Creates an OpenID Connect (OIDC) identity provider (IdP) to configure a trust relationship between Alibaba Cloud and an external IdP.

Prerequisites

Before you call this operation, make sure that the information such as the URL of the issuer, the fingerprints of HTTPS certificates, and the client IDs are obtained from an external IdP, such as Google G Suite or Okta.

Limits

  • You can create a maximum of 100 OIDC IdPs in an Alibaba Cloud account.
  • You can add a maximum of 20 client IDs to an OIDC IdP.
  • You can add a maximum of five fingerprints to an OIDC IdP.

Description

This topic provides an example on how to create an IdP named TestOIDCProvider to configure a trust relationship between the external IdP Okta and Alibaba Cloud.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateOIDCProvider

The operation that you want to perform. Set the value to CreateOIDCProvider.

OIDCProviderName String Yes TestOIDCProvider

The name of the OIDC IdP.

The name can contain letters, digits, and special characters and cannot start or end with the special characters. The special characters are periods, (.), hyphens (-), and underscores (_).

The name can be up to 128 characters in length.

IssuerUrl String Yes https://dev-xxxxxx.okta.com

The URL of the issuer, which is provided by the external IdP Okta. The URL of the issuer must be unique within an Alibaba Cloud account.

The URL of the issuer must start with https and be in the valid URL format. The URL cannot contain query parameters that follow a question mark (?) or logon information that is identified by at signs (@). The URL cannot be a fragment URL that contains number signs (#).

The URL can be up to 255 characters in length.

Description String No This is an OIDC Provider.

The description of the OIDC IdP.

The description can be up to 256 characters in length.

ClientIds String No 498469743454717****

The ID of the client, which is provided by the external IdP Okta. If you want to specify multiple client IDs, separate the client IDs with commas (,).

The client ID can contain letters, digits, and special characters and cannot start with the special characters. The special characters are periods, (.), hyphens (-), underscores (_), colons (:), and forward slashes (/).

The client ID can be up to 64 characters in length.

Fingerprints String No 902ef2deeb3c5b13ea4c3d5193629309e231****

The fingerprint of the HTTPS certificate, which is provided by the external IdP Okta. If you want to specify multiple fingerprints, separate the fingerprints with commas (,).

The fingerprint can contain letters and digits.

The fingerprint can be up to 40 characters in length.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
RequestId String 64B11B41-636D-51E3-A39B-C8703CD2218C

The ID of the request.

OIDCProvider Object

The information about the OIDC IdP.

UpdateDate String 2021-11-11T06:56:03Z

The time when the OIDC IdP was modified. The time is displayed in UTC.

Description String This is an OIDC Provider.

The description of the OIDC IdP.

OIDCProviderName String TestOIDCProvider

The name of the OIDC IdP.

CreateDate String 2021-11-11T06:56:03Z

The time when the OIDC IdP was created. The time is displayed in UTC.

Arn String acs:ram::177242285274****:oidc-provider/TestOIDCProvider

The Alibaba Cloud Resource Name (ARN) of the OIDC IdP.

IssuerUrl String https://dev-xxxxxx.okta.com

The URL of the issuer.

Fingerprints String 902ef2deeb3c5b13ea4c3d5193629309e231****

The fingerprint of the HTTPS certificate.

ClientIds String 498469743454717****

The ID of the client.

GmtCreate String 1636613763000

The timestamp when the OIDC IdP was created.

GmtModified String 1636613763000

The timestamp when the OIDC IdP was modified.

Examples

Sample requests

https://[Endpoint]/?Action=CreateOIDCProvider
&OIDCProviderName=TestOIDCProvider
&IssuerUrl=https://dev-xxxxxx.okta.com
&Description=This is an OIDC Provider.
&ClientIds=498469743454717****
&Fingerprints=902ef2deeb3c5b13ea4c3d5193629309e231****
&<Common request parameters>

Sample success responses

XML format 

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateOIDCProviderResponse>
    <RequestId>64B11B41-636D-51E3-A39B-C8703CD2218C</RequestId>
    <OIDCProvider>
        <UpdateDate>2021-11-11T06:56:03Z</UpdateDate>
        <Description>This is an OIDC Provider.</Description>
        <OIDCProviderName>TestOIDCProvider</OIDCProviderName>
        <CreateDate>2021-11-11T06:56:03Z</CreateDate>
        <Arn>acs:ram::177242285274****:oidc-provider/TestOIDCProvider</Arn>
        <IssuerUrl>https://dev-xxxxxx.okta.com</IssuerUrl>
        <Fingerprints>902ef2deeb3c5b13ea4c3d5193629309e231****</Fingerprints>
        <ClientIds>498469743454717****</ClientIds>
        <GmtCreate>1636613763000</GmtCreate>
        <GmtModified>1636613763000</GmtModified>
    </OIDCProvider>
</CreateOIDCProviderResponse>

JSON format 

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "64B11B41-636D-51E3-A39B-C8703CD2218C",
  "OIDCProvider" : {
    "UpdateDate" : "2021-11-11T06:56:03Z",
    "Description" : "This is an OIDC Provider.",
    "OIDCProviderName" : "TestOIDCProvider",
    "CreateDate" : "2021-11-11T06:56:03Z",
    "Arn" : "acs:ram::177242285274****:oidc-provider/TestOIDCProvider",
    "IssuerUrl" : "https://dev-xxxxxx.okta.com",
    "Fingerprints" : "902ef2deeb3c5b13ea4c3d5193629309e231****",
    "ClientIds" : "498469743454717****",
    "GmtCreate" : "1636613763000",
    "GmtModified" : "1636613763000"
  }
}

Error codes

For a list of error codes, visit the API Error Center.