FusionAuth developer image
FusionAuth developer logo
  • Back to site
  • Expert Advice
  • Blog
  • Developers
  • Downloads
  • Account
  • Contact sales
Navigate to...
  • Welcome
  • Getting Started
    • Getting Started
    • 5-minute Setup Guide
      • Overview
      • Docker
      • Fast Path
      • Sandbox
    • Setup Wizard & First Login
    • Register a User and Login
    • Self-service Registration
    • Start and Stop FusionAuth
    • Core Concepts
      • Overview
      • Users
      • Roles
      • Groups
      • Registrations
      • Applications
      • Tenants
      • Identity Providers
      • Authentication/Authorization
      • Integration Points
    • Example Apps
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • PHP
      • Python
      • Ruby
    • Tutorials
  • Installation Guide
    • Overview
    • System Requirements
    • Server Layout
    • Cloud
    • Cluster
    • Docker
    • Fast Path
    • Kubernetes
      • Overview
      • Deployment Guide
      • Minikube Setup
      • Amazon EKS Setup
      • Google GKE Setup
      • Microsoft AKS Setup
    • Kickstart™
    • Homebrew
    • Marketplaces
    • Packages
    • Database
    • FusionAuth App
    • FusionAuth Search
    • Common Configuration
  • Migration Guide
    • Overview
    • General
    • Auth0
    • Keycloak
    • Amazon Cognito
    • Firebase
    • Microsoft Azure AD B2C
    • Tutorial
  • Admin Guide
    • Overview
    • Account Portal
    • Config Management
    • Editions and Features
    • Key Rotation
    • Licensing
    • Monitoring
    • Prometheus Setup
    • Proxy Setup
    • Reference
      • Overview
      • Configuration
      • CORS
      • Data Types
      • Hosted Login Pages Cookies
      • Known Limitations
      • Password Hashes
    • Releases
    • Roadmap
    • Search And FusionAuth
    • Securing
    • Switch Search Engines
    • Technical Support
    • Troubleshooting
    • Upgrading
    • WebAuthn
  • Login Methods
    • Identity Providers
      • Overview
      • Apple
      • Epic Games
      • External JWT
        • Overview
        • Example
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
        • Overview
        • Amazon Cognito
        • Azure AD
        • Discord
        • Github
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • SAML v2
        • Overview
        • ADFS
        • Azure AD
      • SAML v2 IdP Initiated
        • Overview
        • Okta
      • Xbox
    • OIDC & OAuth 2.0
      • Overview
      • Endpoints
      • Tokens
      • OAuth Modes
    • Passwordless
      • Overview
      • Magic Links
      • WebAuthn & Passkeys
    • SAML v2 IdP
      • Overview
      • Google
      • Zendesk
  • Developer Guide
    • Overview
    • API Gateways
      • Overview
      • ngrok Cloud Edge
    • Client Libraries & SDKs
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • Node
      • OpenAPI
      • PHP
      • Python
      • React
      • Ruby
      • Typescript
    • Events & Webhooks
      • Overview
      • Writing a Webhook
      • Securing Webhooks
      • Events
        • Overview
        • Audit Log Create
        • Event Log Create
        • JWT Public Key Update
        • JWT Refresh
        • JWT Refresh Token Revoke
        • Kickstart Success
        • Group Create
        • Group Create Complete
        • Group Delete
        • Group Delete Complete
        • Group Update
        • Group Update Complete
        • Group Member Add
        • Group Member Add Complete
        • Group Member Remove
        • Group Member Remove Complete
        • Group Member Update
        • Group Member Update Complete
        • User Action
        • User Bulk Create
        • User Create
        • User Create Complete
        • User Deactivate
        • User Delete
        • User Delete Complete
        • User Email Update
        • User Email Verified
        • User IdP Link
        • User IdP Unlink
        • User Login Failed
        • User Login Id Dup. Create
        • User Login Id Dup. Update
        • User Login New Device
        • User Login Success
        • User Login Suspicious
        • User Password Breach
        • User Password Reset Send
