API Stability Long-Term

The newAzureAdOidcIdentityProvider() GraphQL mutation field is used to set up a new Azure AD OIDC IDP. It's a root operation.

For more information on the Azure related to this field, see the Service Fabric & LogScale reference page.

Syntax

Below is the syntax for the newAzureAdOidcIdentityProvider() mutation field:

graphql
newAzureAdOidcIdentityProvider(
     name: string!,
     tenantId: string!,
     clientID: string!,
     clientSecret: string!,
     domains: [string!]!,
     enableDebug: boolean,
     scopeClaim: string
   ): OidcIdentityProvider!

Below is an example of how this mutation field might be used:

Show:
graphql
mutation {
  newAzureAdOidcIdentityProvider( 
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false    
  ) 
  { id }
}

Returned Datatypes

The returned datatype OidcIdentityProvider has several parameters. Below is a list of them along with a description of each:

Table: OidcIdentityProvider

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 27, 2024
authenticationMethodAuthenticationMethodAuthyes Long-TermThe authentication method used. See AuthenticationMethodAuth.
authorizationEndpointstring  Long-TermA URL to the endpoint a user should be redirected to when authorizing.
clientIdstringyes Long-TermThe unique identifier for the client.
clientSecretstringyes Long-TermThe password for the client.
debugbooleanyes Long-TermWhether debugging is enabled.
defaultIdpbooleanyes Long-TermWhether the identity provider is the default.
domains[string]yes Long-TermThe domains authorized by the OIDC identity providers.
federatedIdpstring  Long-TermThe Federated IdP.
groupsClaimstring  Long-TermThe name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
humioManagedbooleanyes Long-TermWhether authentication is managed by LogScale.
idstringyes Long-TermThe unique identifier for the OIDC identity provider.
issuerstringyes Long-TermThe issuer of the OIDC authentication.
jwksEndpointstring  Long-TermA URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
lazyCreateUsersbooleanyes Long-TermWhether to wait to create users until necessary.
namestringyes Long-TermThe name of the OIDC identity provider.
registrationEndpointstring  Long-TermTo use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client.
scopeClaimstring  Long-TermThe scope claim.
scopes[string]yes Long-TermComma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile).
tokenEndpointstring  Long-TermA URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
tokenEndpointAuthMethodstringyes Long-TermA URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
userClaimstringyes Long-TermThe name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
userInfoEndpointstring  Long-TermA URL to the user info endpoint used to retrieve user information from an access token.