IdentityProvider

Represents an external authentication provider for federated identity management and single sign-on (SSO). Supports SAML 2.0, OpenID Connect, OAuth 2.0, LDAP, and social providers with protocol-specific configuration, attribute mapping, and trust management. Enables enterprise SSO, customer identity federation, and social login across organizational boundaries.

13 properties
Schema

Properties

Property | Type | Mode | Description | Required
name (string)
stored

Human-readable name for this identity provider (displayed in login UI)

Example: "Corporate Azure AD"

Required
displayName (string)
stored

User-facing display name shown on login screens and account settings

Example: "Sign in with Company SSO"

Optional
protocol (string)
stored

Authentication protocol used by this provider

Values: saml2, oidc, oauth2, ldap, social

Example: "oidc"

Required
status (string)
stored

Current operational status of this identity provider

Values: active, inactive, testing, deprecated

Example: "active"

Required
configuration (json)
stored

Protocol-specific configuration including endpoints, client credentials, and protocol parameters. OIDC: {issuer, authorizationEndpoint, tokenEndpoint, jwksUri, clientId, clientSecret}, SAML: {ssoUrl, sloUrl, entityId, certificate}, OAuth2: {authorizationUrl, tokenUrl, clientId, clientSecret, scopes}, LDAP: {serverUrl, bindDn, baseDn, searchFilter}. The credential fields in this object (clientSecret, and bindPassword for LDAP as in Example 5) are secrets; the examples show them only as encrypted placeholder values, never in plaintext.

Required
attributeMapping (json)
stored

Maps internal user attributes (keys) to the external provider attribute or claim names (values) that populate them (e.g., {email: 'emailAddress', givenName: 'firstName', familyName: 'lastName', groups: 'memberOf'})

Required
allowedDomains (string[])
stored

Email domains authorized to authenticate through this provider; an empty array imposes no domain restriction (as in Example 4)

Example: ["example.com","subsidiary.example.com"]

Optional
isDefault (boolean)
stored

Whether this is the default identity provider for new users (only one provider should have this set)

Optional
autoProvision (boolean)
stored

Whether to automatically create user accounts on first successful authentication

Example: true

Required
autoLinkByEmail (boolean)
stored

Whether to automatically link a federated identity to an existing user whose email address matches the mapped email attribute. Because this trusts the provider's assertion of that address, it is most appropriate where the provider verifies email ownership; Example 3 shows it disabled for the SAML provider.

Example: true

Optional
iconUrl (string)
stored

URL to provider logo/icon displayed in login UI

Example: "https://cdn.example.com/logos/azure-ad.svg"

Optional
metadata (json)
stored

Additional provider-specific metadata (e.g., organizationId, tenantId, region, raw SAML/OIDC metadata)

Optional
linkedUsersCount (number)
calculated

Number of users with federated identities linked to this provider (via FederatedIdentity)

Optional

Examples

Example 1

{
  "@type": "IdentityProvider",
  "name": "Enterprise OIDC Provider",
  "displayName": "Sign in with Corporate SSO",
  "protocol": "oidc",
  "status": "active",
  "configuration": {
    "issuer": "https://idp.enterprise-a.example/v2.0",
    "authorizationEndpoint": "https://idp.enterprise-a.example/oauth2/v2.0/authorize",
    "tokenEndpoint": "https://idp.enterprise-a.example/oauth2/v2.0/token",
    "jwksUri": "https://idp.enterprise-a.example/discovery/v2.0/keys",
    "clientId": "app-client-id-12345",
    "clientSecret": "encrypted-client-secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ]
  },
  "attributeMapping": {
    "email": "preferred_username",
    "givenName": "given_name",
    "familyName": "family_name",
    "groups": "groups"
  },
  "allowedDomains": [
    "enterprise-a.example"
  ],
  "isDefault": true,
  "autoProvision": true,
  "autoLinkByEmail": true,
  "iconUrl": "https://cdn.enterprise-a.example/logos/sso.svg"
}

