Overview
Identity Providers
An Identity Provider is a named object that provides configuration to describe an external and/or social identity provider. This configuration will be used to perform an alternative login to the standard FusionAuth local login. FusionAuth currently supports a number of different identity provider types:
- Apple
- Epic Games - requires a paid edition.
- External JWT
- HYPR
- Nintendo - requires a paid edition.
- OpenID Connect
- SAML v2
- SAML v2 IdP Initiated - requires a paid edition.
- Sony PlayStation Network - requires a paid edition.
- Steam - requires a paid edition.
- Twitch - requires a paid edition.
- Xbox - requires a paid edition.
The type of the identity provider will determine the object’s properties as well as the validation that is performed. You can click into any of the identity provider API docs to get a list of that identity provider’s properties.
To learn how to configure these Identity Providers using the FusionAuth UI, go here Identity Providers.
Link APIs
The way a link is established between an identity provider and FusionAuth is determined by the linkingStrategy for each identity provider. An API is provided to manually link and unlink a user to a 3rd party identity provider. To learn more about managing links between FusionAuth and a 3rd party identity provider, see the Link APIs.
Global Operations
Retrieve all Identity Providers
Request
Response
Response Codes| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
The response JSON might include different types of identity providers. Therefore, you should refer to the documentation for each type of identity provider to determine the response JSON format for that particular type. Each type has a Retrieve section in its documentation. This format will be the same format used by this API.
identityProvidersArrayThe list of Identity Provider objects.
Example Response JSON
{
"identityProviders": [
{
"claimMap": {
"first_name": "firstName",
"last_name": "lastName",
"dept": "RegistrationData"
},
"domains": [
"acme.com",
"acme.org"
],
"headerKeyParameter": "kid",
"id": "a4e78daa-33a6-4844-b081-7779af1f09a4",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "Acme Corp. ADFS",
"oauth2": {
"authorization_endpoint": "https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect",
"token_endpoint": "https://acme.com/adfs/oauth2/token"
},
"type": "ExternalJWT",
"uniqueIdentityClaim": "email"
},
{
"appId": "385572258114379",
"applicationConfiguration": {
"1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
"createRegistration": true,
"enabled": true
}
},
"buttonText": "Login with Facebook",
"client_secret": "72417eb5aa454ef2373b361d721cb074",
"enabled": true,
"fields": "email",
"id": "56abdcc7-8bd9-4321-9621-4e9bbebae494",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "Facebook",
"permissions": "email,profile_image",
"type": "Facebook"
},
{
"applicationConfiguration": {
"1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
"createRegistration": true,
"enabled": true
}
},
"buttonText": "Login with Google",
"client_id": "254311943570-8e2i2hds0qdnee4124socceeh2q2mtjl.apps.googleusercontent.com",
"client_secret": "BRr7x7xz_-cXxIFznBDIdxF1",
"enabled": true,
"id": "82339786-3dff-42a6-aac6-1f1ceecb6c46",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "Google",
"scope": "profile",
"type": "Google"
},
{
"applicationConfiguration": {
"1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
"createRegistration": true,
"enabled": true
}
},
"buttonText": "Login with Twitter",
"consumerKey": "24iuleLRKIZUNhxuuUK6yDZwb",
"consumerSecret": "e2ZpAaAfxv2j9eeh6JTeNcXMWdVLjRNriXm4wSZt1f1Ss3Syp4",
"enabled": true,
"id": "45bb233c-0901-4236-b5ca-ac46e2e0a5a5",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "Twitter",
"type": "Twitter"
}
]
}Search for Identity Providers
This API has been available since 1.45.0
This API is used to search for Identity Providers and may be called using the GET or POST HTTP methods. Examples of each are provided below. The POST method is provided to allow for a richer request object without worrying about exceeding the maximum length of a URL. Calling this API with either the GET or POST HTTP method will provide the same search results given the same query parameters.
Request
Request Parameters
applicationIdUUIDRestricts the results to Identity Providers enabled for the given Application.
nameStringThe case-insensitive string to search for in the Identity Provider name. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.
numberOfResultsIntegerDefaults to 25The number of results to return from the search.
orderByStringDefaults to name ASCThe field to order the search results as well as an order direction.
The possible values are:
enabled- whether the identity provider is enabled globallyid- the unique Id of the Identity ProviderinsertInstant- the instant when the Identity Provider was createdname- the Identity Provider nametype- the type of the Identity Provider
The order direction is optional. Possible values of the order direction are ASC or DESC. If omitted, the default sort order is ASC.
For example, to order the results by the insert instant in a descending order, use insertInstant DESC.
startRowIntegerDefaults to 0The offset into the total results. In order to paginate the results, increment this value by the numberOfResults for subsequent requests.
For example, if the total search results are greater than the page size designated by numberOfResults , set this value to 25 to retrieve results 26-50, assuming the default page size.
typeStringThe type of Identity Provider to return.
The possible values are:
AppleEpicGamesExternalJWTFacebookGoogleHYPRLinkedInNintendoOpenIDConnectSAMLv2SAMLv2IdPInitiatedSonyPSNSteamTwitchTwitterXbox
When calling the API using a POST request you will send the search criteria in a JSON request body.
Request Body
search.applicationIdUUIDRestricts the results to Identity Providers enabled for the given Application.
search.nameStringThe case-insensitive string to search for in the Identity Provider name. This can contain wildcards using the asterisk character (*). If no wildcards are present, this parameter value will be interpreted as *value*.
search.numberOfResultsIntegerDefaults to 25The number of results to return from the search.
search.orderByStringDefaults to name ASCThe field to order the search results as well as an order direction.
The possible values are:
enabled- whether the identity provider is enabled globallyid- the unique Id of the Identity ProviderinsertInstant- the instant when the Identity Provider was createdname- the Identity Provider nametype- the type of the Identity Provider
The order direction is optional. Possible values of the order direction are ASC or DESC. If omitted, the default sort order is ASC.
For example, to order the results by the insert instant in a descending order, use insertInstant DESC.
search.startRowIntegerDefaults to 0The offset into the total results. In order to paginate the results, increment this value by the numberOfResults for subsequent requests.
For example, if the total search results are greater than the page size designated by numberOfResults , set this value to 25 to retrieve results 26-50, assuming the default page size.
search.typeStringThe type of Identity Provider to return.
The possible values are:
AppleEpicGamesExternalJWTFacebookGoogleHYPRLinkedInNintendoOpenIDConnectSAMLv2SAMLv2IdPInitiatedSonyPSNSteamTwitchTwitterXbox
Example Request JSON
{
"search": {
"applicationId": "1c212e59-0d0e-6b1a-ad48-f4f92793be32",
"name": "twit",
"numberOfResults": 25,
"orderBy": "insertInstant",
"startRow": 0
}
}Response
The response for this API contains the Identity Providers matching the search criteria in paginated format and the total number of results matching the search criteria.
Response Codes| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Response Body
The response JSON might include different types of identity providers. Therefore, you should refer to the documentation for each type of identity provider to determine the response JSON format for that particular type. Each type has a Retrieve section in its documentation. This format will be the same format used by this API.
identityProvidersArrayThe list of Identity Provider objects.
totalIntegerThe total number of Identity Providers matching the search criteria. Use this value along with the numberOfResults and startRow in the search request to perform pagination.
Example Response JSON
{
"identityProviders": [
{
"applicationConfiguration": {
"1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
"createRegistration": true,
"enabled": true
}
},
"buttonText": "Login with Twitter",
"consumerKey": "24iuleLRKIZUNhxuuUK6yDZwb",
"consumerSecret": "e2ZpAaAfxv2j9eeh6JTeNcXMWdVLjRNriXm4wSZt1f1Ss3Syp4",
"enabled": true,
"id": "45bb233c-0901-4236-b5ca-ac46e2e0a5a5",
"insertInstant": 1595361142909,
"lastUpdateInstant": 1595361143101,
"name": "Twitter",
"type": "Twitter"
}
],
"total": 1
}Lookup an Identity Provider
The Lookup API is intended to be used during an external login workflow.
For example, you might build your own login page. This page might collect the user’s email as the first step. That email address can be sent to this API to determine which identity provider was designated as the provider for this email address. If the identity provider is an OpenID Connect provider, then you might redirect the user over to that provider.
Request
Request Parameters
domainStringrequiredThe email domain or the full email address of the user.
For example,
jenny@acme.comandacme.comare functionally equivalent.
Response
The Lookup response is a subset of the Identity Provider configuration that would be returned by the normal identity provider retrieve operation. A 200 response code indicates the domain is managed and the response will contain a JSON body, a 404 response code indicates it is not managed by a configured Identity Provider.
| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 404 | The requested domain is not being managed by a configured Identity Provider. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
Example Response JSON
identityProvider.applicationIdsArray<UUID>Available since 1.16.0The list of Application Ids that are enabled for this Identity Provider.
identityProvider.idUUIDThe unique Id of the Identity Provider.
identityProvider.idpEndpointStringAvailable since 1.16.0The configured SAML v2 endpoint. This value will only be returned for a SAML v2 Identity Provider. This may be used to aid in building the SAML request so that it does not need to be hard coded in your application.
identityProvider.insertInstantLongThe instant that the provider was added to the FusionAuth database.
identityProvider.lastUpdateInstantLongThe instant that the provider was updated in the FusionAuth database.
identityProvider.nameStringThe name of the Identity Provider.
identityProvider.oauth2.authorization_endpointStringThe OAuth2 Authorize endpoint. This may be used to as the redirect location to begin the authorize workflow so that it does not need to be hard coded in your application.
identityProvider.oauth2.token_endpointStringThe OAuth2 Token endpoint. This may be used during your integration so that this URI does not need to be hard coded in your application.
Example Response JSON for an ExternalJWT or OpenID Connect IdP
{
"identityProvider": {
"applicationIds": [
"0d5244df-053c-4ff6-b2db-1e04c388dae3"
],
"id": "a4e78daa-33a6-4844-b081-7779af1f09a4",
"name": "Acme Corp. ADFS OpenID Connect",
"oauth2": {
"authorization_endpoint": "https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect",
"token_endpoint": "https://acme.com/adfs/oauth2/token"
}
}
}Example Response JSON for a SAML v2 IdP
{
"identityProvider": {
"applicationIds": [
"0d5244df-053c-4ff6-b2db-1e04c388dae3"
],
"id": "d94f81eb-287b-466a-ac6a-fb29c83f598c",
"idpEndpoint": "https://login.microsoftonline.com/475bffef-4669-4e64-8f6c-b1ff41f16242/saml2",
"name": "Acme Corp. SAML v2 ADFS"
}
}