okta.idp.Oidc
Explore with Pulumi AI
Creates an OIDC Identity Provider. This resource allows you to create and configure an OIDC Identity Provider.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
const example = new okta.idp.Oidc("example", {
name: "example",
authorizationUrl: "https://idp.example.com/authorize",
authorizationBinding: "HTTP-REDIRECT",
tokenUrl: "https://idp.example.com/token",
tokenBinding: "HTTP-POST",
userInfoUrl: "https://idp.example.com/userinfo",
userInfoBinding: "HTTP-REDIRECT",
jwksUrl: "https://idp.example.com/keys",
jwksBinding: "HTTP-REDIRECT",
scopes: ["openid"],
clientId: "efg456",
clientSecret: "efg456",
issuerUrl: "https://id.example.com",
usernameTemplate: "idpuser.email",
});
import pulumi
import pulumi_okta as okta
example = okta.idp.Oidc("example",
name="example",
authorization_url="https://idp.example.com/authorize",
authorization_binding="HTTP-REDIRECT",
token_url="https://idp.example.com/token",
token_binding="HTTP-POST",
user_info_url="https://idp.example.com/userinfo",
user_info_binding="HTTP-REDIRECT",
jwks_url="https://idp.example.com/keys",
jwks_binding="HTTP-REDIRECT",
scopes=["openid"],
client_id="efg456",
client_secret="efg456",
issuer_url="https://id.example.com",
username_template="idpuser.email")
package main
import (
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/idp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := idp.NewOidc(ctx, "example", &idp.OidcArgs{
Name: pulumi.String("example"),
AuthorizationUrl: pulumi.String("https://idp.example.com/authorize"),
AuthorizationBinding: pulumi.String("HTTP-REDIRECT"),
TokenUrl: pulumi.String("https://idp.example.com/token"),
TokenBinding: pulumi.String("HTTP-POST"),
UserInfoUrl: pulumi.String("https://idp.example.com/userinfo"),
UserInfoBinding: pulumi.String("HTTP-REDIRECT"),
JwksUrl: pulumi.String("https://idp.example.com/keys"),
JwksBinding: pulumi.String("HTTP-REDIRECT"),
Scopes: pulumi.StringArray{
pulumi.String("openid"),
},
ClientId: pulumi.String("efg456"),
ClientSecret: pulumi.String("efg456"),
IssuerUrl: pulumi.String("https://id.example.com"),
UsernameTemplate: pulumi.String("idpuser.email"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
var example = new Okta.Idp.Oidc("example", new()
{
Name = "example",
AuthorizationUrl = "https://idp.example.com/authorize",
AuthorizationBinding = "HTTP-REDIRECT",
TokenUrl = "https://idp.example.com/token",
TokenBinding = "HTTP-POST",
UserInfoUrl = "https://idp.example.com/userinfo",
UserInfoBinding = "HTTP-REDIRECT",
JwksUrl = "https://idp.example.com/keys",
JwksBinding = "HTTP-REDIRECT",
Scopes = new[]
{
"openid",
},
ClientId = "efg456",
ClientSecret = "efg456",
IssuerUrl = "https://id.example.com",
UsernameTemplate = "idpuser.email",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.idp.Oidc;
import com.pulumi.okta.idp.OidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Oidc("example", OidcArgs.builder()
.name("example")
.authorizationUrl("https://idp.example.com/authorize")
.authorizationBinding("HTTP-REDIRECT")
.tokenUrl("https://idp.example.com/token")
.tokenBinding("HTTP-POST")
.userInfoUrl("https://idp.example.com/userinfo")
.userInfoBinding("HTTP-REDIRECT")
.jwksUrl("https://idp.example.com/keys")
.jwksBinding("HTTP-REDIRECT")
.scopes("openid")
.clientId("efg456")
.clientSecret("efg456")
.issuerUrl("https://id.example.com")
.usernameTemplate("idpuser.email")
.build());
}
}
resources:
example:
type: okta:idp:Oidc
properties:
name: example
authorizationUrl: https://idp.example.com/authorize
authorizationBinding: HTTP-REDIRECT
tokenUrl: https://idp.example.com/token
tokenBinding: HTTP-POST
userInfoUrl: https://idp.example.com/userinfo
userInfoBinding: HTTP-REDIRECT
jwksUrl: https://idp.example.com/keys
jwksBinding: HTTP-REDIRECT
scopes:
- openid
clientId: efg456
clientSecret: efg456
issuerUrl: https://id.example.com
usernameTemplate: idpuser.email
Create Oidc Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Oidc(name: string, args: OidcArgs, opts?: CustomResourceOptions);
@overload
def Oidc(resource_name: str,
args: OidcArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Oidc(resource_name: str,
