List Identity Providers
POST/idps/templates/_search
List Identity Providers
Request​
Header Parameters
The default is always the organization of the requesting user. If you like to get/set a result of another organization include the header. Make sure the user has permission to access the requested data.
- application/json
- application/grpc
- application/grpc-web+proto
Body
required
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
query
object
Object unspecific list filters like offset, limit and asc/desc.
Maximum amount of events returned. The default is set to 1000 in https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml. If the limit exceeds the maximum configured ZITADEL will throw an error. If no limit is present the default is taken.
default is descending
queries
object[]
idpIdQuery
object
idpNameQuery
object
Possible values: [TEXT_QUERY_METHOD_EQUALS
, TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE
, TEXT_QUERY_METHOD_STARTS_WITH
, TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE
, TEXT_QUERY_METHOD_CONTAINS
, TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE
, TEXT_QUERY_METHOD_ENDS_WITH
, TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE
]
Default value: TEXT_QUERY_METHOD_EQUALS
defines which text equality method is used
ownerTypeQuery
object
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
Body
required
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
query
object
Object unspecific list filters like offset, limit and asc/desc.
Maximum amount of events returned. The default is set to 1000 in https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml. If the limit exceeds the maximum configured ZITADEL will throw an error. If no limit is present the default is taken.
default is descending
queries
object[]
idpIdQuery
object
idpNameQuery
object
Possible values: [TEXT_QUERY_METHOD_EQUALS
, TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE
, TEXT_QUERY_METHOD_STARTS_WITH
, TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE
, TEXT_QUERY_METHOD_CONTAINS
, TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE
, TEXT_QUERY_METHOD_ENDS_WITH
, TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE
]
Default value: TEXT_QUERY_METHOD_EQUALS
defines which text equality method is used
ownerTypeQuery
object
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
Body
required
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
query
object
Object unspecific list filters like offset, limit and asc/desc.
Maximum amount of events returned. The default is set to 1000 in https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml. If the limit exceeds the maximum configured ZITADEL will throw an error. If no limit is present the default is taken.
default is descending
queries
object[]
idpIdQuery
object
idpNameQuery
object
Possible values: [TEXT_QUERY_METHOD_EQUALS
, TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE
, TEXT_QUERY_METHOD_STARTS_WITH
, TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE
, TEXT_QUERY_METHOD_CONTAINS
, TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE
, TEXT_QUERY_METHOD_ENDS_WITH
, TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE
]
Default value: TEXT_QUERY_METHOD_EQUALS
defines which text equality method is used
ownerTypeQuery
object
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
Responses​
- 200
- default
A successful response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
details
object
the last time the view got updated
result
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
Possible values: [IDP_STATE_UNSPECIFIED
, IDP_STATE_ACTIVE
, IDP_STATE_INACTIVE
]
Default value: IDP_STATE_UNSPECIFIED
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
Possible values: [PROVIDER_TYPE_UNSPECIFIED
, PROVIDER_TYPE_OIDC
, PROVIDER_TYPE_JWT
, PROVIDER_TYPE_LDAP
, PROVIDER_TYPE_OAUTH
, PROVIDER_TYPE_AZURE_AD
, PROVIDER_TYPE_GITHUB
, PROVIDER_TYPE_GITHUB_ES
, PROVIDER_TYPE_GITLAB
, PROVIDER_TYPE_GITLAB_SELF_HOSTED
, PROVIDER_TYPE_GOOGLE
, PROVIDER_TYPE_APPLE
, PROVIDER_TYPE_SAML
]
Default value: PROVIDER_TYPE_UNSPECIFIED
config
object
options
object
Enable if users should be able to manually link an existing ZITADEL user with an external account. Disable if users should only be allowed to link the proposed account in case of active auto_linking.
Enable if users should be able to manually create a new account in ZITADEL when using an external account. Disable if users should not be able to edit account information when auto_creation is enabled.
Enable if a new account in ZITADEL should be created automatically when login with an external account.
Enable if a the ZITADEL account fields should be updated automatically on each login.
Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED
, AUTO_LINKING_OPTION_USERNAME
, AUTO_LINKING_OPTION_EMAIL
]
Default value: AUTO_LINKING_OPTION_UNSPECIFIED
Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.
ldap
object
attributes
object
google
object
client id of the Google application
the scopes requested by ZITADEL during the request to Google
oauth
object
client id generated by the identity provider
the endpoint where ZITADEL send the user to authenticate
the endpoint where ZITADEL can get the token
the endpoint where ZITADEL can get the user information
the scopes requested by ZITADEL during the request on the identity provider
defines how the attribute is called where ZITADEL can get the id of the user
oidc
object
the OIDC issuer of the identity provider
client id generated by the identity provider
the scopes requested by ZITADEL during the request on the identity provider
if true, provider information get mapped from the id token, not from the userinfo endpoint
jwt
object
the endpoint where the JWT can be extracted
the issuer of the JWT (for validation)
the endpoint to the key (JWK) which is used to sign the JWT with
the name of the header where the JWT is sent in, default is authorization
github
object
the client ID of the GitHub App
the scopes requested by ZITADEL during the request to GitHub
githubEs
object
the client ID of the GitHub App
the scopes requested by ZITADEL during the request to GitHub
gitlab
object
client id of the GitLab application
the scopes requested by ZITADEL during the request to GitLab
gitlabSelfHosted
object
client id of the GitLab application
the scopes requested by ZITADEL during the request to GitLab
azureAd
object
client id of the Azure AD application
tenant
object
Defines what user accounts should be able to login (Personal, Organizational, All)
Possible values: [AZURE_AD_TENANT_TYPE_COMMON
, AZURE_AD_TENANT_TYPE_ORGANISATIONS
, AZURE_AD_TENANT_TYPE_CONSUMERS
]
Default value: AZURE_AD_TENANT_TYPE_COMMON
Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)
the scopes requested by ZITADEL during the request to Azure AD
apple
object
Client id (App ID or Service ID) provided by Apple
Team ID provided by Apple
ID of the private key generated by Apple
the scopes requested by ZITADEL during the request to Apple
saml
object
Metadata of the SAML identity provider.
Possible values: [SAML_BINDING_UNSPECIFIED
, SAML_BINDING_POST
, SAML_BINDING_REDIRECT
, SAML_BINDING_ARTIFACT
]
Default value: SAML_BINDING_UNSPECIFIED
Binding which defines the type of communication with the identity provider.
Boolean which defines if the authentication requests are signed.
Possible values: [SAML_NAME_ID_FORMAT_UNSPECIFIED
, SAML_NAME_ID_FORMAT_EMAIL_ADDRESS
, SAML_NAME_ID_FORMAT_PERSISTENT
, SAML_NAME_ID_FORMAT_TRANSIENT
]
Default value: SAML_NAME_ID_FORMAT_UNSPECIFIED
nameid-format
for the SAML Request.
Optional name of the attribute, which will be used to map the user
in case the nameid-format returned is urn:oasis:names:tc:SAML:2.0:nameid-format:transient
.
{
"details": {
"totalResult": "2",
"processedSequence": "267831",
"viewTimestamp": "2024-12-20T16:04:47.421Z"
},
"result": [
{
"id": "69629023906488334",
"details": {
"sequence": "2",
"creationDate": "2024-12-20T16:04:47.421Z",
"changeDate": "2024-12-20T16:04:47.421Z",
"resourceOwner": "69629023906488334"
},
"state": "IDP_STATE_UNSPECIFIED",
"name": "Google",
"owner": "IDP_OWNER_TYPE_UNSPECIFIED",
"type": "PROVIDER_TYPE_UNSPECIFIED",
"config": {
"options": {
"isLinkingAllowed": true,
"isCreationAllowed": true,
"isAutoCreation": true,
"isAutoUpdate": true,
"autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
},
"ldap": {
"servers": [
"string"
],
"startTls": true,
"baseDn": "string",