        • User Password Reset Start
        • User Password Reset Success
        • User Password Update
        • User Reactivate
        • User Reg. Create
        • User Reg. Create Complete
        • User Reg. Delete
        • User Reg. Delete Complete
        • User Registration Update
        • User Reg. Update Complete
        • User Reg. Verified
        • User 2FA Method Add
        • User 2FA Method Remove
        • User Update
        • User Update Complete
    • Guides
      • Overview
      • Authentication Tokens
      • Exposing A Local Instance
      • JSON Web Tokens
      • Key Master
      • Localization and Internationalization
      • Multi-Factor Authentication
      • Multi-Tenant
      • Passwordless
      • Registration-based Email Verification
      • Searching With Elasticsearch
      • Securing Your APIs
      • Silent Mode
      • Single Sign-on
      • Two Factor (pre 1.26)
    • Integrations
      • Overview
      • CleanSpeak
      • Kafka
      • Twilio
    • Plugins
      • Overview
      • Writing a Plugin
      • Custom Password Hashing
    • User Control & Gating
      • Overview
      • Gate Unverified Users
      • Gate Unverified Registrations
      • User Account Lockout
  • Customization
    • Email & Templates
      • Overview
      • Configure Email
      • Email Templates
      • Email Variables
      • Message Templates
    • Lambdas
      • Overview
      • Apple Reconcile
      • Client Cred. JWT Populate
      • Epic Games Reconcile
      • External JWT Reconcile
      • Facebook Reconcile
      • Google Reconcile
      • HYPR Reconcile
      • JWT Populate
      • LDAP Connector Reconcile
      • LinkedIn Reconcile
      • Nintendo Reconcile
      • OpenID Connect Reconcile
      • SAML v2 Populate
      • SAML v2 Reconcile
      • SCIM Group Req. Converter
      • SCIM Group Resp. Convtr.
      • SCIM User Req. Converter
      • SCIM User Resp. Converter
      • Sony PSN Reconcile
      • Steam Reconcile
      • Twitch Reconcile
      • Twitter Reconcile
      • Xbox Reconcile
    • Messengers
      • Overview
      • Generic Messenger
      • Twilio Messenger
    • Themes
      • Overview
      • Examples
      • Helpers
      • Localization
      • Template Variables
  • Premium Features
    • Overview
    • Advanced Registration Forms
    • Advanced Threat Detection
    • Application Specific Themes
    • Breached Password Detection
    • Connectors
      • Overview
      • Generic Connector
      • LDAP Connector
      • FusionAuth Connector
    • Entity Management
    • SCIM
      • Overview
      • Azure AD Client
      • Okta Client
      • SCIM-SDK
    • Self Service Account Mgmt
      • Overview
      • Updating User Data & Password
      • Add Two-Factor Authenticator
      • Add Two-Factor Email
      • Add Two-Factor SMS
      • Add WebAuthn Passkey
      • Customizing
      • Troubleshooting
    • WebAuthn
  • APIs
    • Overview
    • Authentication
    • Errors
    • API Explorer
    • Actioning Users
    • API Keys
    • Applications
    • Audit Logs
    • Connectors
      • Overview
      • Generic
      • LDAP
    • Consents
    • Emails
    • Entity Management
      • Overview
      • Entities
      • Entity Types
      • Grants
    • Event Logs
    • Families
    • Forms
    • Form Fields
    • Groups
    • Identity Providers
      • Overview
      • Links
      • Apple
      • External JWT
      • Epic Games
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
      • SAML v2
      • SAML v2 IdP Initiated
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • Xbox
    • Integrations
    • IP Access Control Lists
    • JWT
    • Keys
    • Lambdas
    • Login
    • Message Templates
    • Messengers
      • Overview
      • Generic
      • Twilio
    • Multi-Factor/Two Factor
    • Passwordless
    • Reactor
    • Registrations
    • Reports
    • SCIM
      • Overview
      • SCIM User
      • SCIM Group
      • SCIM EnterpriseUser
      • SCIM Service Provider Config.
    • System
    • Tenants
    • Themes
    • Users
    • User Actions
    • User Action Reasons
    • User Comments
    • WebAuthn
    • Webhooks
  • Release Notes

