Okta v4.16.0, Apr 9 25

Okta v4.16.0 published on Wednesday, Apr 9, 2025 by Pulumi

okta.idp.Oidc

Explore with Pulumi AI

Okta v4.16.0 published on Wednesday, Apr 9, 2025 by Pulumi

Example Usage

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

const example = new okta.idp.Oidc("example", {
    name: "example",
    authorizationUrl: "https://idp.example.com/authorize",
    authorizationBinding: "HTTP-REDIRECT",
    tokenUrl: "https://idp.example.com/token",
    tokenBinding: "HTTP-POST",
    userInfoUrl: "https://idp.example.com/userinfo",
    userInfoBinding: "HTTP-REDIRECT",
    jwksUrl: "https://idp.example.com/keys",
    jwksBinding: "HTTP-REDIRECT",
    scopes: ["openid"],
    clientId: "efg456",
    clientSecret: "efg456",
    issuerUrl: "https://id.example.com",
    usernameTemplate: "idpuser.email",
});

import pulumi
import pulumi_okta as okta

example = okta.idp.Oidc("example",
    name="example",
    authorization_url="https://idp.example.com/authorize",
    authorization_binding="HTTP-REDIRECT",
    token_url="https://idp.example.com/token",
    token_binding="HTTP-POST",
    user_info_url="https://idp.example.com/userinfo",
    user_info_binding="HTTP-REDIRECT",
    jwks_url="https://idp.example.com/keys",
    jwks_binding="HTTP-REDIRECT",
    scopes=["openid"],
    client_id="efg456",
    client_secret="efg456",
    issuer_url="https://id.example.com",
    username_template="idpuser.email")

package main

import (
	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/idp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := idp.NewOidc(ctx, "example", &idp.OidcArgs{
			Name:                 pulumi.String("example"),
			AuthorizationUrl:     pulumi.String("https://idp.example.com/authorize"),
			AuthorizationBinding: pulumi.String("HTTP-REDIRECT"),
			TokenUrl:             pulumi.String("https://idp.example.com/token"),
			TokenBinding:         pulumi.String("HTTP-POST"),
			UserInfoUrl:          pulumi.String("https://idp.example.com/userinfo"),
			UserInfoBinding:      pulumi.String("HTTP-REDIRECT"),
			JwksUrl:              pulumi.String("https://idp.example.com/keys"),
			JwksBinding:          pulumi.String("HTTP-REDIRECT"),
			Scopes: pulumi.StringArray{
				pulumi.String("openid"),
			},
			ClientId:         pulumi.String("efg456"),
			ClientSecret:     pulumi.String("efg456"),
			IssuerUrl:        pulumi.String("https://id.example.com"),
			UsernameTemplate: pulumi.String("idpuser.email"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;

return await Deployment.RunAsync(() => 
{
    var example = new Okta.Idp.Oidc("example", new()
    {
        Name = "example",
        AuthorizationUrl = "https://idp.example.com/authorize",
        AuthorizationBinding = "HTTP-REDIRECT",
        TokenUrl = "https://idp.example.com/token",
        TokenBinding = "HTTP-POST",
        UserInfoUrl = "https://idp.example.com/userinfo",
        UserInfoBinding = "HTTP-REDIRECT",
        JwksUrl = "https://idp.example.com/keys",
        JwksBinding = "HTTP-REDIRECT",
        Scopes = new[]
        {
            "openid",
        },
        ClientId = "efg456",
        ClientSecret = "efg456",
        IssuerUrl = "https://id.example.com",
        UsernameTemplate = "idpuser.email",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.idp.Oidc;
import com.pulumi.okta.idp.OidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Oidc("example", OidcArgs.builder()
            .name("example")
            .authorizationUrl("https://idp.example.com/authorize")
            .authorizationBinding("HTTP-REDIRECT")
            .tokenUrl("https://idp.example.com/token")
            .tokenBinding("HTTP-POST")
            .userInfoUrl("https://idp.example.com/userinfo")
            .userInfoBinding("HTTP-REDIRECT")
            .jwksUrl("https://idp.example.com/keys")
            .jwksBinding("HTTP-REDIRECT")
            .scopes("openid")
            .clientId("efg456")
            .clientSecret("efg456")
            .issuerUrl("https://id.example.com")
            .usernameTemplate("idpuser.email")
            .build());