"bindDn": "string",
"userBase": "string",
"userObjectClasses": [
"string"
],
"userFilters": [
"string"
],
"timeout": "string",
"attributes": {
"idAttribute": "string",
"firstNameAttribute": "string",
"lastNameAttribute": "string",
"displayNameAttribute": "string",
"nickNameAttribute": "string",
"preferredUsernameAttribute": "string",
"emailAttribute": "string",
"emailVerifiedAttribute": "string",
"phoneAttribute": "string",
"phoneVerifiedAttribute": "string",
"preferredLanguageAttribute": "string",
"avatarUrlAttribute": "string",
"profileAttribute": "string"
}
},
"google": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"oauth": {
"clientId": "client-id",
"authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"tokenEndpoint": "https://oauth2.googleapis.com/token",
"userEndpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"scopes": [
"openid",
"profile",
"email"
],
"idAttribute": "user_id"
},
"oidc": {
"issuer": "https://accounts.google.com/",
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
],
"isIdTokenMapping": true
},
"jwt": {
"jwtEndpoint": "https://accounts.google.com",
"issuer": "https://accounts.google.com",
"keysEndpoint": "https://accounts.google.com/keys",
"headerName": "x-auth-token"
},
"github": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"githubEs": {
"clientId": "client-id",
"authorizationEndpoint": "string",
"tokenEndpoint": "string",
"userEndpoint": "string",
"scopes": [
"openid",
"profile",
"email"
]
},
"gitlab": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"gitlabSelfHosted": {
"issuer": "string",
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"azureAd": {
"clientId": "client-id",
"tenant": {
"tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
"tenantId": "string"
},
"emailVerified": true,
"scopes": [
"openid",
"profile",
"email",
"User.Read"
]
},
"apple": {
"clientId": "com.client.id",
"teamId": "ALT03JV3OS",
"keyId": "OGKDK25KD",
"scopes": [
"name",
"email"
]
},
"saml": {
"metadataXml": "string",
"binding": "SAML_BINDING_UNSPECIFIED",
"withSignedRequest": true,
"nameIdFormat": "SAML_NAME_ID_FORMAT_UNSPECIFIED",
"transientMappingAttributeName": "string"
}
}
}
]
}
- Schema
- Example (from schema)
Schema
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
details
object
the last time the view got updated
result
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
Possible values: [IDP_STATE_UNSPECIFIED
, IDP_STATE_ACTIVE
, IDP_STATE_INACTIVE
]
Default value: IDP_STATE_UNSPECIFIED
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
Possible values: [PROVIDER_TYPE_UNSPECIFIED
, PROVIDER_TYPE_OIDC
, PROVIDER_TYPE_JWT
, PROVIDER_TYPE_LDAP
, PROVIDER_TYPE_OAUTH
, PROVIDER_TYPE_AZURE_AD
, PROVIDER_TYPE_GITHUB
, PROVIDER_TYPE_GITHUB_ES
, PROVIDER_TYPE_GITLAB
, PROVIDER_TYPE_GITLAB_SELF_HOSTED
, PROVIDER_TYPE_GOOGLE
, PROVIDER_TYPE_APPLE
, PROVIDER_TYPE_SAML
]
Default value: PROVIDER_TYPE_UNSPECIFIED
config
object
options
object
Enable if users should be able to manually link an existing ZITADEL user with an external account. Disable if users should only be allowed to link the proposed account in case of active auto_linking.
Enable if users should be able to manually create a new account in ZITADEL when using an external account. Disable if users should not be able to edit account information when auto_creation is enabled.
Enable if a new account in ZITADEL should be created automatically when login with an external account.
Enable if a the ZITADEL account fields should be updated automatically on each login.
Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED
, AUTO_LINKING_OPTION_USERNAME
, AUTO_LINKING_OPTION_EMAIL
]
Default value: AUTO_LINKING_OPTION_UNSPECIFIED
Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.
