1. Packages
  2. Okta Provider
  3. API Docs
  4. idp
  5. Oidc
Okta v4.11.3 published on Monday, Oct 21, 2024 by Pulumi

okta.idp.Oidc

Explore with Pulumi AI

okta logo
Okta v4.11.3 published on Monday, Oct 21, 2024 by Pulumi

    Creates an OIDC Identity Provider. This resource allows you to create and configure an OIDC Identity Provider.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as okta from "@pulumi/okta";
    
    const example = new okta.idp.Oidc("example", {
        name: "example",
        authorizationUrl: "https://idp.example.com/authorize",
        authorizationBinding: "HTTP-REDIRECT",
        tokenUrl: "https://idp.example.com/token",
        tokenBinding: "HTTP-POST",
        userInfoUrl: "https://idp.example.com/userinfo",
        userInfoBinding: "HTTP-REDIRECT",
        jwksUrl: "https://idp.example.com/keys",
        jwksBinding: "HTTP-REDIRECT",
        scopes: ["openid"],
        clientId: "efg456",
        clientSecret: "efg456",
        issuerUrl: "https://id.example.com",
        usernameTemplate: "idpuser.email",
    });
    
    import pulumi
    import pulumi_okta as okta
    
    example = okta.idp.Oidc("example",
        name="example",
        authorization_url="https://idp.example.com/authorize",
        authorization_binding="HTTP-REDIRECT",
        token_url="https://idp.example.com/token",
        token_binding="HTTP-POST",
        user_info_url="https://idp.example.com/userinfo",
        user_info_binding="HTTP-REDIRECT",
        jwks_url="https://idp.example.com/keys",
        jwks_binding="HTTP-REDIRECT",
        scopes=["openid"],
        client_id="efg456",
        client_secret="efg456",
        issuer_url="https://id.example.com",
        username_template="idpuser.email")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/idp"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := idp.NewOidc(ctx, "example", &idp.OidcArgs{
    			Name:                 pulumi.String("example"),
    			AuthorizationUrl:     pulumi.String("https://idp.example.com/authorize"),
    			AuthorizationBinding: pulumi.String("HTTP-REDIRECT"),
    			TokenUrl:             pulumi.String("https://idp.example.com/token"),
    			TokenBinding:         pulumi.String("HTTP-POST"),
    			UserInfoUrl:          pulumi.String("https://idp.example.com/userinfo"),
    			UserInfoBinding:      pulumi.String("HTTP-REDIRECT"),
    			JwksUrl:              pulumi.String("https://idp.example.com/keys"),
    			JwksBinding:          pulumi.String("HTTP-REDIRECT"),
    			Scopes: pulumi.StringArray{
    				pulumi.String("openid"),
    			},
    			ClientId:         pulumi.String("efg456"),
    			ClientSecret:     pulumi.String("efg456"),
    			IssuerUrl:        pulumi.String("https://id.example.com"),
    			UsernameTemplate: pulumi.String("idpuser.email"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Okta = Pulumi.Okta;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Okta.Idp.Oidc("example", new()
        {
            Name = "example",
            AuthorizationUrl = "https://idp.example.com/authorize",
            AuthorizationBinding = "HTTP-REDIRECT",
            TokenUrl = "https://idp.example.com/token",
            TokenBinding = "HTTP-POST",
            UserInfoUrl = "https://idp.example.com/userinfo",
            UserInfoBinding = "HTTP-REDIRECT",
            JwksUrl = "https://idp.example.com/keys",
            JwksBinding = "HTTP-REDIRECT",
            Scopes = new[]
            {
                "openid",
            },
            ClientId = "efg456",
            ClientSecret = "efg456",
            IssuerUrl = "https://id.example.com",
            UsernameTemplate = "idpuser.email",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.okta.idp.Oidc;
    import com.pulumi.okta.idp.OidcArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Oidc("example", OidcArgs.builder()
                .name("example")
                .authorizationUrl("https://idp.example.com/authorize")
                .authorizationBinding("HTTP-REDIRECT")
                .tokenUrl("https://idp.example.com/token")
                .tokenBinding("HTTP-POST")
                .userInfoUrl("https://idp.example.com/userinfo")
                .userInfoBinding("HTTP-REDIRECT")
                .jwksUrl("https://idp.example.com/keys")
                .jwksBinding("HTTP-REDIRECT")
                .scopes("openid")
                .clientId("efg456")
                .clientSecret("efg456")
                .issuerUrl("https://id.example.com")
                .usernameTemplate("idpuser.email")
                .build());
    