Example 2

{
  "@type": "IdentityProvider",
  "name": "Social Provider A",
  "displayName": "Sign in with Social Provider",
  "protocol": "oidc",
  "status": "active",
  "configuration": {
    "issuer": "https://auth.social-provider-a.example",
    "authorizationEndpoint": "https://auth.social-provider-a.example/oauth2/authorize",
    "tokenEndpoint": "https://auth.social-provider-a.example/oauth2/token",
    "jwksUri": "https://auth.social-provider-a.example/oauth2/certs",
    "clientId": "123456789-abcdefghijk",
    "clientSecret": "encrypted-social-secret",
    "scopes": [
      "openid",
      "email",
      "profile"
    ]
  },
  "attributeMapping": {
    "email": "email",
    "givenName": "given_name",
    "familyName": "family_name",
    "picture": "picture"
  },
  "allowedDomains": [
    "example.com",
    "partner.com"
  ],
  "isDefault": false,
  "autoProvision": true,
  "autoLinkByEmail": true,
  "iconUrl": "https://social-provider-a.example/favicon.ico"
}

Example 3

{
  "@type": "IdentityProvider",
  "name": "Corporate SAML IdP",
  "displayName": "Employee Portal Login",
  "protocol": "saml2",
  "status": "active",
  "configuration": {
    "entityId": "https://saml.corp.example.com",
    "ssoUrl": "https://saml.corp.example.com/sso",
    "sloUrl": "https://saml.corp.example.com/slo",
    "certificate": "MIIDXTCCAkWgAwIBAgIJAKL0UG+mRZ...",
    "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  },
  "attributeMapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "givenName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "familyName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "department": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"
  },
  "allowedDomains": [
    "corp.example.com"
  ],
  "isDefault": false,
  "autoProvision": true,
  "autoLinkByEmail": false,
  "iconUrl": "https://corp.example.com/assets/logo.png"
}

Example 4

{
  "@type": "IdentityProvider",
  "name": "Developer Platform OAuth",
  "displayName": "Sign in with Dev Platform",
  "protocol": "oauth2",
  "status": "active",
  "configuration": {
    "authorizationUrl": "https://oauth.devplatform.example/authorize",
    "tokenUrl": "https://oauth.devplatform.example/access_token",
    "userInfoUrl": "https://api.devplatform.example/user",
    "clientId": "Iv1.a1b2c3d4e5f6g7h8",
    "clientSecret": "encrypted-oauth-secret",
    "scopes": [
      "read:user",
      "user:email"
    ]
  },
  "attributeMapping": {
    "email": "email",
    "username": "login",
    "name": "name",
    "avatar": "avatar_url"
  },
  "allowedDomains": [],
  "isDefault": false,
  "autoProvision": true,
  "autoLinkByEmail": true,
  "iconUrl": "https://devplatform.example/favicon.svg"
}

Example 5

{
  "@type": "IdentityProvider",
  "name": "Corporate LDAP",
  "displayName": "Active Directory",
  "protocol": "ldap",
  "status": "active",
  "configuration": {
    "serverUrl": "ldaps://ldap.corp.example.com:636",
    "bindDn": "cn=service-account,ou=services,dc=corp,dc=example,dc=com",
    "bindPassword": "encrypted-ldap-password",
    "baseDn": "ou=users,dc=corp,dc=example,dc=com",
    "searchFilter": "(|(uid={username})(mail={username}))",
    "useTls": true,
    "tlsVerify": true
  },
  "attributeMapping": {
    "email": "mail",
    "username": "uid",
    "givenName": "givenName",
    "familyName": "sn",
    "department": "departmentNumber",
    "phone": "telephoneNumber"
  },
  "allowedDomains": [
    "corp.example.com"
  ],
  "isDefault": false,
  "autoProvision": true,
  "autoLinkByEmail": false
}