ATTRIBUTE TYPE REFERS TO DESCRIPTION
created number Timestamp when the Application object was created
name string Unique key for the application definition
id string Unique ID for the app instance
signOnMode string Authentication mode for the app
lastUpdated number Timestamp when the Application object was last updated
settings object App settings
 identityStoreId string identityStoreId
 implicitAssignment boolean implicitAssignment
 inlineHookId string inlineHookId
 notes object ApplicationSettingsNotes
 admin string admin
 enduser string enduser
 signOn object AutoLoginApplicationSettingsSignOn
 loginUrl string Primary URL of the sign-in page for this app.
 redirectUrl string Secondary URL of the sign-in page for this app
 notifications object ApplicationSettingsNotifications
 vpn object ApplicationSettingsNotificationsVpn
 helpUrl string helpUrl
 message string message
 network object ApplicationSettingsNotificationsVpnNetwork
 connection string connection
 exclude list<string> exclude
 include list<string> include
features list<string> Enabled app features
label string User-defined display name for app
accessibility list<object> Specifies access settings for the app
 errorRedirectUrl string Custom error page URL for the app
 loginRedirectUrl string Custom login page URL for the app
 selfService boolean Represents whether the app can be self-assignable by users
licensing object ApplicationLicensing
 seatCount number Number of licenses purchased for the app
status string App instance status
visibility object ApplicationVisibility
 autoLaunch boolean Automatically signs in to the app when user signs into Okta
 autoSubmitToolbar boolean Automatically sign in when user lands on the sign-in page
 hide object Hides the app for specific end-user apps
 iOS boolean iOS
 web boolean web
_links object Discoverable resources related to the app
 self object Link Object
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
 href string Link URI
 name string Link name
 type string The media type of the link. If omitted it is implicitly application/json
 users object Link Object
 href string Link URI
 name string Link name
 type string The media type of the link. If omitted it is implicitly application/json
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
 logo list<object> Link Object
 href string Link URI
 name string Link name
 type string The media type of the link. If omitted it is implicitly application/json
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
 accessPolicy object Link Object
 href string Link URI
 name string Link name
 type string The media type of the link. If omitted it is implicitly application/json
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
 activate object Link Object
 href string Link URI
 name string Link name
 type string The media type of the link. If omitted it is implicitly application/json
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
 deactivate object Link Object
 type string The media type of the link. If omitted it is implicitly application/json
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
 href string Link URI
 name string Link name
 groups object Link Object
 type string The media type of the link. If omitted it is implicitly application/json
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
 href string Link URI
 name string Link name
 metadata object Link Object
 href string Link URI
 name string Link name
 type string The media type of the link. If omitted it is implicitly application/json
 hints object Describes allowed HTTP verbs for the href Object
 allow list<string> HttpMethod
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string ID of the Grant object
issuer string The issuer of your org authorization server. This is typically your Okta domain.
status string Status
clientId string Application Client ID of the app integration
createdBy object User that created the object
 id string User ID
 type string Type of user
scopeId string The name of the Okta scope for which consent is granted
userId string User ID that granted consent (if source is END_USER)
source string User type source that granted consent
created number Timestamp when the object was created
lastUpdated number Timestamp when the object was last updated
ATTRIBUTE TYPE REFERS TO DESCRIPTION
lastUpdated number Timestamp when the object was last updated
appId string Application Client ID of the assigned app integration
priority number priority
id string ID of the application group object
groupId string Group Group ID that is assigned to the application.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
lastUpdated number Timestamp when the object was last updated
appId string Application Client ID of the assigned app integration
scope string Indicates if the assignment is direct (USER) or by group membership (GROUP).
externalId string The ID of the user in the target app that's linked to the Okta Application User object.
id string ID of the application user object
userId string User User ID that is assigned to the application.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
permissions list<string> The permissions associated with the Connected Application.
connectedAppName string Name of the Connected Application.
riskScore number The risk score associated with the Connected Application.
appID string The unique identifier of the Connected Application.
