newAzureAdOidcIdentityProvider()

API Stability Long-Term

The newAzureAdOidcIdentityProvider() GraphQL mutation field is used to set up a new Azure AD OIDC IDP. It's a root operation.

For more information on the Azure related to this field, see the Service Fabric & LogScale reference page.

Syntax

Below is the syntax for the newAzureAdOidcIdentityProvider() mutation field:

graphql

newAzureAdOidcIdentityProvider(
     name: string!,
     tenantId: string!,
     clientID: string!,
     clientSecret: string!,
     domains: [string]!,
     enableDebug: boolean,
     scopeClaim: string
   ): OidcIdentityProvider!

The default for enableDebug is false. There are no special input datatypes for this mutation field. Below is an example of how it might be used:

Raw

graphql

mutation {
  newAzureAdOidcIdentityProvider( 
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false    
  ) 
  { id }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  newAzureAdOidcIdentityProvider( 
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false    
  ) 
  { id }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  newAzureAdOidcIdentityProvider( 
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false    
  ) 
  { id }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  newAzureAdOidcIdentityProvider(  ^
     name: \"myAzure-IDP\", ^
     tenantId: \"123abc\", ^
     clientID: \"456efg\", ^
     clientSecret: \"MD39xf83M301\", ^
     domains: [\"humio\"], ^
     enableDebug: false     ^
  )  ^
  { id } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  newAzureAdOidcIdentityProvider( 
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false    
  ) 
  { id }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  newAzureAdOidcIdentityProvider( 
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false    
  ) 
  { id }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  newAzureAdOidcIdentityProvider( 
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false    
  ) 
  { id }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  newAzureAdOidcIdentityProvider( 
     name: \"myAzure-IDP\",
     tenantId: \"123abc\",
     clientID: \"456efg\",
     clientSecret: \"MD39xf83M301\",
     domains: [\"humio\"],
     enableDebug: false    
  ) 
  { id }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Success (HTTP Response Code 200 OK)

json

{
  "data": {
    "newAzureAdOidcIdentityProvider": {
      "id": "abc123"
    }
  }
}

Returned Datatypes

The returned datatype OidcIdentityProvider has several parameters. Below is a list of them along with a description of each:

Table: OidcIdentityProvider

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Jun 26, 2025
authenticationMethod	AuthenticationMethodAuth	yes	`Long-Term`	The authentication method used. See AuthenticationMethodAuth.
authorizationEndpoint	string		`Long-Term`	A URL to the endpoint a user should be redirected to when authorizing.
clientId	string	yes	`Long-Term`	The unique identifier for the client.
clientSecret	string	yes	`Long-Term`	The password for the client.
debug	boolean	yes	`Long-Term`	Whether debugging is enabled.
defaultIdp	boolean	yes	`Long-Term`	Whether the identity provider is the default.
domains	[string]	yes	`Long-Term`	The domains authorized by the OIDC identity providers.
federatedIdp	string		`Long-Term`	The Federated IdP.
groupsClaim	string		`Long-Term`	The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
humioManaged	boolean	yes	`Long-Term`	Whether authentication is managed by LogScale.
id	string	yes	`Long-Term`	The unique identifier for the OIDC identity provider.
issuer	string	yes	`Long-Term`	The issuer of the OIDC authentication.
jwksEndpoint	string		`Long-Term`	A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
lazyCreateUsers	boolean	yes	`Long-Term`	Whether to wait to create users until necessary.
name	string	yes	`Long-Term`	The name of the OIDC identity provider.
registrationEndpoint	string		`Long-Term`	To use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow `%PUBLIC_URL%/auth/oidc` as a valid redirect endpoint for the client.
scopeClaim	string		`Long-Term`	The scope claim.
scopes	[string]	yes	`Long-Term`	Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile).
tokenEndpoint	string		`Long-Term`	A URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
tokenEndpointAuthMethod	string	yes	`Long-Term`	A URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
userClaim	string	yes	`Long-Term`	The name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
userInfoEndpoint	string		`Long-Term`	A URL to the user info endpoint used to retrieve user information from an access token.

Versions of this Page

GraphQL Mutations

GraphQL API Stability

GraphQL Groups

GraphQL Queries

GraphQL Datatypes