opts: Optional[ResourceOptions] = None,
issuer_url: Optional[str] = None,
token_url: Optional[str] = None,
authorization_binding: Optional[str] = None,
authorization_url: Optional[str] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
token_binding: Optional[str] = None,
scopes: Optional[Sequence[str]] = None,
jwks_url: Optional[str] = None,
jwks_binding: Optional[str] = None,
name: Optional[str] = None,
request_signature_algorithm: Optional[str] = None,
groups_filters: Optional[Sequence[str]] = None,
groups_attribute: Optional[str] = None,
groups_assignments: Optional[Sequence[str]] = None,
max_clock_skew: Optional[int] = None,
account_link_action: Optional[str] = None,
pkce_required: Optional[bool] = None,
profile_master: Optional[bool] = None,
protocol_type: Optional[str] = None,
provisioning_action: Optional[str] = None,
issuer_mode: Optional[str] = None,
request_signature_scope: Optional[str] = None,
groups_action: Optional[str] = None,
status: Optional[str] = None,
subject_match_attribute: Optional[str] = None,
subject_match_type: Optional[str] = None,
suspended_action: Optional[str] = None,
deprovisioned_action: Optional[str] = None,
account_link_group_includes: Optional[Sequence[str]] = None,
user_info_binding: Optional[str] = None,
user_info_url: Optional[str] = None,
username_template: Optional[str] = None)
func NewOidc(ctx *Context, name string, args OidcArgs, opts ...ResourceOption) (*Oidc, error)
public Oidc(string name, OidcArgs args, CustomResourceOptions? opts = null)
type: okta:idp:Oidc
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args OidcArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args OidcArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args OidcArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args OidcArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args OidcArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var oidcResource = new Okta.Idp.Oidc("oidcResource", new()
{
IssuerUrl = "string",
TokenUrl = "string",
AuthorizationBinding = "string",
AuthorizationUrl = "string",
ClientId = "string",
ClientSecret = "string",
TokenBinding = "string",
Scopes = new[]
{
"string",
},
JwksUrl = "string",
JwksBinding = "string",
Name = "string",
RequestSignatureAlgorithm = "string",
GroupsFilters = new[]
{
"string",
},
GroupsAttribute = "string",
GroupsAssignments = new[]
{
"string",
},
MaxClockSkew = 0,
AccountLinkAction = "string",
PkceRequired = false,
ProfileMaster = false,
ProtocolType = "string",
ProvisioningAction = "string",
IssuerMode = "string",
RequestSignatureScope = "string",
GroupsAction = "string",
Status = "string",
SubjectMatchAttribute = "string",
SubjectMatchType = "string",
SuspendedAction = "string",
DeprovisionedAction = "string",
AccountLinkGroupIncludes = new[]
{
"string",
},
UserInfoBinding = "string",
UserInfoUrl = "string",
UsernameTemplate = "string",
});
example, err := idp.NewOidc(ctx, "oidcResource", &idp.OidcArgs{
IssuerUrl: pulumi.String("string"),
TokenUrl: pulumi.String("string"),
AuthorizationBinding: pulumi.String("string"),
AuthorizationUrl: pulumi.String("string"),
ClientId: pulumi.String("string"),
ClientSecret: pulumi.String("string"),
TokenBinding: pulumi.String("string"),
Scopes: pulumi.StringArray{
pulumi.String("string"),
},
JwksUrl: pulumi.String("string"),
JwksBinding: pulumi.String("string"),
Name: pulumi.String("string"),
RequestSignatureAlgorithm: pulumi.String("string"),
GroupsFilters: pulumi.StringArray{
pulumi.String("string"),
},
GroupsAttribute: pulumi.String("string"),
GroupsAssignments: pulumi.StringArray{
pulumi.String("string"),
},
MaxClockSkew: pulumi.Int(0),
AccountLinkAction: pulumi.String("string"),
PkceRequired: pulumi.Bool(false),
ProfileMaster: pulumi.Bool(false),
ProtocolType: pulumi.String("string"),
ProvisioningAction: pulumi.String("string"),
IssuerMode: pulumi.String("string"),
RequestSignatureScope: pulumi.String("string"),
GroupsAction: pulumi.String("string"),
Status: pulumi.String("string"),
SubjectMatchAttribute: pulumi.String("string"),
SubjectMatchType: pulumi.String("string"),
