Version: v41

identity_provider_client

PrivX Identity Provider client configuration

idstring

ID of the identity provider client config

namestring

Name of the identity provider client config

idp_typestring

Identity provider client type, "oidc" or "saml"

Default value: oidc

Example: oidc

oidc_issuerstring

The authorization server's issuer identifier. Read-only.

Default value: Provided by server

Example: https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/

oidc_audiencestring[]

Custom audience(s) for the IdP config. By default, the audience is your client_id. Use this to add more audiences.

Default value: ["testdomain.local"]

Example: ["testdomain.local"]

oidc_client_idstring

OAuth 2.0 Client Identifier valid at the Authorization Server.

Default value: Provided by server

Example: f81c1189-76b6-46e8-ba1e-54b2d3221534

oidc_client_secretstring

OAuth 2.0 Client secret valid at the Authorization Server.

Default value: Provided by server

Example: 83bcd1d3-cded-4BeB-903e-938359a87053

oidc_scopes_enabledstring[]

Array containing a list of the enabled OAuth 2.0 [RFC6749] "scope" values. "openid" scope is implicitly enabled.

Default value: ["Provided by server"]

Example: ["profile","email","phone","address","offline_access","privx_roles"]

oidc_response_types_supportedstring[]

Array containing a list of the OAuth 2.0 [RFC6749] "response_type" values. Read only.

Default value: ["Provided by server"]

Example: ["code","id_token token","id_token"]

oidc_grant_types_supportedstring[]

Array containing a list of the OAuth 2.0 [RFC6749] grant type values. Read only.

Default value: ["Provided by server"]

Example: ["authorization_code","refresh_token","implicit"]

oidc_code_challenge_method_enabledboolean

Enable PKCE with S256 code_challenge_method

Default value: true

oidc_auth_method_enabledstring

Selected client authentication method used by the Token Endpoint. Allowed values "none","client_secret_basic","client_secret_post" or "private_key_jwt".

Default value: client_secret_basic

oidc_auth_method_postboolean

Enable POST method for client_id/client_secret authentication in addition to HTTP Basic Auth.

Default value: true

oidc_grant_type_refresh_tokenboolean

Enable refresh_token grant use.

Default value: true

oidc_default_logout_redirect_uristring

Default post logout redirect uri, if end_session is called without redirect uri.

oidc_allowed_redirect_urisstring[]

Array containing a list of allowed redirect URIs for Code and Implicit flow.

Example: ["https://thirdpartysite/authorize/callback"]

oidc_attribute_mappingobject

An object containing attribute:token mappings for mapping user attributes to idToken attributes. Allowed token attribute values are sub, name, preferred_username, family_name, given_name, locale, email, and phone_number.

Example: {"email":"sub"}

oidc_signature_algorithmstring

Token signature algorithm [RFC7518]. Allowed values are RS256,RS384,RS512,ES256,ES384,ES512,PS256,PS384,PS512

Default value: RS256

oidc_access_token_valid_in_minutesinteger

Access token validity in minutes.

Default value: 5

oidc_refresh_token_valid_in_minutesinteger

Refresh token validity in minutes.

Default value: 480

saml_identifierstring

The authorization server's entity ID. Global setting, read-only.

Default value: Provided by server

Example: https://privx_endpoint/saml/IdForServiceProvider1

saml_sso_service_urlstring

SAML SSO Service address. Global setting, read-only. TBD

Default value: Provided by server

saml_metadata_urlstring

SAML metadata address. Global setting, read-only. TBD

Default value: Provided by server

saml_acs_urlstring

SAML Assorted Consumer Service url for authentication response. TBD

Default value:

Example: https://thirdpartysite/login/callback

saml_attribute_mappingobject

An object containing mappings for SAML attributes.

saml_public_x509_certificatestring

SAML public X509 certificate. Read-only.

Default value: Provider by server

user_filterstring

User filter. Only users matching this filter are allowed to log in. Leave empty to allow all users.

Default value:

Example: (dn=johndoe*)

enabledboolean

Enable/disable IDP client config

Default value: true

identity_provider_client
{
  "id": "string",
  "name": "string",
  "idp_type": "oidc",
  "oidc_issuer": "https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/",
  "oidc_audience": [
    "testdomain.local"
  ],
  "oidc_client_id": "f81c1189-76b6-46e8-ba1e-54b2d3221534",
  "oidc_client_secret": "83bcd1d3-cded-4BeB-903e-938359a87053",
  "oidc_scopes_enabled": [
    "profile",
    "email",
    "phone",
    "address",
    "offline_access",
    "privx_roles"
  ],
  "oidc_response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "oidc_grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit"
  ],
  "oidc_code_challenge_method_enabled": true,
  "oidc_auth_method_enabled": "client_secret_basic",
  "oidc_auth_method_post": true,
  "oidc_grant_type_refresh_token": true,
  "oidc_default_logout_redirect_uri": "string",
  "oidc_allowed_redirect_uris": [
    "https://thirdpartysite/authorize/callback"
  ],
  "oidc_attribute_mapping": {
    "email": "sub"
  },
  "oidc_signature_algorithm": "RS256",
  "oidc_access_token_valid_in_minutes": 5,
  "oidc_refresh_token_valid_in_minutes": 480,
  "saml_identifier": "https://privx_endpoint/saml/IdForServiceProvider1",
  "saml_sso_service_url": "Provided by server",
  "saml_metadata_url": "Provided by server",
  "saml_acs_url": "https://thirdpartysite/login/callback",
  "saml_attribute_mapping": {},
  "saml_public_x509_certificate": "Provider by server",
  "user_filter": "(dn=johndoe*)",
  "enabled": true
}