    }
}

resources:
  example:
    type: okta:idp:Oidc
    properties:
      name: example
      authorizationUrl: https://idp.example.com/authorize
      authorizationBinding: HTTP-REDIRECT
      tokenUrl: https://idp.example.com/token
      tokenBinding: HTTP-POST
      userInfoUrl: https://idp.example.com/userinfo
      userInfoBinding: HTTP-REDIRECT
      jwksUrl: https://idp.example.com/keys
      jwksBinding: HTTP-REDIRECT
      scopes:
        - openid
      clientId: efg456
      clientSecret: efg456
      issuerUrl: https://id.example.com
      usernameTemplate: idpuser.email

Create Oidc Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new Oidc(name: string, args: OidcArgs, opts?: CustomResourceOptions);

@overload
def Oidc(resource_name: str,
         args: OidcArgs,
         opts: Optional[ResourceOptions] = None)

@overload
def Oidc(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         issuer_url: Optional[str] = None,
         token_url: Optional[str] = None,
         authorization_binding: Optional[str] = None,
         authorization_url: Optional[str] = None,
         client_id: Optional[str] = None,
         client_secret: Optional[str] = None,
         token_binding: Optional[str] = None,
         scopes: Optional[Sequence[str]] = None,
         jwks_url: Optional[str] = None,
         jwks_binding: Optional[str] = None,
         name: Optional[str] = None,
         request_signature_algorithm: Optional[str] = None,
         groups_filters: Optional[Sequence[str]] = None,
         groups_attribute: Optional[str] = None,
         groups_assignments: Optional[Sequence[str]] = None,
         max_clock_skew: Optional[int] = None,
         account_link_action: Optional[str] = None,
         pkce_required: Optional[bool] = None,
         profile_master: Optional[bool] = None,
         protocol_type: Optional[str] = None,
         provisioning_action: Optional[str] = None,
         issuer_mode: Optional[str] = None,
         request_signature_scope: Optional[str] = None,
         groups_action: Optional[str] = None,
         status: Optional[str] = None,
         subject_match_attribute: Optional[str] = None,
         subject_match_type: Optional[str] = None,
         suspended_action: Optional[str] = None,
         deprovisioned_action: Optional[str] = None,
         account_link_group_includes: Optional[Sequence[str]] = None,
         user_info_binding: Optional[str] = None,
         user_info_url: Optional[str] = None,
         username_template: Optional[str] = None)

func NewOidc(ctx *Context, name string, args OidcArgs, opts ...ResourceOption) (*Oidc, error)

public Oidc(string name, OidcArgs args, CustomResourceOptions? opts = null)

public Oidc(String name, OidcArgs args)
public Oidc(String name, OidcArgs args, CustomResourceOptions options)

type: okta:idp:Oidc
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args OidcArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var oidcResource = new Okta.Idp.Oidc("oidcResource", new()
{
    IssuerUrl = "string",
    TokenUrl = "string",
    AuthorizationBinding = "string",
    AuthorizationUrl = "string",
    ClientId = "string",
    ClientSecret = "string",
    TokenBinding = "string",
    Scopes = new[]
    {
        "string",
    },
    JwksUrl = "string",
    JwksBinding = "string",
    Name = "string",
    RequestSignatureAlgorithm = "string",
    GroupsFilters = new[]
    {
        "string",
    },
    GroupsAttribute = "string",
    GroupsAssignments = new[]
    {
        "string",
    },
    MaxClockSkew = 0,
    AccountLinkAction = "string",
    PkceRequired = false,
    ProfileMaster = false,
    ProtocolType = "string",
    ProvisioningAction = "string",
    IssuerMode = "string",
    RequestSignatureScope = "string",
    GroupsAction = "string",
    Status = "string",
    SubjectMatchAttribute = "string",
    SubjectMatchType = "string",
    SuspendedAction = "string",
    DeprovisionedAction = "string",
    AccountLinkGroupIncludes = new[]
    {
        "string",
    },
    UserInfoBinding = "string",
    UserInfoUrl = "string",
    UsernameTemplate = "string",
});