SuspendedAction: pulumi.String("string"),
DeprovisionedAction: pulumi.String("string"),
AccountLinkGroupIncludes: pulumi.StringArray{
pulumi.String("string"),
},
UserInfoBinding: pulumi.String("string"),
UserInfoUrl: pulumi.String("string"),
UsernameTemplate: pulumi.String("string"),
})
var oidcResource = new Oidc("oidcResource", OidcArgs.builder()
.issuerUrl("string")
.tokenUrl("string")
.authorizationBinding("string")
.authorizationUrl("string")
.clientId("string")
.clientSecret("string")
.tokenBinding("string")
.scopes("string")
.jwksUrl("string")
.jwksBinding("string")
.name("string")
.requestSignatureAlgorithm("string")
.groupsFilters("string")
.groupsAttribute("string")
.groupsAssignments("string")
.maxClockSkew(0)
.accountLinkAction("string")
.pkceRequired(false)
.profileMaster(false)
.protocolType("string")
.provisioningAction("string")
.issuerMode("string")
.requestSignatureScope("string")
.groupsAction("string")
.status("string")
.subjectMatchAttribute("string")
.subjectMatchType("string")
.suspendedAction("string")
.deprovisionedAction("string")
.accountLinkGroupIncludes("string")
.userInfoBinding("string")
.userInfoUrl("string")
.usernameTemplate("string")
.build());
oidc_resource = okta.idp.Oidc("oidcResource",
issuer_url="string",
token_url="string",
authorization_binding="string",
authorization_url="string",
client_id="string",
client_secret="string",
token_binding="string",
scopes=["string"],
jwks_url="string",
jwks_binding="string",
name="string",
request_signature_algorithm="string",
groups_filters=["string"],
groups_attribute="string",
groups_assignments=["string"],
max_clock_skew=0,
account_link_action="string",
pkce_required=False,
profile_master=False,
protocol_type="string",
provisioning_action="string",
issuer_mode="string",
request_signature_scope="string",
groups_action="string",
status="string",
subject_match_attribute="string",
subject_match_type="string",
suspended_action="string",
deprovisioned_action="string",
account_link_group_includes=["string"],
user_info_binding="string",
user_info_url="string",
username_template="string")
const oidcResource = new okta.idp.Oidc("oidcResource", {
issuerUrl: "string",
tokenUrl: "string",
authorizationBinding: "string",
authorizationUrl: "string",
clientId: "string",
clientSecret: "string",
tokenBinding: "string",
scopes: ["string"],
jwksUrl: "string",
jwksBinding: "string",
name: "string",
requestSignatureAlgorithm: "string",
groupsFilters: ["string"],
groupsAttribute: "string",
groupsAssignments: ["string"],
maxClockSkew: 0,
accountLinkAction: "string",
pkceRequired: false,
profileMaster: false,
protocolType: "string",
provisioningAction: "string",
issuerMode: "string",
requestSignatureScope: "string",
groupsAction: "string",
status: "string",
subjectMatchAttribute: "string",
subjectMatchType: "string",
suspendedAction: "string",
deprovisionedAction: "string",
accountLinkGroupIncludes: ["string"],
userInfoBinding: "string",
userInfoUrl: "string",
usernameTemplate: "string",
});
type: okta:idp:Oidc
properties:
accountLinkAction: string
accountLinkGroupIncludes:
- string
authorizationBinding: string
authorizationUrl: string
clientId: string
clientSecret: string
deprovisionedAction: string
groupsAction: string
groupsAssignments:
- string
groupsAttribute: string
groupsFilters:
- string
issuerMode: string
issuerUrl: string
jwksBinding: string
jwksUrl: string
maxClockSkew: 0
name: string
pkceRequired: false
profileMaster: false
protocolType: string
provisioningAction: string
requestSignatureAlgorithm: string
requestSignatureScope: string
scopes:
- string
status: string
subjectMatchAttribute: string
subjectMatchType: string
suspendedAction: string
tokenBinding: string
tokenUrl: string
userInfoBinding: string
userInfoUrl: string
usernameTemplate: string
Oidc Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Oidc resource accepts the following input properties:
- string
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - string
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- Client
Id string - Unique identifier issued by AS for the Okta IdP instance.
