@maccuaa/intellitrust-admin-sdk
Version:
TypeScript SDK client for Entrust Identity as a Service Administration API
955 lines • 362 kB
TypeScript
import * as Oazapfts from "@oazapfts/runtime";
declare const defaults: Oazapfts.Defaults<Oazapfts.CustomHeaders>;
declare const servers: {
server1: string;
};
type AccountInfo = {
/** The ISO-3166-1 code of the country the company is located in. */
companyCountry?: string;
/** The name of the company the account belongs to. */
companyName: string;
/** The ISO-3166-2 code for the state/province the company is located in. */
companyState?: string;
/** Whether or not the legal agreement has been acknowledged for the account. */
legalAcknowledged?: boolean;
};
type ErrorInfo = {
/** Error Codes specific to cause of failure. */
errorCode?: string;
/** Additional Error Message describing the error. */
errorMessage?: string;
/** Optional additional error information. */
parameters?: object[];
};
type AccountInfoParms = {
/** The name of the company the account belongs to. The value must be between 1 and 100 characters. */
companyName?: string;
/** Whether or not the legal agreement has been acknowledged for the account. This value can only be changed from false to true. */
legalAcknowledged?: boolean;
};
type Acr = {
/** The unique UUID assigned to the acr when it is created. */
id: string;
/** The name of the acr. */
name?: string;
/** A flag indicating if the authentication flow can be modified or deleted. */
readOnly?: boolean;
/** List of resource rule names using the acr. */
resourceRules?: string[];
};
type AcrParms = {
/** The name of the acr. */
name: string;
};
type AdminApiAuthentication = {
/** Administration API application id */
applicationId: string;
/** If set to true, a session cookie named INTELLITRUST_SESSION_ID is returned with the authentication response. This cookie must be returned with all subsequent requests. */
enableWebSession?: boolean;
/** Shared Secret */
sharedSecret: string;
};
type AdminApiAuthenticationResult = {
/** Authorization token returned after a successful authentication. */
authToken?: string;
/** Creation time of the authentication token. */
creationTime?: string;
/** Expiry time of the authentication token. */
expirationTime?: string;
};
type ApplicationInfo = {
/** The template the application was created from. */
applicationTemplate?: string;
/** The UUID of the template the application was created from. */
applicationTemplateId?: string;
/** The application authentication method. */
authenticationMethod?: string;
/** The UUID of the application. */
id?: string;
/** The name of the application. */
name?: string;
};
type AdminApiApplication = {
/** Determines if the application can use a long-lived token for authentication. */
allowLongLivedToken?: boolean;
/** The name of the application template specific to this application type. */
applicationTemplate: string;
/** Application template id specific to this application type. */
applicationTemplateId?: string;
/** Short description of application. */
description?: string;
/** Application ID. */
id?: string;
/** The UUID of the IP Addresses list. */
ipListId?: string;
/** Last successful authentication time to use administration api */
lastAuthnDate?: string;
/** Base64 encoded logo image. */
logo?: string;
/** Name of application. */
name: string;
/** The UUID of the Site role to be associated with the API application. Pass an empty string value to unset the site role. */
roleId?: string;
/** Shared secret for application. */
sharedSecret?: string;
/** The UUID of the service provider role to be associated with the API application. Pass an empty string to unset the service provider role. */
spRoleId?: string;
};
type AdminApiApplicationParms = {
/** Determines if a long-lived token is allowed in this application. */
allowLongLivedToken?: boolean;
/** The UUID of the application template. This value is only used when creating a new application. If not specified, the default admininstration API template is used. */
applicationTemplateId?: string;
/** Short description of application. */
description?: string;
/** The UUID of the IP Addresses list. */
ipListId?: string;
/** Base64 encoded logo image. */
logo?: string;
/** Name of application. */
name: string;
/** The UUID of the Site role to be associated with the API application. Pass an empty string value to unset the site role. Either this value or spRoleId is required when creating the application. */
roleId?: string;
/** The UUID of the service provider role to be associated with the API application. Pass an empty string to unset the service provider role. Either this value or roleId is required when creating the application. */
spRoleId?: string;
};
type ProtectedOfflineSettings = {
/** Maximum number of IntelliTrust Desktops (or clients in general) that are allowed to be registered with a token for downloading OTPs. */
protectedOfflineOTPMaxClients?: number;
/** Maximum number of hours' worth of offline OTPs that a client is allowed to possess. */
protectedOfflineOTPMaxRefill?: number;
/** Default number of hours' worth of offline OTPs that is returned. */
protectedOfflineOTPMinorRefill?: number;
/** This controls the length of the private salt and is measured in bits. The values map as follows: Normal = 14, Strong = 17, and Very Strong = 20 */
protectedOfflineOTPProtection?: "NORMAL" | "STRONG" | "VERYSTRONG";
/** Defines whether tokens can be used offline. */
protectedOfflineOTPSupport?: boolean;
};
type AuthApiApplication = {
/** Defines whether ignore ip address for rba will be allowed or not. */
allowIgnoreIpAddressForRba?: boolean;
/** Application template specific to this application type. */
applicationTemplate: string;
/** Application template id specific to this application type. */
applicationTemplateId?: string;
/** Indicates the source of client IP address for risk analysis */
clientIpSource?: "NOT_INCLUDED" | "PROVIDED" | "FROM_CONNECTION";
/** Short description of application. */
description?: string;
/** Application id. */
