required
scope:
$ref: '#/components/schemas/UserSchemaAttributeScope'
title:
type: string
+ minLength: 1
+ description: User-defined display name for the property
type:
- $ref: '#/components/schemas/UserSchemaAttributeType'
- union:
- $ref: '#/components/schemas/UserSchemaAttributeUnion'
+ description: Type of property
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttributeType'
unique:
- type: string
+ description: Determines whether property values must be unique
+ type: boolean
+ nullable: true
x-okta-allow-null-property-value-for-updates: true
UserSchemaAttributeEnum:
type: object
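Review bot: The two code samples in the `oneOf` description carry the `json` info string on the closing fence (```` ``` ```` opens, ```` ```json ```` closes), so Markdown renderers treat the blocks as untyped and may open a new fence at the closer; move `json` to the opening fences. `unique` changes type from `string` to `boolean` and `enum.items` widens to `anyOf` string/integer, both of which break clients generated from the previous spec, so they deserve a mention in the changelog. `UserSchemaAttributeFormat` (next hunk) and `UserSchemaAttributeMutabilityString` (two hunks down) are new enums with no `description`; a one-liner naming what each value governs would match the rest of this change.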
@@ -31774,6 +67614,19 @@ components:
type: string
title:
type: string
+ UserSchemaAttributeFormat:
+ type: string
+ enum:
+ - country-code
+ - date-time
+ - email
+ - encrypted
+ - hashed
+ - language-code
+ - locale
+ - ref-id
+ - timezone
+ - uri
UserSchemaAttributeItems:
type: object
properties:
@@ -31788,6 +67641,7 @@ components:
type:
type: string
UserSchemaAttributeMaster:
+ nullable: true
type: object
properties:
priority:
@@ -31809,13 +67663,22 @@ components:
- OKTA
- OVERRIDE
- PROFILE_MASTER
+ UserSchemaAttributeMutabilityString:
+ type: string
+ enum:
+ - IMMUTABLE
+ - READ_ONLY
+ - READ_WRITE
+ - WRITE_ONLY
UserSchemaAttributePermission:
type: object
properties:
action:
type: string
+ description: Determines whether the principal can view or modify the property
principal:
type: string
+ description: Security principal
UserSchemaAttributeScope:
type: string
enum:
@@ -31829,89 +67692,169 @@ components:
- integer
- number
- string
- UserSchemaAttributeUnion:
- type: string
- enum:
- - DISABLE
- - ENABLE
UserSchemaBase:
+ description: |-
+ All Okta-defined Profile properties are defined in a Profile subschema with the resolution scope `#base`. You can't modify these properties, except to update permissions, to change the nullability of `firstName` and `lastName`, or to specify a pattern for `login`. They can't be removed.
+
+ The base User Profile is based on the [System for Cross-domain Identity Management: Core Schema](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#section-4.1.1) and has the standard properties detailed below.
type: object
properties:
id:
type: string
+ description: The subschema name
+ readOnly: true
properties:
- $ref: '#/components/schemas/UserSchemaBaseProperties'
+ description: The `#base` object properties
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaBaseProperties'
required:
type: array
+ description: A collection indicating required property names
+ readOnly: true
items:
type: string
type:
type: string
+ description: The object type
+ readOnly: true
UserSchemaBaseProperties:
type: object
properties:
city:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: City or locality component of the User's address (`locality`)
costCenter:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of a cost center assigned to the User
countryCode:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Country name component of the User's address (`country`.) This property uses [ISO 3166-1 alpha 2 "short" code format](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166).
department:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User's department
displayName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User, suitable for display to end Users
division:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User's division
email:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Primary email address of the User. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
employeeNumber:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Organization or company assigned unique identifier for the User
firstName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Given name of the User (`givenName`)
honorificPrefix:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Honorific prefix(es) of the User or title in most Western languages
honorificSuffix:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Honorific suffix(es) of the User
lastName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Family name of the User (`familyName`)
locale:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: |-
+ User's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on.
+
+ A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example: `en_US` specifies the language English and country US. This value is `en_US` by default.
login:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: |-
+ Unique identifier for the User (`username`)
+
+ The login property is validated according to its pattern attribute, which is a string. By default, the attribute is null. When the attribute is null, the username is required to be formatted as an email address as defined by [RFC 6531 Section 3.3](http://tools.ietf.org/html/rfc6531#section-3.3). The pattern can be set through the API to one of the following forms. (The Admin Console provides access to the same forms.)
+ * A login pattern of `".+"` indicates that there is no restriction on usernames. Any non-empty, unique value is permitted, and the minimum length of five isn't enforced. In this case, usernames don't need to include the `@` character. If a name does include `@`, the portion ahead of the `@` can be used for logging in, provided it identifies a unique User within the org.
+ * A login pattern of the form `"[...]+"` indicates that usernames must only contain characters from the set given between the brackets. The enclosing brackets and final `+` are required for this form. Character ranges can be indicated using hyphens. To include the hyphen itself in the allowed set, the hyphen must appear first. Any characters in the set except the hyphen, a-z, A-Z, and 0-9 must be preceded by a backslash (`\`). For example, `"[a-z13579\.]+"` would restrict usernames to lowercase letters, odd digits, and periods, while `"[-a-zA-Z0-9]+"` would allow basic alphanumeric characters and hyphens.
manager:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: The `displayName` of the User's manager
managerId:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: The `id` of the User's manager
middleName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Middle name(s) of the User
mobilePhone:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Mobile phone number of the User
nickName:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Casual way to address the User in real life
organization:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Name of the User's organization
postalAddress:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Mailing address component of the User's address
preferredLanguage:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: User's preferred written or spoken languages. This property is formatted according to [RFC 7231 Section 5.3.5](https://tools.ietf.org/html/rfc7231#section-5.3.5).
primaryPhone:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Primary phone number of the User, such as home number
profileUrl:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: URL of the User's online Profile (for example, a web page.) This property is formatted according to the [Relative Uniform Resource Locators specification](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166).
secondEmail:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Secondary email address of the User typically used for account recovery. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3).
state:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: State or region component of the User's address (`region`)
streetAddress:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: Full street address component of the User's address
timezone:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: User's time zone. This property is formatted according to the [IANA Time Zone database format](https://tools.ietf.org/html/rfc6557).
title:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: User's title, such as "Vice President"
userType:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: |-
+ Used to describe the organization to the User relationship such as "Employee" or "Contractor".
+
+ **Note:** The `userType` field is an arbitrary string value and isn't related to the newer [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature.
zipCode:
- $ref: '#/components/schemas/UserSchemaAttribute'
+ allOf:
+ - $ref: '#/components/schemas/UserSchemaAttribute'
+ description: ZIP code or postal code component of the User's address (`postalCode`)
UserSchemaDefinitions:
type: object
properties:
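Review bot: The `profileUrl` description's link text reads "Relative Uniform Resource Locators specification" but the URL points at the SCIM draft's ISO 3166 reference (the same anchor `countryCode` uses), and the sibling `UserProfile.profileUrl` description in this change links RFC 1808 instead; align it to `[URL](https://datatracker.ietf.org/doc/html/rfc1808)` or whichever reference the team intends. The `countryCode` description has a stray period inside the parentheses, `` (`country`.) ``. The `login` description documents the `"[...]+"` pattern form and its backslash-escaping rules well, but it does not say how the pattern interacts with the `minLength: 5` set on `UserProfile.login` earlier in this diff; a sentence cross-referencing that would keep the two schemas consistent.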
@@ -31937,21 +67880,33 @@ components:
$ref:
type: string
UserSchemaPublic:
+ description: All custom Profile properties are defined in a Profile subschema with the resolution scope `#custom`
type: object
properties:
id:
type: string
+ description: The subschema name
+ readOnly: true
properties:
type: object
+ description: The `#custom` object properties
additionalProperties:
$ref: '#/components/schemas/UserSchemaAttribute'
required:
type: array
+ description: A collection indicating required property names
+ readOnly: true
items:
type: string
type:
type: string
+ description: The object type
+ readOnly: true
UserStatus:
+ description: |-
+ The current status of the user.
+
+ The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user.
type: string
enum:
- ACTIVE
@@ -31962,6 +67917,7 @@ components:
- RECOVERY
- STAGED
- SUSPENDED
+ readOnly: true
UserStatusPolicyRuleCondition:
type: object
properties:
@@ -31992,7 +67948,7 @@ components:
id:
type: string
description: The unique key for the User Type
- readOnly: false # This should be editable since it's being used by other models that updates the user type
+ readOnly: true
lastUpdated:
type: string
format: date-time
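Review bot: Flipping `UserType.id` to `readOnly: true` drops the removed inline comment's rationale — that other models send this field to update the user type — without replacing it, so generated clients will now omit `id` on write. Confirm that the models which reference a user type by `id` have their own writable field, or keep this one writable; from this hunk alone it isn't possible to tell which.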
@@ -32004,24 +67960,28 @@ components:
readOnly: true
name:
type: string
- description: |-
- The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters.
- This value becomes read-only after creation and can't be updated.
+ description: The name of the User Type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can't be updated.
_links:
$ref: '#/components/schemas/UserTypeLinks'
required:
- name
- displayName
UserTypeCondition:
+ description: Specifies which User Types to include and/or exclude
properties:
exclude:
items:
type: string
type: array
+ description: The User Types to exclude
include:
items:
type: string
type: array
+ description: The User Types to include
+ required:
+ - exclude
+ - include
UserTypeLinks:
allOf:
- $ref: '#/components/schemas/LinksSelf'
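Review bot: `UserTypeCondition` now lists both `exclude` and `include` under `required`, while its new description says "include and/or exclude", so a caller reading the description will expect to omit one and get a validation error. If an empty array is the intended way to express "no filter", the description should say so; otherwise drop the `required` list.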
@@ -32057,159 +68017,136 @@ components:
- displayName
- description
UserVerificationEnum:
- description: User verification setting
+ description: User verification setting. Possible values `DISCOURAGED` (the authenticator isn't asked to perform user verification, but may do so at its discretion), `PREFERRED` (the client uses an authenticator capable of user verification if possible), or `REQUIRED`(the client uses only an authenticator capable of user verification)
type: string
enum:
- DISCOURAGED
- PREFERRED
- REQUIRED
+ UsersLink:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Application Users](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) resource
VerificationMethod:
+ description: |-
+ Describes the method for verifying the user. The supported method types are `ASSURANCE` and `AUTH_METHOD_CHAIN`.
+
+ The method type `AUTH_METHOD_CHAIN` is an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) (Self-Service) feature. You can
+ enable the feature for your org from the **Settings** > **Features** page in the Admin Console.
type: object
properties:
- constraints:
- items:
- $ref: '#/components/schemas/AccessPolicyConstraints'
- type: array
- factorMode:
- type: string
- reauthenticateIn:
- type: string
type:
- type: string
- VerifyFactorRequest:
- type: object
- properties:
- activationToken:
- type: string
- answer:
- type: string
- attestation:
- type: string
- clientData:
- type: string
- nextPassCode:
- type: string
- passCode:
- type: string
- registrationData:
- type: string
- stateToken:
- type: string
- authenticatorData:
- type: string
- signatureData:
- type: string
- VerifyUserFactorResponseLinks:
- type: object
- properties:
- self:
- $ref: '#/components/schemas/HrefObjectSelfLink'
- poll:
- $ref: '#/components/schemas/HrefObject'
- cancel:
- $ref: '#/components/schemas/HrefObject'
- VerifyUserFactorResponse:
- type: object
- additionalProperties: true
- properties:
- expiresAt:
- type: string
- format: date-time
- readOnly: true
- factorResult:
- $ref: '#/components/schemas/VerifyUserFactorResult'
- factorResultMessage:
- type: string
- _embedded:
- type: object
- additionalProperties:
- type: object
- properties: {}
- readOnly: true
- _links:
- $ref: '#/components/schemas/VerifyUserFactorResponseLinks'
- VerifyUserFactorResult:
- type: string
- enum:
- - CHALLENGE
- - ERROR
- - EXPIRED
- - FAILED
- - PASSCODE_REPLAYED
- - REJECTED
- - SUCCESS
- - TIMEOUT
- - TIME_WINDOW_EXCEEDED
- - WAITING
+ $ref: '#/components/schemas/PolicyRuleVerificationMethodType'
+ discriminator:
+ propertyName: type
+ mapping:
+ ASSURANCE: '#/components/schemas/AssuranceMethod'
+ AUTH_METHOD_CHAIN: '#/components/schemas/AuthenticationMethodChainMethod'
Version:
description: The version specified as a [Semantic Version](https://semver.org/).
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
WebAuthnAttachment:
+ description: Method attachment
type: string
enum:
- ANY
- BUILT_IN
- ROAMING
- WebAuthnUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/WebAuthnUserFactorProfile'
- WebAuthnUserFactorProfile:
+ WebAuthnCredRequest:
+ description: Credential request object for the initialized credential, along with the enrollment and key identifiers to associate with the credential
type: object
properties:
- authenticatorName:
+ authenticatorEnrollmentId:
+ description: ID for a WebAuthn Preregistration Factor in Okta
type: string
- credentialId:
+ credRequestJwe:
+ description: Encrypted JWE of credential request for the fulfillment provider
type: string
- WebUserFactor:
- allOf:
- - $ref: '#/components/schemas/UserFactor'
- - type: object
- properties:
- profile:
- $ref: '#/components/schemas/WebUserFactorProfile'
- WebUserFactorProfile:
+ keyId:
+ description: ID for the Okta response key-pair used to encrypt and decrypt credential requests and responses
+ type: string
+ WebAuthnCredResponse:
+ description: Credential response object for enrolled credential details, along with enrollment and key identifiers to associate the credential
type: object
properties:
- credentialId:
+ authenticatorEnrollmentId:
+ description: ID for a WebAuthn Preregistration Factor in Okta
+ type: string
+ credResponseJWE:
+ description: Encrypted JWE of credential response from the fulfillment provider
+ type: string
+ WebAuthnPreregistrationFactor:
+ description: User Factor variant used for WebAuthn Preregistration Factors
+ type: object
+ properties:
+ created:
+ description: Timestamp indicating when the Factor was enrolled
+ type: string
+ format: date-time
+ readOnly: true
+ factorType:
+ $ref: '#/components/schemas/UserFactorType'
+ id:
+ description: ID of the Factor
+ type: string
+ readOnly: true
+ lastUpdated:
+ description: Timestamp indicating when the Factor was last updated
+ type: string
+ format: date-time
+ readOnly: true
+ profile:
+ type: object
+ description: Specific attributes related to the Factor
+ provider:
+ $ref: '#/components/schemas/UserFactorProvider'
+ status:
+ $ref: '#/components/schemas/UserFactorStatus'
+ vendorName:
+ description: Name of the Factor vendor. This is usually the same as the provider.
type: string
+ example: OKTA
+ readOnly: true
+ _links:
+ $ref: '#/components/schemas/LinksSelf'
WellKnownAppAuthenticatorConfiguration:
type: object
properties:
appAuthenticatorEnrollEndpoint:
type: string
+ description: The authenticator enrollment endpoint
authenticatorId:
type: string
description: The unique identifier of the app authenticator
createdDate:
type: string
+ description: Timestamp when the Authenticator was created
format: date-time
key:
- type: string
+ $ref: '#/components/schemas/AuthenticatorKeyEnum'
lastUpdated:
type: string
+ description: Timestamp when the Authenticator was last modified
format: date-time
name:
type: string
description: The authenticator display name
orgId:
type: string
+ description: The `id` of the Okta Org
settings:
type: object
properties:
userVerification:
- type: string
- $ref: '#/components/schemas/UserVerificationEnum'
+ $ref: '#/components/schemas/CustomAppUserVerificationEnum'
supportedMethods:
type: array
items:
$ref: '#/components/schemas/SupportedMethods'
type:
type: string
+ description: The type of Authenticator
enum:
- app
WellKnownOrgMetadata:
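Review bot: `WebAuthnCredRequest.credRequestJwe` and `WebAuthnCredResponse.credResponseJWE` use different casing for the same suffix; these are wire field names, so the right spelling is whatever the service emits — verify against the implementation and align one of them, or note that the difference is intentional. `WebAuthnCredRequest` declares no `required` list even though its description calls the enrollment and key identifiers the values that associate the credential; if all three are mandatory, `required: [authenticatorEnrollmentId, credRequestJwe, keyId]` makes that checkable. The `UserVerificationEnum` description is missing a space in `` `REQUIRED`(the ``.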
@@ -32239,6 +68176,40 @@ components:
omEnabled:
type: boolean
description: Whether the legacy Okta Mobile application is enabled for the org
+ WellKnownSSFMetadata:
+ title: Shared Signals Framework Metadata
+ description: Metadata about Okta as a transmitter and relevant information for configuration.
+ type: object
+ properties:
+ configuration_endpoint:
+ type: string
+ format: uri
+ description: The URL of the SSF Stream configuration endpoint
+ example: https://{yourOktaDomain}/api/v1/ssf/stream
+ delivery_methods_supported:
+ type: array
+ items:
+ type: string
+ format: uri
+ description: An array of supported SET delivery methods
+ example:
+ - https://schemas.openid.net/secevent/risc/delivery-method/push
+ - urn:ietf:rfc:8935
+ issuer:
+ type: string
+ description: The issuer used in Security Event Tokens. This value is set as `iss` in the claim.
+ example: https://{yourOktaDomain}
+ jwks_uri:
+ type: string
+ description: The URL of the JSON Web Key Set (JWKS) that contains the signing keys for validating the signatures of Security Event Tokens (SETs)
+ format: uri
+ example: https://{yourOktaDomain}/oauth2/v1/keys
+ WidgetGeneration:
+ description: The generation of the Sign-in Widget
+ type: string
+ enum:
+ - G2
+ - G3
WsFederationApplication:
x-okta-defined-as:
name: template_wsfed
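Review bot: `issuer` in `WellKnownSSFMetadata` is the only URL-valued property here without `format: uri`, while `configuration_endpoint` and `jwks_uri` both carry it; add `format: uri` under `issuer` so generated validators treat the three consistently. Its description is also loose ("set as `iss` in the claim"); suggest `description: The issuer of Security Event Tokens sent by this transmitter. This value is the SET iss claim, and receivers should reject SETs whose iss does not match it and fetch verification keys only from the advertised jwks_uri.` — whether Okta's receiver guidance already says this I can't confirm from the hunk, so check it against the SSF docs before adopting the second sentence. The `{yourOktaDomain}` placeholders in the `example` values are not valid URIs and will be flagged by strict example validation; a concrete host such as `https://example.okta.com` avoids that.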
@@ -32250,9 +68221,14 @@ components:
$ref: '#/components/schemas/ApplicationCredentials'
name:
type: string
- default: template_wsfed
+ description: '`template_wsfed` is the key name for a WS-Federated app instance with a SAML 2.0 token'
+ enum:
+ - template_wsfed
settings:
$ref: '#/components/schemas/WsFederationApplicationSettings'
+ required:
+ - name
+ - settings
WsFederationApplicationSettings:
allOf:
- $ref: '#/components/schemas/ApplicationSettings'
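Review bot: Dropping `default: template_wsfed` and adding `name` to `required` turns a field that clients could omit into a mandatory one, so any caller or generated SDK that relied on the server-side default will now fail request validation on create; if that is intended it belongs in the changelog, otherwise keep `default: template_wsfed` alongside the new `enum`. The `WsFederationApplication` schema starts before this hunk, so I can't see whether an `allOf` parent already made `name` required, which would make this a no-op.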
@@ -32265,28 +68241,221 @@ components:
properties:
attributeStatements:
type: string
+ description: You can federate user attributes such as Okta profile fields, LDAP, Active Directory, and Workday values. The SP uses the federated WS-Fed attribute values accordingly.
audienceRestriction:
type: string
+ description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP.
authnContextClassRef:
type: string
+ description: Identifies the SAML authentication context class for the assertion's authentication statement
groupFilter:
type: string
+ description: A regular expression that filters for the User Groups you want included with the `groupName` attribute. If the matching User Group has a corresponding AD group, then the attribute statement includes the value of the attribute specified by `groupValueFormat`. If the matching User Group doesn't contain a corresponding AD group, then the `groupName` is used in the attribute statement.
groupName:
type: string
+ description: The group name to include in the WS-Fed response attribute statement. This property is used in conjunction with the `groupFilter` property. Groups that are filtered through the `groupFilter` expression are included with the `groupName` in the attribute statement. Any users that belong to the group you've filtered are included in the WS-Fed response attribute statement.
groupValueFormat:
type: string
+ description: Specifies the WS-Fed assertion attribute value for filtered groups. This attribute is only applied to Active Directory groups.
+ enum:
+ - windowsDomainQualifiedName
+ - samAccountName
+ - dn
nameIDFormat:
type: string
+ description: The username format that you send in the WS-Fed response
realm:
type: string
+ description: The uniform resource identifier (URI) of the WS-Fed app that's used to share resources securely within a domain. It's the identity that's sent to the Okta IdP when signing in. See [Realm name](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_Configure_Okta_Template_WS_Federation#Realm).
siteURL:
type: string
+ description: Launch URL for the web app
usernameAttribute:
type: string
+ description: Specifies additional username attribute statements to include in the WS-Fed assertion
+ enum:
+ - username
+ - upn
+ - upnAndUsername
+ - none
wReplyOverride:
type: boolean
+ description: Enables a web app to override the `wReplyURL` URL with a reply parameter.
wReplyURL:
type: string
+ description: The WS-Fed SP endpoint where your users sign in
+ example: http://test.acme.com/example-post-sign/
+ required:
+ - audienceRestriction
+ - groupValueFormat
+ - wReplyURL
+ - nameIDFormat
+ - authnContextClassRef
+ - siteURL
+ - usernameAttribute
+ X5c:
+ description: Base64-encoded X.509 certificate chain with DER encoding
+ items:
+ type: string
+ example: MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9
+ type: array
+ ZoomUsApplication:
+ title: Zoom
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: zoomus
+ example:
+ name: zoomus
+ label: Sample Zoom App
+ signOnMode: SAML_2_0
+ settings:
+ app:
+ subDomain: my-zoom-subdomain
+ description: |
+ Schema for the Zoom app (key name: `zoomus`)
+
+ To create a Zoom app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Zoom app only supports `SAML_2_0` sign-on mode.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - zoomus
+ example: zoomus
+ signOnMode:
+ enum:
+ - SAML_2_0
+ settings:
+ $ref: '#/components/schemas/ZoomUsApplicationSettings'
+ ZoomUsApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/ZoomUsApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ ZoomUsApplicationSettingsApplication:
+ description: Zoom app instance properties
+ type: object
+ properties:
+ subDomain:
+ type: string
+ description: Your Zoom subdomain
+ required:
+ - subDomain
+ ZscalerbyzApplication:
+ title: Zscaler 2.0
+ x-tags:
+ - Application
+ x-okta-defined-as:
+ name: zscalerbyz
+ example:
+ name: zscalerbyz
+ label: Sample Zscaler 2.0 App
+ signOnMode: SAML_2_0
+ description: |
+ Schema for the Zscaler 2.0 app (key name: `zscalerbyz`)
+
+ To create a Zscaler 2.0 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.
+ > **Note:** The Zscaler 2.0 app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes.
+ allOf:
+ - $ref: '#/components/schemas/OINApplication'
+ - type: object
+ - required:
+ - name
+ - label
+ - settings
+ properties:
+ name:
+ type: string
+ enum:
+ - zscalerbyz
+ example: zscalerbyz
+ signOnMode:
+ enum:
+ - BROWSER_PLUGIN
+ - SAML_2_0
+ settings:
+ $ref: '#/components/schemas/ZscalerbyzApplicationSettings'
+ ZscalerbyzApplicationSettings:
+ allOf:
+ - $ref: '#/components/schemas/ApplicationSettings'
+ - type: object
+ - required:
+ - app
+ properties:
+ app:
+ $ref: '#/components/schemas/ZscalerbyzApplicationSettingsApplication'
+ signOn:
+ $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
+ ZscalerbyzApplicationSettingsApplication:
+ description: Zscaler app instance properties
+ type: object
+ properties:
+ siteDomain:
+ type: string
+ description: Your Zscaler domain
+ _embedded:
+ description: The Public Key Details are defined in the `_embedded` property of the Key object.
+ type: object
+ properties:
+ alg:
+ description: Algorithm used in the key
+ type: string
+ nullable: false
+ readOnly: true
+ e:
+ description: RSA key value (exponent) for key binding
+ type: string
+ nullable: false
+ readOnly: true
+ kid:
+ description: Unique identifier for the certificate
+ type: string
+ uniqueItems: true
+ nullable: false
+ readOnly: true
+ kty:
+ description: Cryptographic algorithm family for the certificate's keypair
+ type: string
+ nullable: false
+ readOnly: true
+ 'n':
+ description: RSA key value (modulus) for key binding
+ type: string
+ nullable: false
+ readOnly: true
+ use:
+ description: Acceptable use of the certificate
+ type: string
+ nullable: true
+ readOnly: true
+ appLink:
+ type: object
+ properties:
+ login:
+ $ref: '#/components/schemas/HrefObjectAppLink'
+ logo:
+ $ref: '#/components/schemas/HrefObjectLogoLink'
+ readOnly: true
+ createdProperty:
+ description: Timestamp when the object was created
+ format: date-time
+ example: '2017-03-28T01:11:10.000Z'
+ type: string
+ readOnly: true
enabledPagesType:
title: enabledPages
type: string
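Review bot: The new `wReplyURL` example is `http://test.acme.com/example-post-sign/`, a plaintext endpoint for the SP URL that receives the WS-Fed response carrying the signed token; schema examples get copied into real configs, so change it to `example: https://test.acme.com/example-post-sign/`. The `wReplyOverride` description says a web app can override `wReplyURL` with a reply parameter but not what bounds that override — if a request-supplied `wreply` is honored without being checked against `wReplyURL` or its origin, a crafted link would make the token post to an attacker-chosen URL; I can't tell from the hunk whether Okta validates it, so the description should state the rule (for example whether the supplied value must match the host of `wReplyURL`) and advise enabling it only when the SP requires it. Separately, `uniqueItems: true` under the string-typed `_embedded.kid` is an array-only keyword and a no-op for validators — drop it. The `_embedded` object's parent schema isn't visible here, so I can't confirm which Key object it documents.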
@@ -32298,6 +68467,70 @@ components:
SIGN_IN: User sign-in page
SSPR: Self-service Password Recovery page
SSR: Self-service Registration page
+ lastUpdatedProperty:
+ format: date-time
+ description: Timestamp when the object was last updated
+ type: string
+ readOnly: true
+ orgBillingContactType:
+ description: Org billing contact
+ type: object
+ properties:
+ contactType:
+ $ref: '#/components/schemas/OrgContactType'
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org billing Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ billing:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the org billing [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource
+ orgGeneralSettingLinks:
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ type: object
+ properties:
+ contacts:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Contacts](/openapi/okta-management/management/tag/OrgSettingContact/) resource
+ logo:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the org logo
+ oktaCommunication:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Communication Settings](/openapi/okta-management/management/tag/OrgSettingCommunication/) resource
+ oktaSupport:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Support Settings](/openapi/okta-management/management/tag/OrgSettingSupport/) resource
+ preferences:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Org Preferences](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/getOrgPreferences) resource
+ uploadLogo:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the [Upload Org Logo](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/uploadOrgLogo) resource
+ readOnly: true
+ orgTechnicalContactType:
+ description: Org technical contact
+ type: object
+ properties:
+ contactType:
+ $ref: '#/components/schemas/OrgContactType'
+ _links:
+ type: object
+ description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org technical Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
+ readOnly: true
+ properties:
+ technical:
+ allOf:
+ - $ref: '#/components/schemas/HrefObject'
+ - description: Link to the org technical [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource
postAPIServiceIntegrationInstance:
allOf:
- $ref: '#/components/schemas/APIServiceIntegrationInstance'
@@ -32324,6 +68557,94 @@ components:
required:
- type
- grantedScopes
+ profile:
+ description: Specific profile properties for the privileged account
+ additionalProperties:
+ type: object
+ properties: {}
+ type: object
+ readOnly: true
+ subject:
+ nullable: false
+ type: object
+ properties:
+ format:
+ type: string
+ description: The user identifier
+ nullable: false
+ writeOnly: true
+ enum:
+ - opaque
+ id:
+ type: string
+ description: ID of the user
+ writeOnly: true
+ nullable: false
+ userLink:
+ type: object
+ properties:
+ user:
+ $ref: '#/components/schemas/HrefObjectUserLink'
+ schemas-JsonWebKey:
+ description: A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta can use these keys to verify the signature of a JWT when provided for the `private_key_jwt` client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys.
+ type: object
+ properties:
+ alg:
+ $ref: '#/components/schemas/SigningAlgorithm'
+ kid:
+ type: string
+ description: The unique identifier of the key
+ kty:
+ $ref: '#/components/schemas/JsonWebKeyType'
+ status:
+ $ref: '#/components/schemas/JsonWebKeyStatus'
+ use:
+ $ref: '#/components/schemas/JsonWebKeyUse'
+ discriminator:
+ propertyName: kty
+ mapping:
+ EC: '#/components/schemas/JsonWebKeyEC'
+ RSA: '#/components/schemas/JsonWebKeyRsa'
+ JsonWebKeyEC:
+ allOf:
+ - $ref: '#/components/schemas/schemas-JsonWebKey'
+ - type: object
+ properties:
+ x:
+ type: string
+ description: The public x coordinate for the elliptic curve point
+ 'y':
+ type: string
+ description: The public y coordinate for the elliptic curve point
+ JsonWebKeyRsa:
+ allOf:
+ - $ref: '#/components/schemas/schemas-JsonWebKey'
+ - type: object
+ properties:
+ e:
+ type: string
+ description: The key exponent of a RSA key
+ 'n':
+ type: string
+ description: The modulus of the RSA key
+ JsonWebKeyType:
+ description: The type of public key
+ type: string
+ enum:
+ - EC
+ - RSA
+ JsonWebKeyStatus:
+ description: The status of the public key
+ type: string
+ enum:
+ - ACTIVE
+ - INACTIVE
+ JsonWebKeyUse:
+ description: The intended use of the public key
+ type: string
+ enum:
+ - enc
+ - sig
securitySchemes:
apiToken:
description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`'
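Review bot: `JsonWebKeyEC` declares only `x` and `y`, but an EC public JWK per RFC 7518 §6.2.1 also needs `crv`; without the curve name the coordinates can't be interpreted and a `private_key_jwt` verification key in this shape is unusable, so add under the EC `properties` `crv:` / `type: string` / `description: The elliptic curve of the key (the JWK crv parameter)`, with an `enum` once the curves Okta accepts are confirmed. Neither `JsonWebKeyEC` nor `JsonWebKeyRsa` lists `required`, so a key missing `n`/`e` or `x`/`y` validates as a complete public key; consider `required: [n, e]` and `required: [crv, x, y]` respectively. Also, `subject.format` is described as `The user identifier` while its enum value `opaque` names an identifier format; suggest `description: The format of the user identifier`. Private members (`d`, `p`, `q`) are correctly absent from both variants, which is the right shape for a client-registered verification key.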
@@ -32338,87 +68659,113 @@ components:
authorizationUrl: /oauth2/v1/authorize
tokenUrl: /oauth2/v1/token
scopes:
- okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization.
- okta.agentPools.read: Allows the app to read agent pools in your Okta organization.
- okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization.
- okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization.
- okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization.
- okta.appGrants.read: Allows the app to read grants in your Okta organization.
- okta.apps.manage: Allows the app to create and manage Apps in your Okta organization.
- okta.apps.read: Allows the app to read information about Apps in your Okta organization.
- okta.authenticators.manage: Allows the app to manage all authenticators (e.g. enrollments, reset).
- okta.authenticators.read: Allows the app to read org authenticators information.
- okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization.
- okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization.
- okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization.
- okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization.
- okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization.
- okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization.
- okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization.
- okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization.
- okta.deviceAssurance.manage: Allows the app to manage device assurances.
- okta.deviceAssurance.read: Allows the app to read device assurances.
- okta.devices.manage: Allows the app to manage device status transitions and delete a device.
- okta.devices.read: Allows the app to read the existing device's profile and search devices.
- okta.domains.manage: Allows the app to manage custom Domains for your Okta organization.
- okta.domains.read: Allows the app to read information about custom Domains for your Okta organization.
- okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization.
- okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization.
- okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization.
- okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization.
- okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization.
- okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization.
- okta.features.manage: Allows the app to create and manage Features in your Okta organization.
- okta.features.read: Allows the app to read information about Features in your Okta organization.
- okta.groups.manage: Allows the app to manage existing groups in your Okta organization.
- okta.groups.read: Allows the app to read information about groups and their members in your Okta organization.
+ okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization
+ okta.agentPools.read: Allows the app to read agent pools in your Okta organization
+ okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization
+ okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization
+ okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization
+ okta.appGrants.read: Allows the app to read grants in your Okta organization
+ okta.apps.manage: Allows the app to create and manage Apps in your Okta organization
+ okta.apps.read: Allows the app to read information about Apps in your Okta organization
+ okta.authenticators.manage: Allows the app to manage all authenticators. For example, enrollments or resets.
+ okta.authenticators.manage.self: Allows the app to manage a user's own authenticators. For example, enrollments or resets.
+ okta.authenticators.read: Allows the app to read org authenticators information
+ okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization
+ okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization
+ okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization
+ okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization
+ okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization
+ okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization
+ okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization
+ okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization
+ okta.deviceAssurance.manage: Allows the app to manage device assurances
+ okta.deviceAssurance.read: Allows the app to read device assurances
+ okta.deviceChecks.manage: Allows the app to manage device checks
+ okta.deviceChecks.read: Allows the app to read device checks
+ okta.devices.manage: Allows the app to manage device status transitions and delete a device
+ okta.devices.read: Allows the app to read the existing device's profile and search devices
+ okta.directories.groups.manage: Allows the app to manage AD/LDAP Groups for your Okta organization
+ okta.domains.manage: Allows the app to manage custom Domains for your Okta organization
+ okta.domains.read: Allows the app to read information about custom Domains for your Okta organization
+ okta.dr.manage: Allows the app to manage disaster recovery
+ okta.dr.read: Allows the app to read the disaster recovery status
+ okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization
+ okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization
+ okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization
+ okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization
+ okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization
+ okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization
+ okta.features.manage: Allows the app to create and manage Features in your Okta organization
+ okta.features.read: Allows the app to read information about Features in your Okta organization
+ okta.groups.manage: Allows the app to manage existing groups in your Okta organization
+ okta.groups.read: Allows the app to read information about groups and their members in your Okta organization
okta.identitySources.manage: Allows the custom identity sources to manage user entities in your Okta organization
okta.identitySources.read: Allows to read session information for custom identity sources in your Okta organization
- okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization.
- okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization.
- okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization.
- okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization.
- okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization.
- okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization.
- okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization.
- okta.logStreams.read: Allows the app to read information about log streams in your Okta organization.
- okta.logs.read: Allows the app to read information about System Log entries in your Okta organization.
- okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization.
- okta.networkZones.read: Allows the app to read Network Zones in your Okta organization.
- okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization.
- okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization.
- okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization.
- okta.orgs.read: Allows the app to read organization-specific details about your Okta organization.
- okta.policies.manage: Allows the app to manage policies in your Okta organization.
- okta.policies.read: Allows the app to read information about policies in your Okta organization.
- okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization.
- okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization.
- okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization.
- okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization.
- okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM.
- okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM.
- okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization.
- okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization.
- okta.realms.manage: Allows the app to create new realms and to manage their details.
- okta.realms.read: Allows the app to read the existing realms and their details.
- okta.riskEvents.manage: Allows the app to publish risk events to your Okta organization.
- okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization.
- okta.riskProviders.read: Allows the app to read all risk provider integrations in your Okta organization.
- okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization.
- okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization.
- okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization.
- okta.schemas.read: Allows the app to read information about Schemas in your Okta organization.
- okta.sessions.manage: Allows the app to manage all sessions in your Okta organization.
- okta.sessions.read: Allows the app to read all sessions in your Okta organization.
- okta.templates.manage: Allows the app to manage all custom templates in your Okta organization.
- okta.templates.read: Allows the app to read all custom templates in your Okta organization.
- okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization.
- okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization.
- okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization.
- okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization.
- okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization.
- okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization.
- okta.userTypes.manage: Allows the app to manage user types in your Okta organization.
- okta.userTypes.read: Allows the app to read user types in your Okta organization.
- okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information.
- okta.users.read: Allows the app to read the existing users' profiles and credentials.
+ okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization
+ okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization
+ okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization
+ okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization
+ okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization
+ okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization
+ okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization
+ okta.logStreams.read: Allows the app to read information about log streams in your Okta organization
+ okta.logs.read: Allows the app to read information about System Log entries in your Okta organization
+ okta.manifests.manage: Allows the app to manage OIN submissions in your Okta organization
+ okta.manifests.read: Allows the app to read OIN submissions in your Okta organization
+ okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization
+ okta.networkZones.read: Allows the app to read Network Zones in your Okta organization
+ okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization
+ okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization
+ okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization
+ okta.orgs.read: Allows the app to read organization-specific details about your Okta organization
+ okta.personal.adminSettings.manage: Allows the app to manage the personal admin settings for the signed-in user
+ okta.personal.adminSettings.read: Allows the app to read the personal admin settings for the signed-in user
+ okta.policies.manage: Allows the app to manage policies in your Okta organization
+ okta.policies.read: Allows the app to read information about policies in your Okta organization
+ okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization
+ okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization
+ okta.privilegedAccounts.manage: Allows the app to create and manage Privileged Accounts in your Okta organization
+ okta.privilegedAccounts.read: Allows the app to read Privileged Accounts in your Okta organization
+ okta.privilegedResources.manage: Allows the app to create privileged resources and manage their details
+ okta.privilegedResources.read: Allows the app to read the details of existing privileged resources
+ okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization
+ okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization
+ okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM
+ okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM
+ okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization
+ okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization
+ okta.realmAssignments.manage: Allows a user to manage realm assignments
+ okta.realmAssignments.read: Allows a user to read realm assignments
+ okta.realms.manage: Allows the app to create new realms and to manage their details
+ okta.realms.read: Allows the app to read the existing realms and their details
+ okta.resourceSelectors.manage: Allows the app to manage resource selectors in your Okta org
+ okta.resourceSelectors.read: Allows the app to read resource selectors in your Okta org
+ okta.riskEvents.manage: Allows the app to publish risk events to your Okta organization
+ okta.riskProviders.manage: Allows the app to create and manage risk provider integrations in your Okta organization
+ okta.riskProviders.read: Allows the app to read all risk provider integrations in your Okta organization
+ okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
+ okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
+ okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization
+ okta.schemas.read: Allows the app to read information about Schemas in your Okta organization
+ okta.securityEventsProviders.manage: Allows the app to create and manage Security Events Providers in your Okta organization
+ okta.securityEventsProviders.read: Allows the app to read information about Security Events Providers in your Okta organization
+ okta.sessions.manage: Allows the app to manage all sessions in your Okta organization
+ okta.sessions.read: Allows the app to read all sessions in your Okta organization
+ okta.templates.manage: Allows the app to manage all custom templates in your Okta organization
+ okta.templates.read: Allows the app to read all custom templates in your Okta organization
+ okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization
+ okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization
+ okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization
+ okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization
+ okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization
+ okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization
+ okta.userRisk.manage: Allows the app to manage a user's risk in your Okta org
+ okta.userRisk.read: Allows the app to read a user's risk in your Okta org
+ okta.userTypes.manage: Allows the app to manage user types in your Okta org
+ okta.userTypes.read: Allows the app to read user types in your Okta org
+ okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information
+ okta.users.manage.self: Allows the app to manage the signed-in user's profile and credentials
+ okta.users.read: Allows the app to read the existing users' profiles and credentials
+ okta.users.read.self: Allows the app to read the signed-in user's profile and credentials
+ ssf.manage: Allows the app to create and manage Shared Signals Framework (SSF) in your Okta organization
+ ssf.read: Allows the app to read information about Shared Signals Framework (SSF) in your Okta organization
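Review bot: The new description of `okta.roles.read` carries the clause "Delegated admins with this permission can only manage user credential fields and not the credential values themselves", which appears to have been copied from the `okta.roles.manage` entry directly above it and contradicts a read-only scope; anyone auditing least-privilege grants from this spec could take the read scope to carry a manage capability. I would reduce it to `okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization`. Even on the manage scope that sentence talks about credential fields rather than role assignments, so it is worth confirming against the authoritative scope documentation before it ships. Separately, `okta.realmAssignments.manage` and `okta.realmAssignments.read` say "Allows a user to …" while every other entry in this list says "Allows the app to …"; `okta.realmAssignments.manage: Allows the app to manage realm assignments` and `okta.realmAssignments.read: Allows the app to read realm assignments` would keep the scope list consistent for tooling and reviewers that grep it.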