Configure external identity providers for single sign-on and list available provider types.

GET /auth/identity-provider-types

List available identity provider types

Returns a list of identity provider types that organizations can configure. Only enabled and visible providers are returned.

Responses

A list of identity provider types is returned.

application/json
JSON
{
  "items": [
    {
      "id": "keycloak",
      "name": "string",
      "description": "string",
      "providerType": "string",
      "capabilities": {
        "dcr": {
          "supported": true,
          "requiresToken": true,
          "tokenType": "string"
        },
        "requiresClientSecret": true
      },
      "metadata": {
        "documentationUrl": "string",
        "logoUrl": "string",
        "setupComplexity": "string",
        "vendorType": "string",
        "defaultIssuer": "string",
        "issuerTemplate": "string"
      },
      "enabled": true,
      "visible": true,
      "displayOrder": 0,
      "createdAt": "string",
      "updatedAt": "string"
    }
  ]
}

GET /auth/idps

List identity providers

Returns a paginated list of all identity providers configured for the organization, including their type, status, and issuer information.

Authorization

Organization API Key (header: LakeSail-Organization-Id)

Parameters

limit (integer)

The maximum number of items to list.

Type: integer
Format: "int32"
Minimum: 0
Maximum: 100
Default: 100

marker (string)

The pagination token returned from the previous list operation.

Type: string

Responses

A list of identity providers is returned.

application/json
JSON
{
  "items": [
    {
      "id": "A1B2C3D4E5",
      "identityProviderTypeId": "keycloak",
      "name": "Production Cluster",
      "config": {
        "oidc": {
          "issuer": "string",
          "clientId": "string",
          "clientSecretConfigured": true,
          "scopes": [
            "string"
          ]
        }
      }
    }
  ],
  "marker": "string"
}

POST /auth/idps

Create an identity provider

Configures a new external identity provider (e.g. Okta, Azure AD, Google Workspace) for single sign-on. Users can then authenticate through this provider to access the organization.

Request Body

application/json
JSON
{
  "identityProviderTypeId": "keycloak",
  "name": "Production Cluster",
  "configWrite": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecret": "string",
      "scopes": [
        "string"
      ]
    }
  }
}

Responses

The identity provider was created successfully.

application/json
JSON
{
  "id": "A1B2C3D4E5",
  "identityProviderTypeId": "keycloak",
  "name": "Production Cluster",
  "config": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecretConfigured": true,
      "scopes": [
        "string"
      ]
    }
  },
  "configWrite": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecret": "string",
      "scopes": [
        "string"
      ]
    }
  },
  "createdAt": "string",
  "createdBy": "A1B2C3D4E5",
  "updatedAt": "string",
  "updatedBy": "A1B2C3D4E5"
}

POST /auth/idps/auto-setup

Auto-setup identity provider

Discovers the OIDC configuration from the provider's base URL and automatically
registers LakeSail as an OAuth client using Dynamic Client Registration (RFC 7591).

The provider URL must be a fully-qualified URL including the scheme (http:// or https://).

Note: Not all identity providers support Dynamic Client Registration. The endpoint
will return an error if the provider does not support it.

Request Body

application/json
JSON
{
  "name": "Company SSO",
  "providerUrl": "https://keycloak.example.com/realms/myrealm",
  "providerType": "okta",
  "initialAccessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Responses

Identity provider was successfully auto-configured.

application/json
JSON
{
  "id": "A1B2C3D4E5",
  "identityProviderTypeId": "keycloak",
  "name": "Production Cluster",
  "config": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecretConfigured": true,
      "scopes": [
        "string"
      ]
    }
  }
}

GET /auth/idps/{idp}

Describe an identity provider

Returns the configuration details of an identity provider, including its type, issuer URL, and client settings.

Authorization

Organization API Key (header: LakeSail-Organization-Id)

Responses

The information about the identity provider is returned.

application/json
JSON
{
  "id": "A1B2C3D4E5",
  "identityProviderTypeId": "keycloak",
  "name": "Production Cluster",
  "config": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecretConfigured": true,
      "scopes": [
        "string"
      ]
    }
  },
  "configWrite": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecret": "string",
      "scopes": [
        "string"
      ]
    }
  },
  "createdAt": "string",
  "createdBy": "A1B2C3D4E5",
  "updatedAt": "string",
  "updatedBy": "A1B2C3D4E5"
}

DELETE /auth/idps/{idp}

Delete an identity provider

Removes an identity provider configuration. Users who authenticated exclusively through this provider will need an alternative sign-in method.

Responses

The requested operation completed successfully.

PATCH /auth/idps/{idp}

Update an identity provider

Modifies an identity provider's configuration, such as its display name, issuer URL, or client settings. Changes take effect for subsequent sign-in attempts.

Request Body

application/json
JSON
{
  "name": "Production Cluster",
  "configWrite": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecret": "string",
      "scopes": [
        "string"
      ]
    }
  }
}

Responses

The identity provider was updated successfully.

application/json
JSON
{
  "id": "A1B2C3D4E5",
  "identityProviderTypeId": "keycloak",
  "name": "Production Cluster",
  "config": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecretConfigured": true,
      "scopes": [
        "string"
      ]
    }
  }
}

POST /auth/idps/{idp}/rotate-secret

Rotate an identity provider's client secret

Updates the client secret for an identity provider. The new secret must be obtained
from the identity provider's admin console first.

Request Body

application/json
JSON
{
  "clientSecret": "string"
}

Responses

The client secret was rotated successfully.

application/json
JSON
{
  "id": "A1B2C3D4E5",
  "identityProviderTypeId": "keycloak",
  "name": "Production Cluster",
  "config": {
    "oidc": {
      "issuer": "string",
      "clientId": "string",
      "clientSecretConfigured": true,
      "scopes": [
        "string"
      ]
    }
  }
}

POST /auth/idps/{idp}/test-connection

Test an identity provider connection

Validates the identity provider configuration by attempting to discover and fetch
the OIDC configuration from the provider's well-known endpoint.

Responses

The connection test result.

application/json
JSON
{
  "success": true,
  "message": "string",
  "details": {
    "issuer": "string",
    "endpoints": {
      "authorization": "string",
      "token": "string",
      "userinfo": "string",
      "jwks": "string",
      "endSession": "string"
    },
    "backchannelLogoutSupported": true,
    "backchannelLogoutSessionSupported": true,
    "frontchannelLogoutSupported": true,
    "scopesSupported": [
      "string"
    ],
    "claimsSupported": [
      "string"
    ]
  }
}
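
An offline pre-flight check an administrator could run on a provider's discovery document before calling auto-setup or test-connection, covering the issuer match, endpoint schemes and Dynamic Client Registration support. This is an added example, not LakeSail code; the sample document, the function names and the mapping to the `details` fields are assumptions.

```python
from urllib.parse import urlsplit

BASE = "https://keycloak.example.com/realms/myrealm"
# Constructed discovery document (sample data, not from a real provider).
SAMPLE = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "registration_endpoint": BASE + "/clients-registrations/openid-connect",
    "backchannel_logout_supported": True,
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(provider_url):
    """Well-known URL per OpenID Connect Discovery 1.0, after checking the scheme."""
    parts = urlsplit(provider_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("providerUrl must be fully qualified, including the scheme")
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(provider_url, doc):
    """Return findings for a fetched discovery document; an empty list means none."""
    findings = [f"missing {k}" for k in REQUIRED if not doc.get(k)]
    # Discovery requires the advertised issuer to equal the URL that was queried;
    # a mismatch means tokens would carry an issuer other than the one configured.
    # Trailing slashes are ignored here as a leniency (assumption).
    if str(doc.get("issuer", "")).rstrip("/") != provider_url.rstrip("/"):
        findings.append("issuer does not match providerUrl")
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri")) and urlsplit(str(value)).scheme != "https":
            findings.append(f"{key} is not https")
    if not doc.get("registration_endpoint"):
        findings.append("no registration_endpoint (RFC 7591 registration unavailable)")
    return findings


def to_details(doc):
    """Assumed mapping from discovery metadata to the test-connection `details` fields."""
    names = {"authorization": "authorization_endpoint", "token": "token_endpoint",
             "userinfo": "userinfo_endpoint", "jwks": "jwks_uri",
             "endSession": "end_session_endpoint"}
    return {
        "issuer": doc.get("issuer"),
        "endpoints": {out: doc.get(src) for out, src in names.items()},
        "backchannelLogoutSupported": bool(doc.get("backchannel_logout_supported")),
        "scopesSupported": doc.get("scopes_supported", []),
    }
```

A non-empty result from `check_discovery` is worth resolving before registering the provider, since an issuer mismatch or a plain-http token endpoint affects every later sign-in.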