id?: string;
/** Base64 encoded logo image. */
logo?: string;
/** Name of application. */
name: string;
/** Flag indicating if passkey authentication is allowed for this application. This flag has been deprecated and is no longer used. */
passkeyEnabled?: boolean;
protectedOfflineSettings?: ProtectedOfflineSettings;
/** Defines whether user values function is enabled. */
userValuesEnabled?: boolean;
/** Defines whether verification for a user must be satisfied. */
verificationRequired?: boolean;
};
type AuthApiApplicationParms = {
/** Flag indicates if ignore ip address for rba will be allowed or not. */
allowIgnoreIpAddressForRba?: boolean;
/** Application template specific to this application type. */
applicationTemplate: string;
/** Application template id specific to this application type. */
applicationTemplateId?: string;
/** Indicates the source of client IP address for risk analysis */
clientIpSource?: "NOT_INCLUDED" | "PROVIDED" | "FROM_CONNECTION";
/** Short description of application. */
description?: string;
/** Unique UUID for the application used when creating a new application. If not specified, IDaaS will generate a random UUID. */
id?: string;
/** Base64 encoded logo image. */
logo?: string;
/** Name of the application. */
name: string;
/** Flag indicating if passkey authentication is allowed for this application. */
passkeyEnabled?: boolean;
protectedOfflineSettings?: ProtectedOfflineSettings;
/** Flag indicating if user client values is allowed for this application. */
userValuesEnabled?: boolean;
/** Defines whether verification for a user must be satisfied. */
verificationRequired?: boolean;
};
type ApplicationTemplate = {
/** The type the application template. Possible values are SAML20, RADIUS, AAAS, IDG, OIDC, AUTHAPI, ADMINAPI, SIEMAPI. */
authenticationMethod: string;
/** The description of application template. */
description?: string;
/** The UUID of the application template. */
id: string;
/** The name of the application template. */
name: string;
};
type OrderByAttribute = {
/** Identifies whether to order results in ascending order. */
ascending: boolean;
/** Identifies the attribute. */
name: string;
};
type SearchByAttribute = {
/** Identifies the attribute we are searching for. */
name: string;
/** Identifies the operator. */
operator: "EQUALS" | "NOT_EQUALS" | "CONTAINS" | "NOT_CONTAINS" | "STARTS_WITH" | "ENDS_WITH" | "GREATER_THAN" | "GREATER_THAN_OR_EQUAL" | "LESS_THAN" | "LESS_THAN_OR_EQUAL" | "IN" | "EXISTS" | "NOT_EXISTS";
/** Identifies the value of the attribute we are searching for. */
value?: string;
};
type SearchParms = {
/** Users search only: additional, non-core attributes to include in the returned object. Attribute names are specific to the returned object. */
attributes?: string[];
/** Identifies the page to return when paging over a result set--if present, search by / order by attributes are ignored. */
cursor?: string;
/** Identifies the maximum number of items to include in a page (1-100). */
limit?: number;
orderByAttribute?: OrderByAttribute;
/** Identifies attributes for searching purposes. Some end-points have pre-defined values and ignore this attribute. */
searchByAttributes?: SearchByAttribute[];
};
type AsyncOperationStatus = {
/** The error message describing the first error encountered processing the operation. */
errorMessage?: string;
/** The unique UUID of the operation. Used to get status and results of operation. */
id: string;
/** The time this operation was initialized. */
initTime?: string;
/** The name of the operation. It can be null for operations not named. */
name?: string;
/** The time at which the operation completed processing. */
processingEndTime?: string;
/** The time at which the operation began processing. */
processingStartTime?: string;
/** How long the operation took to complete processing in milliseconds. */
processingTime?: number;
/** The state of the operation. */
state: "FAILED" | "CANCELLED" | "COMPLETED" | "PROCESSING" | "SCHEDULED";
/** The subject of this operation. */
subject?: string;
};
type Paging = {
/** The page limit used (1-100) */
limit: number;
/** The cursor pointing to the next page. */
nextCursor?: string;
/** The cursor pointing to the previous page. */
prevCursor?: string;
};
type Token = {
/** The algorithm type used by the token that was created or loaded into the system to generate OTP values. */
algorithmType?: "AT" | "OATH_HOTP" | "OATH_OCRA" | "OATH_TOTP" | "VENDOR";
/** Actions that can be performed on this token. */
allowedActions?: ("ACTIVATE" | "REACTIVATE" | "ACTIVATE_COMPLETE" | "DELETE" | "UNLOCK" | "ENABLE" | "DISABLE" | "RESET" | "ASSIGN" | "UNASSIGN")[];
/** A flag indicating if the token was activated on a verified app. */
appVerified: boolean;
/** Optional text describing this token. */
description?: string;
/** A flag indicating if the token is activated on a verified device. */
deviceVerified: boolean;
/** The UUIDs of groups to which this token belongs. This value is only used for unassigned tokens. Only groups to which the current administrator has access will be returned. */
groups?: string[];
/** The unique UUID assigned to the token when it is created. */
id?: string;
/** The identity verification status of the token. */
identityVerificationStatus?: "NOT_REQUIRED" | "REQUIRED" | "PENDING" | "VERIFIED" | "FAILED";
/** Optional label to identify an assigned token: a String up to 100 characters. */
label?: string;
/** The date on which the token was last used for authentication. This value will be null if the token has never been used. */
lastUsedDate?: string;
/** The date on which the token was created or loaded into the system. */
loadDate?: string;
/** Base-64 encoded logo. If a custom logo is provided by the customer it is returned. Otherwise a system default logo is returned. */
logo?: string;
/** An optional name for the token. */
name?: string;
/** The mobile device platform on which an Entrust Soft Token was activated. */
platform?: string;