    Identity Provider API Overview

    Overview

    An Identity Provider is a named object that provides configuration to describe an external and/or social identity provider. This configuration will be used to perform an alternative login to the standard FusionAuth local login. FusionAuth currently supports a number of different identity provider types:

    • Apple

    • Epic Games - requires a paid edition.

    • External JWT

    • Facebook

    • Google

    • HYPR

    • LinkedIn

    • Nintendo - requires a paid edition.

    • OpenID Connect

    • SAML v2

    • SAML v2 IdP Initiated - requires a paid edition.

    • Sony PlayStation Network - requires a paid edition.

    • Steam - requires a paid edition.

    • Twitch - requires a paid edition.

    • Twitter

    • Xbox - requires a paid edition.

    The type of the identity provider will determine the object’s properties as well as the validation that is performed. You can click into any of the identity provider API docs to get a list of that identity provider’s properties.

    To learn how to configure these Identity Providers using the FusionAuth UI, go here Identity Providers.

    Link APIs

    The way a link is established between an identity provider and FusionAuth is determined by the linkingStrategy for each identity provider. An API is provided to manually link and unlink a user to a 3rd party identity provider. To learn more about managing links between FusionAuth and a 3rd party identity provider, see the Link APIs.

    Global Operations

    • Retrieve all Identity Providers

    • Lookup an Identity Provider

    Retrieve all Identity Providers

    Request

    Retrieve all of the Identity Providers

    URI

    GET /api/identity-provider

    Response

    Table 1. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    The response JSON might include different types of identity providers. Therefore, you should refer to the documentation for each type of identity provider to determine the response JSON format for that particular type. Each type has a Retrieve section in its documentation. This format will be the same format used by this API.

    Example Response JSON
    
    {
      "identityProviders": [
        {
          "claimMap": {
            "first_name": "firstName",
            "last_name": "lastName",
            "dept": "RegistrationData"
          },
          "domains": [
            "acme.com",
            "acme.org"
          ],
          "headerKeyParameter" : "kid",
          "id" : "a4e78daa-33a6-4844-b081-7779af1f09a4",
          "insertInstant": 1595361142909,
          "lastUpdateInstant": 1595361143101,
          "name": "Acme Corp. ADFS",
          "oauth2" : {
            "authorization_endpoint" : "https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect",
            "token_endpoint" : "https://acme.com/adfs/oauth2/token"
          },
          "type": "ExternalJWT",
          "uniqueIdentityClaim": "email"
        },
        {
          "appId": "385572258114379",
          "applicationConfiguration": {
            "1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
              "createRegistration": true,
              "enabled": true
            }
          },
          "buttonText": "Login with Facebook",
          "client_secret": "72417eb5aa454ef2373b361d721cb074",
          "enabled": true,
          "fields": "email",
          "id" : "56abdcc7-8bd9-4321-9621-4e9bbebae494",
          "insertInstant": 1595361142909,
          "lastUpdateInstant": 1595361143101,
          "name": "Facebook",
          "permissions": "email,profile_image",
          "type": "Facebook"
        },
        {
          "applicationConfiguration": {
            "1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
              "createRegistration": true,
              "enabled": true
            }
          },
          "buttonText": "Login with Google",
          "client_id": "254311943570-8e2i2hds0qdnee4124socceeh2q2mtjl.apps.googleusercontent.com",
          "client_secret": "BRr7x7xz_-cXxIFznBDIdxF1",
          "enabled": true,
          "id": "82339786-3dff-42a6-aac6-1f1ceecb6c46",
          "insertInstant": 1595361142909,
          "lastUpdateInstant": 1595361143101,
          "name": "Google",
          "scope": "profile",
          "type": "Google"
        },
        {
          "applicationConfiguration": {
            "1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
              "createRegistration": true,
              "enabled": true
            }
          },
          "buttonText": "Login with Twitter",
          "consumerKey": "24iuleLRKIZUNhxuuUK6yDZwb",
          "consumerSecret": "e2ZpAaAfxv2j9eeh6JTeNcXMWdVLjRNriXm4wSZt1f1Ss3Syp4",
          "enabled": true,
          "id": "45bb233c-0901-4236-b5ca-ac46e2e0a5a5",
          "insertInstant": 1595361142909,
          "lastUpdateInstant": 1595361143101,
          "name": "Twitter",
          "type": "Twitter"
        }
      ]
    }