- Client
Secret string - Client secret issued by AS for the Okta IdP instance.
- Issuer
Url string - URI that identifies the issuer.
- Jwks
Binding string - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- Jwks
Url string - Endpoint where the keys signer publishes its keys in a JWK Set.
- Scopes List<string>
- The scopes of the IdP.
- Token
Binding string - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - Token
Url string - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- Account
Link stringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- Account
Link List<string>Group Includes - Group memberships to determine link candidates.
- Deprovisioned
Action string - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- Groups
Action string - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- Groups
Assignments List<string> - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - Groups
Attribute string - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- Groups
Filters List<string> - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - Issuer
Mode string - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- Max
Clock intSkew - Maximum allowable clock-skew when processing messages from the IdP.
- Name string
- Name of the IdP
- Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- Profile
Master bool - Determines if the IdP should act as a source of truth for user profile attributes.
- Protocol
Type string - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- Provisioning
Action string - Provisioning action for an IdP user during authentication. Default:
AUTO
- Request
Signature stringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - Request
Signature stringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - Status string
- Default to
ACTIVE
- Subject
Match stringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - Subject
Match stringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - Suspended
Action string - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- User
Info stringBinding - User
Info stringUrl - Protected resource endpoint that returns claims about the authenticated user.
- Username
Template string - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- string
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - string
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- Client
Id string - Unique identifier issued by AS for the Okta IdP instance.
- Client
Secret string - Client secret issued by AS for the Okta IdP instance.
- Issuer
Url string - URI that identifies the issuer.
- Jwks
Binding string - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- Jwks
Url string - Endpoint where the keys signer publishes its keys in a JWK Set.
- Scopes []string
- The scopes of the IdP.
- Token
Binding string - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - Token
Url string - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- Account
Link stringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- Account
Link []stringGroup Includes - Group memberships to determine link candidates.
- Deprovisioned
Action string - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- Groups
Action string - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- Groups
Assignments []string - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - Groups
Attribute string - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- Groups
Filters []string - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - Issuer
Mode string - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- Max
Clock intSkew - Maximum allowable clock-skew when processing messages from the IdP.
- Name string
- Name of the IdP
- Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- Profile
Master bool - Determines if the IdP should act as a source of truth for user profile attributes.
- Protocol
Type string - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- Provisioning
Action string - Provisioning action for an IdP user during authentication. Default:
AUTO
- Request
Signature stringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - Request
Signature stringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - Status string
- Default to
ACTIVE
- Subject
Match stringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - Subject
Match stringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - Suspended
Action string - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- User
Info stringBinding - User
Info stringUrl - Protected resource endpoint that returns claims about the authenticated user.
- Username
Template string - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- String
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - String
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client
Id String - Unique identifier issued by AS for the Okta IdP instance.
- client
Secret String - Client secret issued by AS for the Okta IdP instance.
- issuer
Url String - URI that identifies the issuer.
- jwks
Binding String - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks
Url String - Endpoint where the keys signer publishes its keys in a JWK Set.
- scopes List<String>
- The scopes of the IdP.
- token
Binding String - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token
Url String - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- account
Link StringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- account
Link List<String>Group Includes - Group memberships to determine link candidates.
- deprovisioned
Action String - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups
Action String - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups
Assignments List<String> - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups
Attribute String - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups
Filters List<String> - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer
Mode String - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- max
Clock IntegerSkew - Maximum allowable clock-skew when processing messages from the IdP.
