Updates the OpenID Connect federation configuration.

put

https://{tenanturl}/v1.0/oidc/federation

Modify federation settings for this tenant.

Entitlements required: manageFederations (Manage federations)

Recent Requests

Time	Status	User Agent
Retrieving recent requests…

Loading…

Body Params

Federation settings

issuerHostname

string

required

Host name used for the JWT issuer. It must be the tenant host name or one of the vanity host names. The full issuer string will be https://{issuerHostname}/oidc/endpoint/default

idTokenLifetime

object

required

sendExtendedAttributes

boolean

Add extended attributes to the 'ext' claim in ID token or user info.

jwtValidationTimeSkewInSeconds

int32

Time skew for JWT 'iat', 'exp' and 'nbf' validation in seconds. Maximum 300, minimum 0. Default is 0.

enforceClientAuthOnDeviceAuthEndpoint

boolean

Whether to enforce client authentication on device authorization endpoint.

deviceFlowPollingInterval

object

deviceFlowCodeLifetime

object

extraMetadataAttributes

object

Top level attributes for well-known endpoint to override the existing attribute.

excludeJWKSCertificateChain

boolean

Setting to exclude 'x5c' in JWKS.

excludeJWKSCertificateThumbprint

boolean

Setting to exclude 'x5t' and 'x5t#S256' in JWKS.

mtlsEndpointBaseURI

string

Base URL for MTLS endpoints. This must include the protocol scheme like https.

defaultSigningKey

string

Default signing key for JWT.

defaultEncryptionKey

string

Default encryption key for JWT.

refreshTokenFaultToleranceLifetime

object

refreshTokenFaultToleranceOption

string

enum

Refresh token fault tolerance option.

Allowed:

tokenExchangeIdTokenToleranceWindow

object

exchangeForSSOSessionOption

string

enum

Options to exchange token for SSO session. When this is not set, token exchange for SSO session will be allowed.

Allowed:

rotatedSecretLifetime

int32

Default lifetime in days for rotated client secrets.

clientSecretLength

int32

Auto-generated client secret length. Default to 10 if not provided.

scopeToClaimsMap

object

Scope to claims mapping. This map configures which claims should be produced in ID token or user info for a particular scope.

switchToNew

boolean

Setting to fully switch to new OIDC implementation.

clientAssertionAudienceOption

string

enum

Option for how client assertion's audience is validated. 'issuer_only' allows only for the issuer value to be in the audience claim and expects the claim to be a string instead of an array. This is the recommended option. 'legacy' allows for issuer, token endpoint, or the endpoint where this client assertion is being used on in the audience claim, as per RFC 7523. When not set, the default value is 'legacy'.

Allowed:

allowPlainPKCE

boolean

Indicates whether plain PKCE is allowed. Default is true.

parDefaultLifetime

int32

Pushed authorization requests default lifetime.

Responses

204

The federation configuration was updated.

403

Access was forbidden.

Language

URL

Loading…

Response

Choose an example:

*/*

400The request was invalid.

409Conflicting modifications. Try again later.

500An internal server error occurred.