Identity
Was this helpful?
Was this helpful?
Must be set to true
Must be set to true
truePossible values: ID of the entity. If set, updates the corresponding existing entity.
ID of the entity. If set, updates the corresponding existing entity.
No content
Must be set to true
truePossible values: Must be set to true
truePossible values: ID of the group alias.
alias123ID of the group alias.
alias123No content
Must be set to true
truePossible values: ID of the group. If set, updates the corresponding existing group.
group123ID of the group. If set, updates the corresponding existing group.
group123No content
Must be set to true
truePossible values: Name of the group.
AdminsName of the group.
AdminsNo content
Must be set to true
truePossible values: Retrieve details of a specific MFA login enforcement rule by name.
Name for this login enforcement configuration
require-admin-mfaRemove an existing MFA login enforcement rule identified by its name.
Name for this login enforcement configuration
require-admin-mfaNo content
Retrieve a list of all configured Multi-Factor Authentication (MFA) methods in the system.
Must be set to true
truePossible values: Retrieve the configuration for the Duo MFA method if it is enabled and configured.
Must be set to true
truePossible values: The unique identifier for this MFA method.
The unique identifier for this MFA method.
No content
Must be set to true
The unique identifier for this MFA method.
The unique identifier for this MFA method.
No content
Must be set to true
The unique identifier for the PingID MFA method configuration.
Must be set to 'true' to list configurations
The unique identifier for this TOTP MFA method.
The unique identifier for this TOTP MFA method.
No content
The unique identifier for this MFA method.
Must be set to true to trigger the listing functionality
Name of the OIDC assignment
Name of the OIDC assignment
No content
Must be set to true
truePossible values: Name of the key
defaultName of the key
defaultNo content
Must be set to true
truePossible values: Filters the list of OIDC providers to those that allow the given client ID in their set of allowed_client_ids.
""Example: my-client-idName of the provider
my-oidc-providerName of the provider
my-oidc-providerNo content
Name of the OIDC provider
my-oidc-providerName of the OIDC provider
my-oidc-providerName of the OIDC provider
example-providerOAuth 2.0 response type
codeClient identifier
my-client-idCallback URI after successful authorization
https://example.com/callbackRequested scopes
openid profile emailClient state to be returned after auth
abc123Name of the provider
example-providerMust be set to 'true' to list configured roles
truePossible values: Name of the role
developer-roleName of the role
developer-roleNo content
Must be set to 'true' to list configured scopes
truePossible values: Name of the scope
read-onlyName of the scope
read-onlyNo content
Name of the role
developer-roleMust be set to 'true' to list all alias IDs
truePossible values: ID of the persona
123e4567-e89b-12d3-a456-426614174000ID of the persona
123e4567-e89b-12d3-a456-426614174000No content
Name of the alias.
Entity ID the alias should be associated with.
Accessor of the mount that the alias belongs to.
ID of the alias
Entity ID to which this alias should be tied to
Entity ID to which this alias should be tied to. This field is deprecated in favor of 'canonical_id'.
Mount accessor to which this alias belongs to
Name of the alias
If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
Entity ID to which this alias belongs
User provided key-value pairs
Entity ID to which this alias belongs. This field is deprecated, use canonical_id.
ID of the entity alias. If set, updates the corresponding entity alias.
Mount accessor to which this alias belongs to; unused for a modify
Name of the alias; unused for a modify
ID of the alias
Entity ID to which this alias should be tied to
User provided key-value pairs
Entity ID to which this alias belongs to. This field is deprecated, use canonical_id.
(Unused)
(Unused)
ID of the entity. If set, updates the corresponding existing entity.
If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
Alias IDs to keep in case of conflicting aliases. Ignored if no conflicting aliases found
Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts.
Entity IDs which need to get merged
Entity ID into which all the other entities need to get merged
Name of the entity
If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the entity.
ID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'
ID of the group to which this is an alias.
