signing_keys
Creates, updates, deletes, gets or lists a signing_keys resource.
Overview
| Name | signing_keys |
|---|---|
| Type | Resource |
| Id | okta.idps.signing_keys |
Fields
The following fields are returned by SELECT queries. Both list_identity_provider_signing_keys and get_identity_provider_signing_key return the same set of fields:

| Name | Datatype | Description |
|---|---|---|
| created | string (date-time) | Timestamp when the object was created (example: 2016-01-03T18:15:47.000Z) |
| e | string | The exponent value for the RSA public key (example: AQAB) |
| expiresAt | string (date-time) | Timestamp when the object expires (example: 2016-01-03T18:15:47.000Z) |
| kid | string | Unique identifier for the key (example: your-key-id) |
| kty | string | Identifies the cryptographic algorithm family used with the key (example: RSA) |
| lastUpdated | string (date-time) | Timestamp when the object was last updated (example: 2016-01-03T18:15:47.000Z) |
| n | string | The modulus value for the RSA public key (example: 101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747) |
| use | string | Intended use of the public key (example: sig) |
| x5c | array | Base64-encoded X.509 certificate chain with DER encoding |
| x5t#S256 | string | Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate (example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE) |
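The fields above describe one IdP signing key credential. As an added example (not code from the StackQL or Okta documentation), the following Python performs the checks a defender would run over such a record before trusting it: it recomputes x5t#S256 from the first x5c entry, decodes n to measure the RSA modulus size, and compares expiresAt against a supplied timestamp. It assumes a 2048-bit policy floor (MIN_RSA_BITS), accepts n either as the decimal string the table shows or as base64url, and uses a constructed sample record whose certificate bytes are a stand-in rather than a real DER certificate.

```python
# Added example (not part of the StackQL or Okta documentation): sanity checks
# a defender would run over a signing-key record returned by
#   SELECT ... FROM okta.idps.signing_keys
# before trusting the key. Only the Python standard library is used.
import base64
import hashlib
from datetime import datetime, timedelta

MIN_RSA_BITS = 2048  # assumption: local policy floor for RSA modulus size


def b64url_nopad(raw: bytes) -> str:
    """Base64url-encode without '=' padding, the encoding used for x5t#S256."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t_s256(x5c_first: str) -> str:
    """Recompute x5t#S256: base64url(SHA-256(DER certificate)).
    x5c entries are standard (not url-safe) base64 of the DER bytes."""
    der = base64.b64decode(x5c_first)
    return b64url_nopad(hashlib.sha256(der).digest())


def modulus_to_int(n: str) -> int:
    """The fields table shows n as a decimal string; JWKs normally carry it as
    base64url. Assumption: treat an all-digit value as decimal, else base64url."""
    if n.isdigit():
        return int(n)
    padded = n + "=" * (-len(n) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def parse_ts(ts: str) -> datetime:
    """Parse the YYYY-MM-DDTHH:MM:SS.mmmZ timestamps used by created/expiresAt."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_signing_key(key: dict, now_iso: str, warn_days: int = 30) -> list:
    """Return a list of findings; an empty list means every check passed.
    now_iso is passed in (same timestamp format) so results are reproducible."""
    now = parse_ts(now_iso)
    findings = []
    if key.get("kty") != "RSA":
        findings.append(f"unexpected kty {key.get('kty')!r}")
    if key.get("use") != "sig":
        findings.append(f"use is {key.get('use')!r}, expected 'sig'")
    x5c = key.get("x5c") or []
    if not x5c:
        findings.append("x5c is empty; thumbprint cannot be verified")
    elif key.get("x5t#S256") != x5t_s256(x5c[0]):
        findings.append("x5t#S256 does not match SHA-256 of x5c[0]")
    if key.get("n"):
        bits = modulus_to_int(key["n"]).bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
    if key.get("expiresAt"):
        expires = parse_ts(key["expiresAt"])
        if expires <= now:
            findings.append(f"key expired at {key['expiresAt']}")
        elif expires - now < timedelta(days=warn_days):
            findings.append(f"key expires within {warn_days} days ({key['expiresAt']})")
    return findings


# Constructed sample record. FAKE_DER is a stand-in for real DER certificate
# bytes, so only the x5t#S256 relationship (not certificate contents) is real.
FAKE_DER = b"constructed-der-bytes-for-example-only"
SAMPLE_KEY = {
    "kid": "your-key-id",
    "kty": "RSA",
    "use": "sig",
    "e": "AQAB",
    "n": str((1 << 2047) | 1),  # constructed 2048-bit odd integer, decimal form
    "x5c": [base64.b64encode(FAKE_DER).decode("ascii")],
    "x5t#S256": b64url_nopad(hashlib.sha256(FAKE_DER).digest()),
    "created": "2016-01-03T18:15:47.000Z",
    "lastUpdated": "2016-01-03T18:15:47.000Z",
    "expiresAt": "2026-01-03T18:15:47.000Z",
}

if __name__ == "__main__":
    for line in check_signing_key(SAMPLE_KEY, "2025-06-01T00:00:00.000Z") or ["ok"]:
        print(line)
```

Feed each row of the SELECT result into check_signing_key; a non-empty list is a key that should not be wired into an IdP's signing credential until the finding is understood. The thumbprint check matters most: if x5t#S256 and x5c disagree, the record has been altered or mis-assembled somewhere between Okta and the consumer.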
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| list_identity_provider_signing_keys | select | subdomain | | Lists all signing key credentials for an identity provider (IdP) |
| get_identity_provider_signing_key | select | subdomain | | Retrieves a specific identity provider (IdP) key credential by kid |
| generate_identity_provider_signing_key | insert | validityYears, subdomain | | Generates a new X.509 certificate for an identity provider (IdP) signing key credential to be used for signing assertions sent to the IdP. IdP signing keys are read-only. Note: To update an IdP with the newly generated key credential, update your IdP using the returned key's kid in the signing credential. |
| clone_identity_provider_key | exec | targetIdpId, subdomain | | Clones an X.509 certificate for an identity provider (IdP) signing key credential from a source IdP to a target IdP. Caution: Sharing certificates isn't a recommended security practice. Note: If the key is already present in the list of key credentials for the target IdP, you receive a 400 error response. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| subdomain | string | The domain of your organization. This can be a provided subdomain of an official Okta domain (okta.com, oktapreview.com, etc.) or one of your configured custom domains. (default: my-org) |
| targetIdpId | string | ID of the target IdP |
| validityYears | integer (int32) | Expiry of the IdP key credential, in years |
SELECT examples

list_identity_provider_signing_keys: Lists all signing key credentials for an identity provider (IdP)

```sql
SELECT
created,
e,
expiresAt,
kid,
kty,
lastUpdated,
n,
use,
x5c,
x5t#S256
FROM okta.idps.signing_keys
WHERE subdomain = '{{ subdomain }}' -- required
;
```

get_identity_provider_signing_key: Retrieves a specific identity provider (IdP) key credential by kid

```sql
SELECT
created,
e,
expiresAt,
kid,
kty,
lastUpdated,
n,
use,
x5c,
x5t#S256
FROM okta.idps.signing_keys
WHERE subdomain = '{{ subdomain }}' -- required
;
```
INSERT examples

generate_identity_provider_signing_key: Generates a new X.509 certificate for an identity provider (IdP) signing key credential to be used for signing assertions sent to the IdP. IdP signing keys are read-only.

> Note: To update an IdP with the newly generated key credential, update your IdP using the returned key's kid in the signing credential.

```sql
INSERT INTO okta.idps.signing_keys (
validityYears,
subdomain
)
SELECT
'{{ validityYears }}',
'{{ subdomain }}'
RETURNING
created,
e,
expiresAt,
kid,
kty,
lastUpdated,
n,
use,
x5c,
x5t#S256
;
```

Manifest:

```yaml
# Description fields are for documentation purposes
- name: signing_keys
  props:
    - name: validityYears
      value: integer (int32)
      description: Required parameter for the signing_keys resource.
    - name: subdomain
      value: string
      description: Required parameter for the signing_keys resource.
```
Lifecycle Methods

clone_identity_provider_key: Clones an X.509 certificate for an identity provider (IdP) signing key credential from a source IdP to a target IdP

> Caution: Sharing certificates isn't a recommended security practice.
> Note: If the key is already present in the list of key credentials for the target IdP, you receive a 400 error response.

```sql
EXEC okta.idps.signing_keys.clone_identity_provider_key
@targetIdpId='{{ targetIdpId }}', -- required
@subdomain='{{ subdomain }}' -- required
;
```
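The caution above is easier to act on if shared certificates can be found after the fact. As an added example (not code from the StackQL or Okta documentation), the following Python takes signing-key listings gathered per IdP, such as the rows of list_identity_provider_signing_keys collected for each IdP, and reports any x5t#S256 thumbprint that appears under more than one IdP. The IdP identifiers and thumbprints in the sample are constructed for the example.

```python
# Added example (not part of the StackQL or Okta documentation): detect
# certificates shared between IdPs, which is what clone_identity_provider_key
# produces and what the documentation cautions against.
from collections import defaultdict


def shared_certificates(listings: dict) -> dict:
    """listings maps an IdP id to its list of key records (dicts carrying x5t#S256).
    Returns {thumbprint: sorted IdP ids} for thumbprints present in two or more IdPs."""
    seen = defaultdict(set)
    for idp_id, keys in listings.items():
        for key in keys:
            thumb = key.get("x5t#S256")
            if thumb:  # records without a thumbprint cannot be correlated
                seen[thumb].add(idp_id)
    return {thumb: sorted(ids) for thumb, ids in seen.items() if len(ids) > 1}


# Constructed sample: IdP ids and thumbprints are made up for this example.
SAMPLE_LISTINGS = {
    "idp-a": [
        {"kid": "key-a1", "x5t#S256": "THUMB-ONE"},
        {"kid": "key-a2", "x5t#S256": "THUMB-TWO"},
    ],
    "idp-b": [{"kid": "key-b1", "x5t#S256": "THUMB-ONE"}],
    "idp-c": [{"kid": "key-c1", "x5t#S256": "THUMB-THREE"}],
}

if __name__ == "__main__":
    for thumb, idps in shared_certificates(SAMPLE_LISTINGS).items():
        print(f"certificate {thumb} is shared by {', '.join(idps)}")
```

Keying on x5t#S256 rather than kid is deliberate: kid is assigned per IdP and can differ for the same certificate, while the thumbprint is derived from the certificate bytes themselves.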