riskLevel string The risk level associated with the Connected Application.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
created number When the group was created
lastMembershipUpdated number When the group member was last updated
lastUpdated number When the group was last updated
type string Type of the group
profile object profile
 description string description of the group
 name string name
id string Group's unique ID
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string Role Assignment ID
status string Status of the GroupRoleAssignment
created number When the GroupRoleAssignment was created
lastUpdated number When the GroupRoleAssignment was last updated
label string Role Label of the role assignment
assignmentType string assignmentType
type string type
group_id string Group Target group id of the role assignment
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string ID of the group user object
user_id string User User ID that is assigned to the group.
group_id string Group ID of the assigned group
lastUpdated number Timestamp when the object was last updated
ATTRIBUTE TYPE REFERS TO DESCRIPTION
status string Status of the IdP. Possible values: ACTIVE or INACTIVE
type string Type of IdP. Possible values: AMAZON, APPLE, DISCORD, FACEBOOK, GITHUB, GITLAB, GOOGLE, LINKEDIN, LOGINGOV, LOGINGOV_SANDBOX, MICROSOFT, OIDC, PAYPAL, PAYPAL_SANDBOX, SALESFORCE, SAML2, SPOTIFY, X509, XERO, YAHOO, YAHOOJP
created number Timestamp when the IdP was created
id string Unique key for the IdP
issuerMode string Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP. Possible values: ORG_URL, CUSTOM_URL, or DYNAMIC
lastUpdated number Timestamp when the IdP was last updated
name string Unique name for the IdP
policy object Policy settings for IdP type
 accountLink object Policy rules to link an IdP User to an existing Okta User
 action string Specifies the account linking action for an IdP User. Possible values: AUTO, DISABLED
 filter object Allowlist for link candidates
 groups object Group memberships to determine link candidates
 include list<string> Specifies the allow list of Group identifiers to match against
 mapAMRClaims boolean Determines whether the IdP should map AMR claims from the IdP to the Okta session
 maxClockSkew number Maximum allowable clock skew when processing messages from the IdP
 provisioning object Policy rules to just-in-time (JIT) provision an IdP User as a new Okta User
 conditions object Conditional behaviors for an IdP User during authentication
 deprovisioned object Behavior for a previously deprovisioned IdP User during authentication
 action string Action for a previously deprovisioned IdP User during authentication. Possible values: NONE, REACTIVATE
 suspended object Behavior for a previously suspended IdP User during authentication
 action string Action for a previously suspended IdP User during authentication. Possible values: NONE, UNSUSPEND
 groups object Provisioning settings for a User's Group memberships
 action string Provisioning action for the IdP User's Group memberships. Possible values: NONE, APPEND, ASSIGN, SYNC
 assignments list<string> List of OKTA_GROUP Group identifiers to add an IdP User as a member with the ASSIGN action
 filter list<string> Allowlist of OKTA_GROUP Group identifiers for the APPEND or SYNC provisioning action
 sourceAttributeName string IdP User profile attribute name (case-insensitive) for an array value that contains Group memberships
 profileMaster boolean Determines if the IdP should act as a source of truth for User profile attributes
 action string Provisioning action for an IdP User during authentication. Possible values: AUTO, DISABLED
 subject object Policy rules to select the Okta sign-in identifier for the IdP User and determine matching rules
 filter string Optional regular expression pattern used to filter untrusted IdP usernames
 matchAttribute string Okta User profile attribute for matching a transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE
 matchType string Determines the Okta User profile attribute match conditions for account linking and authentication of the transformed IdP username. Possible values: USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE
 userNameTemplate object Okta Expression Language (EL) expression to generate or transform a unique username for the IdP User
 template string Okta EL Expression to generate or transform a unique username for the IdP User
protocol object Protocol settings for IdP type
 algorithms object Settings for signing and verifying SAML messages
 request object Algorithm settings used to secure an <AuthnRequest> message
 signature object Algorithm settings used to sign an <AuthnRequest> message
 algorithm string The XML digital Signature Algorithm used when signing an <AuthnRequest> message. Possible values: SHA-1 or SHA-256
 scope string Specifies whether to digitally sign <AuthnRequest> messages to the IdP. Possible values: REQUEST or NONE
 response object Algorithm settings used to verify a <SAMLResponse> message
 signature object Algorithm settings for verifying <SAMLResponse> messages and <Assertion> elements from the IdP
