Version: v41

identity_provider

id string<uuid>
name string required

Identity provider name, must be unique

Possible values: >= 2 characters and <= 2042 characters

Example: Acme identity provider
token_type string required

Token type. Only "JWT" is supported.

Possible values: [JWT]

Example: JWT
jwt_issuer string required

JWT issuer

Possible values: <= 2042 characters

Example: acme
jwt_audience string

Expected JWT audience. The JWT aud claim must either be a single matching value or an array of values of which at least one matches.

Possible values: <= 2042 characters

Example: privx
jwt_subject_type string required

JWT subject claim format

Possible values: [plain, dn]

Example: dn
jwt_subject_dn_username_attribute string

If jwt_subject_type is "dn" then jwt_subject_dn_username_attribute specifies the name of the attribute to be used as username when resolving the user

Example: cn
custom_attributes object[]
  • Array [
  • field_name string required

    Name of JWT token claim

    type string required

    Type of the custom attribute validation. "string_pattern" compares a claim value to a glob pattern. "numeric_range" checks that the claim value is within an expected numeric range. "ip_range" checks that the claim value is an IP address within an IP range. "ip_client" checks that the claim value matches the IP address from which the token login REST API request is made.

    Possible values: [string_pattern, numeric_range, ip_range, ip_client]

    expected_value string

    Expected claim value as glob pattern when type is "string_pattern"

    start string

    Start value. If type is numeric_range then start must be an integer or a float value in string format. If type is ip_range then start must be a valid IPv4 or IPv6 address.

    end string

    End value. If type is numeric_range then the type of the value must match start and the value must not be smaller than start. If type is ip_range then the IP version must match start and the value must not be smaller than start.

  • ]
  • public_key_method string

    Method for obtaining the token verification public key

    Possible values: [static, x5u, x5u-publickey]

    public_keys object[]
  • Array [
  • key_id string required

    Key ID

    Example: key-1
    comment string

    Comment

    public_key string required

    Public key in PKIX PEM format

    Example: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoopkfuxiDKcB3XGT3TlF 14dyBUTJctzO80O2iX69GVzcXcx/TFVo8J1f8QASxHaW8w5GyLyNVMjc0lhoKM9T Prb5RN/wXchfBCRYxMu57sVcvD1e7JR586ELebX1206ZL9/jyeFK4wVjaPxcBbhC Eb/Gw1dcSxlt0SoeconCv2yRsRVxxQCHv91HAvg2S17uC3K/AxU4gOoGzlK/dEYi 6TztKimKhuxkNFcT9l5gDIWoQQXLPCxN7ayqJ60MBw/N8esbgrgAYfGPgOEWnRDY 59aAuOMzVBlRVFnrBRU+pVlINcDens1DaZP8Dut7gdaZs8fJQ8KmvfrYQm9uOFCn CwIDAQAB -----END PUBLIC KEY-----
  • ]
  • x5u_trust_anchor string<PEM certificate or certificate chain>

    Trust anchor for verifying X.509 certificates fetched from x5u urls. Required if public_key_method is "x5u"

    Example: -----BEGIN CERTIFICATE----- MIIDXzCCAkegAwIBAgIUKDzwc7wsPLlP4YVLEZDAme2lDUUwDQYJKoZIhvcNAQEL BQAwPzELMAkGA1UEBhMCRkkxEjAQBgNVBAoMCVNTSENPTVNFQzEMMAoGA1UECwwD UiZEMQ4wDAYDVQQDDAVQUklWWDAeFw0yMjA1MTkwODUyMjlaFw0yMzA1MTQwODUy MjlaMD8xCzAJBgNVBAYTAkZJMRIwEAYDVQQKDAlTU0hDT01TRUMxDDAKBgNVBAsM A1ImRDEOMAwGA1UEAwwFUFJJVlgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCiimR+7GIMpwHdcZPdOUXXh3IFRMly3M7zQ7aJfr0ZXNxdzH9MVWjwnV/x ABLEdpbzDkbIvI1UyNzSWGgoz1M+tvlE3/BdyF8EJFjEy7nuxVy8PV7slHnzoQt5 tfXbTpkv3+PJ4UrjBWNo/FwFuEIRv8bDV1xLGW3RKh5yicK/bJGxFXHFAIe/3UcC +DZLXu4Lcr8DFTiA6gbOUr90RiLpPO0qKYqG7GQ0VxP2XmAMhahBBcs8LE3trKon rQwHD83x6xuCuABh8Y+A4RadENjn1oC44zNUGVFUWesFFT6lWUg1wN6ezUNpk/wO 63uB1pmzx8lDwqa9+thCb244UKcLAgMBAAGjUzBRMB0GA1UdDgQWBBRs5UC6jHc0 uqp1ABqZrONLE1Rv1TAfBgNVHSMEGDAWgBRs5UC6jHc0uqp1ABqZrONLE1Rv1TAP BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA8lbh+wEJKZlEVtIJ/ wswLjwnzXc0MxGJL7/zVAfn1XKN+igAhKFUK13tziRjM68/Qbe9ckr2VRmvNLOxE ALsPx0poKruAMWuu3p1JHNjm3MrLRsC/K+Fogi1r1RiSoyZFBS2HVl+5hDbtW2bx UEm1dqYzELyAnjuIJFN1gZwMQP3abHuGQnmIF0nNHyNMBVU64i5mHuSulCY+pGur x93kOQNESHRGoYhCQwYJSI03BfcIRrv5BPCd98tpSfNXgoOga1vFSb1AwiWpq/zL u5z8eBbsLf9xmkylqMNZbZWsJFMv0r43cLA87Qo848YsJYpk51iIOZgGR6xTQF0+ Q+M6 -----END CERTIFICATE-----
    x5u_tls_trust_anchor string<PEM certificate or certificate chain>

    Trust anchor for TLS server certificates used when fetching X.509 certificates or public keys from x5u urls. If not specified then system trust anchors will be used.

    Example: -----BEGIN CERTIFICATE----- MIIDIzCCAgugAwIBAgIUV19HtBxY1nF7nfgk9X/YIyba4XEwDQYJKoZIhvcNAQEL BQAwITELMAkGA1UEBhMCRkkxEjAQBgNVBAoMCVNTSENPTVNFQzAeFw0yMjA1MTkx MjI0NDhaFw0yMzA1MTkxMjI0NDhaMCExCzAJBgNVBAYTAkZJMRIwEAYDVQQKDAlT U0hDT01TRUMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtsoOmkZ7L PqTwPvhbMItewr92kY6HfityYmQ5gCHp6T03X6jvhiZYNM0FuhhGYHr9RNnBEuTB U1eKYgb59lUsLtNWAxy1D2riQ4/2P2jU6ldSEUrzAHQ0tYlkGAWecpzh601XBE9f Bde1kDPzw5qdUGIt8oLTCaY0FydBHNOopxvbpO7kJGAxA8jsYrmvXaglMBSmChPg rubfTp1D07VuRDAJEQW9kwYWbO9PSSRGsGsg2ZQRpJpvqLzLb7iBjG68kJik+zBA YT4AkjItf71XvkzI+X18Rn4RuaYgKXUX5S1BVGy6JqbC+Zd6X/sJBsxx3h67RG8/ brOr2h86bgJ/AgMBAAGjUzBRMB0GA1UdDgQWBBT3gsAZ1c+rjewKAhZ/y/yHjC2w hjAfBgNVHSMEGDAWgBT3gsAZ1c+rjewKAhZ/y/yHjC2whjAPBgNVHRMBAf8EBTAD AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAQjNPfE7oTbYY8eqv9NoEB/OUD3VJRHFVT ffYIag8/X1pz3lG1hYBy2XXSw4+1XDOH9Rgf+Ol78Sbse38ciVoZkwotkInJjdat 6x5keBNdSQj97/Ec0xPZeM6ArTeajl12qlvgZUjUhz3xKdNwmbsBKGL+YdgMeOBg zyRcqMvynOH3KlxYyXbiEtx+Sw3FQflKZ+VZhlmmplsgnqk9YOByX6DZlP5thI2C Pew6jTFHtJosa7G5l3V8qwQc1KXYkPIUr6yMOZhxrHuqZR+QuujXb4CFe8idHmgF TDfPuHLK9IAd4MfPxVwMhvvWezbYAnqojCF73n4k6KLKXH262s7s -----END CERTIFICATE-----
    x5u_prefix string<uri>

    The url in the token's x5u claim must start with the x5u_prefix or it will be rejected. x5u_prefix must be a valid https url. Required if public_key_method is "x5u-publickey".

    Example: https://privx.io/token-issuer
    enabled boolean

    Enable/Disable Identity Provider

    users_directory string<uuid> required

    ID of the PrivX user directory from which the users are resolved by token's sub claim. OIDC user directories are not supported.

    author string<uuid>

    Identity Provider Author

    created string<date-time>

    Creation time

    updated string<date-time>

    Time of the last update

    updated_by string

    ID of the user who last updated the identity provider

    identity_provider
    {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "Acme identity provider",
    "token_type": "JWT",
    "jwt_issuer": "acme",
    "jwt_audience": "privx",
    "jwt_subject_type": "dn",
    "jwt_subject_dn_username_attribute": "cn",
    "custom_attributes": [
    {
    "field_name": "email",
    "type": "string_pattern",
    "expected_value": "*@privx.io"
    },
    {
    "field_name": "instances",
    "type": "ip_range",
    "start": "192.168.3.1",
    "end": "192.168.3.254"
    },
    {
    "field_name": "instances",
    "type": "ip_client"
    },
    {
    "field_name": "uid",
    "type": "numeric_range",
    "start": "1001",
    "end": "65535"
    }
    ],
    "public_key_method": "static",
    "public_keys": [
    {
    "key_id": "key-1",
    "comment": "string",
    "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoopkfuxiDKcB3XGT3TlF\n14dyBUTJctzO80O2iX69GVzcXcx/TFVo8J1f8QASxHaW8w5GyLyNVMjc0lhoKM9T\nPrb5RN/wXchfBCRYxMu57sVcvD1e7JR586ELebX1206ZL9/jyeFK4wVjaPxcBbhC\nEb/Gw1dcSxlt0SoeconCv2yRsRVxxQCHv91HAvg2S17uC3K/AxU4gOoGzlK/dEYi\n6TztKimKhuxkNFcT9l5gDIWoQQXLPCxN7ayqJ60MBw/N8esbgrgAYfGPgOEWnRDY\n59aAuOMzVBlRVFnrBRU+pVlINcDens1DaZP8Dut7gdaZs8fJQ8KmvfrYQm9uOFCn\nCwIDAQAB\n-----END PUBLIC KEY-----\n"
    }
    ],
    "x5u_trust_anchor": "-----BEGIN CERTIFICATE-----\nMIIDXzCCAkegAwIBAgIUKDzwc7wsPLlP4YVLEZDAme2lDUUwDQYJKoZIhvcNAQEL\nBQAwPzELMAkGA1UEBhMCRkkxEjAQBgNVBAoMCVNTSENPTVNFQzEMMAoGA1UECwwD\nUiZEMQ4wDAYDVQQDDAVQUklWWDAeFw0yMjA1MTkwODUyMjlaFw0yMzA1MTQwODUy\nMjlaMD8xCzAJBgNVBAYTAkZJMRIwEAYDVQQKDAlTU0hDT01TRUMxDDAKBgNVBAsM\nA1ImRDEOMAwGA1UEAwwFUFJJVlgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQCiimR+7GIMpwHdcZPdOUXXh3IFRMly3M7zQ7aJfr0ZXNxdzH9MVWjwnV/x\nABLEdpbzDkbIvI1UyNzSWGgoz1M+tvlE3/BdyF8EJFjEy7nuxVy8PV7slHnzoQt5\ntfXbTpkv3+PJ4UrjBWNo/FwFuEIRv8bDV1xLGW3RKh5yicK/bJGxFXHFAIe/3UcC\n+DZLXu4Lcr8DFTiA6gbOUr90RiLpPO0qKYqG7GQ0VxP2XmAMhahBBcs8LE3trKon\nrQwHD83x6xuCuABh8Y+A4RadENjn1oC44zNUGVFUWesFFT6lWUg1wN6ezUNpk/wO\n63uB1pmzx8lDwqa9+thCb244UKcLAgMBAAGjUzBRMB0GA1UdDgQWBBRs5UC6jHc0\nuqp1ABqZrONLE1Rv1TAfBgNVHSMEGDAWgBRs5UC6jHc0uqp1ABqZrONLE1Rv1TAP\nBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA8lbh+wEJKZlEVtIJ/\nwswLjwnzXc0MxGJL7/zVAfn1XKN+igAhKFUK13tziRjM68/Qbe9ckr2VRmvNLOxE\nALsPx0poKruAMWuu3p1JHNjm3MrLRsC/K+Fogi1r1RiSoyZFBS2HVl+5hDbtW2bx\nUEm1dqYzELyAnjuIJFN1gZwMQP3abHuGQnmIF0nNHyNMBVU64i5mHuSulCY+pGur\nx93kOQNESHRGoYhCQwYJSI03BfcIRrv5BPCd98tpSfNXgoOga1vFSb1AwiWpq/zL\nu5z8eBbsLf9xmkylqMNZbZWsJFMv0r43cLA87Qo848YsJYpk51iIOZgGR6xTQF0+\nQ+M6\n-----END CERTIFICATE-----\n",
    "x5u_tls_trust_anchor": "-----BEGIN CERTIFICATE-----\nMIIDIzCCAgugAwIBAgIUV19HtBxY1nF7nfgk9X/YIyba4XEwDQYJKoZIhvcNAQEL\nBQAwITELMAkGA1UEBhMCRkkxEjAQBgNVBAoMCVNTSENPTVNFQzAeFw0yMjA1MTkx\nMjI0NDhaFw0yMzA1MTkxMjI0NDhaMCExCzAJBgNVBAYTAkZJMRIwEAYDVQQKDAlT\nU0hDT01TRUMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtsoOmkZ7L\nPqTwPvhbMItewr92kY6HfityYmQ5gCHp6T03X6jvhiZYNM0FuhhGYHr9RNnBEuTB\nU1eKYgb59lUsLtNWAxy1D2riQ4/2P2jU6ldSEUrzAHQ0tYlkGAWecpzh601XBE9f\nBde1kDPzw5qdUGIt8oLTCaY0FydBHNOopxvbpO7kJGAxA8jsYrmvXaglMBSmChPg\nrubfTp1D07VuRDAJEQW9kwYWbO9PSSRGsGsg2ZQRpJpvqLzLb7iBjG68kJik+zBA\nYT4AkjItf71XvkzI+X18Rn4RuaYgKXUX5S1BVGy6JqbC+Zd6X/sJBsxx3h67RG8/\nbrOr2h86bgJ/AgMBAAGjUzBRMB0GA1UdDgQWBBT3gsAZ1c+rjewKAhZ/y/yHjC2w\nhjAfBgNVHSMEGDAWgBT3gsAZ1c+rjewKAhZ/y/yHjC2whjAPBgNVHRMBAf8EBTAD\nAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAQjNPfE7oTbYY8eqv9NoEB/OUD3VJRHFVT\nffYIag8/X1pz3lG1hYBy2XXSw4+1XDOH9Rgf+Ol78Sbse38ciVoZkwotkInJjdat\n6x5keBNdSQj97/Ec0xPZeM6ArTeajl12qlvgZUjUhz3xKdNwmbsBKGL+YdgMeOBg\nzyRcqMvynOH3KlxYyXbiEtx+Sw3FQflKZ+VZhlmmplsgnqk9YOByX6DZlP5thI2C\nPew6jTFHtJosa7G5l3V8qwQc1KXYkPIUr6yMOZhxrHuqZR+QuujXb4CFe8idHmgF\nTDfPuHLK9IAd4MfPxVwMhvvWezbYAnqojCF73n4k6KLKXH262s7s\n-----END CERTIFICATE-----\n",
    "x5u_prefix": "https://privx.io/token-issuer",
    "enabled": true,
    "users_directory": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "author": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "created": "2024-07-29T15:51:28.071Z",
    "updated": "2024-07-29T15:51:28.071Z",
    "updated_by": "string"
    }
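
Added example, not PrivX code: a Python illustration of how the jwt_audience rule and the four custom_attributes validation types described in the schema can be evaluated against already-verified token claims, using the rules from the sample object above. It assumes fnmatch-style globs, inclusive ranges, that every rule must pass, and that missing or malformed claims fail; the function names and the claims used to exercise it are hypothetical.

```python
import ipaddress
from fnmatch import fnmatchcase

# Rules copied in shape from the custom_attributes sample on this page.
RULES = [
    {"field_name": "email", "type": "string_pattern", "expected_value": "*@privx.io"},
    {"field_name": "instances", "type": "ip_range", "start": "192.168.3.1", "end": "192.168.3.254"},
    {"field_name": "instances", "type": "ip_client"},
    {"field_name": "uid", "type": "numeric_range", "start": "1001", "end": "65535"},
]

def audience_ok(aud, expected):
    """aud may be a single string or an array; one matching value is enough."""
    values = aud if isinstance(aud, list) else [aud]
    return expected in values

def check_rule(rule, claims, client_ip):
    """True if the claim named by the rule satisfies it (assumption: missing claim fails)."""
    value = claims.get(rule["field_name"])
    if value is None:
        return False
    try:
        kind = rule["type"]
        if kind == "string_pattern":
            return fnmatchcase(str(value), rule["expected_value"])
        if kind == "numeric_range":
            return float(rule["start"]) <= float(value) <= float(rule["end"])
        if kind == "ip_range":
            ip = ipaddress.ip_address(str(value))
            lo, hi = ipaddress.ip_address(rule["start"]), ipaddress.ip_address(rule["end"])
            # A claim of the other IP version never matches the range.
            return ip.version == lo.version == hi.version and lo <= ip <= hi
        if kind == "ip_client":
            # client_ip is the source address of the token login request.
            return ipaddress.ip_address(str(value)) == ipaddress.ip_address(client_ip)
    except (ValueError, TypeError):
        return False  # malformed claim or rule value: fail closed
    return False  # unknown rule type: fail closed

def failed_rules(rules, claims, client_ip):
    """List (field_name, type) for every rule the token does not satisfy."""
    return [(r["field_name"], r["type"]) for r in rules if not check_rule(r, claims, client_ip)]
```

Because the sample object applies both ip_range and ip_client to the same "instances" claim, a token passes only when that claim is inside the range and also equals the address the login request came from.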