identityprovider.v1


arista/identityprovider.v1/identityprovider.proto

OAuthConfig

OAuthConfig holds the configuration for an OAuth provider.

Fields:

key (OAuthKey)
key is the ID of the OAuth provider.

endpoint (google.protobuf.StringValue)
endpoint is the URL that identifies an OAuth authorization server. This endpoint is used to interact with the provider. It must be a URI [RFC3986] with a scheme component that must be https, a host component, and optionally, port and path components, but no query or fragment components.

client_id (google.protobuf.StringValue)
client_id is the ID that the OAuth authorization server issues to the registered client.

client_secret (google.protobuf.StringValue)
client_secret is the secret that the OAuth authorization server issues to the registered client.

algorithms (fmp.RepeatedString)
algorithms is the set of signing algorithms. This is an optional field. If specified, only this set of algorithms may be used to sign the JWT. Otherwise, this defaults to the set of algorithms that the provider supports.

link_to_shared_provider (google.protobuf.BoolValue)
link_to_shared_provider indicates whether or not to use the provider as a shared provider. This is an optional field and is set to false by default.

jwks_uri (google.protobuf.StringValue)
jwks_uri is where signing keys are downloaded. This is an optional field. It is only needed if the default construction from endpoint would be incorrect.

permitted_email_domains (fmp.RepeatedString)
permitted_email_domains are the domains of the email addresses that users are allowed to use. This is an optional field. If not set, all domains are accepted by default.

roles_scope_name (google.protobuf.StringValue)
roles_scope_name is the name of a scope tied to a claim that holds CloudVision roles in the ID Token. CloudVision uses scope values to specify what access privileges are being requested for the ID token. CloudVision appends this value to the scope query parameter in the authorization request URL. This is an optional field. If not set, CloudVision treats mapping roles from the provider as disabled. If it is set, roles_claim_name also needs to be set.

bearer_token_introspection_endpoint (google.protobuf.StringValue)
bearer_token_introspection_endpoint is the provider introspection endpoint used in Bearer Token based login support for CloudVision. This is an optional field. If specified, this endpoint is used to verify bearer tokens generated via the provider to log in automated user accounts.

roles_claim_name (google.protobuf.StringValue)
roles_claim_name is the name of a claim that holds CloudVision roles in the ID Token. CloudVision uses this value to look up roles in the ID Token. This is an optional field. If not set, CloudVision treats mapping roles from the provider as disabled. If it is set, roles_scope_name also needs to be set.
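The endpoint rule and the paired roles_scope_name/roles_claim_name requirement are easy to get wrong in automation that writes these configs. The following Python is an added example, not CloudVision code or the generated client: it validates an OAuthConfig before it is handed to Set, using plain dicts in place of the protobuf messages. Rejecting the "none" algorithm, refusing userinfo in the URL, holding jwks_uri and the introspection endpoint to the same URL rule as endpoint, and the "/authorize" path and base "openid" scope used when building the authorization request URL are assumptions of the example; the page states only the rule for endpoint and that roles_scope_name is appended to the scope parameter.

```python
"""Validate an OAuthConfig before calling Set (added example; plain dicts stand in
for the generated protobuf messages)."""
from urllib.parse import urlencode, urlsplit

# Rejecting the "none" (unsigned) algorithm is this example's assumption; the page only
# says the list restricts which algorithms may sign the JWT.
FORBIDDEN_ALGORITHMS = {"none"}


def check_endpoint(url: str) -> list:
    """Apply the endpoint rule from the OAuthConfig description: https scheme, a host,
    optionally port and path, no query or fragment. Returns a list of problems."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append("host component is required")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("port component is invalid")
    if parts.query:
        problems.append("query component is not allowed")
    if parts.fragment:
        problems.append("fragment component is not allowed")
    if parts.username or parts.password:
        problems.append("userinfo is not allowed")  # assumption: not stated on the page
    return problems


def validate_oauth_config(cfg: dict) -> list:
    """Return every consistency problem found; an empty list means the config is usable."""
    problems = []
    if not cfg.get("key", {}).get("provider_id"):
        problems.append("key.provider_id is required")
    for field in ("client_id", "client_secret"):
        if not cfg.get(field):
            problems.append(f"{field} is required")
    problems += [f"endpoint: {p}" for p in check_endpoint(cfg.get("endpoint") or "")]
    # Optional URL fields are held to the same rule as endpoint (assumption).
    for field in ("jwks_uri", "bearer_token_introspection_endpoint"):
        if cfg.get(field):
            problems += [f"{field}: {p}" for p in check_endpoint(cfg[field])]
    algorithms = cfg.get("algorithms") or []
    forbidden = FORBIDDEN_ALGORITHMS & {a.lower() for a in algorithms}
    if forbidden:
        problems.append(f"algorithms contains forbidden entries: {sorted(forbidden)}")
    # Role mapping needs both the scope name and the claim name, or neither.
    scope, claim = cfg.get("roles_scope_name"), cfg.get("roles_claim_name")
    if bool(scope) != bool(claim):
        problems.append("roles_scope_name and roles_claim_name must be set together")
    return problems


def role_mapping_enabled(cfg: dict) -> bool:
    """Role mapping is on only when both roles_scope_name and roles_claim_name are set."""
    return bool(cfg.get("roles_scope_name")) and bool(cfg.get("roles_claim_name"))


def authorization_request_url(cfg: dict, redirect_uri: str, state: str) -> str:
    """Build the authorization request URL, appending roles_scope_name to the scope
    parameter as the page describes. The "/authorize" path and the base "openid"
    scope are assumptions of this example."""
    scopes = ["openid"]
    if role_mapping_enabled(cfg):
        scopes.append(cfg["roles_scope_name"])
    query = urlencode({
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return cfg["endpoint"].rstrip("/") + "/authorize?" + query


# Constructed sample configuration; the names and URLs are illustrative only.
SAMPLE_CONFIG = {
    "key": {"provider_id": "example-idp"},
    "endpoint": "https://login.example.com:8443/oauth2",
    "client_id": "cloudvision-client",
    "client_secret": "constructed-secret-value",
    "algorithms": ["RS256", "ES256"],
    "roles_scope_name": "cv_roles",
    "roles_claim_name": "cv_roles",
}

if __name__ == "__main__":
    print(validate_oauth_config(SAMPLE_CONFIG))
    print(authorization_request_url(SAMPLE_CONFIG, "https://cv.example.com/callback", "xyz"))
```

Run the checks client-side before building the OAuthConfigSetRequest; the SetResponse only echoes what was stored, so an unpaired roles_claim_name or a query string in endpoint is cheaper to catch here than at login time.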

OAuthKey

OAuthKey contains OAuth provider ID.

Fields:

provider_id (google.protobuf.StringValue)
provider_id is the ID of the OAuth provider.

SAMLConfig

SAMLConfig holds the configuration for a SAML provider.

Fields:

key (SAMLKey)
key is the ID of the SAML provider.

idp_issuer (google.protobuf.StringValue)
idp_issuer identifies the SAML provider. There is no restriction on its format other than being a string that carries the issuer's name.

idp_metadata_url (google.protobuf.StringValue)
idp_metadata_url is the URL that CloudVision uses to fetch the SAML provider metadata.

authreq_binding (ProtocolBinding)
authreq_binding specifies the ProtocolBinding used to send the SAML authentication request to the SAML provider.

email_attrname (google.protobuf.StringValue)
email_attrname specifies the Attribute name for the email ID in the Assertion of the SAMLResponse from the SAML provider.

link_to_shared_provider (google.protobuf.BoolValue)
link_to_shared_provider indicates whether or not to use the provider as a shared provider. This is an optional field and is set to false by default.

permitted_email_domains (fmp.RepeatedString)
permitted_email_domains are the domains of the email addresses that users are allowed to use. This is an optional field. If not set, all domains are accepted by default.

force_saml_authn (google.protobuf.BoolValue)
force_saml_authn indicates whether or not to enable forced authentication in SAML login. This is an optional field. If not set, it defaults to false.

roles_attrname (google.protobuf.StringValue)
roles_attrname specifies the Attribute name for CloudVision roles in the Assertion of the SAMLResponse. This is an optional field. If not set, CloudVision treats mapping roles from the provider as disabled.

org_attrname (google.protobuf.StringValue)
org_attrname specifies the Attribute name for the CloudVision organization/tenant in the Assertion of the SAMLResponse. This is an optional field. CloudVision supports the use of certain shared SAML Identity Providers for authenticating users across multiple CloudVision organizations/tenants. When an organization uses a shared provider, CloudVision needs this attribute to determine whether the organization that the shared SAML Identity Provider is sending the assertion for is the same as the one the user requested to be logged into. For an existing CloudVision user, the user's email is used to determine which organization the user belongs to, and the same verification is performed from that. When dynamic user creation is needed because the user does not yet exist on CloudVision, the matching organization attribute from the shared Identity Provider becomes necessary. Dynamic user creation is disabled for an organization that uses a shared Identity Provider if this attribute is not specified.

username_attrname (google.protobuf.StringValue)
username_attrname specifies the Attribute name for CloudVision users' username in the Assertion of the SAMLResponse. This is an optional field as long as mapping roles from the provider is not enabled. Once role mapping is enabled, this field becomes mandatory.
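The attribute-name fields and link_to_shared_provider interact: roles_attrname makes username_attrname mandatory, and a shared provider without org_attrname cannot create users dynamically. The following Python is an added example, not CloudVision code: it checks those dependencies on a SAMLConfig, applies the permitted_email_domains rule that the OAuthConfig and SAMLConfig fields share, and models the organization check the org_attrname description walks through. Plain dicts stand in for the protobuf messages; treating the fields the page does not mark optional as required, exact (non-subdomain) domain matching, and letting a new user through a non-shared provider are assumptions of the example.

```python
"""SAMLConfig dependency checks and the login-time checks they drive (added example;
plain dicts stand in for the generated protobuf messages)."""
from typing import Optional, Tuple

# Fields the page does not mark optional are treated as required (assumption).
REQUIRED_FIELDS = ("idp_issuer", "idp_metadata_url", "email_attrname")
VALID_BINDINGS = ("PROTOCOL_BINDING_HTTP_POST", "PROTOCOL_BINDING_HTTP_REDIRECT")


def validate_saml_config(cfg: dict) -> list:
    """Return every consistency problem found; an empty list means the config is usable."""
    problems = []
    if not cfg.get("key", {}).get("provider_id"):
        problems.append("key.provider_id is required")
    for field in REQUIRED_FIELDS:
        if not cfg.get(field):
            problems.append(f"{field} is required")
    if cfg.get("authreq_binding") not in VALID_BINDINGS:
        problems.append("authreq_binding must be HTTP_POST or HTTP_REDIRECT")
    # Once roles_attrname enables role mapping, username_attrname becomes mandatory.
    if cfg.get("roles_attrname") and not cfg.get("username_attrname"):
        problems.append("username_attrname is mandatory when roles_attrname is set")
    return problems


def dynamic_user_creation_allowed(cfg: dict) -> bool:
    """A shared provider without org_attrname cannot create users dynamically."""
    return not (cfg.get("link_to_shared_provider") and not cfg.get("org_attrname"))


def email_domain(email: str) -> Optional[str]:
    """Normalized domain of an address, or None if malformed. Exactly one "@" is
    required so that "alice@evil.example@corp.example" cannot pass as corp.example."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.strip().rstrip(".").lower()


def email_permitted(email: str, permitted_domains) -> bool:
    """permitted_email_domains: unset means every domain is accepted; otherwise the
    domain must equal one entry. Subdomains do not match (assumption)."""
    if not permitted_domains:
        return True
    domain = email_domain(email)
    allowed = {d.strip().rstrip(".").lower() for d in permitted_domains}
    return domain is not None and domain in allowed


def resolve_login_org(cfg: dict, assertion_attrs: dict, requested_org: str,
                      known_users: dict) -> Tuple[bool, str]:
    """Decide whether an assertion may log the user into requested_org, following the
    org_attrname description: existing users are matched by email to their
    organization; a new user on a shared provider needs the org attribute, and
    without org_attrname configured creation is refused. known_users maps a
    lower-cased email to its organization (constructed stand-in for the datastore)."""
    email = assertion_attrs.get(cfg["email_attrname"])
    if not email or not email_permitted(email, cfg.get("permitted_email_domains")):
        return False, "email missing or domain not permitted"
    existing_org = known_users.get(email.lower())
    if existing_org is not None:
        return existing_org == requested_org, "existing user matched by email"
    if not cfg.get("link_to_shared_provider"):
        return True, "new user on a dedicated provider (assumption: allowed)"
    org_attr = cfg.get("org_attrname")
    if not org_attr:
        return False, "dynamic user creation disabled: org_attrname not configured"
    return assertion_attrs.get(org_attr) == requested_org, "new user on shared provider"


# Constructed sample data; names and URLs are illustrative only.
SAMPLE_CONFIG = {
    "key": {"provider_id": "shared-idp"},
    "idp_issuer": "https://idp.example.com/saml",
    "idp_metadata_url": "https://idp.example.com/saml/metadata",
    "authreq_binding": "PROTOCOL_BINDING_HTTP_POST",
    "email_attrname": "email",
    "link_to_shared_provider": True,
    "permitted_email_domains": ["corp.example"],
    "roles_attrname": "cv_roles",
    "org_attrname": "cv_org",
    "username_attrname": "uid",
}
KNOWN_USERS = {"alice@corp.example": "acme"}

if __name__ == "__main__":
    print(validate_saml_config(SAMPLE_CONFIG))
    print(resolve_login_org(SAMPLE_CONFIG, {"email": "carol@corp.example", "cv_org": "acme"},
                            "acme", KNOWN_USERS))
```

Note that for an existing user the email lookup decides the organization and the asserted org attribute is not consulted, which is why the domain check has to run first: an assertion whose email domain is outside permitted_email_domains never reaches the organization comparison.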

SAMLKey

SAMLKey contains SAML Provider ID.

Fields:

provider_id (google.protobuf.StringValue)
provider_id is the ID of the SAML provider.

ProtocolBinding

ProtocolBinding indicates SAML protocol binding to be used.

Values:

PROTOCOL_BINDING_UNSPECIFIED = 0
PROTOCOL_BINDING_UNSPECIFIED indicates that a protocol binding is unspecified.

PROTOCOL_BINDING_HTTP_POST = 1
PROTOCOL_BINDING_HTTP_POST indicates HTTP-POST SAML protocol binding.

PROTOCOL_BINDING_HTTP_REDIRECT = 2
PROTOCOL_BINDING_HTTP_REDIRECT indicates HTTP-Redirect SAML protocol binding.
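ProtocolBinding chooses how the authentication request reaches the provider, and force_saml_authn on SAMLConfig turns on the request's ForceAuthn attribute. The following Python is an added example, not CloudVision code: it builds a minimal AuthnRequest and encodes it for both bindings, HTTP-Redirect (raw DEFLATE, then base64, then URL-encoded as the SAMLRequest query parameter) and HTTP-POST (base64 in a form field), with decoders to check the round trip. The request XML, ID, timestamps and URLs are constructed for the example.

```python
"""Encode a SAML AuthnRequest for the HTTP-Redirect and HTTP-POST bindings (added
example, not CloudVision code; the XML is minimal and constructed)."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(request_id, issuer, destination, acs_url, issue_instant, force_authn):
    """Minimal AuthnRequest. force_authn sets ForceAuthn="true", which is what the
    force_saml_authn config field enables: the IdP must re-authenticate the user rather
    than reuse an existing IdP session."""
    attrs = {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query):
    """Inverse of encode_redirect, as the IdP would do on receipt."""
    raw = base64.b64decode(parse_qs(query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def redirect_url(sso_url, xml, relay_state=None):
    """Full redirect target: the IdP SSO URL with the encoded request appended."""
    separator = "&" if urlsplit(sso_url).query else "?"
    return sso_url + separator + encode_redirect(xml, relay_state)


def encode_post(xml, relay_state=None):
    """HTTP-POST binding: base64 only, carried in hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def decode_post(fields):
    """Inverse of encode_post."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")


def force_authn_requested(xml) -> bool:
    """Read the ForceAuthn attribute back from a decoded request."""
    return ET.fromstring(xml).get("ForceAuthn", "false").lower() == "true"


# Constructed sample values; the URLs and ID are illustrative only.
SAMPLE_XML = build_authn_request(
    request_id="_constructed-id-0001",
    issuer="https://cv.example.com/saml/metadata",
    destination="https://idp.example.com/sso",
    acs_url="https://cv.example.com/saml/acs",
    issue_instant="2024-01-01T00:00:00Z",
    force_authn=True,
)

if __name__ == "__main__":
    print(redirect_url("https://idp.example.com/sso", SAMPLE_XML, "cv-login"))
    print(encode_post(SAMPLE_XML)["SAMLRequest"][:40], "...")
```

The two bindings differ in where a signature would live: with HTTP-POST it is embedded in the XML as ds:Signature, while with HTTP-Redirect it travels as separate SigAlg and Signature query parameters computed over the encoded SAMLRequest, so a verifier must know which binding it is handling. HTTP-Redirect is also bounded by URL length, which is why larger requests tend to use POST.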


arista/identityprovider.v1/services.gen.proto

MetaResponse

Fields:

time (google.protobuf.Timestamp)
Time holds the timestamp of the last item included in the metadata calculation.

type (arista.subscriptions.Operation)
Operation indicates how the value in this response should be considered. Under non-subscribe requests, this value should always be INITIAL. In a subscription, once all initial data is streamed and the client begins to receive modification updates, you should not see INITIAL again.

count (google.protobuf.UInt32Value)
Count is the number of items present under the conditions of the request.

OAuthConfigDeleteAllRequest

Fields:

partial_eq_filter (repeated OAuthConfig)
PartialEqFilter provides a way to server-side filter a DeleteAll. This requires all provided fields to be equal to the response. A filtered DeleteAll will use GetAll with filter to find things to delete.
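The filter semantics (every provided field must equal the stored value, unset fields match anything) and the fact that DeleteAll runs a filtered GetAll are worth pinning down before automating deletes, because an empty filter matches every instance. The following Python is an added example, not CloudVision code or the generated client: it implements partial-equality matching over nested messages represented as plain dicts, runs a filtered GetAll over a constructed in-memory store, and wraps DeleteAll in a guard that refuses to run without a filter. Treating multiple filters as alternatives (any one may match), comparing repeated fields whole, and the guard itself are assumptions of the example; the same logic applies to the SAMLConfig request types later on the page.

```python
"""PartialEqFilter matching and a guarded DeleteAll (added example; plain nested dicts
stand in for the generated OAuthConfig/SAMLConfig messages)."""
import copy


def matches_partial_eq(filt: dict, value: dict) -> bool:
    """True when every field provided in filt equals the same field in value.
    Fields left unset (None) are wildcards. Nested messages are compared the same
    way, so {"key": {"provider_id": "x"}} pins only that sub-field. Repeated fields
    (lists) are compared whole, an assumption of this example."""
    for field, wanted in filt.items():
        if wanted is None:
            continue
        got = value.get(field)
        if isinstance(wanted, dict):
            if not isinstance(got, dict) or not matches_partial_eq(wanted, got):
                return False
        elif got != wanted:
            return False
    return True


def matches_any_filter(filters, value: dict) -> bool:
    """partial_eq_filter is repeated; a value passes if any one filter matches it
    (assumption: the page does not say how several filters combine). No filters
    means no filtering."""
    return not filters or any(matches_partial_eq(f, value) for f in filters)


def get_all(store: dict, filters) -> list:
    """Model of a filtered GetAll over the in-memory store."""
    return [v for _, v in sorted(store.items()) if matches_any_filter(filters, v)]


def delete_all(store: dict, filters, allow_unfiltered: bool = False) -> list:
    """Model of DeleteAll: find the instances with a filtered GetAll, then delete them.
    Refusing to run with no filter unless allow_unfiltered is passed is this example's
    guard, not part of the API. Returns the deleted provider IDs."""
    if not filters and not allow_unfiltered:
        raise ValueError("refusing DeleteAll without a partial_eq_filter")
    doomed = [v["key"]["provider_id"] for v in get_all(store, filters)]
    for provider_id in doomed:
        del store[provider_id]
    return doomed


def sample_store() -> dict:
    """Constructed OAuthConfig instances keyed by provider_id; values are illustrative."""
    return copy.deepcopy({
        "azure-shared": {"key": {"provider_id": "azure-shared"},
                         "endpoint": "https://login.example.net/tenant",
                         "link_to_shared_provider": True, "algorithms": ["RS256"]},
        "legacy": {"key": {"provider_id": "legacy"},
                   "endpoint": "https://legacy.example.com/oauth2",
                   "link_to_shared_provider": False, "algorithms": ["RS256", "HS256"]},
        "okta-prod": {"key": {"provider_id": "okta-prod"},
                      "endpoint": "https://okta.example.com/oauth2",
                      "link_to_shared_provider": True, "algorithms": ["RS256"]},
    })


if __name__ == "__main__":
    store = sample_store()
    print([v["key"]["provider_id"] for v in get_all(store, [{"link_to_shared_provider": True}])])
    print(delete_all(store, [{"endpoint": "https://legacy.example.com/oauth2"}]))
```

A practical habit that follows from the page's own description: run GetAll with the exact partial_eq_filter you intend to pass to DeleteAll and inspect the keys it returns before issuing the delete, since DeleteAll selects its victims with that same GetAll.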

OAuthConfigDeleteAllResponse

Fields:

type (fmp.DeleteError)
This describes the class of delete error. A DeleteAllResponse is only sent when there is an error.

error (google.protobuf.StringValue)
This indicates the error message from the delete failure.

key (OAuthKey)
This is the key of the OAuthConfig instance that failed to be deleted.

time (google.protobuf.Timestamp)
Time indicates the (UTC) timestamp when the key was being deleted.

OAuthConfigDeleteRequest

Fields:

key (OAuthKey)
Key indicates which OAuthConfig instance to remove. This field must always be set.

OAuthConfigDeleteResponse

Fields:

key (OAuthKey)
Key echoes back the key of the deleted OAuthConfig instance.

time (google.protobuf.Timestamp)
Time indicates the (UTC) timestamp at which the system recognizes the deletion. The only guarantees made about this timestamp are:
- it is after the time the request was received
- a time-ranged query with StartTime==DeletedAt will not include this instance.

OAuthConfigDeleteSomeRequest

Fields:

keys (repeated OAuthKey)
keys contains a list of OAuthConfig keys to delete.

OAuthConfigDeleteSomeResponse

OAuthConfigDeleteSomeResponse is only sent when there is an error.

Fields:

key (OAuthKey)

error (string)

OAuthConfigRequest

Fields:

key (OAuthKey)
Key uniquely identifies an OAuthConfig instance to retrieve. This value must be populated.

time (google.protobuf.Timestamp)
Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request.

OAuthConfigResponse

Fields:

value (OAuthConfig)
Value is the value requested. This structure will be fully populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values.

time (google.protobuf.Timestamp)
Time carries the (UTC) timestamp of the last modification of the OAuthConfig instance in this response.

OAuthConfigSetRequest

Fields:

value (OAuthConfig)
OAuthConfig carries the value to set into the datastore. See the documentation on the OAuthConfig struct for which fields are required.

OAuthConfigSetResponse

Fields:

value (OAuthConfig)
Value carries all the values given in the OAuthConfigSetRequest as well as any server-generated values.

time (google.protobuf.Timestamp)
Time indicates the (UTC) timestamp at which the system recognizes the creation. The only guarantees made about this timestamp are:
- it is after the time the request was received
- a time-ranged query with StartTime==CreatedAt will include this instance.

OAuthConfigSetSomeRequest

Fields:

values (repeated OAuthConfig)
values contains a list of OAuthConfig values to write. It is possible to provide more values than can fit within either:
- the maximum send size of the client
- the maximum receive size of the server
If this error occurs you must reduce the number of values sent. See the gRPC "maximum message size" documentation for more information.

OAuthConfigSetSomeResponse

Fields:

key (OAuthKey)

error (string)

OAuthConfigSomeRequest

Fields:

keys (repeated OAuthKey)

time (google.protobuf.Timestamp)
Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request.

OAuthConfigSomeResponse

Fields:

value (OAuthConfig)
Value is the value requested. This structure will be fully populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values.

error (google.protobuf.StringValue)
Error is an optional field. It should be filled when there is an error in the GetSome process.

time (google.protobuf.Timestamp)

OAuthConfigStreamRequest

Fields:

partial_eq_filter (repeated OAuthConfig)
PartialEqFilter provides a way to server-side filter a GetAll/Subscribe. This requires all provided fields to be equal to the response. While transparent to users, this field also allows services to optimize internal subscriptions if the filter(s) are sufficiently specific.

time (arista.time.TimeBounds)
TimeRange allows limiting response data to within a specified time window. If this field is populated, at least one of the two time fields is required. For GetAll, the fields start and end can be used as follows:
* end: Returns the state of each OAuthConfig at end. Each OAuthConfig response is fully specified (all fields set).
* start: Returns the state of each OAuthConfig at start, followed by updates until now. Each OAuthConfig response at start is fully specified, but updates may be partial.
* start and end: Returns the state of each OAuthConfig at start, followed by updates until end. Each OAuthConfig response at start is fully specified, but updates until end may be partial.
This field is not allowed in the Subscribe RPC.

OAuthConfigStreamResponse

Fields:

value (OAuthConfig)
Value is a value deemed relevant to the initiating request. This structure will always have its key field populated. Which other fields are populated, and why, depends on the value of Operation and what triggered this notification.

time (google.protobuf.Timestamp)
Time holds the timestamp of this OAuthConfig's last modification.

type (arista.subscriptions.Operation)
Operation indicates how the OAuthConfig value in this response should be considered. Under non-subscribe requests, this value should always be INITIAL. In a subscription, once all initial data is streamed and the client begins to receive modification updates, you should not see INITIAL again.
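The TimeBounds description and the StreamResponse description together define a contract: with start set, the client first receives a fully specified snapshot of every instance as of start (type INITIAL, time set to that instance's last modification) and then partial updates that carry the key field plus whatever changed. The following Python is an added example, not CloudVision code or the generated client: it replays a constructed modification history under the three start/end combinations and applies the resulting stream to a client-side cache, flagging any INITIAL that arrives after updates have begun. Using UPDATED and DELETED as the Operation values of the update records is an assumption; the page names only INITIAL.

```python
"""Replay a change history under TimeBounds and apply the stream to a cache (added
example; plain dicts stand in for the generated messages and the datastore)."""

# arista.subscriptions.Operation names used here. The page names INITIAL; UPDATED and
# DELETED for the update records are an assumption of this example.
INITIAL, UPDATED, DELETED = "INITIAL", "UPDATED", "DELETED"


def state_at(history, t):
    """Full state of every instance at time t, plus each instance's last-modification
    time. history is a list of (time, provider_id, changed_fields) with None meaning
    the instance was deleted."""
    state, last_mod = {}, {}
    for ev_t, pid, change in sorted(history, key=lambda e: e[0]):
        if ev_t > t:
            break
        if change is None:
            state.pop(pid, None)
            last_mod.pop(pid, None)
        else:
            state.setdefault(pid, {"key": {"provider_id": pid}}).update(change)
            last_mod[pid] = ev_t
    return state, last_mod


def replay(history, start=None, end=None):
    """Produce StreamResponse dicts for a GetAll with TimeBounds:
    end only: fully specified state of each instance at end;
    start only: state at start, then updates until now (end of history);
    start and end: state at start, then updates until end.
    At least one bound is required, as the page states."""
    if start is None and end is None:
        raise ValueError("TimeBounds requires at least one of start and end")
    snapshot_time = start if start is not None else end
    state, last_mod = state_at(history, snapshot_time)
    responses = [{"type": INITIAL, "time": last_mod[pid], "value": dict(state[pid])}
                 for pid in sorted(state)]
    if start is None:
        return responses
    for ev_t, pid, change in sorted(history, key=lambda e: e[0]):
        if ev_t <= start or (end is not None and ev_t > end):
            continue
        key_only = {"key": {"provider_id": pid}}
        if change is None:
            responses.append({"type": DELETED, "time": ev_t, "value": key_only})
        else:  # partial update: key field plus only what changed
            responses.append({"type": UPDATED, "time": ev_t, "value": {**key_only, **change}})
    return responses


def apply_stream(responses):
    """Client-side cache: INITIAL replaces the entry, UPDATED merges the partial value
    into it, DELETED removes it. An INITIAL seen after updates have begun is recorded
    as a violation of the ordering the page describes."""
    cache, updates_started, violations = {}, False, []
    for r in responses:
        pid = r["value"]["key"]["provider_id"]
        if r["type"] == INITIAL:
            if updates_started:
                violations.append(r["time"])
            cache[pid] = dict(r["value"])
        elif r["type"] == UPDATED:
            updates_started = True
            cache.setdefault(pid, {"key": {"provider_id": pid}}).update(r["value"])
        elif r["type"] == DELETED:
            updates_started = True
            cache.pop(pid, None)
    return cache, violations


# Constructed history of two OAuthConfig instances; times are arbitrary integers.
HISTORY = [
    (100, "okta", {"endpoint": "https://okta.example.com/oauth2", "link_to_shared_provider": False}),
    (120, "azure", {"endpoint": "https://login.example.net/tenant"}),
    (150, "okta", {"link_to_shared_provider": True}),
    (170, "azure", None),
    (190, "okta", {"algorithms": ["RS256"]}),
]

if __name__ == "__main__":
    for r in replay(HISTORY, start=130, end=180):
        print(r)
    print(apply_stream(replay(HISTORY, start=130)))
```

The merge step is the part to get right in a real client: because updates after start may be partial, a field absent from an UPDATED value means "unchanged", not "cleared", so the cache must keep the snapshot's fields and overlay only what the update carries.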

SAMLConfigDeleteAllRequest

Fields:

partial_eq_filter (repeated SAMLConfig)
PartialEqFilter provides a way to server-side filter a DeleteAll. This requires all provided fields to be equal to the response. A filtered DeleteAll will use GetAll with the filter to find the instances to delete.

SAMLConfigDeleteAllResponse

Fields:

type (fmp.DeleteError)
This describes the class of delete error. A DeleteAllResponse is only sent when there is an error.

error (google.protobuf.StringValue)
This indicates the error message from the delete failure.

key (SAMLKey)
This is the key of the SAMLConfig instance that failed to be deleted.

time (google.protobuf.Timestamp)
Time indicates the (UTC) timestamp when the key was being deleted.

SAMLConfigDeleteRequest

Fields:

key (SAMLKey)
Key indicates which SAMLConfig instance to remove. This field must always be set.

SAMLConfigDeleteResponse

Fields:

key (SAMLKey)
Key echoes back the key of the deleted SAMLConfig instance.

time (google.protobuf.Timestamp)
Time indicates the (UTC) timestamp at which the system recognizes the deletion. The only guarantees made about this timestamp are:
- it is after the time the request was received
- a time-ranged query with StartTime==DeletedAt will not include this instance.

SAMLConfigDeleteSomeRequest

Fields:

keys (repeated SAMLKey)
keys contains a list of SAMLConfig keys to delete.

SAMLConfigDeleteSomeResponse

SAMLConfigDeleteSomeResponse is only sent when there is an error.

Fields:

key (SAMLKey)

error (string)

SAMLConfigRequest

Fields:

key (SAMLKey)
Key uniquely identifies a SAMLConfig instance to retrieve. This value must be populated.

time (google.protobuf.Timestamp)
Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request.

SAMLConfigResponse

Fields:

value (SAMLConfig)
Value is the value requested. This structure will be fully populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values.

time (google.protobuf.Timestamp)
Time carries the (UTC) timestamp of the last modification of the SAMLConfig instance in this response.

SAMLConfigSetRequest

Fields:

value (SAMLConfig)
SAMLConfig carries the value to set into the datastore. See the documentation on the SAMLConfig struct for which fields are required.

SAMLConfigSetResponse

Fields:

value (SAMLConfig)
Value carries all the values given in the SAMLConfigSetRequest as well as any server-generated values.

time (google.protobuf.Timestamp)
Time indicates the (UTC) timestamp at which the system recognizes the creation. The only guarantees made about this timestamp are:
- it is after the time the request was received
- a time-ranged query with StartTime==CreatedAt will include this instance.

SAMLConfigSetSomeRequest

Fields:

values (repeated SAMLConfig)
values contains a list of SAMLConfig values to write. It is possible to provide more values than can fit within either:
- the maximum send size of the client
- the maximum receive size of the server
If this error occurs you must reduce the number of values sent. See the gRPC "maximum message size" documentation for more information.

SAMLConfigSetSomeResponse

Fields:

key (SAMLKey)

error (string)

SAMLConfigSomeRequest

Fields:

keys (repeated SAMLKey)

time (google.protobuf.Timestamp)
Time indicates the time for which you are interested in the data. If no time is given, the server will use the time at which it makes the request.

SAMLConfigSomeResponse

Fields:

value (SAMLConfig)
Value is the value requested. This structure will be fully populated as it exists in the datastore. If optional fields were not given at creation, these fields will be empty or set to default values.

error (google.protobuf.StringValue)
Error is an optional field. It should be filled when there is an error in the GetSome process.

time (google.protobuf.Timestamp)

SAMLConfigStreamRequest

Fields:

partial_eq_filter (repeated SAMLConfig)
PartialEqFilter provides a way to server-side filter a GetAll/Subscribe. This requires all provided fields to be equal to the response. While transparent to users, this field also allows services to optimize internal subscriptions if the filter(s) are sufficiently specific.

time (arista.time.TimeBounds)
TimeRange allows limiting response data to within a specified time window. If this field is populated, at least one of the two time fields is required. For GetAll, the fields start and end can be used as follows:
* end: Returns the state of each SAMLConfig at end. Each SAMLConfig response is fully specified (all fields set).
* start: Returns the state of each SAMLConfig at start, followed by updates until now. Each SAMLConfig response at start is fully specified, but updates may be partial.
* start and end: Returns the state of each SAMLConfig at start, followed by updates until end. Each SAMLConfig response at start is fully specified, but updates until end may be partial.
This field is not allowed in the Subscribe RPC.

SAMLConfigStreamResponse

Fields:

value (SAMLConfig)
Value is a value deemed relevant to the initiating request. This structure will always have its key field populated. Which other fields are populated, and why, depends on the value of Operation and what triggered this notification.

time (google.protobuf.Timestamp)
Time holds the timestamp of this SAMLConfig's last modification.

type (arista.subscriptions.Operation)
Operation indicates how the SAMLConfig value in this response should be considered. Under non-subscribe requests, this value should always be INITIAL. In a subscription, once all initial data is streamed and the client begins to receive modification updates, you should not see INITIAL again.

OAuthConfigService

Methods (name: request type -> response type):

GetOne: OAuthConfigRequest -> OAuthConfigResponse
GetSome: OAuthConfigSomeRequest -> stream OAuthConfigSomeResponse
GetAll: OAuthConfigStreamRequest -> stream OAuthConfigStreamResponse
Subscribe: OAuthConfigStreamRequest -> stream OAuthConfigStreamResponse
GetMeta: OAuthConfigStreamRequest -> MetaResponse
SubscribeMeta: OAuthConfigStreamRequest -> stream MetaResponse
Set: OAuthConfigSetRequest -> OAuthConfigSetResponse
SetSome: OAuthConfigSetSomeRequest -> stream OAuthConfigSetSomeResponse
Delete: OAuthConfigDeleteRequest -> OAuthConfigDeleteResponse
DeleteSome: OAuthConfigDeleteSomeRequest -> stream OAuthConfigDeleteSomeResponse
DeleteAll: OAuthConfigDeleteAllRequest -> stream OAuthConfigDeleteAllResponse

SAMLConfigService

Methods (name: request type -> response type):

GetOne: SAMLConfigRequest -> SAMLConfigResponse
GetSome: SAMLConfigSomeRequest -> stream SAMLConfigSomeResponse
GetAll: SAMLConfigStreamRequest -> stream SAMLConfigStreamResponse
Subscribe: SAMLConfigStreamRequest -> stream SAMLConfigStreamResponse
GetMeta: SAMLConfigStreamRequest -> MetaResponse
SubscribeMeta: SAMLConfigStreamRequest -> stream MetaResponse
Set: SAMLConfigSetRequest -> SAMLConfigSetResponse
SetSome: SAMLConfigSetSomeRequest -> stream SAMLConfigSetSomeResponse
Delete: SAMLConfigDeleteRequest -> SAMLConfigDeleteResponse
DeleteSome: SAMLConfigDeleteSomeRequest -> stream SAMLConfigDeleteSomeResponse
DeleteAll: SAMLConfigDeleteAllRequest -> stream SAMLConfigDeleteAllResponse