 algorithm string The minimum XML digital Signature Algorithm allowed when verifying a <SAMLResponse> message or <Assertion> element. Possible values: SHA-1 or SHA-256
 scope string Specifies whether to verify a <SAMLResponse> message or <Assertion> element XML digital signature. Possible values: RESPONSE, ASSERTION, or ANY
 endpoints object SAML 2.0 HTTP binding settings for IdP and SP (Okta)
 acs object Okta's SPSSODescriptor endpoint where the IdP sends a <SAMLResponse> message
 binding string HTTP binding used to receive a <SAMLResponse> message from the IdP. Possible values: HTTP-POST
 type string Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata. Possible values: INSTANCE or ORG
 sso object IdP's SingleSignOnService endpoint where Okta sends an <AuthnRequest> message
 binding string HTTP binding used to send an <AuthnRequest> message to the IdP. Possible values: HTTP-POST or HTTP-Redirect
 destination string URI reference that indicates the address to which the <AuthnRequest> message is sent
 url string URL of the binding-specific endpoint to send an <AuthnRequest> message to the IdP
 relayState object Relay state settings for IdP
 format string The format used to generate the relayState in the SAML request. FROM_URL is used if this value is null. Possible values: OPAQUE or FROM_URL
 settings object Advanced settings for the SAML 2.0 protocol
 honorPersistentNameId boolean Determines if the IdP should persist account linking when the incoming assertion NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
 nameFormat string The name identifier format to use
 type string SAML 2.0 protocol
properties object Properties specific to the type of IdP
 ialValue string The type of identity verification (IAL) value for the Login.gov IdP. Applies to IDP type: LOGINGOV, LOGINGOV_SANDBOX
 aalValue string The authentication assurance level (AAL) value for the Login.gov IdP. Applies to IDP type: LOGINGOV, LOGINGOV_SANDBOX
 additionalAmr list<string> The additional Assurance Methods References (AMR) values for Smart Card IdPs. Supported values: sc (smart card), hwk (hardware-secured key), pin (personal identification number), and mfa (multifactor authentication). Applies to IDP type: X509
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string Role ID
description string Description of the role
created number When the role was created
lastUpdated number When the role was last updated
label string Label of the role
permissions list<object> Permissions associated with the role
 label string label of the permission
 created number When the permission was created
 lastUpdated number When the permission was last updated
 conditions string Permission conditions.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
lastUpdated number When the RoleAssignment was last updated
label string Role Label of the role assignment
assignmentType string assignmentType
type string type
user_id string User Target user id of the role assignment (only valid if assignmentType is User)
id string Role Assignment ID
status string Status of the RoleAssignment
created number When the RoleAssignment was created
ATTRIBUTE TYPE REFERS TO DESCRIPTION
activated number When the user was activated
statusChanged number When the user status was changed
lastLogin number When the user last logged in
lastUpdated number When the User was last updated
passwordChanged number When the user password was last changed
provider object provider
 type string type
 name string name
id string User's account ID
created number When the user was created
profile object profile
 displayName string displayName
 managerId string managerId
 preferredLanguage string preferredLanguage
 primaryPhone string primaryPhone
 state string state
 title string title
 login string login
 city string city
 userType string userType
 zipCode string zipCode
 firstName string firstName
 streetAddress string streetAddress
 nickName string nickName
 profileUrl string profileUrl
 email string email
 honorificSuffix string honorificSuffix
 locale string locale
 postalAddress string postalAddress
 costCenter string costCenter
 countryCode string countryCode
 middleName string middleName
 organization string organization
 department string department
 employeeNumber string employeeNumber
 division string division
 honorificPrefix string honorificPrefix
 manager string manager
 lastName string lastName
 secondEmail string secondEmail
 mobilePhone string mobilePhone
 timezone string timezone
status string Status of the User
type object Type of the User
 lastUpdated number A timestamp from when the User Type was most recently updated
 lastUpdatedBy string The user ID of the most recent account to edit the User Type
 name string The name of the User Type
 id string id
 created number A timestamp from when the User Type was created
 createdBy string The user ID of the account that created the User Type
 default boolean A boolean value to indicate if this is the default User Type
 description string The human-readable description of the User Type