- name String
- Name of the IdP
- pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile
Master Boolean - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol
Type String - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning
Action String - Provisioning action for an IdP user during authentication. Default:
AUTO
- request
Signature StringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request
Signature StringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - status String
- Default to
ACTIVE
- subject
Match StringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject
Match StringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended
Action String - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- user
Info StringBinding - user
Info StringUrl - Protected resource endpoint that returns claims about the authenticated user.
- username
Template String - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- string
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - string
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client
Id string - Unique identifier issued by AS for the Okta IdP instance.
- client
Secret string - Client secret issued by AS for the Okta IdP instance.
- issuer
Url string - URI that identifies the issuer.
- jwks
Binding string - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks
Url string - Endpoint where the keys signer publishes its keys in a JWK Set.
- scopes string[]
- The scopes of the IdP.
- token
Binding string - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token
Url string - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- account
Link stringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- account
Link string[]Group Includes - Group memberships to determine link candidates.
- deprovisioned
Action string - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups
Action string - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups
Assignments string[] - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups
Attribute string - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups
Filters string[] - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer
Mode string - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- max
Clock numberSkew - Maximum allowable clock-skew when processing messages from the IdP.
- name string
- Name of the IdP
- pkce
Required boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile
Master boolean - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol
Type string - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning
Action string - Provisioning action for an IdP user during authentication. Default:
AUTO
- request
Signature stringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request
Signature stringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - status string
- Default to
ACTIVE
- subject
Match stringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject
Match stringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended
Action string - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- user
Info stringBinding - user
Info stringUrl - Protected resource endpoint that returns claims about the authenticated user.
- username
Template string - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- str
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - str
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client_
id str - Unique identifier issued by AS for the Okta IdP instance.
- client_
secret str - Client secret issued by AS for the Okta IdP instance.
- issuer_
url str - URI that identifies the issuer.
- jwks_
binding str - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks_
url str - Endpoint where the keys signer publishes its keys in a JWK Set.
- scopes Sequence[str]
- The scopes of the IdP.
- token_
binding str - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token_
url str - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- account_
link_ straction - Specifies the account linking action for an IdP user. Default:
AUTO
- account_
link_ Sequence[str]group_ includes - Group memberships to determine link candidates.
- deprovisioned_
action str - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups_
action str - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups_
assignments Sequence[str] - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups_
attribute str - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups_
filters Sequence[str] - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer_
mode str - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- max_
clock_ intskew - Maximum allowable clock-skew when processing messages from the IdP.
- name str
- Name of the IdP
- pkce_
required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile_
master bool - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol_
type str - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning_
action str - Provisioning action for an IdP user during authentication. Default:
AUTO
- request_
signature_ stralgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request_
signature_ strscope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - status str
- Default to
ACTIVE
- subject_
match_ strattribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject_
match_ strtype - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended_
action str - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- user_
info_ strbinding - user_
info_ strurl - Protected resource endpoint that returns claims about the authenticated user.
- username_
template str - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- String
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - String
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client
Id String - Unique identifier issued by AS for the Okta IdP instance.
- client
Secret String - Client secret issued by AS for the Okta IdP instance.
- issuer
Url String - URI that identifies the issuer.
- jwks
Binding String - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks
Url String - Endpoint where the keys signer publishes its keys in a JWK Set.
- scopes List<String>
- The scopes of the IdP.
- token
Binding String - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token
Url String - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- account
Link StringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- account
Link List<String>Group Includes - Group memberships to determine link candidates.
- deprovisioned
Action String - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups
Action String - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups
Assignments List<String> - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups
Attribute String - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups
Filters List<String> - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer
Mode String - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- max
Clock NumberSkew - Maximum allowable clock-skew when processing messages from the IdP.
- name String
- Name of the IdP
- pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile
Master Boolean - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol
Type String - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning
Action String - Provisioning action for an IdP user during authentication. Default:
AUTO
- request
Signature StringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request
Signature StringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - status String
- Default to
ACTIVE
- subject
Match StringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject
Match StringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended
Action String - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- user
Info StringBinding - user
Info StringUrl - Protected resource endpoint that returns claims about the authenticated user.
- username
Template String - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
Outputs
All input properties are implicitly available as output properties. Additionally, the Oidc resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Type string
- Type of OIDC IdP.