        }
    }
    
    resources:
      example:
        type: okta:idp:Oidc
        properties:
          name: example
          authorizationUrl: https://idp.example.com/authorize
          authorizationBinding: HTTP-REDIRECT
          tokenUrl: https://idp.example.com/token
          tokenBinding: HTTP-POST
          userInfoUrl: https://idp.example.com/userinfo
          userInfoBinding: HTTP-REDIRECT
          jwksUrl: https://idp.example.com/keys
          jwksBinding: HTTP-REDIRECT
          scopes:
            - openid
          clientId: efg456
          clientSecret: efg456
          issuerUrl: https://id.example.com
          usernameTemplate: idpuser.email
    

    Create Oidc Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Oidc(name: string, args: OidcArgs, opts?: CustomResourceOptions);
    @overload
    def Oidc(resource_name: str,
             args: OidcArgs,
             opts: Optional[ResourceOptions] = None)
    
    @overload
    def Oidc(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             issuer_url: Optional[str] = None,
             token_url: Optional[str] = None,
             authorization_binding: Optional[str] = None,
             authorization_url: Optional[str] = None,
             client_id: Optional[str] = None,
             client_secret: Optional[str] = None,
             token_binding: Optional[str] = None,
             scopes: Optional[Sequence[str]] = None,
             jwks_url: Optional[str] = None,
             jwks_binding: Optional[str] = None,
             name: Optional[str] = None,
             request_signature_algorithm: Optional[str] = None,
             groups_filters: Optional[Sequence[str]] = None,
             groups_attribute: Optional[str] = None,
             groups_assignments: Optional[Sequence[str]] = None,
             max_clock_skew: Optional[int] = None,
             account_link_action: Optional[str] = None,
             pkce_required: Optional[bool] = None,
             profile_master: Optional[bool] = None,
             protocol_type: Optional[str] = None,
             provisioning_action: Optional[str] = None,
             issuer_mode: Optional[str] = None,
             request_signature_scope: Optional[str] = None,
             groups_action: Optional[str] = None,
             status: Optional[str] = None,
             subject_match_attribute: Optional[str] = None,
             subject_match_type: Optional[str] = None,
             suspended_action: Optional[str] = None,
             deprovisioned_action: Optional[str] = None,
             account_link_group_includes: Optional[Sequence[str]] = None,
             user_info_binding: Optional[str] = None,
             user_info_url: Optional[str] = None,
             username_template: Optional[str] = None)
    func NewOidc(ctx *Context, name string, args OidcArgs, opts ...ResourceOption) (*Oidc, error)
    public Oidc(string name, OidcArgs args, CustomResourceOptions? opts = null)
    public Oidc(String name, OidcArgs args)
    public Oidc(String name, OidcArgs args, CustomResourceOptions options)
    
    type: okta:idp:Oidc
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args OidcArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args OidcArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args OidcArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args OidcArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args OidcArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var oidcResource = new Okta.Idp.Oidc("oidcResource", new()
    {
        IssuerUrl = "string",
        TokenUrl = "string",
        AuthorizationBinding = "string",
        AuthorizationUrl = "string",
        ClientId = "string",
        ClientSecret = "string",
        TokenBinding = "string",
        Scopes = new[]
        {
            "string",
        },
        JwksUrl = "string",
        JwksBinding = "string",
        Name = "string",
        RequestSignatureAlgorithm = "string",
        GroupsFilters = new[]
        {
            "string",
        },
        GroupsAttribute = "string",
        GroupsAssignments = new[]
        {
            "string",
        },
        MaxClockSkew = 0,
        AccountLinkAction = "string",
        PkceRequired = false,
        ProfileMaster = false,
        ProtocolType = "string",
        ProvisioningAction = "string",
        IssuerMode = "string",
        RequestSignatureScope = "string",
        GroupsAction = "string",
        Status = "string",
        SubjectMatchAttribute = "string",
        SubjectMatchType = "string",
        SuspendedAction = "string",
        DeprovisionedAction = "string",
        AccountLinkGroupIncludes = new[]
        {
            "string",
        },
        UserInfoBinding = "string",
        UserInfoUrl = "string",
        UsernameTemplate = "string",
    });
    
