Identity
Must be set to true
true
ID of the entity. If set, updates the corresponding existing entity.
No content
Must be set to true
true
ID of the group alias.
alias123
No content
Must be set to true
true
ID of the group. If set, updates the corresponding existing group.
group123
No content
Must be set to true
true
Name of the group.
Admins
No content
Must be set to true
true
Retrieve details of a specific MFA login enforcement rule by name.
Name for this login enforcement configuration
require-admin-mfa
Remove an existing MFA login enforcement rule identified by its name.
Name for this login enforcement configuration
require-admin-mfa
No content
Retrieve a list of all configured Multi-Factor Authentication (MFA) methods in the system.
Must be set to true
true
Retrieve the configuration for the Duo MFA method if it is enabled and configured.
Must be set to true
true
The unique identifier for this MFA method.
No content
Must be set to true
The unique identifier for this MFA method.
No content
Must be set to true
The unique identifier for the PingID MFA method configuration.
Must be set to 'true' to list configurations
The unique identifier for this TOTP MFA method.
No content
The unique identifier for this MFA method.
Must be set to true to trigger the listing functionality
Name of the OIDC assignment
No content
Must be set to true
true
Name of the key
default
No content
Must be set to true
true
Filters the list of OIDC providers to those that allow the given client ID in their set of allowed_client_ids.
""
Example: my-client-id
Name of the provider
my-oidc-provider
No content
Name of the OIDC provider
my-oidc-provider
Name of the OIDC provider
example-provider
OAuth 2.0 response type
code
Client identifier
my-client-id
Callback URI after successful authorization
https://example.com/callback
Requested scopes
openid profile email
Client state to be returned after auth
abc123
Name of the provider
example-provider
Must be set to 'true' to list configured roles
true
Name of the role
developer-role
No content
Must be set to 'true' to list configured scopes
true
Name of the scope
read-only
No content
Name of the role
developer-role
Must be set to 'true' to list all alias IDs
true
ID of the persona
123e4567-e89b-12d3-a456-426614174000
No content
Name of the alias.
Entity ID the alias should be associated with.
Accessor of the mount that the alias belongs to.
ID of the alias
Entity ID to which this alias should be tied
Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.
Mount accessor to which this alias belongs
Name of the alias
If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
Entity ID to which this alias belongs
User provided key-value pairs
Entity ID to which this alias belongs. This field is deprecated, use canonical_id.
ID of the entity alias. If set, updates the corresponding entity alias.
Mount accessor to which this alias belongs; unused for a modify
Name of the alias; unused for a modify
ID of the alias
Entity ID to which this alias should be tied
User provided key-value pairs
Entity ID to which this alias belongs. This field is deprecated, use canonical_id.
(Unused)
(Unused)
ID of the entity. If set, updates the corresponding existing entity.
If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
Alias IDs to keep in case of conflicting aliases. Ignored if no conflicting aliases found
Setting this will follow the 'mine' strategy for merging MFA secrets. If secrets of the same type exist both in the entities being merged from and in the entity into which all others are merged, the secrets in the destination entity are left unaltered. If not set, this API will return an error listing all the conflicts.
Entity IDs which need to get merged
Entity ID into which all the other entities need to get merged
Name of the entity
If set true, tokens tied to this identity will not be able to be used (but will not be revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the entity.
ID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
ID of the group to which this is an alias.
ID of the group alias.
Mount accessor to which this alias belongs.
Alias of the group.
ID of the group alias.
alias123
ID of the group to which this is an alias.
Mount accessor to which this alias belongs.
Alias of the group.
ID of the group. If set, updates the corresponding existing group.
group123
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
Name of the group.
Admins
ID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
ID of the alias.
Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.
Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
ID of the entity.
Name of the entity.
ID of the alias.
Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.
Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
ID of the group.
Name of the group.
Create a new or update an existing MFA login enforcement rule.
Name for this login enforcement configuration
require-admin-mfa
Array of auth mount accessor IDs
Array of auth mount types
Array of identity entity IDs
Array of identity group IDs
Array of Method IDs that determine what methods will be enforced
The unique identifier for this MFA method.
Okta API key.
The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.
The unique name identifier for this MFA method.
Name of the organization to be used in the Okta API.
If true, the username will only match the primary email for the account. Defaults to false.
(DEPRECATED) Use base_url instead.
A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{entity.name}}@example.com". If blank, the Entity's name field will be used as-is.
The unique identifier for the PingID MFA method configuration.
The unique name identifier for this MFA method.
The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate.
A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". Currently supported mappings: alias.name, the name returned by the mount configured via the mount_accessor parameter. If blank, the Alias's name field will be used as-is.
Identifier of the entity from which the MFA method secret needs to be removed.
The unique identifier for this MFA method.
Entity ID on which the generated secret needs to get stored.
The unique identifier for this MFA method.
The unique identifier for this MFA method.
The unique identifier for this TOTP MFA method.
The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.
SHA1
The number of digits in the generated TOTP token. This value can either be 6 or 8.
6
The name of the key's issuing organization.
Determines the size in bytes of the generated key.
20
Max number of allowed validation attempts.
The unique name identifier for this MFA method.
The length of time used to generate a counter for the TOTP token calculation.
30
The pixel size of the generated square QR code.
200
The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
1
Name of the OIDC assignment
Comma separated string or array of identity entity IDs
Comma separated string or array of identity group IDs
Name of the client.
The time-to-live for access tokens obtained by the client.
24h
Comma separated string or array of assignment resources.
The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.
confidential
The time-to-live for ID tokens obtained by the client.
24h
A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.
default
Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.
Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used.
Optional client_id to verify
Token to verify
Name of the key
default
Signing algorithm to use. This will default to RS256.
RS256
Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If "*" all roles are allowed.
How often to generate a new keypair.
24h
Controls how long the public portion of a key will be available for verification after being rotated.
24h
Name of the key
default-key
Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
Name of the provider
my-oidc-provider
The client IDs that are permitted to use the provider
Specifies what will be used for the iss claim of ID tokens.
The scopes supported for requesting on the provider
Name of the OIDC provider
example-provider
The ID of the requesting client.
The code challenge derived from the code verifier.
The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.
plain
The allowable elapsed time in seconds since the last time the end-user was actively authenticated.
The value that will be returned in the ID token nonce claim after a token exchange.
The redirection URI to which the response will be sent.
The OIDC authentication flow to be used. The following response types are supported: 'code'
A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required.
The value used to maintain state between the authentication request and client.
Name of the provider
example-provider
The ID of the requesting client.
The secret of the requesting client.
The authorization code received from the provider's authorization endpoint.
The code verifier associated with the authorization code.
The authorization grant type. The following grant types are supported: 'authorization_code'.
The callback location where the authentication response was sent.
Name of the provider
example-provider
Name of the role
developer-role
Optional client_id
The OIDC key to use for generating tokens. The specified key must already exist.
The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
TTL of the tokens generated against the role.
24h
Name of the scope
read-only
The description of the scope
The template string to use for the scope. This may be in string-ified JSON or base64 format.
Entity ID to which this persona belongs
ID of the persona
Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs
Name of the persona
ID of the persona
123e4567-e89b-12d3-a456-426614174000
Entity ID to which this persona should be tied
Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs
Name of the persona