/** A flag indicating if the Entrust Soft Token has registered for transactions. Only tokens that are registered can perform token push authentication. */
registeredForTransactions?: boolean;
/** The serial number of the token either generated when the token was created or loaded into the system. */
serialNumber?: string;
/** The state of the token. For most tokens, only tokens in the ACTIVE state can be used for authentication. Google Authenticator tokens in the ACTIVATING state can also be used for authentication. */
state?: "NEW" | "ACTIVATING" | "ACTIVE" | "INACTIVE" | "UNASSIGNED";
/** A flag indicating if the Token supports challenge response processing. */
supportsChallengeResponse?: boolean;
/** A flag indicating if the Token supports response processing. */
supportsResponse?: boolean;
/** A flag indicating if the Token supports signature processing. */
supportsSignature?: boolean;
/** A flag indicating if the Token supports unlock processing. */
supportsUnlock?: boolean;
/** A flag indicating if the Token supports unlock using TOTP processing. */
supportsUnlockTOTP?: boolean;
/** The type of token specified when the token was created or loaded into the system. */
"type"?: "ENTRUST_PHYSICAL_TOKEN" | "ENTRUST_SOFT_TOKEN" | "GOOGLE_AUTHENTICATOR" | "OATH_PHYSICAL_TOKEN" | "ENTRUST_LEGACY_TOKEN";
/** If the token is assigned to a user, this value specifies that user's user id. */
userId?: string;
};
type TokensPage = {
paging?: Paging;
/** A single page with the list of assigned tokens found. */
results: Token[];
};
type UserAttribute = {
/** The UUID for this user attribute. Generated when the user attribute is created. */
id?: string;
/** A flag indicating if users must have a value for this user attribute. */
mandatory: boolean;
/** The name of this user attribute. */
name: string;
/** A flag indicating if this user attribute is one of the system defined user attributes. */
systemDefined: boolean;
/** Type of user attribute. Currently only used to specify the type of contact if the attribute is to be used for OTP delivery. */
"type"?: "NONE" | "OTP_EMAIL" | "OTP_SMS" | "OTP_VOICE" | "OTP_WECHAT" | "OTP_WHATSAPP";
/** A flag indicating if this attribute is intended to be unique. */
"unique": boolean;
};
type DirectoryAttributeMapping = {
/** The name of the directory attribute being mapped. */
directoryAttributeName?: string;
/** The UUID of the Directory the attribute mapping belongs to. */
directoryId?: string;
/** The UUID of the attribute mapping. */
id?: string;
userAttribute?: UserAttribute;
/** The UUID of the Identity as a Service User Attribute being mapped to. */
userAttributeId?: string;
};
type OtpVerificationAuthenticateValue = {
/** The unique challenge response identifier used for authentication */
challengeId: string;
/** The otp response */
challengeResponse: string;
};
type OtpVerificationAuthenticateResponse = {
/** The number of attempts left for authentication failure */
attemptsLeft: number;
/** The challenge Id of the user's input */
challengeId: string;
/** The error message during the authentication */
errorCode?: string;
/** A boolean value which indicates if the authentication is successful */
success: boolean;
};
type Error = {
/** The server error code */
code: string;
/** A human-readable representation of the error */
message: string;
/** The target of the error */
target?: string;
};
type OtpVerificationChallengeValue = {
/** Type of contact delivery. Only supported for OTP contact attributes. */
"type": "NONE" | "OTP_EMAIL" | "OTP_SMS" | "OTP_VOICE" | "OTP_WECHAT" | "OTP_WHATSAPP";
/** The exact email or phone number that the OTP will be sent to. */
value: string;
};
type OtpVerificationChallengeResponse = {
/** The unique challenge response identifier which will be used for authentication. */
challengeId: string;
};
type DirectoryConnection = {
/** The SSL certificate to connect to the Directory with. */
certificate?: string;
/** The UUID of the Directory the connection belongs to. */
directoryId?: string;
/** The Directory hostname or IP address. */
hostname?: string;
/** The UUID of the Directory connection. */
id?: string;
/** The Directory port. */
port?: number;
/** Whether or not to connect to the Directory using an SSL certificate. */
useSsl?: boolean;
};
type DirectorySync = {
/** The rate at which the directory will be queried in milliseconds */
crawlFrequency?: number;
directory?: Directory;
/** The ID of the directory. */
directoryId?: string;
/** The UUID of the Directory Sync Gateway Agent. */
directorySyncAgentId?: string;
/** Group desynchronization will be done based on the selected option. */
groupDesyncPolicy?: "GROUP_LOCALLY_MANAGED" | "GROUP_DELETED";
/** The group name attribute */
groupNameAttribute?: string;
/** The Group Object Class */
groupObjectClass?: string;
/** Group synchronization will be done based on the selected option. */
groupSynchronizationType?: "ALL" | "FILTER" | "NONE";
/** The UUID of the directory. */
id?: string;
/** The last time the directory was updated. */
lastUpdate?: string;
/** The number of records that should returned per query. Default is 25. */
pageSize?: number;
/** The status of the Directory Sync. */
state?: "UNKNOWN" | "ERROR" | "PENDING_CHANGES" | "SYNCED" | "OUT_OF_SYNC" | "CRAWLING" | "CRAWL_COMPLETE" | "NOTIFYING_GROUPS" | "NOTIFYING_GROUPS_USERS" | "NOTIFYING_USERS" | "NOTIFY_COMPLETE" | "SYNCING" | "FAILED";
/** User synchronization will be done based on the selected option. */
userDesyncPolicy?: "USER_LOCALLY_MANAGED_ENABLED" | "USER_LOCALLY_MANAGED_DISABLED" | "USER_DELETED";
/** The User Object Class */
userObjectClass?: string;
/** The User Unique Id Attribute */
userUniqueIdAttribute?: string;
/** How long to wait between notifications in milliseconds. */
waitBetweenNotifications?: number;
};
type GroupFilter = {
/** The UUID of the Directory the group filter belongs to. */
directoryId?: string;
/** The UUID of the group filter. */
id?: string;
/** The name of the group to filter on. */
name?: string;
};
type SearchBase = {
/** The UUID of the Directory the seachbase belongs to. */