example, err := idp.NewOidc(ctx, "oidcResource", &idp.OidcArgs{
	IssuerUrl:            pulumi.String("string"),
	TokenUrl:             pulumi.String("string"),
	AuthorizationBinding: pulumi.String("string"),
	AuthorizationUrl:     pulumi.String("string"),
	ClientId:             pulumi.String("string"),
	ClientSecret:         pulumi.String("string"),
	TokenBinding:         pulumi.String("string"),
	Scopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	JwksUrl:                   pulumi.String("string"),
	JwksBinding:               pulumi.String("string"),
	Name:                      pulumi.String("string"),
	RequestSignatureAlgorithm: pulumi.String("string"),
	GroupsFilters: pulumi.StringArray{
		pulumi.String("string"),
	},
	GroupsAttribute: pulumi.String("string"),
	GroupsAssignments: pulumi.StringArray{
		pulumi.String("string"),
	},
	MaxClockSkew:          pulumi.Int(0),
	AccountLinkAction:     pulumi.String("string"),
	PkceRequired:          pulumi.Bool(false),
	ProfileMaster:         pulumi.Bool(false),
	ProtocolType:          pulumi.String("string"),
	ProvisioningAction:    pulumi.String("string"),
	IssuerMode:            pulumi.String("string"),
	RequestSignatureScope: pulumi.String("string"),
	GroupsAction:          pulumi.String("string"),
	Status:                pulumi.String("string"),
	SubjectMatchAttribute: pulumi.String("string"),
	SubjectMatchType:      pulumi.String("string"),
	SuspendedAction:       pulumi.String("string"),
	DeprovisionedAction:   pulumi.String("string"),
	AccountLinkGroupIncludes: pulumi.StringArray{
		pulumi.String("string"),
	},
	UserInfoBinding:  pulumi.String("string"),
	UserInfoUrl:      pulumi.String("string"),
	UsernameTemplate: pulumi.String("string"),
})

var oidcResource = new Oidc("oidcResource", OidcArgs.builder()
    .issuerUrl("string")
    .tokenUrl("string")
    .authorizationBinding("string")
    .authorizationUrl("string")
    .clientId("string")
    .clientSecret("string")
    .tokenBinding("string")
    .scopes("string")
    .jwksUrl("string")
    .jwksBinding("string")
    .name("string")
    .requestSignatureAlgorithm("string")
    .groupsFilters("string")
    .groupsAttribute("string")
    .groupsAssignments("string")
    .maxClockSkew(0)
    .accountLinkAction("string")
    .pkceRequired(false)
    .profileMaster(false)
    .protocolType("string")
    .provisioningAction("string")
    .issuerMode("string")
    .requestSignatureScope("string")
    .groupsAction("string")
    .status("string")
    .subjectMatchAttribute("string")
    .subjectMatchType("string")
    .suspendedAction("string")
    .deprovisionedAction("string")
    .accountLinkGroupIncludes("string")
    .userInfoBinding("string")
    .userInfoUrl("string")
    .usernameTemplate("string")
    .build());