- User
Type stringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- Type string
- Type of OIDC IdP.
- User
Type stringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource.
- id String
- The provider-assigned unique ID for this managed resource.
- type String
- Type of OIDC IdP.
- user
Type StringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource.
- id string
- The provider-assigned unique ID for this managed resource.
- type string
- Type of OIDC IdP.
- user
Type stringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource.
- id str
- The provider-assigned unique ID for this managed resource.
- type str
- Type of OIDC IdP.
- user_
type_ strid - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource.
- id String
- The provider-assigned unique ID for this managed resource.
- type String
- Type of OIDC IdP.
- user
Type StringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource.
Look up Existing Oidc Resource
Get an existing Oidc resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: OidcState, opts?: CustomResourceOptions): Oidc
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
account_link_action: Optional[str] = None,
account_link_group_includes: Optional[Sequence[str]] = None,
authorization_binding: Optional[str] = None,
authorization_url: Optional[str] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
deprovisioned_action: Optional[str] = None,
groups_action: Optional[str] = None,
groups_assignments: Optional[Sequence[str]] = None,
groups_attribute: Optional[str] = None,
groups_filters: Optional[Sequence[str]] = None,
issuer_mode: Optional[str] = None,
issuer_url: Optional[str] = None,
jwks_binding: Optional[str] = None,
jwks_url: Optional[str] = None,
max_clock_skew: Optional[int] = None,
name: Optional[str] = None,
pkce_required: Optional[bool] = None,
profile_master: Optional[bool] = None,
protocol_type: Optional[str] = None,
provisioning_action: Optional[str] = None,
request_signature_algorithm: Optional[str] = None,
request_signature_scope: Optional[str] = None,
scopes: Optional[Sequence[str]] = None,
status: Optional[str] = None,
subject_match_attribute: Optional[str] = None,
subject_match_type: Optional[str] = None,
suspended_action: Optional[str] = None,
token_binding: Optional[str] = None,
token_url: Optional[str] = None,
type: Optional[str] = None,
user_info_binding: Optional[str] = None,
user_info_url: Optional[str] = None,
user_type_id: Optional[str] = None,
username_template: Optional[str] = None) -> Oidc
func GetOidc(ctx *Context, name string, id IDInput, state *OidcState, opts ...ResourceOption) (*Oidc, error)
public static Oidc Get(string name, Input<string> id, OidcState? state, CustomResourceOptions? opts = null)
public static Oidc get(String name, Output<String> id, OidcState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Account
Link stringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- Account
Link List<string>Group Includes - Group memberships to determine link candidates.
- string
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - string
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- Client
Id string - Unique identifier issued by AS for the Okta IdP instance.
- Client
Secret string - Client secret issued by AS for the Okta IdP instance.
- Deprovisioned
Action string - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- Groups
Action string - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- Groups
Assignments List<string> - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - Groups
Attribute string - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- Groups
Filters List<string> - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - Issuer
Mode string - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- Issuer
Url string - URI that identifies the issuer.
- Jwks
Binding string - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- Jwks
Url string - Endpoint where the keys signer publishes its keys in a JWK Set.
- Max
Clock intSkew - Maximum allowable clock-skew when processing messages from the IdP.
- Name string
- Name of the IdP
- Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- Profile
Master bool - Determines if the IdP should act as a source of truth for user profile attributes.
- Protocol
Type string - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- Provisioning
Action string - Provisioning action for an IdP user during authentication. Default:
AUTO
- Request
Signature stringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - Request
Signature stringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - Scopes List<string>
- The scopes of the IdP.
- Status string
- Default to
ACTIVE
- Subject
Match stringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - Subject
Match stringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - Suspended
Action string - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- Token
Binding string - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - Token
Url string - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- Type string
- Type of OIDC IdP.
- User
Info stringBinding - User
Info stringUrl - Protected resource endpoint that returns claims about the authenticated user.
- User
Type stringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource. - Username
Template string - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- Account
Link stringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- Account
Link []stringGroup Includes - Group memberships to determine link candidates.
- string
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - string
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- Client
Id string - Unique identifier issued by AS for the Okta IdP instance.
- Client
Secret string - Client secret issued by AS for the Okta IdP instance.