    example, err := idp.NewOidc(ctx, "oidcResource", &idp.OidcArgs{
    	IssuerUrl:            pulumi.String("string"),
    	TokenUrl:             pulumi.String("string"),
    	AuthorizationBinding: pulumi.String("string"),
    	AuthorizationUrl:     pulumi.String("string"),
    	ClientId:             pulumi.String("string"),
    	ClientSecret:         pulumi.String("string"),
    	TokenBinding:         pulumi.String("string"),
    	Scopes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	JwksUrl:                   pulumi.String("string"),
    	JwksBinding:               pulumi.String("string"),
    	Name:                      pulumi.String("string"),
    	RequestSignatureAlgorithm: pulumi.String("string"),
    	GroupsFilters: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	GroupsAttribute: pulumi.String("string"),
    	GroupsAssignments: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	MaxClockSkew:          pulumi.Int(0),
    	AccountLinkAction:     pulumi.String("string"),
    	PkceRequired:          pulumi.Bool(false),
    	ProfileMaster:         pulumi.Bool(false),
    	ProtocolType:          pulumi.String("string"),
    	ProvisioningAction:    pulumi.String("string"),
    	IssuerMode:            pulumi.String("string"),
    	RequestSignatureScope: pulumi.String("string"),
    	GroupsAction:          pulumi.String("string"),
    	Status:                pulumi.String("string"),
    	SubjectMatchAttribute: pulumi.String("string"),
    	SubjectMatchType:      pulumi.String("string"),
    	SuspendedAction:       pulumi.String("string"),
    	DeprovisionedAction:   pulumi.String("string"),
    	AccountLinkGroupIncludes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	UserInfoBinding:  pulumi.String("string"),
    	UserInfoUrl:      pulumi.String("string"),
    	UsernameTemplate: pulumi.String("string"),
    })
    
    var oidcResource = new Oidc("oidcResource", OidcArgs.builder()
        .issuerUrl("string")
        .tokenUrl("string")
        .authorizationBinding("string")
        .authorizationUrl("string")
        .clientId("string")
        .clientSecret("string")
        .tokenBinding("string")
        .scopes("string")
        .jwksUrl("string")
        .jwksBinding("string")
        .name("string")
        .requestSignatureAlgorithm("string")
        .groupsFilters("string")
        .groupsAttribute("string")
        .groupsAssignments("string")
        .maxClockSkew(0)
        .accountLinkAction("string")
        .pkceRequired(false)
        .profileMaster(false)
        .protocolType("string")
        .provisioningAction("string")
        .issuerMode("string")
        .requestSignatureScope("string")
        .groupsAction("string")
        .status("string")
        .subjectMatchAttribute("string")
        .subjectMatchType("string")
        .suspendedAction("string")
        .deprovisionedAction("string")
        .accountLinkGroupIncludes("string")
        .userInfoBinding("string")
        .userInfoUrl("string")
        .usernameTemplate("string")
        .build());
    
    oidc_resource = okta.idp.Oidc("oidcResource",
        issuer_url="string",
        token_url="string",
        authorization_binding="string",
        authorization_url="string",
        client_id="string",
        client_secret="string",
        token_binding="string",
        scopes=["string"],
        jwks_url="string",
        jwks_binding="string",
        name="string",
        request_signature_algorithm="string",
        groups_filters=["string"],
        groups_attribute="string",
        groups_assignments=["string"],
        max_clock_skew=0,
        account_link_action="string",
        pkce_required=False,
        profile_master=False,
        protocol_type="string",
        provisioning_action="string",
        issuer_mode="string",
        request_signature_scope="string",
        groups_action="string",
        status="string",
        subject_match_attribute="string",
        subject_match_type="string",
        suspended_action="string",
        deprovisioned_action="string",
        account_link_group_includes=["string"],
        user_info_binding="string",
        user_info_url="string",
        username_template="string")
    
    const oidcResource = new okta.idp.Oidc("oidcResource", {
        issuerUrl: "string",
        tokenUrl: "string",
        authorizationBinding: "string",
        authorizationUrl: "string",
        clientId: "string",
        clientSecret: "string",
        tokenBinding: "string",
        scopes: ["string"],
        jwksUrl: "string",
        jwksBinding: "string",
        name: "string",
        requestSignatureAlgorithm: "string",
        groupsFilters: ["string"],
        groupsAttribute: "string",
        groupsAssignments: ["string"],
        maxClockSkew: 0,
        accountLinkAction: "string",
        pkceRequired: false,
        profileMaster: false,
        protocolType: "string",
        provisioningAction: "string",
        issuerMode: "string",
        requestSignatureScope: "string",
        groupsAction: "string",
        status: "string",
        subjectMatchAttribute: "string",
        subjectMatchType: "string",
        suspendedAction: "string",
        deprovisionedAction: "string",
        accountLinkGroupIncludes: ["string"],
        userInfoBinding: "string",
        userInfoUrl: "string",
        usernameTemplate: "string",
    });
    
