identity_provider_client

POST /auth/api/v1/idp/clients

Creates a new identity provider client configuration. client_id and client_secret are generated automatically by the server.

id (string)
    ID of the identity provider client config.

name (string)
    Name of the identity provider client config.

idp_type (string)
    Identity provider client type, "oidc" or "saml".
    Default: "oidc"
    Example: "oidc"

oidc_issuer (string)
    The authorization server's issuer identifier. Read-only.
    Default: "Provided by server"
    Example: "https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/"

oidc_audience (array)
    Custom audience(s) for the IdP config. By default, the audience is your client_id. Use this to add more audiences.
    Default: [ "testdomain.local" ]
    Example: [ "testdomain.local" ]

oidc_client_id (string)
    OAuth 2.0 Client Identifier valid at the Authorization Server.
    Default: "Provided by server"
    Example: "f81c1189-76b6-46e8-ba1e-54b2d3221534"

oidc_client_secret (string)
    OAuth 2.0 Client secret valid at the Authorization Server.
    Default: "Provided by server"
    Example: "83bcd1d3-cded-4BeB-903e-938359a87053"

oidc_scopes_enabled (array)
    Array containing a list of the enabled OAuth 2.0 [RFC6749] "scope" values. The "openid" scope is implicitly enabled.
    Default: "Provided by server"
    Example: [ "profile", "email", "phone", "address", "offline_access", "privx_roles" ]

oidc_response_types_supported (array)
    Array containing a list of the OAuth 2.0 [RFC6749] "response_type" values. Read-only.
    Default: "Provided by server"
    Example: [ "code", "id_token token", "id_token" ]

oidc_grant_types_supported (array)
    Array containing a list of the OAuth 2.0 [RFC6749] grant type values. Read-only.
    Default: "Provided by server"
    Example: [ "authorization_code", "refresh_token", "implicit" ]

oidc_code_challenge_method_enabled (boolean)
    Enable PKCE with the S256 code_challenge_method.
    Default: true

oidc_auth_method_enabled (string)
    Selected client authentication method used by the Token Endpoint. Allowed values: "none", "client_secret_basic", "client_secret_post" or "private_key_jwt".
    Default: "client_secret_basic"

oidc_auth_method_post (boolean)
    Enable the POST method for client_id/client_secret authentication in addition to HTTP Basic Auth.
    Default: true

oidc_grant_type_refresh_token (boolean)
    Enable use of the refresh_token grant.
    Default: true

oidc_default_logout_redirect_uri (string)
    Default post-logout redirect URI, used if end_session is called without a redirect URI.

oidc_allowed_redirect_uris (array)
    Array containing a list of allowed redirect URIs for the Code and Implicit flows.
    Example: [ "https://thirdpartysite/authorize/callback" ]

oidc_attribute_mapping (object)
    An object containing attribute:token mappings for mapping user attributes to ID token attributes. Allowed token attribute values are sub, name, preferred_username, family_name, given_name, locale, email, and phone_number.
    Example: { "email": "sub" }

oidc_signature_algorithm (string)
    Token signature algorithm [RFC7518]. Allowed values are RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384 and PS512.
    Default: "RS256"

oidc_access_token_valid_in_minutes (int)
    Access token validity in minutes.
    Default: 5

oidc_refresh_token_valid_in_minutes (int)
    Refresh token validity in minutes.
    Default: 480

saml_identifier (string)
    The authorization server's entity ID. Global setting, read-only.
    Default: "Provided by server"
    Example: "https://privx_endpoint/saml/IdForServiceProvider1"

saml_sso_service_url (string)
    SAML SSO Service address. Global setting, read-only. TBD
    Default: "Provided by server"

saml_metadata_url (string)
    SAML metadata address. Global setting, read-only. TBD
    Default: "Provided by server"

saml_acs_url (string)
    SAML Assertion Consumer Service URL for the authentication response. TBD
    Default: ""
    Example: "https://thirdpartysite/login/callback"

saml_attribute_mapping (object)
    An object containing mappings for SAML attributes.

saml_public_x509_certificate (string)
    SAML public X.509 certificate. Read-only.
    Default: "Provided by server"

user_filter (string)
    User filter. Only users matching this filter are allowed to log in. Leave empty to allow all users.
    Default: ""
    Example: "(dn=johndoe*)"

enabled (boolean)
    Enable/disable the IdP client config.
    Default: true

Responses

Request examples

{
  "id": "string",
  "name": "string",
  "idp_type": "oidc",
  "oidc_issuer": "https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/",
  "oidc_audience": [
    "testdomain.local"
  ],
  "oidc_client_id": "f81c1189-76b6-46e8-ba1e-54b2d3221534",
  "oidc_client_secret": "83bcd1d3-cded-4BeB-903e-938359a87053",
  "oidc_scopes_enabled": [
    "profile",
    "email",
    "phone",
    "address",
    "offline_access",
    "privx_roles"
  ],
  "oidc_response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "oidc_grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit"
  ],
  "oidc_code_challenge_method_enabled": true,
  "oidc_auth_method_enabled": "string",
  "oidc_auth_method_post": true,
  "oidc_grant_type_refresh_token": true,
  "oidc_default_logout_redirect_uri": "string",
  "oidc_allowed_redirect_uris": [
    "https://thirdpartysite/authorize/callback"
  ],
  "oidc_attribute_mapping": {
    "email": "sub"
  },
  "oidc_signature_algorithm": "string",
  "oidc_access_token_valid_in_minutes": 123,
  "oidc_refresh_token_valid_in_minutes": 123,
  "saml_identifier": "https://privx_endpoint/saml/IdForServiceProvider1",
  "saml_sso_service_url": "string",
  "saml_metadata_url": "string",
  "saml_acs_url": "https://thirdpartysite/login/callback",
  "saml_attribute_mapping": {},
  "saml_public_x509_certificate": "string",
  "user_filter": "(dn=johndoe*)",
  "enabled": true
}

Response examples

Successful response, identity provider created.

{
  "id": "string",
  "name": "string",
  "idp_type": "oidc",
  "oidc_issuer": "https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/",
  "oidc_audience": [
    "testdomain.local"
  ],
  "oidc_client_id": "f81c1189-76b6-46e8-ba1e-54b2d3221534",
  "oidc_client_secret": "83bcd1d3-cded-4BeB-903e-938359a87053",
  "oidc_scopes_enabled": [
    "profile",
    "email",
    "phone",
    "address",
    "offline_access",
    "privx_roles"
  ],
  "oidc_response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "oidc_grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit"
  ],
  "oidc_code_challenge_method_enabled": true,
  "oidc_auth_method_enabled": "string",
  "oidc_auth_method_post": true,
  "oidc_grant_type_refresh_token": true,
  "oidc_default_logout_redirect_uri": "string",
  "oidc_allowed_redirect_uris": [
    "https://thirdpartysite/authorize/callback"
  ],
  "oidc_attribute_mapping": {
    "email": "sub"
  },
  "oidc_signature_algorithm": "string",
  "oidc_access_token_valid_in_minutes": 123,
  "oidc_refresh_token_valid_in_minutes": 123,
  "saml_identifier": "https://privx_endpoint/saml/IdForServiceProvider1",
  "saml_sso_service_url": "string",
  "saml_metadata_url": "string",
  "saml_acs_url": "https://thirdpartysite/login/callback",
  "saml_attribute_mapping": {},
  "saml_public_x509_certificate": "string",
  "user_filter": "(dn=johndoe*)",
  "enabled": true
}
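A create body for this endpoint is only as safe as the values put into it, and several of the fields above are server-owned or restricted to a fixed set of values. The following Python is an added example, not PrivX code or its SDK: it checks a body intended for POST /auth/api/v1/idp/clients against the allowed values documented above (auth methods, signature algorithms, token attribute names, fields the server generates or marks read-only) and adds a few checks of its own that are labelled as example policy (exact https-only redirect URIs, PKCE required when client authentication is "none", offline_access only together with the refresh grant, positive token lifetimes). The sample body and the name "ticketing-portal" are constructed for the example.

```python
from __future__ import annotations

from urllib.parse import urlparse

# Allowed values as documented in the field descriptions of this page.
ALLOWED_IDP_TYPES = {"oidc", "saml"}
ALLOWED_AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post", "private_key_jwt"}
ALLOWED_SIG_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
ALLOWED_TOKEN_CLAIMS = {"sub", "name", "preferred_username", "family_name", "given_name",
                        "locale", "email", "phone_number"}
# Documented as generated by the server or read-only; a create body should not set them.
SERVER_OWNED_FIELDS = {"oidc_issuer", "oidc_client_id", "oidc_client_secret",
                       "oidc_response_types_supported", "oidc_grant_types_supported",
                       "saml_identifier", "saml_sso_service_url", "saml_metadata_url",
                       "saml_public_x509_certificate"}


def check_redirect_uri(uri: str) -> list[str]:
    """Example policy (not from the page): an allowlist entry must be an absolute https
    URI with no wildcard and no fragment, so that only exact callbacks are accepted."""
    problems = []
    parts = urlparse(uri)
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"redirect URI is not an absolute https URI: {uri!r}")
    if "*" in uri:
        problems.append(f"redirect URI contains a wildcard: {uri!r}")
    if parts.fragment:
        problems.append(f"redirect URI contains a fragment: {uri!r}")
    return problems


def validate_oidc_client_body(body: dict) -> list[str]:
    """Return a list of problems with a create request body; an empty list means it passes.
    Defaults mirror the page: PKCE on, client_secret_basic, RS256, 5/480 minute lifetimes."""
    problems: list[str] = []

    if body.get("idp_type", "oidc") not in ALLOWED_IDP_TYPES:
        problems.append(f"idp_type must be one of {sorted(ALLOWED_IDP_TYPES)}")
    for field in sorted(SERVER_OWNED_FIELDS & body.keys()):
        problems.append(f"{field} is generated by the server or read-only; do not send it")

    method = body.get("oidc_auth_method_enabled", "client_secret_basic")
    pkce = body.get("oidc_code_challenge_method_enabled", True)
    if method not in ALLOWED_AUTH_METHODS:
        problems.append(f"oidc_auth_method_enabled must be one of {sorted(ALLOWED_AUTH_METHODS)}")
    elif method == "none" and not pkce:
        # A public client (no client authentication) without PKCE has nothing that binds
        # the authorization code to the client instance that started the flow.
        problems.append("oidc_auth_method_enabled 'none' requires oidc_code_challenge_method_enabled")

    if body.get("oidc_signature_algorithm", "RS256") not in ALLOWED_SIG_ALGS:
        problems.append(f"oidc_signature_algorithm must be one of {sorted(ALLOWED_SIG_ALGS)}")

    for uri in body.get("oidc_allowed_redirect_uris", []):
        problems.extend(check_redirect_uri(uri))

    for attr, claim in body.get("oidc_attribute_mapping", {}).items():
        if claim not in ALLOWED_TOKEN_CLAIMS:
            problems.append(f"oidc_attribute_mapping maps {attr!r} to unsupported token attribute {claim!r}")

    # Consistency check (example policy): offline_access is pointless without the refresh grant.
    scopes = set(body.get("oidc_scopes_enabled", []))
    if "offline_access" in scopes and not body.get("oidc_grant_type_refresh_token", True):
        problems.append("offline_access scope enabled but oidc_grant_type_refresh_token is false")

    access = body.get("oidc_access_token_valid_in_minutes", 5)
    refresh = body.get("oidc_refresh_token_valid_in_minutes", 480)
    for name, value in (("oidc_access_token_valid_in_minutes", access),
                        ("oidc_refresh_token_valid_in_minutes", refresh)):
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            problems.append(f"{name} must be a positive integer")
    if isinstance(access, int) and isinstance(refresh, int) and access > refresh:
        problems.append("access token lifetime exceeds refresh token lifetime")

    return problems


# Constructed sample body for a confidential OIDC client; the field names are the page's.
SAMPLE_CREATE_BODY = {
    "name": "ticketing-portal",
    "idp_type": "oidc",
    "oidc_auth_method_enabled": "client_secret_basic",
    "oidc_code_challenge_method_enabled": True,
    "oidc_grant_type_refresh_token": True,
    "oidc_scopes_enabled": ["profile", "email", "offline_access"],
    "oidc_allowed_redirect_uris": ["https://thirdpartysite/authorize/callback"],
    "oidc_attribute_mapping": {"email": "sub"},
    "oidc_signature_algorithm": "RS256",
    "oidc_access_token_valid_in_minutes": 5,
    "oidc_refresh_token_valid_in_minutes": 480,
    "enabled": True,
}

if __name__ == "__main__":
    for line in validate_oidc_client_body(SAMPLE_CREATE_BODY) or ["body passes all checks"]:
        print(line)
```

Run the validator before every POST (and before every PUT, since the update endpoint takes the same definition); the server will still apply its own rules, but catching a loosened redirect allowlist or a public client without PKCE in review is cheaper than finding it in an incident.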

GET /auth/api/v1/idp/clients/{idp_id}

Fetches an existing identity provider client configuration.

idp_id (string, required, format: uuid)
    Identity provider ID

Responses

Response examples

Successful response, returns existing identity_provider.

{
  "id": "string",
  "name": "string",
  "idp_type": "oidc",
  "oidc_issuer": "https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/",
  "oidc_audience": [
    "testdomain.local"
  ],
  "oidc_client_id": "f81c1189-76b6-46e8-ba1e-54b2d3221534",
  "oidc_client_secret": "83bcd1d3-cded-4BeB-903e-938359a87053",
  "oidc_scopes_enabled": [
    "profile",
    "email",
    "phone",
    "address",
    "offline_access",
    "privx_roles"
  ],
  "oidc_response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "oidc_grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit"
  ],
  "oidc_code_challenge_method_enabled": true,
  "oidc_auth_method_enabled": "string",
  "oidc_auth_method_post": true,
  "oidc_grant_type_refresh_token": true,
  "oidc_default_logout_redirect_uri": "string",
  "oidc_allowed_redirect_uris": [
    "https://thirdpartysite/authorize/callback"
  ],
  "oidc_attribute_mapping": {
    "email": "sub"
  },
  "oidc_signature_algorithm": "string",
  "oidc_access_token_valid_in_minutes": 123,
  "oidc_refresh_token_valid_in_minutes": 123,
  "saml_identifier": "https://privx_endpoint/saml/IdForServiceProvider1",
  "saml_sso_service_url": "string",
  "saml_metadata_url": "string",
  "saml_acs_url": "https://thirdpartysite/login/callback",
  "saml_attribute_mapping": {},
  "saml_public_x509_certificate": "string",
  "user_filter": "(dn=johndoe*)",
  "enabled": true
}

PUT /auth/api/v1/idp/clients/{idp_id}

Updates an existing identity provider client configuration definition.

idp_id (string, required, format: uuid)
    Identity provider ID

Responses

Response examples

Identity provider client configuration successfully updated

{
  "id": "5bf77342-221c-11ee-be56-0242ac120002"
}

DELETE /auth/api/v1/idp/clients/{idp_id}

Deletes an identity provider client configuration by ID.

idp_id (string, required, format: uuid)
    Identity provider client configuration ID

Responses

Response examples

Identity provider client configuration successfully deleted.

Empty response

POST /auth/api/v1/idp/clients/{idp_id}/regenerate

Regenerates client_id and client_secret for an OIDC identity provider client configuration.

idp_id (string, required, format: uuid)
    Identity provider ID

Responses

Response examples

client_id and client_secret successfully regenerated. Returns the new values.

{
  "client_id": "5bf77342-221c-11ee-be56-0242ac120002",
  "client_secret": "5bf77342-221c-11ee-be56-0242ac120002"
}
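The five endpoints on this page (create, fetch, update, delete, regenerate) form one lifecycle, and the GET response and the regenerate response both carry a client secret that should be handled with care. The following Python is an added example, not the PrivX SDK: a thin wrapper whose paths and JSON field names are the ones documented above, with a pluggable transport so it can be exercised without a live server. The base URL, the bearer-token header, the `deliver` callback and the `set_redirect_uris` and `rotate_client_secret` helpers are assumptions of this example; the regenerate response shape ({"client_id": ..., "client_secret": ...}) and the PUT response shape ({"id": ...}) are the ones shown on this page.

```python
import json
import urllib.request
from typing import Callable, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status, response body).
# Pluggable so the wrapper can be tested offline with a fake transport.
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Default transport using the standard library; assumes the PrivX host is reachable."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class IdpClientApi:
    """Thin wrapper around the identity provider client endpoints documented on this page."""
    BASE_PATH = "/auth/api/v1/idp/clients"

    def __init__(self, base_url: str, bearer_token: str, send: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        # Assumption of this example: the API accepts a bearer token in the Authorization header.
        self.headers = {"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"}
        self.send = send

    def _call(self, method: str, path: str, body: Optional[dict] = None):
        data = json.dumps(body).encode() if body is not None else None
        status, raw = self.send(method, self.base_url + path, self.headers, data)
        if status >= 400:
            # Deliberately does not echo the request body: it may carry a client secret.
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return json.loads(raw) if raw else None  # DELETE returns an empty body

    def create(self, body: dict) -> dict:
        return self._call("POST", self.BASE_PATH, body)

    def get(self, idp_id: str) -> dict:
        return self._call("GET", f"{self.BASE_PATH}/{idp_id}")

    def update(self, idp_id: str, body: dict) -> dict:
        return self._call("PUT", f"{self.BASE_PATH}/{idp_id}", body)

    def delete(self, idp_id: str) -> None:
        self._call("DELETE", f"{self.BASE_PATH}/{idp_id}")

    def regenerate(self, idp_id: str) -> dict:
        return self._call("POST", f"{self.BASE_PATH}/{idp_id}/regenerate")


def redact(config: dict) -> dict:
    """Copy of a fetched config that is safe to log: the GET response includes oidc_client_secret."""
    return {k: ("<redacted>" if k == "oidc_client_secret" else v) for k, v in config.items()}


def set_redirect_uris(api: IdpClientApi, idp_id: str, uris: list) -> str:
    """Fetch the definition, change one field, PUT it back; returns the id from the response."""
    config = api.get(idp_id)
    config["oidc_allowed_redirect_uris"] = list(uris)
    return api.update(idp_id, config)["id"]


def rotate_client_secret(api: IdpClientApi, idp_id: str, deliver: Callable[[str, str], None]) -> str:
    """Regenerate the credential and hand the new pair to the relying party through `deliver`
    (a secrets-manager write, for instance). Regeneration replaces both values, so the relying
    party needs the new pair before it next authenticates. Only the client_id is returned; the
    secret is passed along once and never logged."""
    new = api.regenerate(idp_id)
    missing = {"client_id", "client_secret"} - set(new)
    if missing:
        raise RuntimeError(f"regenerate response lacks {sorted(missing)}")
    deliver(new["client_id"], new["client_secret"])
    return new["client_id"]
```

Point `IdpClientApi` at the real host only through `urllib_transport`; for tests and dry runs, pass a `send` callable that records the method and URL and returns canned bodies, which is enough to verify that rotation delivers the secret and that nothing else ever returns or prints it.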