directoryId?: string;
/** Whether or not an empty searchbase is empty? */
emptySearchBase?: boolean;
/** The UUID of the searchbase. */
id?: string;
/** The searchbase node. */
node?: string;
/** Whether or not a sub-tree is included? */
subsearchbasesIncluded?: boolean;
};
type Directory = {
/** The name of the AD attribute value that will be mapped into comma seperated string value of alias */
aliasMappingName?: string;
/** The SSL certificate to connect to the Directory with. */
certificate?: string;
/** Directory attribure mappings. */
directoryAttributeMappings?: DirectoryAttributeMapping[];
/** The connections that you want to connect when syncing. */
directoryConnections?: DirectoryConnection[];
directorySync?: DirectorySync;
/** The UUID of the directory sync */
directorySyncId?: string;
/** Directory group filters. */
groupFilters?: GroupFilter[];
/** The hostname of the Directory Can be an IP address or a hostname. */
hostname?: string;
/** The UUID of the Directory. */
id?: string;
/** The name of the Directory. */
name?: string;
/** The password to connect to the Directory with. */
password?: string;
/** The port to connect to the Directory over. */
port?: number;
/** The root domain naming context of the Directory. */
rootDomainNamingContext?: string;
/** The searchbases that you want to search when syncing. */
searchBases?: SearchBase[];
/** The type of the Directory. */
"type"?: "AD" | "LDAP";
/** Whether or not to connect to the Directory using an SSL certificate. */
useSsl?: boolean;
/** The username to connect to the Directory with. Value must be a fully distinguished name or UPN. */
userName?: string;
};
type DirectorySyncStatusInfo = {
/** The name of the directory. */
directoryName?: string;
/** The name of the directory or searchbase is being processed. */
directoryOrSearchBaseBeingProcessed?: string;
/** Comma separated list of errors occurred during the AD-sync process. */
errors?: string;
/** The number of groups added. */
groupsAdded?: number;
/** The number of groups successfully created in the service database. */
groupsCreateCount?: number;
/** The number of groups successfully deleted from the service database. */
groupsDeleteCount?: number;
/** The number of groups failed to be uploaded. */
groupsFailCount?: number;
/** The number of groups skipped due to errors. */
groupsFailed?: number;
/** The number of groups processed successfully. */
groupsProcessedSuccessfully?: number;
/** The number of groups removed. */
groupsRemoved?: number;
/** The number of groups changed. */
groupsSyncedWithChanges?: number;
/** The number of groups synced with no changes. */
groupsSyncedWithNoChanges?: number;
/** The number of groups successfully updated in the service database. */
groupsUpdateCount?: number;
/** The UUID of the DirectorySyncStatusInfo. */
id?: string;
/** The number of search bases already processed. */
searchbasesProcessed?: number;
/** The status of the Directory Sync processed. */
state?: "CRAWLING" | "CRAWL_COMPLETE" | "ERROR" | "NOTIFYING_GROUPS" | "NOTIFYING_GROUPS_USERS" | "NOTIFYING_USERS" | "NOTIFY_COMPLETE" | "OUT_OF_SYNC" | "PENDING_CHANGES" | "SYNCED" | "UNKNOWN";
/** The time when the synchronization was started. */
syncStarted?: string;
/** The last time the directory was updated. */
syncUpdated?: string;
/** Total number of search bases to be processed. */
totalSearchbases?: number;
/** Number of users added. */
usersAdded?: number;
/** The number of users successfully created in the service database. */
usersCreateCount?: number;
/** The number of users successfully deleted from the service database. */
usersDeleteCount?: number;
/** The number of users failed to be uploaded. */
usersFailCount?: number;
/** The number of users skipped due to errors. */
usersFailed?: number;
/** The number of users processed successfully. */
usersProcessedSuccessfully?: number;
/** The number of users removed. */
usersRemoved?: number;
/** The number of users synced with changes. */
usersSyncedWithChanges?: number;
/** The number of users synced with no changes. */
usersSyncedWithNoChanges?: number;
/** The number of users successfully updated in the service database. */
usersUpdateCount?: number;
};
type IdentityProvider = {
/** A flag indicating if the external identity provider can be used for user authentication. */
authenticationEnabled?: boolean;
/** The URI of the logo to display on the login button for this external identity provider. */
buttonImage?: string;
/** The unique text to display on the login button for this external identity provider. */
buttonText?: string;
/** A flag indicating if the user should be created after authenticating to the external identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true. */
createUser?: boolean;
/** A flag indicating if this is the tenant's default identity provider. This value applies only to non-domain based identity providers. Only one identity provider can be set as the default at a time. */
defaultProvider?: boolean;
/** The space separated list of domains associated with the external identity provider for use with user authentication. */
domains?: string;
/** The UUID of the external identity provider. */
id?: string;
/** The issuer URI for the external OIDC identity provider or the issuer, or IDP Entity ID, for the external SAML identity provider. */
issuer?: string;
/** The unique name of the external identity provider. */
name?: string;
/** The type of the external identity provider. */
protocol?: "OIDC" | "SAML";
/** The client identifier provided by the external OIDC identity provider or the SP entity ID provided to the external SAML identity provider. */
spId?: string;
/** The type of the external identity provider. */
"type"?: string;
/** The verification certificate2 DN used with the external identity provider. */
verificationCertificate2DN?: string;
/** The verification certificate2 expiry date used with the external identity provider. */
verificationCertificate2ExpiryDate?: string;
/** The verification certificate DN used with the external identity provider. */
verificationCertificateDN?: string;
/** The verification certificate expiry date used with the external identity provider. */
verificationCertificateExpiryDate?: string;
/** A flag indicating if the external identity provider can be used for user verification. */
verificationEnabled?: boolean;
};
type SmsVoice = {
/** The number of entitlements allotted to the current account. If the account is an SP then entitlements can be allocated to child accounts. */
allotment?: number;
/** The entitlements consumed since start date during the entitlement period. */
consumed?: number;
/** The date when the entitlement will end. */
endDate?: string;
/** The date when the grace period for the entitlement will end. */
gracePeriodEndDate?: string;
/** The overage type of this entitlement. */
overageType?: "YES" | "NO" | "UNLIMITED";
/** The number of SMS/Voice credits allowed during the period. */
quantity?: number;
/** The number of SMS/Voice credits allowed when the entitlement is renewed. */
renewalQuantity?: number;
/** The date when the entitlement starts. */
startDate?: string;
};
type UserEntitlement = {
/** The number of entitlements allotted to the current account. If the account is an SP then entitlements can be allocated to child accounts. For subscriber accounts, the allotment is always the same as the quantity amount. */
allotment?: number;
/** The used quantity of this entitlement. */
consumed?: number;
/** The date when the entitlement ends. */
endDate?: string;
/** The date when the grace period for the entitlement will end. */
gracePeriodEndDate?: string;
/** The quantity of entitlements purchased for the account. */
quantity?: number;
/** The date when the entitlement starts. */
startDate?: string;
};
type AccountEntitlement = {
smsVoice?: SmsVoice;
users?: UserEntitlement;
};
type FidoRegisterChallenge = {
/** Attestation preference for passkey/FIDO2 registration. Determines how much information about the authenticator (security key/passkey) is shared during registration. NONE: No authenticator details shared (recommended for privacy). INDIRECT: Basic information shared in a privacy-preserving way (balanced approach). DIRECT: Full authenticator details shared (use when you need to verify specific device models). */
attestation?: "NONE" | "INDIRECT" | "DIRECT";
/** The registration challenge generated by Identity as a Service. This is a base-64 encoded value. */
challenge?: string;
/** The IDs of FIDO tokens already registered to this user. These values are base-64 encoded. */
registeredCredentials?: string[];
/** The names of FIDO tokens already registered to this user. */
registeredCredentialsNames?: string[];
/** Should the token be embedded on the device or stored externally? */
registrationAuthenticatorAttachment?: "EITHER" | "PLATFORM" | "CROSS_PLATFORM";
/** Should the User ID be stored on the Passkey/FIDO2 token? */
registrationRequireResidentKey?: "DISCOURAGED" | "PREFERRED" | "REQUIRED";
/** Should the token perform user verification? */
registrationUserVerification?: "DISCOURAGED" | "PREFERRED" | "REQUIRED";
/** The name of this relying party. This is the name of the Identity as a Service account. */
rpName?: string;
/** The number of seconds that the client will wait for the FIDO token to respond. This field is deprecated, use 'timeoutMillis' instead. */
timeout?: number;
/** The time in milliseconds that the client will wait for the FIDO token to respond. */
timeoutMillis?: number;
/** The display name of this user. It will be 'firstname lastname' of the user */
userDisplayName?: string;
/** The id of this user. It will be UUID of the user base-64 encoded. */
userId?: string;
/** The name of this user. It will be the userId of the user. */
userName?: string;
};
type FidoRegisterResponse = {
/** The FIDO attestationObject data returned from the FIDO token. This is a base-64 encoded value. */
attestationObject?: string;
/** The FIDO clientData returned from the FIDO token. This is a base-64 encoded value. */
clientDataJSON?: string;
/** The name for the new FIDO token. */
name?: string;
/** Specifies the domain name (relying party ID) of your application and the passkey is registered with. Provide the domain only (e.g., example.com), without protocol (https://). Required if using a custom domain different from your IDaaS tenant's hostname. */
rpId?: string;
/** The transport methods used during registration (e.g., 'usb', 'nfc', 'ble', 'internal'). Used to determine authenticator capabilities. */
transports?: string[];
/** Flag indicating if the userId was stored on the registered FIDO2 token. Defaults to false if not set. */
userIdStored?: boolean;
};
type FidoToken = {
/** The AAGUID of the authenticator that created this FIDO token. */
aaguid?: string;
/** Indicates whether the AAGUID reported by the authenticator was cryptographically verified via a full certificate chain against the FIDO MDS trust anchors. True only for DIRECT attestation; false for INDIRECT (cert chain not verified); null for NONE (no attestation collected). */
aaguidVerified?: boolean;
/** The signature algorithm of the authenticator that created this FIDO token. */
algorithm?: string;
/** Administration actions that can be performed on this FIDO token. */
allowedActions?: ("DELETE" | "ENABLE" | "DISABLE" | "RENAME")[];
/** Attestation format of the authenticator that created this FIDO token. */
attestationFormat?: string;
/** Indicates if this FIDO token contains attested data. */
attestedData?: boolean;
/** The authenticator model of the authenticator that created this FIDO token. */
authenticatorModel?: string;
/** Indicates if this FIDO token is eligible for backup. */
backupEligible?: boolean;
/** Indicates if this FIDO token is currently backed up. */
backupStatus?: boolean;
/** The date on which the FIDO token was created. */
createDate?: string;
/** The icon of the authenticator that created this FIDO token. */
icon?: string;
/** The unique UUID assigned to the fido token when it is registered. */