ldap
object
attributes
object
google
object
client id of the Google application
the scopes requested by ZITADEL during the request to Google
oauth
object
client id generated by the identity provider
the endpoint where ZITADEL send the user to authenticate
the endpoint where ZITADEL can get the token
the endpoint where ZITADEL can get the user information
the scopes requested by ZITADEL during the request on the identity provider
defines how the attribute is called where ZITADEL can get the id of the user
oidc
object
the OIDC issuer of the identity provider
client id generated by the identity provider
the scopes requested by ZITADEL during the request on the identity provider
if true, provider information get mapped from the id token, not from the userinfo endpoint
jwt
object
the endpoint where the JWT can be extracted
the issuer of the JWT (for validation)
the endpoint to the key (JWK) which is used to sign the JWT with
the name of the header where the JWT is sent in, default is authorization
github
object
the client ID of the GitHub App
the scopes requested by ZITADEL during the request to GitHub
githubEs
object
the client ID of the GitHub App
the scopes requested by ZITADEL during the request to GitHub
gitlab
object
client id of the GitLab application
the scopes requested by ZITADEL during the request to GitLab
gitlabSelfHosted
object
client id of the GitLab application
the scopes requested by ZITADEL during the request to GitLab
azureAd
object
client id of the Azure AD application
tenant
object
Defines what user accounts should be able to login (Personal, Organizational, All)
Possible values: [AZURE_AD_TENANT_TYPE_COMMON
, AZURE_AD_TENANT_TYPE_ORGANISATIONS
, AZURE_AD_TENANT_TYPE_CONSUMERS
]
Default value: AZURE_AD_TENANT_TYPE_COMMON
Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)
the scopes requested by ZITADEL during the request to Azure AD
apple
object
Client id (App ID or Service ID) provided by Apple
Team ID provided by Apple
ID of the private key generated by Apple
the scopes requested by ZITADEL during the request to Apple
saml
object
Metadata of the SAML identity provider.
Possible values: [SAML_BINDING_UNSPECIFIED
, SAML_BINDING_POST
, SAML_BINDING_REDIRECT
, SAML_BINDING_ARTIFACT
]
Default value: SAML_BINDING_UNSPECIFIED
Binding which defines the type of communication with the identity provider.
Boolean which defines if the authentication requests are signed.
Possible values: [SAML_NAME_ID_FORMAT_UNSPECIFIED
, SAML_NAME_ID_FORMAT_EMAIL_ADDRESS
, SAML_NAME_ID_FORMAT_PERSISTENT
, SAML_NAME_ID_FORMAT_TRANSIENT
]
Default value: SAML_NAME_ID_FORMAT_UNSPECIFIED
nameid-format
for the SAML Request.
Optional name of the attribute, which will be used to map the user
in case the nameid-format returned is urn:oasis:names:tc:SAML:2.0:nameid-format:transient
.
{
"details": {
"totalResult": "2",
"processedSequence": "267831",
"viewTimestamp": "2024-12-20T16:04:47.425Z"
},
"result": [
{
"id": "69629023906488334",
"details": {
"sequence": "2",
"creationDate": "2024-12-20T16:04:47.425Z",
"changeDate": "2024-12-20T16:04:47.425Z",
"resourceOwner": "69629023906488334"
},
"state": "IDP_STATE_UNSPECIFIED",
"name": "Google",
"owner": "IDP_OWNER_TYPE_UNSPECIFIED",
"type": "PROVIDER_TYPE_UNSPECIFIED",
"config": {
"options": {
"isLinkingAllowed": true,
"isCreationAllowed": true,
"isAutoCreation": true,
"isAutoUpdate": true,
"autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
},
"ldap": {
"servers": [
"string"
],
"startTls": true,
"baseDn": "string",
"bindDn": "string",
"userBase": "string",
"userObjectClasses": [
"string"
],
"userFilters": [
"string"
],
"timeout": "string",
"attributes": {
"idAttribute": "string",
"firstNameAttribute": "string",
"lastNameAttribute": "string",
"displayNameAttribute": "string",
"nickNameAttribute": "string",
"preferredUsernameAttribute": "string",
"emailAttribute": "string",
"emailVerifiedAttribute": "string",
"phoneAttribute": "string",
"phoneVerifiedAttribute": "string",
"preferredLanguageAttribute": "string",
"avatarUrlAttribute": "string",
"profileAttribute": "string"
}
},
"google": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"oauth": {
"clientId": "client-id",
"authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"tokenEndpoint": "https://oauth2.googleapis.com/token",
"userEndpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"scopes": [
"openid",
"profile",
"email"
],
"idAttribute": "user_id"
},
"oidc": {
"issuer": "https://accounts.google.com/",
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
],
"isIdTokenMapping": true
},
"jwt": {
"jwtEndpoint": "https://accounts.google.com",
"issuer": "https://accounts.google.com",
"keysEndpoint": "https://accounts.google.com/keys",