oidc_resource = okta.idp.Oidc("oidcResource",
    issuer_url="string",
    token_url="string",
    authorization_binding="string",
    authorization_url="string",
    client_id="string",
    client_secret="string",
    token_binding="string",
    scopes=["string"],
    jwks_url="string",
    jwks_binding="string",
    name="string",
    request_signature_algorithm="string",
    groups_filters=["string"],
    groups_attribute="string",
    groups_assignments=["string"],
    max_clock_skew=0,
    account_link_action="string",
    pkce_required=False,
    profile_master=False,
    protocol_type="string",
    provisioning_action="string",
    issuer_mode="string",
    request_signature_scope="string",
    groups_action="string",
    status="string",
    subject_match_attribute="string",
    subject_match_type="string",
    suspended_action="string",
    deprovisioned_action="string",
    account_link_group_includes=["string"],
    user_info_binding="string",
    user_info_url="string",
    username_template="string")

const oidcResource = new okta.idp.Oidc("oidcResource", {
    issuerUrl: "string",
    tokenUrl: "string",
    authorizationBinding: "string",
    authorizationUrl: "string",
    clientId: "string",
    clientSecret: "string",
    tokenBinding: "string",
    scopes: ["string"],
    jwksUrl: "string",
    jwksBinding: "string",
    name: "string",
    requestSignatureAlgorithm: "string",
    groupsFilters: ["string"],
    groupsAttribute: "string",
    groupsAssignments: ["string"],
    maxClockSkew: 0,
    accountLinkAction: "string",
    pkceRequired: false,
    profileMaster: false,
    protocolType: "string",
    provisioningAction: "string",
    issuerMode: "string",
    requestSignatureScope: "string",
    groupsAction: "string",
    status: "string",
    subjectMatchAttribute: "string",
    subjectMatchType: "string",
    suspendedAction: "string",
    deprovisionedAction: "string",
    accountLinkGroupIncludes: ["string"],
    userInfoBinding: "string",
    userInfoUrl: "string",
    usernameTemplate: "string",
});

type: okta:idp:Oidc
properties:
    accountLinkAction: string
    accountLinkGroupIncludes:
        - string
    authorizationBinding: string
    authorizationUrl: string
    clientId: string
    clientSecret: string
    deprovisionedAction: string
    groupsAction: string
    groupsAssignments:
        - string
    groupsAttribute: string
    groupsFilters:
        - string
    issuerMode: string
    issuerUrl: string
    jwksBinding: string
    jwksUrl: string
    maxClockSkew: 0
    name: string
    pkceRequired: false
    profileMaster: false
    protocolType: string
    provisioningAction: string
    requestSignatureAlgorithm: string
    requestSignatureScope: string
    scopes:
        - string
    status: string
    subjectMatchAttribute: string
    subjectMatchType: string
    suspendedAction: string
    tokenBinding: string
    tokenUrl: string
    userInfoBinding: string
    userInfoUrl: string
    usernameTemplate: string

Oidc Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Oidc resource accepts the following input properties:

AuthorizationBinding string: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
JwksUrl string: Endpoint where the keys signer publishes its keys in a JWK Set.
Scopes List<string>: The scopes of the IdP.
TokenBinding string: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
Status string: Default to ACTIVE
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

AuthorizationBinding string: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
JwksUrl string: Endpoint where the keys signer publishes its keys in a JWK Set.
Scopes []string: The scopes of the IdP.
TokenBinding string: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
Status string: Default to ACTIVE
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

authorizationBinding String: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorizationUrl String: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId String: Unique identifier issued by AS for the Okta IdP instance.
clientSecret String: Client secret issued by AS for the Okta IdP instance.
issuerUrl String: URI that identifies the issuer.
jwksBinding String: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwksUrl String: Endpoint where the keys signer publishes its keys in a JWK Set.
scopes List<String>: The scopes of the IdP.
tokenBinding String: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
tokenUrl String: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
maxClockSkew Integer: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType String: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
status String: Default to ACTIVE
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
userInfoBinding String
userInfoUrl String: Protected resource endpoint that returns claims about the authenticated user.
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