id?: string;
/** The date on which this FIDO token was last used for authentication. This value will be null if the FIDO token has never been used. */
lastUsedDate?: string;
/** The name of this FIDO token. */
name?: string;
/** The origin of where the FIDO token was generated. */
origin?: string;
/** The relying party ID of where the FIDO token was generated. */
relyingPartyId?: string;
/** The state of this FIDO token. Only FIDO tokens in the ACTIVE state can be used for authentication. */
state?: "ACTIVE" | "INACTIVE";
/** The user Id of the user who owns this FIDO token. */
userId?: string;
/** Indicates if the userId was stored on the FIDO token. */
userIdStored?: boolean;
/** Indicates if the user was present during the registration or authentication ceremony that created or last used this FIDO token. */
userPresent?: boolean;
/** The UUID of the user who owns this FIDO token. */
userUUID?: string;
/** Indicates if the user was verified during the registration or authentication ceremony that created or last used this FIDO token. */
userVerified?: boolean;
};
type FidoTokenParms = {
/** The name of this FIDO token. */
name?: string;
/** The state of this FIDO token. Only FIDO tokens in the ACTIVE state can be used for authentication. */
state?: "ACTIVE" | "INACTIVE";
};
type FidoTokenDetails = {
/** Authenticator Attestation GUID. */
aaguid?: string;
/** Indicates whether the AAGUID reported by the authenticator was cryptographically verified via a full certificate chain against the FIDO MDS trust anchors. True only for DIRECT attestation; false for INDIRECT (cert chain not verified); null for NONE (no attestation collected). */
aaguidVerified?: boolean;
/** Cryptographic algorithm used by the token. */
algorithm?: string;
/** Model name of the authenticator. */
authenticatorModel?: string;
/** Type of authenticator device. */
authenticatorType?: string;
/** Whether the credential is eligible for backup. */
backupEligible?: boolean;
/** Current backup state of the credential. */
backupStatus?: boolean;
/** FIDO certification status. */
certificationStatus?: string;
/** Timestamp when the token was registered. */
createDate?: string;
/** Cryptographic strength in bits. */
cryptoStrength?: number;
/** Base64-encoded icon for the authenticator. */
icon?: string;
/** Unique identifier of the FIDO token. */
id?: string;
/** Methods used to protect the authenticator's private key (e.g., software, hardware, TEE, secure element). */
keyProtection?: string[];
/** Timestamp when the token was last used for authentication. */
lastUsedDate?: string;
/** Protection mechanisms for the biometric matcher component (e.g., software, TEE, on-chip). */
matcherProtection?: string[];
/** Name of the FIDO token. */
name?: string;
/** FIDO protocol family. */
protocolFamily?: string;
/** Relying Party ID associated with the token. */
rpId?: string;
/** Current state of the token. */
state?: "ACTIVE" | "INACTIVE";
/** Supported transport protocols. */
transports?: string[];
/** User ID of the token owner. */
userId?: string;
/** Whether user presence was confirmed during registration. */
userPresent?: boolean;
/** Whether user verification was performed during registration. */
userVerified?: boolean;
};
type FidoTokensPage = {
paging?: Paging;
/** A single page with the list of fido tokens found. */
results: FidoTokenDetails[];
};
type EmailParms = {
/** The name of the user attribute to use for email delivery. If not provided, the system-defined email attribute will be used. */
emailAttributeName?: string;
};
type GridCreateParms = {
emailParms?: EmailParms;
/** If provided, the given grid contents are used for the new Grid Card. The grid contents must match the grid settings for grid size, grid cell size and cell alphabet. The administrator must have the GRIDCONTENTS:ADD permission to set the grid contents. This argument is ignored when creating unassigned grids. */
gridContent?: string[][];
/** When creating unassigned grids the list of UUIDs of groups to which the grids will belong. If not specified, the grids will not belong to any groups. */
groups?: string[];
/** The number of grids to create when creating unassigned grids. If not specified, it defaults to 1. */
numberOfGrids?: number;
/** If provided, the given grid serial number is used for the new Grid Card. */
serialNumber?: number;
/** The state (ACTIVE, INACTIVE, or PENDING) of the new grid. If not specified, the state defaults to PENDING. This argument is ignored when creating unassigned grids. */
state?: "ACTIVE" | "INACTIVE" | "UNASSIGNED" | "PENDING" | "CANCELED";
};
type Grid = {
/** A list of what actions are currently allowed for this grid. */
allowedActions?: ("CANCEL" | "DELETE" | "ENABLE" | "DISABLE" | "ASSIGN" | "UNASSIGN")[];
/** For unassigned grids which were assigned to the user, the date on which the grid was assigned. */
assignDate?: string;
/** The date on which the grid was created. */
createDate?: string;
/** A flag indicating if this grid is currently expired. */
expired?: boolean;
/** If the grid policy defines an expiry date, the date on which this grid will expire. Expired grids cannot be used for authentication. */
expiryDate?: string;
/** The grid contents of this grid. Only administrators with the GRIDCONTENTS:VIEW permission will receive this value. */
gridContents?: string[][];
/** The UUIDs of groups to which this grid belongs. This value is only used for unassigned grids. Only groups to which the current administrator has access will be returned. */
groups?: string[];
/** The unique UUID assigned to the grid when it is created. */
id?: string;
/** The date on which this grid was last used for authentication. This value will be null if the grid has never been used. */
lastUsedDate?: string;
/** The unique numeric serial number assigned to the grid when it is created. */
serialNumber?: number;
/** The state of this grid. Only grids in the ACTIVE or PENDING state can be used for authentication. */
state?: "ACTIVE" | "INACTIVE" | "UNASSIGNED" | "PENDING" | "CANCELED";