"headerName": "x-auth-token"
},
"github": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"githubEs": {
"clientId": "client-id",
"authorizationEndpoint": "string",
"tokenEndpoint": "string",
"userEndpoint": "string",
"scopes": [
"openid",
"profile",
"email"
]
},
"gitlab": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"gitlabSelfHosted": {
"issuer": "string",
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"azureAd": {
"clientId": "client-id",
"tenant": {
"tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
"tenantId": "string"
},
"emailVerified": true,
"scopes": [
"openid",
"profile",
"email",
"User.Read"
]
},
"apple": {
"clientId": "com.client.id",
"teamId": "ALT03JV3OS",
"keyId": "OGKDK25KD",
"scopes": [
"name",
"email"
]
},
"saml": {
"metadataXml": "string",
"binding": "SAML_BINDING_UNSPECIFIED",
"withSignedRequest": true,
"nameIdFormat": "SAML_NAME_ID_FORMAT_UNSPECIFIED",
"transientMappingAttributeName": "string"
}
}
}
]
}
- Schema
- Example (from schema)
Schema
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
details
object
the last time the view got updated
result
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
Possible values: [IDP_STATE_UNSPECIFIED
, IDP_STATE_ACTIVE
, IDP_STATE_INACTIVE
]
Default value: IDP_STATE_UNSPECIFIED
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
Possible values: [PROVIDER_TYPE_UNSPECIFIED
, PROVIDER_TYPE_OIDC
, PROVIDER_TYPE_JWT
, PROVIDER_TYPE_LDAP
, PROVIDER_TYPE_OAUTH
, PROVIDER_TYPE_AZURE_AD
, PROVIDER_TYPE_GITHUB
, PROVIDER_TYPE_GITHUB_ES
, PROVIDER_TYPE_GITLAB
, PROVIDER_TYPE_GITLAB_SELF_HOSTED
, PROVIDER_TYPE_GOOGLE
, PROVIDER_TYPE_APPLE
, PROVIDER_TYPE_SAML
]
Default value: PROVIDER_TYPE_UNSPECIFIED
config
object
options
object
Enable if users should be able to manually link an existing ZITADEL user with an external account. Disable if users should only be allowed to link the proposed account in case of active auto_linking.
Enable if users should be able to manually create a new account in ZITADEL when using an external account. Disable if users should not be able to edit account information when auto_creation is enabled.
Enable if a new account in ZITADEL should be created automatically when login with an external account.
Enable if a the ZITADEL account fields should be updated automatically on each login.
Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED
, AUTO_LINKING_OPTION_USERNAME
, AUTO_LINKING_OPTION_EMAIL
]
Default value: AUTO_LINKING_OPTION_UNSPECIFIED
Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.
ldap
object
attributes
object
google
object
client id of the Google application
the scopes requested by ZITADEL during the request to Google
oauth
object
client id generated by the identity provider
the endpoint where ZITADEL send the user to authenticate
the endpoint where ZITADEL can get the token
the endpoint where ZITADEL can get the user information
the scopes requested by ZITADEL during the request on the identity provider
defines how the attribute is called where ZITADEL can get the id of the user
oidc
object
the OIDC issuer of the identity provider
client id generated by the identity provider
the scopes requested by ZITADEL during the request on the identity provider
if true, provider information get mapped from the id token, not from the userinfo endpoint
jwt
object
the endpoint where the JWT can be extracted
the issuer of the JWT (for validation)
the endpoint to the key (JWK) which is used to sign the JWT with
the name of the header where the JWT is sent in, default is authorization
github
object
the client ID of the GitHub App
the scopes requested by ZITADEL during the request to GitHub
githubEs
object
the client ID of the GitHub App
the scopes requested by ZITADEL during the request to GitHub
gitlab
object
client id of the GitLab application
the scopes requested by ZITADEL during the request to GitLab
gitlabSelfHosted
object
client id of the GitLab application
the scopes requested by ZITADEL during the request to GitLab
azureAd
object
client id of the Azure AD application
tenant
object
Defines what user accounts should be able to login (Personal, Organizational, All)
Possible values: [AZURE_AD_TENANT_TYPE_COMMON
, AZURE_AD_TENANT_TYPE_ORGANISATIONS
, AZURE_AD_TENANT_TYPE_CONSUMERS
]
Default value: AZURE_AD_TENANT_TYPE_COMMON
Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)
the scopes requested by ZITADEL during the request to Azure AD
apple
object
Client id (App ID or Service ID) provided by Apple
Team ID provided by Apple
ID of the private key generated by Apple
the scopes requested by ZITADEL during the request to Apple
saml
object
Metadata of the SAML identity provider.
