Create a new set of OIDC provider credentials for SSO

Create a new set of OIDC provider credentials for your organization to use with SSO. Includes a client ID, client secret, and the name of the provider. The client ID and client secret should be generated separately using the third-party identity provider you wish to integrate with (such as Google). Not all identity providers are currently supported.

Header Parameters
  • SlashID-OrgID string required

    The organization ID

    Example: af5fbd30-7ce7-4548-8b30-4cd59cb2aba1
  • SlashID-Required-Consistency string

    Possible values: [local_region, all_regions]

    Default value: local_region

    The consistency level required for this request. If the consistency level is not achieved within the timeout, the request will fail with a 408 Request Timeout error. A 408 Request Timeout error indicates that the request was not handled within the timeout, but it may still be handled after the timeout. Allowed values:

      • local_region: Wait while the request executes in the local region.
      • all_regions: Wait while the request executes across all regions.

    You can learn more about our replication model on our Cross-region Replication Model page.

  • SlashID-Required-Consistency-Timeout integer

    Possible values: >= 1 and <= 120

    Default value: 30

    The maximum number of seconds to wait for the requested consistency level to be achieved. If the consistency level is not achieved within this time, the request will fail with a 408 Request Timeout error. A 408 Request Timeout error indicates that the request was not handled within the timeout, but it may still be handled after the timeout. You can learn more about our replication model on our Cross-region Replication Model page.

Request Body
  • client_id string required
  • client_secret string required
  • provider string required

    Possible values: [google, github, bitbucket, gitlab, facebook, line, azuread, okta, apple]

  • label string
  • external_cred string

    External credential ID

  • external_cred_id string

    External credential ID

  • enable_in_slashid_oidc_authz_server boolean

    Indicates whether these credentials can be used for SSO authentication during an OIDC flow in which SlashID acts as the Authorization Server.

  • options object

    Options for supported third-party providers.

      • google object
          • authorize_scopes string[]

            Default value: openid,email,profile

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read Google's documentation to know more.

            Note: scopes openid, email, and profile are always requested.

      • github object
          • authorize_scopes string[]

            Default value: read:user,user:email

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read GitHub's documentation to know more.

            Note: scopes read:user and user:email are always requested.

      • bitbucket object
          • authorize_scopes string[]

            Default value: account

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read Bitbucket's documentation to know more.

            Note: scope account is always requested.

      • gitlab object
          • authorize_scopes string[]

            Default value: read_user

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read GitLab's documentation to know more.

            Note: scope read_user is always requested.

      • facebook object
          • authorize_scopes string[]

            Default value: email,public_profile

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read Facebook's documentation to know more.

            Note: scopes email and public_profile are always requested.

      • line object
          • authorize_scopes string[]

            Default value: openid,email,profile

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read Line's documentation to know more.

            Note: scopes openid, email, and profile are always requested.

      • azuread object
          • authorize_scopes string[]

            Default value: openid,email,profile,User.Read

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read Azure AD's documentation to know more.

            Note: scopes openid, email, profile, and User.Read are always requested.

          • tenant string

            Default value: common

            The tenant ID of the Azure AD tenant (a GUID), its tenant domain, or one of the pseudo tenants: common, organizations or consumer.

            Read Azure AD's documentation to know more.

      • okta object
          • authorize_scopes string[]

            Default value: openid,email,profile

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Read Okta's documentation (https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) to know more.

            Note: scopes openid, email, and profile are always requested.

          • organization_url string

            The organization URL for Okta.

            Read Okta's documentation to know more.

      • apple object
          • authorize_scopes string[]

            Default value: openid,email,name

            The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings.

            Note: scopes openid, email, and name are always requested.

          • private_key string required

            An ES256 private key downloaded from your Apple developer account in PKCS8 format.

          • team_id string required

            The 10-character Team ID associated with your Apple developer account. This will be used as the issuer claim in client secret JWTs.

          • key_id string required

            A 10-character key identifier generated for the Account and Organizational Data Sharing private key associated with your developer account.

          • secret_lifetime string required

            The lifetime of each generated client secret. The value provided should be a string that can be parsed as a Golang time.Duration; for example, "1m" (one minute), "24h" (24 hours). The lifetime may not be less than 5 minutes (300 seconds), and may not be more than 15,777,000 seconds (6 months). If not set, defaults to 30 days.
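As an added example (not SlashID's own SDK or code), the following Go snippet validates the options.apple object described above before the request is sent: it parses secret_lifetime with Go's time.ParseDuration, enforces the documented 5 minute to 15,777,000 second window, mirrors the 30-day default, and checks the 10-character team_id and key_id. The JSON field names follow the page; the type and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Added example, not SlashID's SDK: validates the options.apple object of the
// request body against the rules documented on this page before sending it.
type AppleOptions struct {
	AuthorizeScopes []string `json:"authorize_scopes,omitempty"`
	PrivateKey      string   `json:"private_key"`     // ES256 key in PKCS8 form
	TeamID          string   `json:"team_id"`         // 10 chars; issuer of client secret JWTs
	KeyID           string   `json:"key_id"`          // 10 chars
	SecretLifetime  string   `json:"secret_lifetime"` // Go time.Duration string
}

const (
	minSecretLifetime     = 300 * time.Second      // 5 minutes
	maxSecretLifetime     = 15777000 * time.Second // 6 months
	defaultSecretLifetime = "720h"                 // 30 days, the documented default
)

// ValidateSecretLifetime parses a Go duration string and enforces the window above.
func ValidateSecretLifetime(s string) (time.Duration, error) {
	if s == "" {
		s = defaultSecretLifetime // mirror the server-side default locally
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("secret_lifetime: %w", err)
	}
	if d < minSecretLifetime || d > maxSecretLifetime {
		return 0, fmt.Errorf("secret_lifetime %s is outside [%s, %s]", d, minSecretLifetime, maxSecretLifetime)
	}
	return d, nil
}

// Validate checks the required fields and the identifier lengths the page specifies.
func (a AppleOptions) Validate() error {
	if a.PrivateKey == "" {
		return errors.New("private_key is required")
	}
	if len(a.TeamID) != 10 || len(a.KeyID) != 10 {
		return errors.New("team_id and key_id must each be 10 characters")
	}
	_, err := ValidateSecretLifetime(a.SecretLifetime)
	return err
}
```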

Responses

OK

Schema
  • meta object
      • pagination object
          • limit integer
          • offset integer
          • total_count int64
  • errors object[]
      • httpcode integer
      • message string