/** The UUID of the user who owns this grid. If the grid is not assigned, this value will be null. */
userId?: string;
/** The user Id for this user. If the grid is not assigned, this value will be null. */
userName?: string;
};
type GridProperties = {
/** The maximum number of unassigned grids that can be created per request. */
maxGridGeneratePerRequest?: number;
/** The maximum number of unassigned grids that are allowed in the system. */
maxGridTotalUnassigned?: number;
};
type GridExport = {
/** Grid information formatted as a base64 encoded String. Formatting options are controlled in grid authenticator settings. */
content?: string;
};
type GridAssignParms = {
emailParms?: EmailParms;
/** When an end user is assigning a grid to themselves, this attribute specifies a grid challenge response proving that the user has possession of the grid being assigned. */
response?: string;
/** When the user to which a grid is to be assigned is known, this attribute specifies the serial number of the grid that will be assigned. */
serialNumber?: string;
/** When the specified grid is known, this attribute specifies the user Id or user alias of the user to which the grid will be assigned. */
userId?: string;
};
type GridsPage = {
paging?: Paging;
/** A single page from the list of GRIDs found. */
results: Grid[];
};
type Group = {
/** The attribute of this group. */
attribute?: string;
/** When the group was created. */
created?: string;
/** Whether the directory group is desynced. Desynced groups can be deleted. */
directoryDesynced?: boolean;
/** The externalId of this group. */
externalId?: string;
/** The UUID of this group. This value is generated when the group is created. */
id?: string;
/** When the group was last modified. */
lastModified?: string;
/** The name of this group. */
name: string;
/** The type of group indicating if this group was synchronized from a directory (LDAP_AD) or was created in Identity as a Service (MGMT_UI). */
"type"?: "LDAP_AD" | "MGMT_UI";
};
type GroupParms = {
/** The optional attribute of this group. Specify an empty string to remove the existing value of the attribute. */
attribute?: string;
/** The optional externalId of this group. Specify an empty string to remove the existing value of the externalId. */
externalId?: string;
/** The name of this group. This value is required when creating a group. */
name?: string;
};
type GroupId = {
/** The name or externalId of a group. */
id: string;
};
type GroupsPage = {
paging?: Paging;
/** A single page from the list of Groups found. */
results: Group[];
};
type IdentityProviderExternalGroupMapping = {
/** The external group name/ID returned from the identity provider. */
externalGroupId: string;
/** The Authorization Group UUID this external group maps to. */
groupId: string;
/** The UUID of the identity provider external group mapping. This value is generated once the mapping is created. */
id?: string;
/** The ID of the identity provider this external group mapping belongs to. */
identityProviderId?: string;
};
type OidcIdentityProviderAttributeMapping = {
/** The name of the claim being mapped. This value must be provided when creating or modifying an attribute mapping. */
claim: string;
/** The UUID of the OIDC identity provider attribute mapping. */
id?: string;
/** The UUID of the OIDC identity provider the attribute mapping belongs to. */
oidcIdentityProviderId?: string;
userAttribute?: UserAttribute;
/** The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying an attribute mapping. */
userAttributeId: string;
};
type OidcIdentityProviderUserAuthMatchMapping = {
/** The name of the claim being mapped. This value must be provided when creating or modifying a user authentication match mapping. */
claim: string;
/** The UUID of the OIDC identity provider user authentication match mapping. */
id?: string;
/** The UUID of the OIDC identity provider the user authentication match mapping belongs to. */
oidcIdentityProviderId?: string;
userAttribute?: UserAttribute;
/** The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user authentication match mapping. */
userAttributeId: string;
};
type OidcIdentityProviderUserVerMatchMapping = {
/** The name of the claim being mapped. This value must be provided when creating or modifying a user verification match mapping. */
claim: string;
/** The UUID of the OIDC identity provider user verification match mapping. */
id?: string;
/** The UUID of the OIDC identity provider the user verification match mapping belongs to. */
oidcIdentityProviderId?: string;
userAttribute?: UserAttribute;
/** The UUID of the IDaaS user attribute being mapped to. This value must be provided when creating or modifying a user verification match mapping. */
userAttributeId: string;
};
type OidcIdentityProvider = {
/** The space separated list of authentication context request values to request as part of the external OIDC identity provider user authentication or user verification request. */
acrValues?: string;
/** The space separated list of authentication method request values to request as part of the external OIDC identity provider user authentication or user verification request. */
amrValues?: string;
/** A flag indicating if the external OIDC identity provider can be used for user authentication. */
authenticationEnabled?: boolean;
/** The authorization endpoint for the external OIDC identity provider. */
authorizationEndpoint?: string;
/** The URI of the logo to display on the login button for this external OIDC identity provider. */
buttonImage?: string;
/** The unique text to display on the login button for this external OIDC identity provider. */
buttonText?: string;
/** The client authentication method to use with the external OIDC identity provider. */
clientAuthenticationMethod?: "CLIENT_SECRET_BASIC" | "CLIENT_SECRET_POST";
/** The client identifier provided by the external OIDC identity provider. */
clientId?: string;
/** The client secret provided by the external OIDC identity provider. Currently this value is not returned. */