ID of the group alias.
Mount accessor to which this alias belongs to.
Alias of the group.
ID of the group alias.
alias123ID of the group to which this is an alias.
Mount accessor to which this alias belongs to.
Alias of the group.
ID of the group. If set, updates the corresponding existing group.
group123Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'
Name of the group.
AdminsID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'
ID of the alias.
Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'.
Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
ID of the entity.
Name of the entity.
ID of the alias.
Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'.
Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
ID of the group.
Name of the group.
Create a new or update an existing MFA login enforcement rule.
Name for this login enforcement configuration
require-admin-mfaArray of auth mount accessor IDs
Array of auth mount types
Array of identity entity IDs
Array of identity group IDs
Array of Method IDs that determine what methods will be enforced
The unique identifier for this MFA method.
Okta API key.
The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.
The unique name identifier for this MFA method.
Name of the organization to be used in the Okta API.
If true, the username will only match the primary email for the account. Defaults to false.
(DEPRECATED) Use base_url instead.
A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{entity.name}}@example.com". If blank, the Entity's name field will be used as-is.
The unique identifier for the PingID MFA method configuration.
The unique name identifier for this MFA method.
The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate.
A template string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, "{{alias.name}}@example.com". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is.
Identifier of the entity from which the MFA method secret needs to be removed.
The unique identifier for this MFA method.
Entity ID on which the generated secret needs to get stored.
The unique identifier for this MFA method.
The unique identifier for this MFA method.
The unique identifier for this TOTP MFA method.
The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.
SHA1The number of digits in the generated TOTP token. This value can either be 6 or 8.
6The name of the key's issuing organization.
Determines the size in bytes of the generated key.
20Max number of allowed validation attempts.
The unique name identifier for this MFA method.
The length of time used to generate a counter for the TOTP token calculation.
30The pixel size of the generated square QR code.
200The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
1Name of the OIDC assignment
Comma separated string or array of identity entity IDs
Comma separated string or array of identity group IDs
Name of the client.
The time-to-live for access tokens obtained by the client.
24hComma separated string or array of assignment resources.
The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.
confidentialThe time-to-live for ID tokens obtained by the client.
24hA reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.
defaultComma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.
Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used.
Optional client_id to verify
Token to verify
Name of the key
defaultSigning algorithm to use. This will default to RS256.
RS256Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If "*" all roles are allowed.
How often to generate a new keypair.
24hControls how long the public portion of a key will be available for verification after being rotated.
24hName of the key
default-keyControls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
Name of the provider
my-oidc-providerThe client IDs that are permitted to use the provider
Specifies what will be used for the iss claim of ID tokens.
The scopes supported for requesting on the provider
Name of the OIDC provider
example-providerThe ID of the requesting client.
The code challenge derived from the code verifier.
The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.
plainThe allowable elapsed time in seconds since the last time the end-user was actively authenticated.
The value that will be returned in the ID token nonce claim after a token exchange.
The redirection URI to which the response will be sent.
The OIDC authentication flow to be used. The following response types are supported: 'code'
A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required.
The value used to maintain state between the authentication request and client.
Name of the provider
example-providerThe ID of the requesting client.
The secret of the requesting client.
The authorization code received from the provider's authorization endpoint.
The code verifier associated with the authorization code.
The authorization grant type. The following grant types are supported: 'authorization_code'.
The callback location where the authentication response was sent.
Name of the provider
example-providerName of the role
developer-roleOptional client_id
The OIDC key to use for generating tokens. The specified key must already exist.
The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
TTL of the tokens generated against the role.
24hName of the scope
read-onlyThe description of the scope
The template string to use for the scope. This may be in string-ified JSON or base64 format.
Entity ID to which this persona belongs to
ID of the persona
Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs to
Name of the persona
ID of the persona
123e4567-e89b-12d3-a456-426614174000Entity ID to which this persona should be tied to
Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs to
Name of the persona