    type: okta:idp:Oidc
    properties:
        accountLinkAction: string
        accountLinkGroupIncludes:
            - string
        authorizationBinding: string
        authorizationUrl: string
        clientId: string
        clientSecret: string
        deprovisionedAction: string
        groupsAction: string
        groupsAssignments:
            - string
        groupsAttribute: string
        groupsFilters:
            - string
        issuerMode: string
        issuerUrl: string
        jwksBinding: string
        jwksUrl: string
        maxClockSkew: 0
        name: string
        pkceRequired: false
        profileMaster: false
        protocolType: string
        provisioningAction: string
        requestSignatureAlgorithm: string
        requestSignatureScope: string
        scopes:
            - string
        status: string
        subjectMatchAttribute: string
        subjectMatchType: string
        suspendedAction: string
        tokenBinding: string
        tokenUrl: string
        userInfoBinding: string
        userInfoUrl: string
        usernameTemplate: string
    

    Oidc Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Oidc resource accepts the following input properties:

    AuthorizationBinding string
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    AuthorizationUrl string
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    ClientId string
    Unique identifier issued by AS for the Okta IdP instance.
    ClientSecret string
    Client secret issued by AS for the Okta IdP instance.
    IssuerUrl string
    URI that identifies the issuer.
    JwksBinding string
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    JwksUrl string
    Endpoint where the keys signer publishes its keys in a JWK Set.
    Scopes List<string>
    The scopes of the IdP.
    TokenBinding string
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    TokenUrl string
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    AccountLinkAction string
    Specifies the account linking action for an IdP user. Default: AUTO
    AccountLinkGroupIncludes List<string>
    Group memberships to determine link candidates.
    DeprovisionedAction string
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    GroupsAction string
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    GroupsAssignments List<string>
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    GroupsAttribute string
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    GroupsFilters List<string>
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    IssuerMode string
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    MaxClockSkew int
    Maximum allowable clock-skew when processing messages from the IdP.
    Name string
    Name of the IdP
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    ProfileMaster bool
    Determines if the IdP should act as a source of truth for user profile attributes.
    ProtocolType string
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    ProvisioningAction string
    Provisioning action for an IdP user during authentication. Default: AUTO
    RequestSignatureAlgorithm string
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    RequestSignatureScope string
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    Status string
    Default to ACTIVE
    SubjectMatchAttribute string
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    SubjectMatchType string
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    SuspendedAction string
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    UserInfoBinding string
    UserInfoUrl string
    Protected resource endpoint that returns claims about the authenticated user.
    UsernameTemplate string
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    AuthorizationBinding string
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    AuthorizationUrl string
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    ClientId string
    Unique identifier issued by AS for the Okta IdP instance.
    ClientSecret string
    Client secret issued by AS for the Okta IdP instance.
    IssuerUrl string
    URI that identifies the issuer.
    JwksBinding string
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    JwksUrl string
    Endpoint where the keys signer publishes its keys in a JWK Set.
    Scopes []string
    The scopes of the IdP.
    TokenBinding string
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    TokenUrl string
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    AccountLinkAction string
    Specifies the account linking action for an IdP user. Default: AUTO
    AccountLinkGroupIncludes []string
    Group memberships to determine link candidates.
    DeprovisionedAction string
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    GroupsAction string
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    GroupsAssignments []string
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    GroupsAttribute string
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    GroupsFilters []string
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    IssuerMode string
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    MaxClockSkew int
    Maximum allowable clock-skew when processing messages from the IdP.
    Name string
    Name of the IdP
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    ProfileMaster bool
    Determines if the IdP should act as a source of truth for user profile attributes.
    ProtocolType string
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    ProvisioningAction string
    Provisioning action for an IdP user during authentication. Default: AUTO
    RequestSignatureAlgorithm string
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    RequestSignatureScope string
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    Status string
    Default to ACTIVE
    SubjectMatchAttribute string
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    SubjectMatchType string
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    SuspendedAction string
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    UserInfoBinding string
    UserInfoUrl string
    Protected resource endpoint that returns claims about the authenticated user.
    UsernameTemplate string
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    authorizationBinding String
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorizationUrl String
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    clientId String
    Unique identifier issued by AS for the Okta IdP instance.
    clientSecret String
    Client secret issued by AS for the Okta IdP instance.
    issuerUrl String
    URI that identifies the issuer.
    jwksBinding String
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwksUrl String
    Endpoint where the keys signer publishes its keys in a JWK Set.
    scopes List<String>
    The scopes of the IdP.
    tokenBinding String
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    tokenUrl String
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    accountLinkAction String
    Specifies the account linking action for an IdP user. Default: AUTO
    accountLinkGroupIncludes List<String>
    Group memberships to determine link candidates.
    deprovisionedAction String
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groupsAction String
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groupsAssignments List<String>
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groupsAttribute String
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groupsFilters List<String>
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuerMode String
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    maxClockSkew Integer
    Maximum allowable clock-skew when processing messages from the IdP.
    name String
    Name of the IdP
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profileMaster Boolean
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocolType String
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioningAction String
    Provisioning action for an IdP user during authentication. Default: AUTO
    requestSignatureAlgorithm String
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    requestSignatureScope String
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    status String
    Default to ACTIVE
    subjectMatchAttribute String
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subjectMatchType String
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspendedAction String
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    userInfoBinding String