- Deprovisioned
Action string - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- Groups
Action string - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- Groups
Assignments []string - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - Groups
Attribute string - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- Groups
Filters []string - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - Issuer
Mode string - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- Issuer
Url string - URI that identifies the issuer.
- Jwks
Binding string - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- Jwks
Url string - Endpoint where the keys signer publishes its keys in a JWK Set.
- Max
Clock intSkew - Maximum allowable clock-skew when processing messages from the IdP.
- Name string
- Name of the IdP
- Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- Profile
Master bool - Determines if the IdP should act as a source of truth for user profile attributes.
- Protocol
Type string - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- Provisioning
Action string - Provisioning action for an IdP user during authentication. Default:
AUTO
- Request
Signature stringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - Request
Signature stringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - Scopes []string
- The scopes of the IdP.
- Status string
- Default to
ACTIVE
- Subject
Match stringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - Subject
Match stringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - Suspended
Action string - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- Token
Binding string - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - Token
Url string - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- Type string
- Type of OIDC IdP.
- User
Info stringBinding - User
Info stringUrl - Protected resource endpoint that returns claims about the authenticated user.
- User
Type stringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource. - Username
Template string - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- account
Link StringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- account
Link List<String>Group Includes - Group memberships to determine link candidates.
- String
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - String
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client
Id String - Unique identifier issued by AS for the Okta IdP instance.
- client
Secret String - Client secret issued by AS for the Okta IdP instance.
- deprovisioned
Action String - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups
Action String - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups
Assignments List<String> - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups
Attribute String - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups
Filters List<String> - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer
Mode String - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- issuer
Url String - URI that identifies the issuer.
- jwks
Binding String - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks
Url String - Endpoint where the keys signer publishes its keys in a JWK Set.
- max
Clock IntegerSkew - Maximum allowable clock-skew when processing messages from the IdP.
- name String
- Name of the IdP
- pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile
Master Boolean - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol
Type String - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning
Action String - Provisioning action for an IdP user during authentication. Default:
AUTO
- request
Signature StringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request
Signature StringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - scopes List<String>
- The scopes of the IdP.
- status String
- Default to
ACTIVE
- subject
Match StringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject
Match StringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended
Action String - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- token
Binding String - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token
Url String - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- type String
- Type of OIDC IdP.
- user
Info StringBinding - user
Info StringUrl - Protected resource endpoint that returns claims about the authenticated user.
- user
Type StringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource. - username
Template String - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- account
Link stringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- account
Link string[]Group Includes - Group memberships to determine link candidates.
- string
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - string
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client
Id string - Unique identifier issued by AS for the Okta IdP instance.
- client
Secret string - Client secret issued by AS for the Okta IdP instance.
- deprovisioned
Action string - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups
Action string - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups
Assignments string[] - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups
Attribute string - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups
Filters string[] - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer
Mode string - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- issuer
Url string - URI that identifies the issuer.
- jwks
Binding string - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks
Url string - Endpoint where the keys signer publishes its keys in a JWK Set.
- max
Clock numberSkew - Maximum allowable clock-skew when processing messages from the IdP.
- name string
- Name of the IdP
- pkce
Required boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile
Master boolean - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol
Type string - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning
Action string - Provisioning action for an IdP user during authentication. Default:
AUTO
- request
Signature stringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request
Signature stringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - scopes string[]
- The scopes of the IdP.
- status string
- Default to
ACTIVE
- subject
Match stringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject
Match stringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended
Action string - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- token
Binding string - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token
Url string - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- type string
- Type of OIDC IdP.
- user
Info stringBinding - user
Info stringUrl - Protected resource endpoint that returns claims about the authenticated user.
- user
Type stringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource. - username
Template string - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- account_
link_ straction - Specifies the account linking action for an IdP user. Default:
AUTO
- account_
link_ Sequence[str]group_ includes - Group memberships to determine link candidates.
- str
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - str
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client_
id str - Unique identifier issued by AS for the Okta IdP instance.
- client_
secret str - Client secret issued by AS for the Okta IdP instance.
- deprovisioned_
action str - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups_
action str - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups_
assignments Sequence[str] - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups_
attribute str - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups_
filters Sequence[str] - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer_
mode str - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- issuer_
url str - URI that identifies the issuer.