    Lookup an Identity Provider

    The Lookup API is intended to be used during an external login workflow.

    For example, you might build your own login page. This page might collect the user’s email as the first step. That email address can be sent to this API to determine which identity provider was designated as the provider for this email address. If the identity provider is an OpenID Connect provider, then you might redirect the user over to that provider.

    Request

    Lookup an Identity Provider by domain/email

    URI

    GET /api/identity-provider/lookup?domain={domain}

    Request Parameters

    domain [String] Required

    The email domain or the full email address of the user.

    For example, jenny@acme.com and acme.com are functionally equivalent.

    Response

    The Lookup response is a subset of the Identity Provider configuration that would be returned by the normal identity provider retrieve operation. A 200 response code indicates the domain is managed and the response will contain a JSON body, a 404 response code indicates it is not managed by a configured Identity Provider.

    Table 2. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    404

    The requested domain is not being managed by a configured Identity Provider.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    Example Response JSON

    identityProvider.applicationIds [Array<UUID>] Available since 1.16.0

    The list of Application Ids that are enabled for this Identity Provider.

    identityProvider.id [UUID]

    The unique Id of the Identity Provider.

    identityProvider.idpEndpoint [String] Available since 1.16.0

    The configured SAML v2 endpoint. This value will only be returned for a SAML v2 Identity Provider. This may be used to aid in building the SAML request so that it does not need to be hard coded in your application.

    identityProvider.insertInstant [Long]

    The instant that the provider was added to the FusionAuth database.

    identityProvider.lastUpdateInstant [Long]

    The instant that the provider was updated in the FusionAuth database.

    identityProvider.name [String]

    The name of the Identity Provider.

    identityProvider.oauth2.authorization_endpoint [String]

    The OAuth2 Authorize endpoint. This may be used to as the redirect location to begin the authorize workflow so that it does not need to be hard coded in your application.

    identityProvider.oauth2.token_endpoint [String]

    The OAuth2 Token endpoint. This may be used during your integration so that this URI does not need to be hard coded in your application.

    Example Response JSON for an ExternalJWT or OpenID Connect IdP
    
    {
      "identityProvider" : {
        "applicationIds": [
          "0d5244df-053c-4ff6-b2db-1e04c388dae3"
        ],
        "id" : "a4e78daa-33a6-4844-b081-7779af1f09a4",
        "name" : "Acme Corp. ADFS OpenID Connect",
        "oauth2" : {
          "authorization_endpoint" : "https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect",
          "token_endpoint" : "https://acme.com/adfs/oauth2/token"
        }
      }
    }
    Example Response JSON for a SAML v2 IdP
    
    {
      "identityProvider" : {
        "applicationIds": [
          "0d5244df-053c-4ff6-b2db-1e04c388dae3"
        ],
        "id" : "d94f81eb-287b-466a-ac6a-fb29c83f598c",
        "idpEndpoint": "https://login.microsoftonline.com/475bffef-4669-4e64-8f6c-b1ff41f16242/saml2",
        "name" : "Acme Corp. SAML v2 ADFS"
      }
    }

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    Have a question or comment to share?

    Visit the FusionAuth community forum.

    © 2023 FusionAuth
    Subscribe for developer updates