    userInfoUrl String
    Protected resource endpoint that returns claims about the authenticated user.
    usernameTemplate String
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    authorizationBinding string
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorizationUrl string
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    clientId string
    Unique identifier issued by AS for the Okta IdP instance.
    clientSecret string
    Client secret issued by AS for the Okta IdP instance.
    issuerUrl string
    URI that identifies the issuer.
    jwksBinding string
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwksUrl string
    Endpoint where the keys signer publishes its keys in a JWK Set.
    scopes string[]
    The scopes of the IdP.
    tokenBinding string
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    tokenUrl string
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    accountLinkAction string
    Specifies the account linking action for an IdP user. Default: AUTO
    accountLinkGroupIncludes string[]
    Group memberships to determine link candidates.
    deprovisionedAction string
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groupsAction string
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groupsAssignments string[]
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groupsAttribute string
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groupsFilters string[]
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuerMode string
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    maxClockSkew number
    Maximum allowable clock-skew when processing messages from the IdP.
    name string
    Name of the IdP
    pkceRequired boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profileMaster boolean
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocolType string
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioningAction string
    Provisioning action for an IdP user during authentication. Default: AUTO
    requestSignatureAlgorithm string
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    requestSignatureScope string
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    status string
    Default to ACTIVE
    subjectMatchAttribute string
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subjectMatchType string
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspendedAction string
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    userInfoBinding string
    userInfoUrl string
    Protected resource endpoint that returns claims about the authenticated user.
    usernameTemplate string
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    authorization_binding str
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorization_url str
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    client_id str
    Unique identifier issued by AS for the Okta IdP instance.
    client_secret str
    Client secret issued by AS for the Okta IdP instance.
    issuer_url str
    URI that identifies the issuer.
    jwks_binding str
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwks_url str
    Endpoint where the keys signer publishes its keys in a JWK Set.
    scopes Sequence[str]
    The scopes of the IdP.
    token_binding str
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    token_url str
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    account_link_action str
    Specifies the account linking action for an IdP user. Default: AUTO
    account_link_group_includes Sequence[str]
    Group memberships to determine link candidates.
    deprovisioned_action str
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groups_action str
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groups_assignments Sequence[str]
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groups_attribute str
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groups_filters Sequence[str]
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuer_mode str
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    max_clock_skew int
    Maximum allowable clock-skew when processing messages from the IdP.
    name str
    Name of the IdP
    pkce_required bool
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profile_master bool
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocol_type str
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioning_action str
    Provisioning action for an IdP user during authentication. Default: AUTO
    request_signature_algorithm str
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    request_signature_scope str
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    status str
    Default to ACTIVE
    subject_match_attribute str
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subject_match_type str
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspended_action str
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    user_info_binding str
    user_info_url str
    Protected resource endpoint that returns claims about the authenticated user.
    username_template str
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    authorizationBinding String
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorizationUrl String
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    clientId String
    Unique identifier issued by AS for the Okta IdP instance.
    clientSecret String
    Client secret issued by AS for the Okta IdP instance.
    issuerUrl String
    URI that identifies the issuer.
    jwksBinding String
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwksUrl String
    Endpoint where the keys signer publishes its keys in a JWK Set.
    scopes List<String>
    The scopes of the IdP.
    tokenBinding String
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    tokenUrl String
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    accountLinkAction String
    Specifies the account linking action for an IdP user. Default: AUTO
    accountLinkGroupIncludes List<String>
    Group memberships to determine link candidates.
    deprovisionedAction String
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groupsAction String
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groupsAssignments List<String>
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groupsAttribute String
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groupsFilters List<String>
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuerMode String
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    maxClockSkew Number
    Maximum allowable clock-skew when processing messages from the IdP.
    name String
    Name of the IdP
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profileMaster Boolean
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocolType String
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioningAction String
    Provisioning action for an IdP user during authentication. Default: AUTO
    requestSignatureAlgorithm String
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    requestSignatureScope String
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    status String
    Default to ACTIVE
    subjectMatchAttribute String
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subjectMatchType String
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspendedAction String
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    userInfoBinding String
    userInfoUrl String
    Protected resource endpoint that returns claims about the authenticated user.
    usernameTemplate String
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Oidc resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Type string
    Type of OIDC IdP.
    UserTypeId string
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    Type string
    Type of OIDC IdP.
    UserTypeId string
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    id String
    The provider-assigned unique ID for this managed resource.
    type String
    Type of OIDC IdP.
    userTypeId String
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    id string
    The provider-assigned unique ID for this managed resource.
    type string
    Type of OIDC IdP.
    userTypeId string
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    id str
    The provider-assigned unique ID for this managed resource.
    type str
    Type of OIDC IdP.
    user_type_id str
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    id String
    The provider-assigned unique ID for this managed resource.
    type String
    Type of OIDC IdP.
    userTypeId String
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.