authorizationBinding string: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId string: Unique identifier issued by AS for the Okta IdP instance.
clientSecret string: Client secret issued by AS for the Okta IdP instance.
issuerUrl string: URI that identifies the issuer.
jwksBinding string: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwksUrl string: Endpoint where the keys signer publishes its keys in a JWK Set.
scopes string[]: The scopes of the IdP.
tokenBinding string: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
tokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
accountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
maxClockSkew number: Maximum allowable clock-skew when processing messages from the IdP.
name string: Name of the IdP
pkceRequired boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType string: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm string: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
requestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
status string: Default to ACTIVE
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
userInfoBinding string
userInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

authorization_binding str: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorization_url str: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
client_id str: Unique identifier issued by AS for the Okta IdP instance.
client_secret str: Client secret issued by AS for the Okta IdP instance.
issuer_url str: URI that identifies the issuer.
jwks_binding str: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwks_url str: Endpoint where the keys signer publishes its keys in a JWK Set.
scopes Sequence[str]: The scopes of the IdP.
token_binding str: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
token_url str: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
account_link_action str: Specifies the account linking action for an IdP user. Default: AUTO
account_link_group_includes Sequence[str]: Group memberships to determine link candidates.
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groups_action str: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groups_assignments Sequence[str]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters Sequence[str]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
max_clock_skew int: Maximum allowable clock-skew when processing messages from the IdP.
name str: Name of the IdP
pkce_required bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
protocol_type str: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioning_action str: Provisioning action for an IdP user during authentication. Default: AUTO
request_signature_algorithm str: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
request_signature_scope str: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
status str: Default to ACTIVE
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspended_action str: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
user_info_binding str
user_info_url str: Protected resource endpoint that returns claims about the authenticated user.
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

authorizationBinding String: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorizationUrl String: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId String: Unique identifier issued by AS for the Okta IdP instance.
clientSecret String: Client secret issued by AS for the Okta IdP instance.
issuerUrl String: URI that identifies the issuer.
jwksBinding String: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwksUrl String: Endpoint where the keys signer publishes its keys in a JWK Set.
scopes List<String>: The scopes of the IdP.
tokenBinding String: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
tokenUrl String: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
maxClockSkew Number: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType String: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
status String: Default to ACTIVE
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
userInfoBinding String
userInfoUrl String: Protected resource endpoint that returns claims about the authenticated user.
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

Outputs

All input properties are implicitly available as output properties. Additionally, the Oidc resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Type string: Type of OIDC IdP.
UserTypeId string: User type ID. Can be used as target_id in the okta.profile.Mapping resource.

Id string: The provider-assigned unique ID for this managed resource.
Type string: Type of OIDC IdP.
UserTypeId string: User type ID. Can be used as target_id in the okta.profile.Mapping resource.

id String: The provider-assigned unique ID for this managed resource.
type String: Type of OIDC IdP.
userTypeId String: User type ID. Can be used as target_id in the okta.profile.Mapping resource.

id string: The provider-assigned unique ID for this managed resource.
type string: Type of OIDC IdP.
userTypeId string: User type ID. Can be used as target_id in the okta.profile.Mapping resource.

id str: The provider-assigned unique ID for this managed resource.
type str: Type of OIDC IdP.
user_type_id str: User type ID. Can be used as target_id in the okta.profile.Mapping resource.

id String: The provider-assigned unique ID for this managed resource.
type String: Type of OIDC IdP.
userTypeId String: User type ID. Can be used as target_id in the okta.profile.Mapping resource.