Possible values: [SAML_BINDING_UNSPECIFIED
, SAML_BINDING_POST
, SAML_BINDING_REDIRECT
, SAML_BINDING_ARTIFACT
]
Default value: SAML_BINDING_UNSPECIFIED
Binding which defines the type of communication with the identity provider.
Boolean which defines if the authentication requests are signed.
Possible values: [SAML_NAME_ID_FORMAT_UNSPECIFIED
, SAML_NAME_ID_FORMAT_EMAIL_ADDRESS
, SAML_NAME_ID_FORMAT_PERSISTENT
, SAML_NAME_ID_FORMAT_TRANSIENT
]
Default value: SAML_NAME_ID_FORMAT_UNSPECIFIED
nameid-format
for the SAML Request.
Optional name of the attribute, which will be used to map the user
in case the nameid-format returned is urn:oasis:names:tc:SAML:2.0:nameid-format:transient
.
{
"details": {
"totalResult": "2",
"processedSequence": "267831",
"viewTimestamp": "2024-12-20T16:04:47.429Z"
},
"result": [
{
"id": "69629023906488334",
"details": {
"sequence": "2",
"creationDate": "2024-12-20T16:04:47.429Z",
"changeDate": "2024-12-20T16:04:47.429Z",
"resourceOwner": "69629023906488334"
},
"state": "IDP_STATE_UNSPECIFIED",
"name": "Google",
"owner": "IDP_OWNER_TYPE_UNSPECIFIED",
"type": "PROVIDER_TYPE_UNSPECIFIED",
"config": {
"options": {
"isLinkingAllowed": true,
"isCreationAllowed": true,
"isAutoCreation": true,
"isAutoUpdate": true,
"autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
},
"ldap": {
"servers": [
"string"
],
"startTls": true,
"baseDn": "string",
"bindDn": "string",
"userBase": "string",
"userObjectClasses": [
"string"
],
"userFilters": [
"string"
],
"timeout": "string",
"attributes": {
"idAttribute": "string",
"firstNameAttribute": "string",
"lastNameAttribute": "string",
"displayNameAttribute": "string",
"nickNameAttribute": "string",
"preferredUsernameAttribute": "string",
"emailAttribute": "string",
"emailVerifiedAttribute": "string",
"phoneAttribute": "string",
"phoneVerifiedAttribute": "string",
"preferredLanguageAttribute": "string",
"avatarUrlAttribute": "string",
"profileAttribute": "string"
}
},
"google": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"oauth": {
"clientId": "client-id",
"authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"tokenEndpoint": "https://oauth2.googleapis.com/token",
"userEndpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"scopes": [
"openid",
"profile",
"email"
],
"idAttribute": "user_id"
},
"oidc": {
"issuer": "https://accounts.google.com/",
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
],
"isIdTokenMapping": true
},
"jwt": {
"jwtEndpoint": "https://accounts.google.com",
"issuer": "https://accounts.google.com",
"keysEndpoint": "https://accounts.google.com/keys",
"headerName": "x-auth-token"
},
"github": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"githubEs": {
"clientId": "client-id",
"authorizationEndpoint": "string",
"tokenEndpoint": "string",
"userEndpoint": "string",
"scopes": [
"openid",
"profile",
"email"
]
},
"gitlab": {
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"gitlabSelfHosted": {
"issuer": "string",
"clientId": "client-id",
"scopes": [
"openid",
"profile",
"email"
]
},
"azureAd": {
"clientId": "client-id",
"tenant": {
"tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
"tenantId": "string"
},
"emailVerified": true,
"scopes": [
"openid",
"profile",
"email",
"User.Read"
]
},
"apple": {
"clientId": "com.client.id",
"teamId": "ALT03JV3OS",
"keyId": "OGKDK25KD",
"scopes": [
"name",
"email"
]
},
"saml": {
"metadataXml": "string",
"binding": "SAML_BINDING_UNSPECIFIED",
"withSignedRequest": true,
"nameIdFormat": "SAML_NAME_ID_FORMAT_UNSPECIFIED",
"transientMappingAttributeName": "string"
}
}
}
]
}
An unexpected error response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}