    Look up Existing Oidc Resource

    Get an existing Oidc resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: OidcState, opts?: CustomResourceOptions): Oidc
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            account_link_action: Optional[str] = None,
            account_link_group_includes: Optional[Sequence[str]] = None,
            authorization_binding: Optional[str] = None,
            authorization_url: Optional[str] = None,
            client_id: Optional[str] = None,
            client_secret: Optional[str] = None,
            deprovisioned_action: Optional[str] = None,
            groups_action: Optional[str] = None,
            groups_assignments: Optional[Sequence[str]] = None,
            groups_attribute: Optional[str] = None,
            groups_filters: Optional[Sequence[str]] = None,
            issuer_mode: Optional[str] = None,
            issuer_url: Optional[str] = None,
            jwks_binding: Optional[str] = None,
            jwks_url: Optional[str] = None,
            max_clock_skew: Optional[int] = None,
            name: Optional[str] = None,
            pkce_required: Optional[bool] = None,
            profile_master: Optional[bool] = None,
            protocol_type: Optional[str] = None,
            provisioning_action: Optional[str] = None,
            request_signature_algorithm: Optional[str] = None,
            request_signature_scope: Optional[str] = None,
            scopes: Optional[Sequence[str]] = None,
            status: Optional[str] = None,
            subject_match_attribute: Optional[str] = None,
            subject_match_type: Optional[str] = None,
            suspended_action: Optional[str] = None,
            token_binding: Optional[str] = None,
            token_url: Optional[str] = None,
            type: Optional[str] = None,
            user_info_binding: Optional[str] = None,
            user_info_url: Optional[str] = None,
            user_type_id: Optional[str] = None,
            username_template: Optional[str] = None) -> Oidc
    func GetOidc(ctx *Context, name string, id IDInput, state *OidcState, opts ...ResourceOption) (*Oidc, error)
    public static Oidc Get(string name, Input<string> id, OidcState? state, CustomResourceOptions? opts = null)
    public static Oidc get(String name, Output<String> id, OidcState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccountLinkAction string
    Specifies the account linking action for an IdP user. Default: AUTO
    AccountLinkGroupIncludes List<string>
    Group memberships to determine link candidates.
    AuthorizationBinding string
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    AuthorizationUrl string
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    ClientId string
    Unique identifier issued by AS for the Okta IdP instance.
    ClientSecret string
    Client secret issued by AS for the Okta IdP instance.
    DeprovisionedAction string
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    GroupsAction string
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    GroupsAssignments List<string>
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    GroupsAttribute string
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    GroupsFilters List<string>
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    IssuerMode string
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    IssuerUrl string
    URI that identifies the issuer.
    JwksBinding string
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    JwksUrl string
    Endpoint where the keys signer publishes its keys in a JWK Set.
    MaxClockSkew int
    Maximum allowable clock-skew when processing messages from the IdP.
    Name string
    Name of the IdP
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    ProfileMaster bool
    Determines if the IdP should act as a source of truth for user profile attributes.
    ProtocolType string
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    ProvisioningAction string
    Provisioning action for an IdP user during authentication. Default: AUTO
    RequestSignatureAlgorithm string
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    RequestSignatureScope string
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    Scopes List<string>
    The scopes of the IdP.
    Status string
    Default to ACTIVE
    SubjectMatchAttribute string
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    SubjectMatchType string
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    SuspendedAction string
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    TokenBinding string
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    TokenUrl string
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    Type string
    Type of OIDC IdP.
    UserInfoBinding string
    UserInfoUrl string
    Protected resource endpoint that returns claims about the authenticated user.
    UserTypeId string
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    UsernameTemplate string
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    AccountLinkAction string
    Specifies the account linking action for an IdP user. Default: AUTO
    AccountLinkGroupIncludes []string
    Group memberships to determine link candidates.
    AuthorizationBinding string
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    AuthorizationUrl string
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    ClientId string
    Unique identifier issued by AS for the Okta IdP instance.
    ClientSecret string
    Client secret issued by AS for the Okta IdP instance.
    DeprovisionedAction string
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    GroupsAction string
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    GroupsAssignments []string
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    GroupsAttribute string
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    GroupsFilters []string
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    IssuerMode string
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    IssuerUrl string
    URI that identifies the issuer.
    JwksBinding string
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    JwksUrl string