clientSecret?: string;
/** A flag indicating if the user should be created after authenticating to the external OIDC identity provider if it doesn't exist. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true. */
createUser?: boolean;
/** A flag indicating if this is the tenant's default identity provider. This value applies only to non-domain based identity providers. Only one identity provider can be set as the default at a time. */
defaultProvider?: boolean;
/** The space separated list of domains associated with the external OIDC identity provider for use with user authentication. */
domains?: string;
/** The association between a group claim returned from the external OIDC identity provider and authorization groups. This mapping is used to associate OIDC identity provider external groups when a user is created or modified based on user authentication or when it is modified based on an external OIDC identity provider user verification. This value can only be set if createUser, updateUser, or updateVerificationUser is true and groupMapping is present. */
externalGroupMappings?: IdentityProviderExternalGroupMapping[];
/** The value of user fields that need to be set the external OIDC identity provider when acquiring user information. This value is used with a TWITTER IDP. */
fields?: string;
/** The UUIDs of groups that will be assigned to users created after an external OIDC identity provider user authentication. An empty list means the user will be assigned to All Groups. If configured, the full set of groups must be configured. This value is used if createUser is true. */
groupIds?: string[];
/** The association between a specified claim returned from the external OIDC identity provider and IDaaS groups. This mapping is used to associated IDaaS groups when a user is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true. */
groupMapping?: string;
/** The UUID of the external OIDC identity provider. */
id?: string;
/** The space separated list of id token claims to request as part of the external OIDC identity provider user authentication or user verification request. */
idTokenClaims?: string;
/** The issuer URI for the external OIDC identity provider. */
issuer?: string;
/** The JWKS URI endpoint for the external OIDC identity provider used to verify a token signature. */
jwksUri?: string;
/** The max age to request as part of the external OIDC identity provider user authentication or user verification request. If -1, the value will not be included in the request. */
maxAge?: number;
/** The unique name of the external OIDC identity provider. */
name?: string;
/** The UUIDs of organizations that will be assigned to users created after an external OIDC identity provider user authentication. If configured, the full set of organizations must be configured. This value is used if createUser is true. */
organizationIds?: string[];
/** A flag indicating if the user information endpoint of the external OIDC identity provider should be signed and verified. */
requireUserinfoSignature?: boolean;
/** The revocation endpoint for the external OIDC identity provider. */
revocationEndpoint?: string;
/** The UUID of the role that will be assigned to users created after an external OIDC identity provider user authentication. An empty string means the user will not be assigned a role by default. This role acts as the default if role mapping is empty. This value can only be set if createUser is true. */
roleId?: string;
/** The association between a specified claim returned from the external OIDC identity provider and an IDaaS role. This mapping is used to associated an IDaaS role when a user is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. This value is used if createUser, updateUser, or updateVerificationUser is true. */
roleMapping?: string;
/** The space separated list of scopes to request as part of the external OIDC identity provider user authentication or user verification request. */
scopes?: string;
/** The token endpoint for the external OIDC identity provider. */
tokenEndpoint?: string;
/** The type of the external OIDC identity provider. Once created, this value cannot be updated. */
"type"?: "FACEBOOK" | "GENERIC" | "GOOGLE" | "IDV" | "MICROSOFT" | "SP" | "TWITTER";
/** A flag indicating if the user should be updated after authenticating to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if authenticationEnabled is true. */
updateUser?: boolean;
/** A flag indicating if the user should be updated after user verification to the external OIDC identity provider if it exists. The user attributes specified by the userAttributeMappings attribute are used to populate the user in IDaaS. This value is used if verificationEnabled is true. */
updateUserVerification?: boolean;
/** The IDaaS user attribute ID used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true. */
userAttributeId?: string;
/** The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to populate user attributes when it is created or modified based on an external OIDC identity provider user authentication or when it is modified based on an external OIDC identity provider user verification. If configured, the full set of mappings must be configured. This value is used if createUser, updateUser, or updateVerificationUser is true. */
userAttributeMappings?: OidcIdentityProviderAttributeMapping[];
/** The association between the claims returned from the external OIDC identity provider and IDaaS user attributes. These attributes are used to match an existing IDaaS user based on an external OIDC identity provider user authentication. If configured, the full set of mappings must be configured. This value is used if authenticationEnabled is true. */
userAuthMatchMappings?: OidcIdentityProviderUserAuthMatchMapping[];
/** The external OIDC identity provider claim used to find IDaaS users associated with an external OIDC identity provider user authentication. This value is used if authenticationEnabled is true. */
userClaim?: