Oidc

Creates an OIDC Identity Provider.

This resource allows you to create and configure an OIDC Identity Provider.

Example Usage

using Pulumi;
using Okta = Pulumi.Okta;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Okta.Idp.Oidc("example", new Okta.Idp.OidcArgs
        {
            AcsBinding = "HTTP-POST",
            AcsType = "INSTANCE",
            AuthorizationBinding = "HTTP-REDIRECT",
            AuthorizationUrl = "https://idp.example.com/authorize",
            ClientId = "efg456",
            ClientSecret = "efg456",
            IssuerUrl = "https://id.example.com",
            JwksBinding = "HTTP-REDIRECT",
            JwksUrl = "https://idp.example.com/keys",
            Scopes = 
            {
                "openid",
            },
            TokenBinding = "HTTP-POST",
            TokenUrl = "https://idp.example.com/token",
            UserInfoBinding = "HTTP-REDIRECT",
            UserInfoUrl = "https://idp.example.com/userinfo",
            UsernameTemplate = "idpuser.email",
        });
    }

}

Coming soon!

import pulumi
import pulumi_okta as okta

example = okta.idp.Oidc("example",
    acs_binding="HTTP-POST",
    acs_type="INSTANCE",
    authorization_binding="HTTP-REDIRECT",
    authorization_url="https://idp.example.com/authorize",
    client_id="efg456",
    client_secret="efg456",
    issuer_url="https://id.example.com",
    jwks_binding="HTTP-REDIRECT",
    jwks_url="https://idp.example.com/keys",
    scopes=["openid"],
    token_binding="HTTP-POST",
    token_url="https://idp.example.com/token",
    user_info_binding="HTTP-REDIRECT",
    user_info_url="https://idp.example.com/userinfo",
    username_template="idpuser.email")

import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

const example = new okta.idp.Oidc("example", {
    acsBinding: "HTTP-POST",
    acsType: "INSTANCE",
    authorizationBinding: "HTTP-REDIRECT",
    authorizationUrl: "https://idp.example.com/authorize",
    clientId: "efg456",
    clientSecret: "efg456",
    issuerUrl: "https://id.example.com",
    jwksBinding: "HTTP-REDIRECT",
    jwksUrl: "https://idp.example.com/keys",
    scopes: ["openid"],
    tokenBinding: "HTTP-POST",
    tokenUrl: "https://idp.example.com/token",
    userInfoBinding: "HTTP-REDIRECT",
    userInfoUrl: "https://idp.example.com/userinfo",
    usernameTemplate: "idpuser.email",
});

Create a Oidc Resource

new Oidc(name: string, args: OidcArgs, opts?: CustomResourceOptions);

def Oidc(resource_name, opts=None, account_link_action=None, account_link_group_includes=None, acs_binding=None, acs_type=None, authorization_binding=None, authorization_url=None, client_id=None, client_secret=None, deprovisioned_action=None, groups_action=None, groups_assignments=None, groups_attribute=None, groups_filters=None, issuer_mode=None, issuer_url=None, jwks_binding=None, jwks_url=None, max_clock_skew=None, name=None, profile_master=None, protocol_type=None, provisioning_action=None, request_signature_algorithm=None, request_signature_scope=None, response_signature_algorithm=None, response_signature_scope=None, scopes=None, status=None, subject_match_attribute=None, subject_match_type=None, suspended_action=None, token_binding=None, token_url=None, user_info_binding=None, user_info_url=None, username_template=None, __props__=None);

func NewOidc(ctx *Context, name string, args OidcArgs, opts ...ResourceOption) (*Oidc, error)

public Oidc(string name, OidcArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

Oidc Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Oidc resource accepts the following input properties:

AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AuthorizationBinding string: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
JwksUrl string: Endpoint where the signer of the keys publishes its keys in a JWK Set.
Scopes List<string>: The scopes of the IdP.
TokenBinding string: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
AcsType string: The type of ACS. Default is "INSTANCE".
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: The Application’s display name.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be "OIDC" or "OAUTH2".
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: algorithm to use to sign requests
RequestSignatureScope string: algorithm to use to sign response
ResponseSignatureAlgorithm string: algorithm to use to sign requests
ResponseSignatureScope string: algorithm to use to sign response
Status string: Status of the IdP.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AuthorizationBinding string: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
JwksUrl string: Endpoint where the signer of the keys publishes its keys in a JWK Set.
Scopes []string: The scopes of the IdP.
TokenBinding string: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
AcsType string: The type of ACS. Default is "INSTANCE".
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: The Application’s display name.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be "OIDC" or "OAUTH2".
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: algorithm to use to sign requests
RequestSignatureScope string: algorithm to use to sign response
ResponseSignatureAlgorithm string: algorithm to use to sign requests
ResponseSignatureScope string: algorithm to use to sign response
Status string: Status of the IdP.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

acsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
authorizationBinding string: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
authorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId string: Unique identifier issued by AS for the Okta IdP instance.
clientSecret string: Client secret issued by AS for the Okta IdP instance.
issuerUrl string: URI that identifies the issuer.
jwksBinding string: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
jwksUrl string: Endpoint where the signer of the keys publishes its keys in a JWK Set.
scopes string[]: The scopes of the IdP.
tokenBinding string: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
tokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
accountLinkAction string: Specifies the account linking action for an IdP user.
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
acsType string: The type of ACS. Default is "INSTANCE".
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
maxClockSkew number: Maximum allowable clock-skew when processing messages from the IdP.
name string: The Application’s display name.
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType string: The type of protocol to use. It can be "OIDC" or "OAUTH2".
provisioningAction string: Provisioning action for an IdP user during authentication.
requestSignatureAlgorithm string: algorithm to use to sign requests
requestSignatureScope string: algorithm to use to sign response
responseSignatureAlgorithm string: algorithm to use to sign requests
responseSignatureScope string: algorithm to use to sign response
status string: Status of the IdP.
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
userInfoBinding string
userInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

acs_binding str: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
authorization_binding str: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
authorization_url str: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
client_id str: Unique identifier issued by AS for the Okta IdP instance.
client_secret str: Client secret issued by AS for the Okta IdP instance.
issuer_url str: URI that identifies the issuer.
jwks_binding str: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
jwks_url str: Endpoint where the signer of the keys publishes its keys in a JWK Set.
scopes List[str]: The scopes of the IdP.
token_binding str: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
token_url str: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
account_link_action str: Specifies the account linking action for an IdP user.
account_link_group_includes List[str]: Group memberships to determine link candidates.
acs_type str: The type of ACS. Default is "INSTANCE".
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groups_action str: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groups_assignments List[str]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters List[str]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
max_clock_skew float: Maximum allowable clock-skew when processing messages from the IdP.
name str: The Application’s display name.
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
protocol_type str: The type of protocol to use. It can be "OIDC" or "OAUTH2".
provisioning_action str: Provisioning action for an IdP user during authentication.
request_signature_algorithm str: algorithm to use to sign requests
request_signature_scope str: algorithm to use to sign response
response_signature_algorithm str: algorithm to use to sign requests
response_signature_scope str: algorithm to use to sign response
status str: Status of the IdP.
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspended_action str: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
user_info_binding str
user_info_url str: Protected resource endpoint that returns claims about the authenticated user.
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user.

Outputs

All input properties are implicitly available as output properties. Additionally, the Oidc resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Type string: Type of OIDC IdP.

Id string: The provider-assigned unique ID for this managed resource.
Type string: Type of OIDC IdP.

id string: The provider-assigned unique ID for this managed resource.
type string: Type of OIDC IdP.

id str: The provider-assigned unique ID for this managed resource.
type str: Type of OIDC IdP.

Look up an Existing Oidc Resource

Get an existing Oidc resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: OidcState, opts?: CustomResourceOptions): Oidc

static get(resource_name, id, opts=None, account_link_action=None, account_link_group_includes=None, acs_binding=None, acs_type=None, authorization_binding=None, authorization_url=None, client_id=None, client_secret=None, deprovisioned_action=None, groups_action=None, groups_assignments=None, groups_attribute=None, groups_filters=None, issuer_mode=None, issuer_url=None, jwks_binding=None, jwks_url=None, max_clock_skew=None, name=None, profile_master=None, protocol_type=None, provisioning_action=None, request_signature_algorithm=None, request_signature_scope=None, response_signature_algorithm=None, response_signature_scope=None, scopes=None, status=None, subject_match_attribute=None, subject_match_type=None, suspended_action=None, token_binding=None, token_url=None, type=None, user_info_binding=None, user_info_url=None, username_template=None, __props__=None);

func GetOidc(ctx *Context, name string, id IDInput, state *OidcState, opts ...ResourceOption) (*Oidc, error)

public static Oidc Get(string name, Input<string> id, OidcState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AcsType string: The type of ACS. Default is "INSTANCE".
AuthorizationBinding string: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
JwksUrl string: Endpoint where the signer of the keys publishes its keys in a JWK Set.
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: The Application’s display name.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be "OIDC" or "OAUTH2".
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: algorithm to use to sign requests
RequestSignatureScope string: algorithm to use to sign response
ResponseSignatureAlgorithm string: algorithm to use to sign requests
ResponseSignatureScope string: algorithm to use to sign response
Scopes List<string>: The scopes of the IdP.
Status string: Status of the IdP.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
TokenBinding string: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
Type string: Type of OIDC IdP.
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AcsType string: The type of ACS. Default is "INSTANCE".
AuthorizationBinding string: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
JwksUrl string: Endpoint where the signer of the keys publishes its keys in a JWK Set.
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: The Application’s display name.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be "OIDC" or "OAUTH2".
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: algorithm to use to sign requests
RequestSignatureScope string: algorithm to use to sign response
ResponseSignatureAlgorithm string: algorithm to use to sign requests
ResponseSignatureScope string: algorithm to use to sign response
Scopes []string: The scopes of the IdP.
Status string: Status of the IdP.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
TokenBinding string: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
Type string: Type of OIDC IdP.
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

accountLinkAction string: Specifies the account linking action for an IdP user.
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
acsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
acsType string: The type of ACS. Default is "INSTANCE".
authorizationBinding string: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
authorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId string: Unique identifier issued by AS for the Okta IdP instance.
clientSecret string: Client secret issued by AS for the Okta IdP instance.
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
issuerUrl string: URI that identifies the issuer.
jwksBinding string: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
jwksUrl string: Endpoint where the signer of the keys publishes its keys in a JWK Set.
maxClockSkew number: Maximum allowable clock-skew when processing messages from the IdP.
name string: The Application’s display name.
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType string: The type of protocol to use. It can be "OIDC" or "OAUTH2".
provisioningAction string: Provisioning action for an IdP user during authentication.
requestSignatureAlgorithm string: algorithm to use to sign requests
requestSignatureScope string: algorithm to use to sign response
responseSignatureAlgorithm string: algorithm to use to sign requests
responseSignatureScope string: algorithm to use to sign response
scopes string[]: The scopes of the IdP.
status string: Status of the IdP.
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
tokenBinding string: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
tokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
type string: Type of OIDC IdP.
userInfoBinding string
userInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

account_link_action str: Specifies the account linking action for an IdP user.
account_link_group_includes List[str]: Group memberships to determine link candidates.
acs_binding str: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
acs_type str: The type of ACS. Default is "INSTANCE".
authorization_binding str: The method of making an authorization request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
authorization_url str: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
client_id str: Unique identifier issued by AS for the Okta IdP instance.
client_secret str: Client secret issued by AS for the Okta IdP instance.
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groups_action str: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groups_assignments List[str]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters List[str]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
issuer_url str: URI that identifies the issuer.
jwks_binding str: The method of making a request for the OIDC JWKS. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
jwks_url str: Endpoint where the signer of the keys publishes its keys in a JWK Set.
max_clock_skew float: Maximum allowable clock-skew when processing messages from the IdP.
name str: The Application’s display name.
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
protocol_type str: The type of protocol to use. It can be "OIDC" or "OAUTH2".
provisioning_action str: Provisioning action for an IdP user during authentication.
request_signature_algorithm str: algorithm to use to sign requests
request_signature_scope str: algorithm to use to sign response
response_signature_algorithm str: algorithm to use to sign requests
response_signature_scope str: algorithm to use to sign response
scopes List[str]: The scopes of the IdP.
status str: Status of the IdP.
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspended_action str: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
token_binding str: The method of making a token request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
token_url str: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
type str: Type of OIDC IdP.
user_info_binding str
user_info_url str: Protected resource endpoint that returns claims about the authenticated user.
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user.

Package Details

Repository: https://github.com/pulumi/pulumi-okta
License: Apache-2.0
Notes: This Pulumi package is based on the okta Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud