applications
Creates, updates, deletes, gets or lists an applications resource.
Overview
Name | applications |
Type | Resource |
Id | okta.apps.applications |
Fields
The following fields are returned by SELECT queries:
- list_applications
- get_application
Name | Datatype | Description |
---|---|---|
id | string | Unique ID for the app instance |
_embedded | object | Embedded resources related to the app using the JSON Hypertext Application Language specification. If the expand=user/{userId} query parameter is specified, then the assigned Application User is embedded. |
_links | object | Discoverable resources related to the app |
accessibility | object | Specifies access settings for the app |
created | string (date-time) | Timestamp when the application object was created |
features | array | Enabled app features. Note: See Application Features for app provisioning features. |
label | string | User-defined display name for app |
lastUpdated | string (date-time) | Timestamp when the application object was last updated |
licensing | object | Licenses for the app |
orn | string | The Okta resource name (ORN) for the current app instance |
profile | object | Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps). For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language getFilteredGroups function. Notes: profile isn't encrypted, so don't store sensitive data in it. profile doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance. |
signOnMode | string | Authentication mode for the app. Valid values: AUTO_LOGIN: Secure Web Authentication (SWA); BASIC_AUTH: HTTP Basic Authentication with Okta Browser Plugin; BOOKMARK: Just a bookmark (no-authentication); BROWSER_PLUGIN: Secure Web Authentication (SWA) with Okta Browser Plugin; OPENID_CONNECT: Federated Authentication with OpenID Connect (OIDC); SAML_1_1: Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps); SAML_2_0: Federated Authentication with SAML 2.0 WebSSO; SECURE_PASSWORD_STORE: Secure Web Authentication (SWA) with POST (plugin not required); WS_FEDERATION: Federated Authentication with WS-Federation Passive Requestor Profile. Select the signOnMode for your custom app: |
status | string | App instance status |
universalLogout | object | Universal Logout properties for the app. These properties are only returned and can't be updated. (example: ACTIVE) |
visibility | object | Specifies visibility settings for the app |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_applications | select | subdomain | q, after, useOptimization, limit, filter, expand, includeNonDeleted | Lists all apps in the org with pagination. A subset of apps can be returned that match a supported filter expression or query. The results are [paginated](https://developer.okta.com/docs/api#pagination) according to the limit parameter. If there are multiple pages of results, the header contains a next link. Treat the link as an opaque value (follow it, don't parse it). Note: To list all of a member's assigned app links, use the List all assigned app links endpoint in the User Resources API. |
get_application | select | subdomain | expand | Retrieves an application from your Okta organization by id |
create_application | insert | subdomain, data__signOnMode, data__label | activate, OktaAccessGateway-Agent | Creates an app instance in your Okta org. You can either create an OIN app instance or a custom app instance. OIN app instances have prescribed name (key app definition) and signOnMode options. See the OIN schemas for the request body. For custom app instances, select the signOnMode that pertains to your app and specify the required parameters in the request body. |
replace_application | replace | subdomain, data__signOnMode, data__label | | Replaces properties for an application. Notes: All required properties must be specified in the request body. You can't modify system-assigned properties, such as id, name, status, created, and lastUpdated. The values for these properties in the PUT request body are ignored. |
delete_application | delete | subdomain | | Deletes an inactive application |
activate_application | exec | subdomain | | Activates an inactive application |
deactivate_application | exec | subdomain | | Deactivates an active application. Note: Deactivating an app triggers a full reconciliation of all users assigned to the app by groups. This reconcile process removes the app assignment for the deactivated app, and might also correct assignments that were supposed to be removed but failed previously. |
upload_application_logo | exec | subdomain, file | | Uploads a logo for the app instance. If the app already has a logo, this operation replaces the previous logo. The logo is visible in the Admin Console as an icon for your app instance. If you have one appLink object configured, this logo also appears in the End-User Dashboard as an icon for your app. Note: If you have multiple appLink objects, use the Admin Console to add logos for each app link. You can't use the API to add logos for multiple app links. |
assign_application_policy | exec | subdomain | | Assigns an app to an authentication policy, identified by policyId. If the app was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by policyId. Note: When you merge duplicate authentication policies, the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email with merged results. |
preview_samlmetadata_for_application | exec | kid, subdomain | | Previews the SSO SAML metadata for an application |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
kid | string | |
subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
OktaAccessGateway-Agent | string | |
activate | boolean | Executes activation lifecycle operation when creating the app |
after | string | Specifies the [pagination](https://developer.okta.com/docs/api#pagination) cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship. |
expand | string | An optional query parameter to return the specified Application User in the _embedded property. Valid value: expand=user/{userId} |
filter | string | Filters apps by status, user.id, group.id, credentials.signing.kid or name expression that supports the eq operator |
includeNonDeleted | boolean | Specifies whether to include non-active, but not deleted apps in the results |
limit | integer (int32) | Specifies the number of results per page |
q | string | Searches for apps with name or label properties that start with the q value using the startsWith operation |
useOptimization | boolean | Specifies whether to use query optimization. If you specify useOptimization=true in the request query, the response contains a subset of app instance properties. |
SELECT examples
- list_applications
- get_application
Lists all apps in the org with pagination. A subset of apps can be returned that match a supported filter expression or query. The results are [paginated](https://developer.okta.com/docs/api#pagination) according to the limit parameter. If there are multiple pages of results, the header contains a next link. Treat the link as an opaque value (follow it, don't parse it).
> Note: To list all of a member's assigned app links, use the List all assigned app links endpoint in the User Resources API.
```sql
SELECT
  id,
  _embedded,
  _links,
  accessibility,
  created,
  features,
  label,
  lastUpdated,
  licensing,
  orn,
  profile,
  signOnMode,
  status,
  universalLogout,
  visibility
FROM okta.apps.applications
WHERE subdomain = '{{ subdomain }}' -- required
  AND q = '{{ q }}'
  AND after = '{{ after }}'
  AND useOptimization = '{{ useOptimization }}'
  AND limit = '{{ limit }}'
  AND filter = '{{ filter }}'
  AND expand = '{{ expand }}'
  AND includeNonDeleted = '{{ includeNonDeleted }}';
```
Retrieves an application from your Okta organization by id
```sql
SELECT
  id,
  _embedded,
  _links,
  accessibility,
  created,
  features,
  label,
  lastUpdated,
  licensing,
  orn,
  profile,
  signOnMode,
  status,
  universalLogout,
  visibility
FROM okta.apps.applications
WHERE subdomain = '{{ subdomain }}' -- required
  AND expand = '{{ expand }}';
```
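The Fields table notes that profile isn't encrypted, has no nesting limit and should stay under 1 MB. The following added example (not part of the provider's documentation) audits rows exported from a list_applications query for those three conditions; the row shape, the key-name pattern and the sample rows are assumptions constructed for illustration.

```python
import json
import re

# Heuristic for credential-like key names (an assumption of this example).
SECRET_KEY_RE = re.compile(
    r"password|passwd|secret|token|api[_-]?key|private[_-]?key", re.I)
MAX_PROFILE_BYTES = 1_000_000  # the page's 1 MB guidance, taken as 10^6 bytes


def walk(node, path=""):
    """Yield (path, key, value) for every key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def audit_profiles(rows):
    """Return (app id, location, reason) findings; values are never echoed."""
    findings = []
    for row in rows:
        profile = row.get("profile")
        if isinstance(profile, str):  # accept JSON text or a parsed object
            profile = json.loads(profile) if profile.strip() else None
        if not profile:
            continue
        size = len(json.dumps(profile).encode("utf-8"))
        if size > MAX_PROFILE_BYTES:
            findings.append((row["id"], "profile", f"{size} bytes, over 1 MB"))
        for path, key, value in walk(profile):
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                findings.append((row["id"], path, "secret-like key with a value"))
    return findings


# Constructed sample rows shaped like SELECT id, label, profile output.
SAMPLE_ROWS = [
    {"id": "0oaEXAMPLE1", "label": "Payroll", "profile":
        '{"contact": "owner@example.com", "integration": {"apiKey": "not-a-real-key"}}'},
    {"id": "0oaEXAMPLE2", "label": "Wiki",
     "profile": {"groupAllowlist": ["Eng", "Ops"]}},
    {"id": "0oaEXAMPLE3", "label": "Legacy", "profile": None},
]

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_ROWS):
        print(finding)
```

Findings carry only the app id and the path inside profile, so the report itself does not copy the suspected secret.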
INSERT examples
- create_application
- Manifest
Creates an app instance in your Okta org.
You can either create an OIN app instance or a custom app instance:
* OIN app instances have prescribed name (key app definition) and signOnMode options. See the OIN schemas for the request body.
* For custom app instances, select the signOnMode that pertains to your app and specify the required parameters in the request body.
```sql
INSERT INTO okta.apps.applications (
  data__accessibility,
  data__label,
  data__licensing,
  data__profile,
  data__signOnMode,
  data__visibility,
  subdomain,
  activate,
  OktaAccessGateway-Agent
)
SELECT
  '{{ accessibility }}',
  '{{ label }}', -- required
  '{{ licensing }}',
  '{{ profile }}',
  '{{ signOnMode }}', -- required
  '{{ visibility }}',
  '{{ subdomain }}',
  '{{ activate }}',
  '{{ OktaAccessGateway-Agent }}'
RETURNING
  id,
  _embedded,
  _links,
  accessibility,
  created,
  features,
  label,
  lastUpdated,
  licensing,
  orn,
  profile,
  signOnMode,
  status,
  universalLogout,
  visibility
;
```
```yaml
# Description fields are for documentation purposes
- name: applications
  props:
    - name: subdomain
      value: string
      description: Required parameter for the applications resource.
    - name: accessibility
      value: object
      description: >
        Specifies access settings for the app
    - name: label
      value: string
      description: >
        User-defined display name for app
    - name: licensing
      value: object
      description: >
        Licenses for the app
    - name: profile
      value: object
      description: >
        Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps).
        For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function.
        > **Notes:**
        > * `profile` isn't encrypted, so don't store sensitive data in it.
        > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance.
    - name: signOnMode
      value: string
      description: >
        Authentication mode for the app
        | signOnMode | Description |
        | ---------- | ----------- |
        | AUTO_LOGIN | Secure Web Authentication (SWA) |
        | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin |
        | BOOKMARK | Just a bookmark (no-authentication) |
        | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin |
        | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) |
        | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) |
        | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO |
        | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) |
        | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile |
        Select the `signOnMode` for your custom app:
      valid_values: ['AUTO_LOGIN', 'BASIC_AUTH', 'BOOKMARK', 'BROWSER_PLUGIN', 'OPENID_CONNECT', 'SAML_1_1', 'SAML_2_0', 'SECURE_PASSWORD_STORE', 'WS_FEDERATION']
    - name: visibility
      value: object
      description: >
        Specifies visibility settings for the app
    - name: activate
      value: boolean
      description: Executes activation lifecycle operation when creating the app
    - name: OktaAccessGateway-Agent
      value: string
```
REPLACE examples
- replace_application
Replaces properties for an application
> Notes:
> * All required properties must be specified in the request body
> * You can't modify system-assigned properties, such as id, name, status, created, and lastUpdated. The values for these properties in the PUT request body are ignored.
```sql
REPLACE okta.apps.applications
SET
  data__accessibility = '{{ accessibility }}',
  data__label = '{{ label }}',
  data__licensing = '{{ licensing }}',
  data__profile = '{{ profile }}',
  data__signOnMode = '{{ signOnMode }}',
  data__visibility = '{{ visibility }}'
WHERE
  subdomain = '{{ subdomain }}' -- required
  AND data__signOnMode = '{{ signOnMode }}' -- required
  AND data__label = '{{ label }}' -- required
RETURNING
  id,
  _embedded,
  _links,
  accessibility,
  created,
  features,
  label,
  lastUpdated,
  licensing,
  orn,
  profile,
  signOnMode,
  status,
  universalLogout,
  visibility;
```
DELETE examples
- delete_application
Deletes an inactive application
```sql
DELETE FROM okta.apps.applications
WHERE subdomain = '{{ subdomain }}'; -- required
```
Lifecycle Methods
- activate_application
- deactivate_application
- upload_application_logo
- assign_application_policy
- preview_samlmetadata_for_application
Activates an inactive application
```sql
EXEC okta.apps.applications.activate_application
@subdomain='{{ subdomain }}'; -- required
```
Deactivates an active application
> Note: Deactivating an app triggers a full reconciliation of all users assigned to the app by groups. This reconcile process removes the app assignment for the deactivated app, and might also correct assignments that were supposed to be removed but failed previously.
```sql
EXEC okta.apps.applications.deactivate_application
@subdomain='{{ subdomain }}'; -- required
```
Uploads a logo for the app instance. If the app already has a logo, this operation replaces the previous logo. The logo is visible in the Admin Console as an icon for your app instance. If you have one appLink object configured, this logo also appears in the End-User Dashboard as an icon for your app.
> Note: If you have multiple appLink objects, use the Admin Console to add logos for each app link.
> You can't use the API to add logos for multiple app links.
```sql
EXEC okta.apps.applications.upload_application_logo
@subdomain='{{ subdomain }}' -- required
@@json=
'{
"file": "{{ file }}"
}';
```
Assigns an app to an authentication policy, identified by policyId. If the app was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by policyId.
> Note: When you merge duplicate authentication policies, the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email with merged results.
```sql
EXEC okta.apps.applications.assign_application_policy
@subdomain='{{ subdomain }}'; -- required
```
Previews the SSO SAML metadata for an application
```sql
EXEC okta.apps.applications.preview_samlmetadata_for_application
@kid='{{ kid }}', -- required
@subdomain='{{ subdomain }}'; -- required
```