Look up Existing Oidc Resource

Get an existing Oidc resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: OidcState, opts?: CustomResourceOptions): Oidc

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_link_action: Optional[str] = None,
        account_link_group_includes: Optional[Sequence[str]] = None,
        authorization_binding: Optional[str] = None,
        authorization_url: Optional[str] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        deprovisioned_action: Optional[str] = None,
        groups_action: Optional[str] = None,
        groups_assignments: Optional[Sequence[str]] = None,
        groups_attribute: Optional[str] = None,
        groups_filters: Optional[Sequence[str]] = None,
        issuer_mode: Optional[str] = None,
        issuer_url: Optional[str] = None,
        jwks_binding: Optional[str] = None,
        jwks_url: Optional[str] = None,
        max_clock_skew: Optional[int] = None,
        name: Optional[str] = None,
        pkce_required: Optional[bool] = None,
        profile_master: Optional[bool] = None,
        protocol_type: Optional[str] = None,
        provisioning_action: Optional[str] = None,
        request_signature_algorithm: Optional[str] = None,
        request_signature_scope: Optional[str] = None,
        scopes: Optional[Sequence[str]] = None,
        status: Optional[str] = None,
        subject_match_attribute: Optional[str] = None,
        subject_match_type: Optional[str] = None,
        suspended_action: Optional[str] = None,
        token_binding: Optional[str] = None,
        token_url: Optional[str] = None,
        type: Optional[str] = None,
        user_info_binding: Optional[str] = None,
        user_info_url: Optional[str] = None,
        user_type_id: Optional[str] = None,
        username_template: Optional[str] = None) -> Oidc

func GetOidc(ctx *Context, name string, id IDInput, state *OidcState, opts ...ResourceOption) (*Oidc, error)

public static Oidc Get(string name, Input<string> id, OidcState? state, CustomResourceOptions? opts = null)

public static Oidc get(String name, Output<String> id, OidcState state, CustomResourceOptions options)

resources:  _:    type: okta:idp:Oidc    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
AuthorizationBinding string: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
JwksUrl string: Endpoint where the keys signer publishes its keys in a JWK Set.
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
Scopes List<string>: The scopes of the IdP.
Status string: Default to ACTIVE
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
TokenBinding string: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
Type string: Type of OIDC IdP.
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UserTypeId string: User type ID. Can be used as target_id in the okta.profile.Mapping resource.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
AuthorizationBinding string: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
AuthorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
ClientId string: Unique identifier issued by AS for the Okta IdP instance.
ClientSecret string: Client secret issued by AS for the Okta IdP instance.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
IssuerUrl string: URI that identifies the issuer.
JwksBinding string: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
JwksUrl string: Endpoint where the keys signer publishes its keys in a JWK Set.
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProtocolType string: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
Scopes []string: The scopes of the IdP.
Status string: Default to ACTIVE
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
TokenBinding string: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
TokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
Type string: Type of OIDC IdP.
UserInfoBinding string
UserInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
UserTypeId string: User type ID. Can be used as target_id in the okta.profile.Mapping resource.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
authorizationBinding String: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorizationUrl String: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId String: Unique identifier issued by AS for the Okta IdP instance.
clientSecret String: Client secret issued by AS for the Okta IdP instance.
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
issuerUrl String: URI that identifies the issuer.
jwksBinding String: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwksUrl String: Endpoint where the keys signer publishes its keys in a JWK Set.
maxClockSkew Integer: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType String: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
scopes List<String>: The scopes of the IdP.
status String: Default to ACTIVE
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
tokenBinding String: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
tokenUrl String: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
type String: Type of OIDC IdP.
userInfoBinding String
userInfoUrl String: Protected resource endpoint that returns claims about the authenticated user.
userTypeId String: User type ID. Can be used as target_id in the okta.profile.Mapping resource.
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

accountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
authorizationBinding string: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorizationUrl string: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId string: Unique identifier issued by AS for the Okta IdP instance.
clientSecret string: Client secret issued by AS for the Okta IdP instance.
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
issuerUrl string: URI that identifies the issuer.
jwksBinding string: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwksUrl string: Endpoint where the keys signer publishes its keys in a JWK Set.
maxClockSkew number: Maximum allowable clock-skew when processing messages from the IdP.
name string: Name of the IdP
pkceRequired boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType string: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm string: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
requestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
scopes string[]: The scopes of the IdP.
status string: Default to ACTIVE
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
tokenBinding string: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
tokenUrl string: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
type string: Type of OIDC IdP.
userInfoBinding string
userInfoUrl string: Protected resource endpoint that returns claims about the authenticated user.
userTypeId string: User type ID. Can be used as target_id in the okta.profile.Mapping resource.
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

account_link_action str: Specifies the account linking action for an IdP user. Default: AUTO
account_link_group_includes Sequence[str]: Group memberships to determine link candidates.
authorization_binding str: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorization_url str: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
client_id str: Unique identifier issued by AS for the Okta IdP instance.
client_secret str: Client secret issued by AS for the Okta IdP instance.
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groups_action str: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groups_assignments Sequence[str]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters Sequence[str]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
issuer_url str: URI that identifies the issuer.
jwks_binding str: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwks_url str: Endpoint where the keys signer publishes its keys in a JWK Set.
max_clock_skew int: Maximum allowable clock-skew when processing messages from the IdP.
name str: Name of the IdP
pkce_required bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
protocol_type str: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioning_action str: Provisioning action for an IdP user during authentication. Default: AUTO
request_signature_algorithm str: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
request_signature_scope str: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
scopes Sequence[str]: The scopes of the IdP.
status str: Default to ACTIVE
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspended_action str: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
token_binding str: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
token_url str: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
type str: Type of OIDC IdP.
user_info_binding str
user_info_url str: Protected resource endpoint that returns claims about the authenticated user.
user_type_id str: User type ID. Can be used as target_id in the okta.profile.Mapping resource.
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
authorizationBinding String: The method of making an authorization request. It can be set to HTTP-POST or HTTP-REDIRECT.
authorizationUrl String: IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
clientId String: Unique identifier issued by AS for the Okta IdP instance.
clientSecret String: Client secret issued by AS for the Okta IdP instance.
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be ORG_URL, CUSTOM_URL, or DYNAMIC. Default: ORG_URL
issuerUrl String: URI that identifies the issuer.
jwksBinding String: The method of making a request for the OIDC JWKS. It can be set to HTTP-POST or HTTP-REDIRECT
jwksUrl String: Endpoint where the keys signer publishes its keys in a JWK Set.
maxClockSkew Number: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/idps/#oauth-2-0-and-openid-connect-client-object
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
protocolType String: The type of protocol to use. It can be OIDC or OAUTH2. Default: OIDC
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The HMAC Signature Algorithm used when signing an authorization request. Defaults to HS256. It can be HS256, HS384, HS512, SHA-256. RS256, RS384, or RS512. NOTE: SHA-256 an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to REQUEST. It can be REQUEST or NONE.
scopes List<String>: The scopes of the IdP.
status String: Default to ACTIVE
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
tokenBinding String: The method of making a token request. It can be set to HTTP-POST or HTTP-REDIRECT.
tokenUrl String: IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
type String: Type of OIDC IdP.
userInfoBinding String
userInfoUrl String: Protected resource endpoint that returns claims about the authenticated user.
userTypeId String: User type ID. Can be used as target_id in the okta.profile.Mapping resource.
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

Import

$ pulumi import okta:idp/oidc:Oidc example <idp_id>

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Okta pulumi/pulumi-okta
License: Apache-2.0
Notes: This Pulumi package is based on the okta Terraform Provider.

Okta v4.16.0 published on Wednesday, Apr 9, 2025 by Pulumi

pulumi/pulumi-okta

okta.idp.Oidc

On this page

On this page

Example Usage

Create Oidc Resource

Constructor syntax

Parameters

Constructor example

Oidc Resource Properties

Inputs

Outputs

Look up Existing Oidc Resource

Import

Package Details

On this page

On this page