    Endpoint where the keys signer publishes its keys in a JWK Set.
    MaxClockSkew int
    Maximum allowable clock-skew when processing messages from the IdP.
    Name string
    Name of the IdP
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    ProfileMaster bool
    Determines if the IdP should act as a source of truth for user profile attributes.
    ProtocolType string
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    ProvisioningAction string
    Provisioning action for an IdP user during authentication. Default: AUTO
    RequestSignatureAlgorithm string
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    RequestSignatureScope string
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    Scopes []string
    The scopes of the IdP.
    Status string
    Default to ACTIVE
    SubjectMatchAttribute string
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    SubjectMatchType string
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    SuspendedAction string
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    TokenBinding string
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    TokenUrl string
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    Type string
    Type of OIDC IdP.
    UserInfoBinding string
    UserInfoUrl string
    Protected resource endpoint that returns claims about the authenticated user.
    UserTypeId string
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    UsernameTemplate string
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    accountLinkAction String
    Specifies the account linking action for an IdP user. Default: AUTO
    accountLinkGroupIncludes List<String>
    Group memberships to determine link candidates.
    authorizationBinding String
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorizationUrl String
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    clientId String
    Unique identifier issued by AS for the Okta IdP instance.
    clientSecret String
    Client secret issued by AS for the Okta IdP instance.
    deprovisionedAction String
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groupsAction String
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groupsAssignments List<String>
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groupsAttribute String
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groupsFilters List<String>
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuerMode String
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    issuerUrl String
    URI that identifies the issuer.
    jwksBinding String
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwksUrl String
    Endpoint where the keys signer publishes its keys in a JWK Set.
    maxClockSkew Integer
    Maximum allowable clock-skew when processing messages from the IdP.
    name String
    Name of the IdP
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profileMaster Boolean
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocolType String
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioningAction String
    Provisioning action for an IdP user during authentication. Default: AUTO
    requestSignatureAlgorithm String
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    requestSignatureScope String
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    scopes List<String>
    The scopes of the IdP.
    status String
    Default to ACTIVE
    subjectMatchAttribute String
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subjectMatchType String
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspendedAction String
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    tokenBinding String
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    tokenUrl String
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    type String
    Type of OIDC IdP.
    userInfoBinding String
    userInfoUrl String
    Protected resource endpoint that returns claims about the authenticated user.
    userTypeId String
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    usernameTemplate String
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    accountLinkAction string
    Specifies the account linking action for an IdP user. Default: AUTO
    accountLinkGroupIncludes string[]
    Group memberships to determine link candidates.
    authorizationBinding string
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorizationUrl string
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    clientId string
    Unique identifier issued by AS for the Okta IdP instance.
    clientSecret string
    Client secret issued by AS for the Okta IdP instance.
    deprovisionedAction string
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groupsAction string
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groupsAssignments string[]
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groupsAttribute string
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groupsFilters string[]
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuerMode string
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    issuerUrl string
    URI that identifies the issuer.
    jwksBinding string
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwksUrl string
    Endpoint where the keys signer publishes its keys in a JWK Set.
    maxClockSkew number
    Maximum allowable clock-skew when processing messages from the IdP.
    name string
    Name of the IdP
    pkceRequired boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profileMaster boolean
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocolType string
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioningAction string
    Provisioning action for an IdP user during authentication. Default: AUTO
    requestSignatureAlgorithm string
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    requestSignatureScope string
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    scopes string[]
    The scopes of the IdP.
    status string
    Default to ACTIVE
    subjectMatchAttribute string
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subjectMatchType string
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspendedAction string
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    tokenBinding string
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    tokenUrl string
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    type string
    Type of OIDC IdP.
    userInfoBinding string
    userInfoUrl string
    Protected resource endpoint that returns claims about the authenticated user.
    userTypeId string
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    usernameTemplate string
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    account_link_action str
    Specifies the account linking action for an IdP user. Default: AUTO
    account_link_group_includes Sequence[str]
    Group memberships to determine link candidates.
    authorization_binding str
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorization_url str
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    client_id str
    Unique identifier issued by AS for the Okta IdP instance.
    client_secret str
    Client secret issued by AS for the Okta IdP instance.
    deprovisioned_action str
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groups_action str
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groups_assignments Sequence[str]
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groups_attribute str
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groups_filters Sequence[str]
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuer_mode str
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    issuer_url str
    URI that identifies the issuer.
    jwks_binding str
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwks_url str
    Endpoint where the keys signer publishes its keys in a JWK Set.
    max_clock_skew int
    Maximum allowable clock-skew when processing messages from the IdP.
    name str
    Name of the IdP
    pkce_required bool
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profile_master bool
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocol_type str
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioning_action str
    Provisioning action for an IdP user during authentication. Default: AUTO
    request_signature_algorithm str
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    request_signature_scope str
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    scopes Sequence[str]
    The scopes of the IdP.
    status str
    Default to ACTIVE
    subject_match_attribute str
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subject_match_type str
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspended_action str
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    token_binding str
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    token_url str
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    type str
    Type of OIDC IdP.
    user_info_binding str
    user_info_url str
    Protected resource endpoint that returns claims about the authenticated user.
    user_type_id str
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    username_template str
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email
    accountLinkAction String
    Specifies the account linking action for an IdP user. Default: AUTO
    accountLinkGroupIncludes List<String>
    Group memberships to determine link candidates.
    authorizationBinding String
    The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
    authorizationUrl String
    IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
    clientId String
    Unique identifier issued by AS for the Okta IdP instance.
    clientSecret String
    Client secret issued by AS for the Okta IdP instance.
    deprovisionedAction String
    Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    groupsAction String
    Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
    groupsAssignments List<String>
    List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
    groupsAttribute String
    IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
    groupsFilters List<String>
    Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
    issuerMode String
    Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
    issuerUrl String
    URI that identifies the issuer.
    jwksBinding String
    The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
    jwksUrl String
    Endpoint where the keys signer publishes its keys in a JWK Set.
    maxClockSkew Number
    Maximum allowable clock-skew when processing messages from the IdP.
    name String
    Name of the IdP
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
    profileMaster Boolean
    Determines if the IdP should act as a source of truth for user profile attributes.
    protocolType String
    The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
    provisioningAction String
    Provisioning action for an IdP user during authentication. Default: AUTO
    requestSignatureAlgorithm String
    The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
    requestSignatureScope String
    Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
    scopes List<String>
    The scopes of the IdP.
    status String
    Default to ACTIVE
    subjectMatchAttribute String
    Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
    subjectMatchType String
    Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
    suspendedAction String
    Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
    tokenBinding String
    The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
    tokenUrl String
    IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
    type String
    Type of OIDC IdP.
    userInfoBinding String
    userInfoUrl String
    Protected resource endpoint that returns claims about the authenticated user.
    userTypeId String
    User type ID. Can be used as target_id in the okta.profile.Mapping resource.
    usernameTemplate String
    Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

    Import

    $ pulumi import okta:idp/oidc:Oidc example <idp_id>
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Okta pulumi/pulumi-okta
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the okta Terraform Provider.
    okta logo
    Okta v4.11.3 published on Monday, Oct 21, 2024 by Pulumi