- jwks_
binding str - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks_
url str - Endpoint where the keys signer publishes its keys in a JWK Set.
- max_
clock_ intskew - Maximum allowable clock-skew when processing messages from the IdP.
- name str
- Name of the IdP
- pkce_
required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile_
master bool - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol_
type str - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning_
action str - Provisioning action for an IdP user during authentication. Default:
AUTO
- request_
signature_ stralgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request_
signature_ strscope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - scopes Sequence[str]
- The scopes of the IdP.
- status str
- Default to
ACTIVE
- subject_
match_ strattribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject_
match_ strtype - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended_
action str - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- token_
binding str - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token_
url str - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- type str
- Type of OIDC IdP.
- user_
info_ strbinding - user_
info_ strurl - Protected resource endpoint that returns claims about the authenticated user.
- user_
type_ strid - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource. - username_
template str - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
- account
Link StringAction - Specifies the account linking action for an IdP user. Default:
AUTO
- account
Link List<String>Group Includes - Group memberships to determine link candidates.
- String
- The method of making an authorization request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - String
- IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
- client
Id String - Unique identifier issued by AS for the Okta IdP instance.
- client
Secret String - Client secret issued by AS for the Okta IdP instance.
- deprovisioned
Action String - Action for a previously deprovisioned IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- groups
Action String - Provisioning action for IdP user's group memberships. It can be
NONE
,SYNC
,APPEND
, orASSIGN
. Default:NONE
- groups
Assignments List<String> - List of Okta Group IDs to add an IdP user as a member with the
ASSIGN
groups_action
. - groups
Attribute String - IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
- groups
Filters List<String> - Whitelist of Okta Group identifiers that are allowed for the
APPEND
orSYNC
groups_action
. - issuer
Mode String - Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be
ORG_URL
,CUSTOM_URL
, orDYNAMIC
. Default:ORG_URL
- issuer
Url String - URI that identifies the issuer.
- jwks
Binding String - The method of making a request for the OIDC JWKS. It can be set to
HTTP-POST
orHTTP-REDIRECT
- jwks
Url String - Endpoint where the keys signer publishes its keys in a JWK Set.
- max
Clock NumberSkew - Maximum allowable clock-skew when processing messages from the IdP.
- name String
- Name of the IdP
- pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
- profile
Master Boolean - Determines if the IdP should act as a source of truth for user profile attributes.
- protocol
Type String - The type of protocol to use. It can be
OIDC
orOAUTH2
. Default:OIDC
- provisioning
Action String - Provisioning action for an IdP user during authentication. Default:
AUTO
- request
Signature StringAlgorithm - The HMAC Signature Algorithm used when signing an authorization request. Defaults to
HS256
. It can beHS256
,HS384
,HS512
,SHA-256
.RS256
,RS384
, orRS512
. NOTE:SHA-256
an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object - request
Signature StringScope - Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to
REQUEST
. It can beREQUEST
orNONE
. - scopes List<String>
- The scopes of the IdP.
- status String
- Default to
ACTIVE
- subject
Match StringAttribute - Okta user profile attribute for matching transformed IdP username. Only for matchType
CUSTOM_ATTRIBUTE
. - subject
Match StringType - Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to
USERNAME
. It can be set toUSERNAME
,EMAIL
,USERNAME_OR_EMAIL
orCUSTOM_ATTRIBUTE
. - suspended
Action String - Action for a previously suspended IdP user during authentication. Can be
NONE
orREACTIVATE
. Default:NONE
- token
Binding String - The method of making a token request. It can be set to
HTTP-POST
orHTTP-REDIRECT
. - token
Url String - IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
- type String
- Type of OIDC IdP.
- user
Info StringBinding - user
Info StringUrl - Protected resource endpoint that returns claims about the authenticated user.
- user
Type StringId - User type ID. Can be used as
target_id
in theokta.profile.Mapping
resource. - username
Template String - Okta EL Expression to generate or transform a unique username for the IdP user. Default:
idpuser.email
Import
$ pulumi import okta:idp/oidc:Oidc example <idp_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Okta pulumi/pulumi-okta
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
okta
Terraform Provider.