OIDC
Create Identity Provider (OIDC)
Create an OIDC-based Identity Provider using the rctl CLI.
Create OIDC Identity Provider Using CLI
./rctl create idp <idp-name> <idp-type> <domain-name> <idp-admin-email> <group-name> <client-id> <client-secret> <op-domain-url> <description> --authType oidc
Example
./rctl create idp demoidp okta dummydomain.co user@dummydomain.co demogroup dummyclientid dummyclientsecret https://integrator-3525358-admin.okta.com/ "OIDC IdP created via RCTL" --authType oidc
Output
Creating OIDC IdP with name: demoidp, type: okta, domain: dummydomain.co, admin: user@dummydomain.co,
group: demogroup, clientID: dummyclientid, clientSecret: dummyclientsecret,
opDomainURL: https://integrator-3525358-admin.okta.com/, description: OIDC IdP created via RCTL
Success patching IdP with name: demoidp
********* IMPORTANT *********
PLEASE USE BELOW REDIRECT URL TO CONFIGURE IdP
Redirect URL:
https://qc-console.stage.rafay.dev/auth/v1/oidc/callback/81dbe2f0-0150-4536-81fb-007b7b841b18/
Group Attribute Name:
demogroup
EMAIL FOR DOMAIN VERIFICATION FOR IDP HAS BEEN SENT TO user@dummydomain.co. PLEASE VERIFY DOMAIN.
Create OIDC Identity Provider Using YAML File
./rctl create idp -f ./oidc_idp.yaml --authType oidc
Example YAML File
name: oidcidp
description: create oidc idp using yaml file via rctl
idp_name: okta
idp_admin: admin@dummydomain.co
domain: dummydomain.co
client_id: 0oaylauz7g9Axb7pH697
group_attribute_name: groups
webhook_payload:
  custom:
    k2: v2
    k3: v3
    k1: v1
  optional:
    - first_name
    - last_name
    - trigger_type
client_secret: dummysecret
op_domain_url: http://integrator-3525358.okta.com
Output
Success patching IdP with name: oidcidp
********* IMPORTANT *********
PLEASE USE BELOW REDIRECT URL TO CONFIGURE IdP
Redirect URL:
https://qc-console.stage.rafay.dev/auth/v1/oidc/callback/8dd77a71-b323-49e1-90e3-2029263fe071/
Group Attribute Name:
groups
EMAIL FOR DOMAIN VERIFICATION FOR IDP HAS BEEN SENT TO admin@dummydomain.co. PLEASE VERIFY DOMAIN.
Creating Keycloak Identity Provider
Example
idp_name: keycloak
idp_admin: user@dummydomainkeycloak.co
domain: dummydomainkeycloak.co
webhook_url: https://webhook.site/c9efe01a-e322-491d-9ffa-bf0b3e8d2a34
webhook_trigger_type: SSO_USER_LOGIN
webhook_secret: demowebhooksecret
client_id: democlientidfile
group_attribute_name: demogroupsfile
webhook_payload:
  custom:
    k2: v2
    k3: v3
    input: fileupdate
  optional:
    - first_name
    - trigger_type
client_secret: democlientsecretfile
op_domain_url: https://keycloak.qasimplified.com:8443/
discovery_endpoint: https://keycloak.qasimplified.com:8443/realms/master/.well-known/openid-configuration
./rctl create idp -f oidc_idp.yaml --authType oidc
Output
Success patching IdP with name: demoidpfilekeycloak
********* IMPORTANT *********
PLEASE USE BELOW REDIRECT URL TO CONFIGURE IdP
Redirect URL:
https://qc-console.stage.rafay.dev/auth/v1/oidc/callback/9753439c-4948-4abd-bf95-ed72dead07bf/
Group Attribute Name:
demogroupsfile
EMAIL FOR DOMAIN VERIFICATION FOR IDP HAS BEEN SENT TO user@dummydomainkeycloak.co. PLEASE VERIFY DOMAIN.
Error Outputs
- Duplicate Domain Error (a domain can be bound to only one OIDC IdP per organization)
Error: server error [return code: 500]:
{"error":"rpc error: code = Unknown desc = failed to create OIDC config: ERROR #23505 duplicate key value violates unique constraint \"authsrv_idp_oidc_partner_id_domain_orgid_uniq\""}
- Domain and Admin Email Mismatch (the IdP admin's email must belong to the configured domain)
Error: server error [return code: 500]:
{"error":"rpc error: code = Unknown desc = failed to create OIDC config: IdP admin's email domain admin@dummydomain2.co does not match the provided domain dummydomain1.co"}
- Duplicate IdP Name
Error: server error [return code: 500]:
{"error":"rpc error: code = Unknown desc = OIDC config with name demoidp already exists"}
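A pre-flight check for an oidc_idp.yaml that reproduces the three rejections above locally, before `rctl create idp -f` is run, and also flags a plaintext `op_domain_url`. This is an added example, not rctl or Rafay code; it assumes the YAML has already been loaded into a dict (the sample below is constructed to mirror the page's example file) and that already-configured IdPs are passed in as (name, domain) pairs.

```python
"""Pre-flight checks for an rctl OIDC IdP YAML definition (added example, not rctl code)."""
from urllib.parse import urlparse

# Fields every create/update spec on this page supplies.
REQUIRED = ("name", "idp_name", "idp_admin", "domain", "client_id",
            "client_secret", "op_domain_url", "group_attribute_name")


def check_idp(spec, existing=()):
    """Return a list of problems for one IdP spec (a dict loaded from oidc_idp.yaml).

    `existing` holds (name, domain) pairs of IdPs already configured in the org,
    e.g. read off `rctl get idp --authType oidc`, so the server-side uniqueness
    errors are caught locally before the API call is made.
    """
    problems = []
    for key in REQUIRED:
        if not spec.get(key):
            problems.append(f"missing required field: {key}")
    admin = spec.get("idp_admin", "")
    domain = spec.get("domain", "").lower()
    # Server rejects: "IdP admin's email domain ... does not match the provided domain".
    if "@" in admin and admin.rsplit("@", 1)[1].lower() != domain:
        problems.append(f"admin email domain {admin} does not match domain {domain}")
    op_url = spec.get("op_domain_url", "")
    # Not a server check: client_secret and tokens are exchanged with this issuer,
    # so a plaintext http:// issuer URL is a weak setting worth refusing up front.
    if urlparse(op_url).scheme != "https":
        problems.append(f"op_domain_url should use https, got: {op_url}")
    for name, dom in existing:
        if name == spec.get("name"):
            # Server: "OIDC config with name <name> already exists"
            problems.append(f"OIDC config with name {name} already exists")
        if dom.lower() == domain:
            # Server: unique constraint on (partner, domain, org)
            problems.append(f"domain {dom} is already bound to IdP {name}")
    return problems


# Constructed sample mirroring the page's oidc_idp.yaml; load a real file with yaml.safe_load().
SAMPLE = {
    "name": "oidcidp", "idp_name": "okta", "idp_admin": "admin@dummydomain.co",
    "domain": "dummydomain.co", "client_id": "0oaylauz7g9Axb7pH697",
    "client_secret": "dummysecret", "group_attribute_name": "groups",
    "op_domain_url": "http://integrator-3525358.okta.com",
}

if __name__ == "__main__":
    for problem in check_idp(SAMPLE, existing=[("demoidp", "dummydomain.co")]):
        print("FAIL:", problem)
```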
Update Identity Provider (OIDC)
Update an existing OIDC Identity Provider using CLI flags or a YAML file.
Update OIDC Identity Provider Using CLI Flags
./rctl update idp oidcidp \
  --clientID oidcclientid \
  --clientSecret oidcclientsecret \
  --opDomainURL http://integrator-3525358.okta.com \
  --groupAttributeName groups \
  --webhookSecret secret \
  --webhookURL https://webhookurl.com \
  --webhookPayload '{
    "custom": {
      "k1": "v1",
      "k2": "v2"
    },
    "optional": [
      "first_name",
      "last_name",
      "trigger_type"
    ]
  }' \
  --authType oidc
Output
Updating OIDC IdP with name: oidcidp
Success patching IdP with name: oidcidp
********** IMPORTANT **********
PLEASE USE BELOW REDIRECT URL TO CONFIGURE IdP
------------------------------
Redirect URL:
https://qc-console.stage.rafay.dev/auth/v1/oidc/callback/86d77a71-b323-49e1-90e3-2029263fa071/
Group Attribute Name:
groups
Update OIDC Identity Provider Using YAML File
./rctl update idp -f ./oidc_idp.yaml --authType oidc
Example YAML File
idp_name: okta
idp_admin: admin@dummydemo.co
domain: dummydemo.co
client_id: 0oaylauz7g9Axb7pH697
group_attribute_name: groupsnew
webhook_payload:
  custom:
    k2: v2
    k3: v3
    k1: v1
    op: rctl update
  optional:
    - first_name
    - last_name
    - trigger_type
webhook_url: https://dummywebhookurl
webhook_secret: dummysecret
webhook_trigger_type: SSO_USER_LOGIN
client_secret: dummysecret
op_domain_url: http://integrator-3525358.okta.com
Output
Success patching IdP with name: oidcidp
********** IMPORTANT **********
PLEASE USE BELOW REDIRECT URL TO CONFIGURE IdP
------------------------------
Redirect URL:
https://qc-console.stage.rafay.dev/auth/v1/oidc/callback/86d77a71-b323-49e1-90e3-2029263fa071/
Group Attribute Name:
groupsnew
Get Identity Provider (OIDC)
Get Identity Provider (Table View)
./rctl get idp oidcidp
+---------+----------+--------------+----------------------+-----------------+-------------------+-----------+
| NAME    | IDP NAME | DOMAIN       | GROUP ATTRIBUTE NAME | DOMAIN VERIFIED | ENCRYPTION STATUS | AUTH TYPE |
+---------+----------+--------------+----------------------+-----------------+-------------------+-----------+
| oidcidp | okta     | dummydemo.co | groups               | unverified      | disabled          | oidc      |
+---------+----------+--------------+----------------------+-----------------+-------------------+-----------+
Get Identity Provider (YAML Output)
./rctl get idp oidcidp --authType oidc -o yaml
rafaytypemeta:
  apiversion: ""
  kind: ""
metadata:
  count: 1
  offset: 0
  limit: 1
items:
  - id: 72d9gkg
    name: oidcidp
    idpname: okta
    idpadmin: admin@dummydemo.co
    domain: dummydemo.co
    groupattributename: groups
    domainverified: unverified
    encryption: disabled
    authtype: oidc
    organizationid: 7w2lnkp
    partnerid: rx28oml
    createdat: 2026-01-12T10:38:08.69641Z
    modifiedat: 2026-01-12T10:38:08.696411Z
Get Identity Provider (Detailed Output)
./rctl get idp oidcidp -o yaml --detailed --authType oidc
rafaytypemeta:
  apiversion: ""
  kind: ""
metadata:
  count: 1
  offset: 0
  limit: 10
items:
  - id: x3mxvkr
    name: demoidpfile
    description: create oidc idp using yaml file via rctl
    createdat: 2025-12-19T17:29:05.044997Z
    modifiedat: 2025-12-19T17:29:05.044997Z
    trashed: false
    idpname: okta
    idpadmin: user@dummydomain.co
    domain: dummydomain.co
    domainverified: false
    clientid: democlientid
    opdomainurl: https://integrator-3525358-admin.okta.com
    authorizationendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/authorize
    tokenendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/token
    userinfoendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/userinfo
    redirecturl: https://console-nikhil-testoidc.dev.rafay-edge.net/auth/v1/oidc/callback/70f14a7a-5b7d-4235-a04c-b6536f7a0e6d
    jwksendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/keys
    discoveryendpoint: https://integrator-3525358-admin.okta.com/oauth2/default/.well-known/openid-configuration
    scopes:
      - openid
      - profile
      - email
    groupattributename: demogroups
    organizationid: 7w2lnkp
    partnerid: rx28oml
    authtype: oidc
    webhookpayload:
      custom:
        k1: v1
        k2: v2
        k3: v3
      optional:
        - first_name
        - last_name
        - trigger_type
    webhooktriggertype: SSO_USER_LOGIN
    webhookurl: https://webhook.site/c9efe01a-e322-491d-9ffa-bf0b3e8d2a34
    webhooksecret: 47fWfD3NyJz0eSh7vg0n6Zkx6nP4DNQAGNEI3J54DpTOcVkHKP8LfjZvD4
Invalid Identity Provider Name
./rctl get idp randomidp
Error: server error [return code: 500]: {"error":"rpc error: code = Unknown desc = IdP config not found"}
List Identity Providers (OIDC)
List all configured Identity Providers and view their summary or detailed configuration.
List OIDC Identity Providers (Table View)
By default, the platform uses SAML. To list only OIDC IdPs, the --authType oidc flag must be specified.
./rctl get idp --authType oidc
| NAME                | IDP NAME | DOMAIN                 | GROUP ATTRIBUTE NAME | DOMAIN VERIFIED | ENCRYPTION STATUS | AUTH TYPE |
|---------------------|----------|------------------------|----------------------|-----------------|-------------------|-----------|
| oidcidp             | okta     | dummydemo.co           | groups               | unverified      | disabled          | oidc      |
| demoidp             | okta     | dummydomain.co         | demogroup            | unverified      | disabled          | oidc      |
| demoidpfilekeycloak | keycloak | dummydomainkeycloak.co | demogroupsfile       | unverified      | disabled          | oidc      |
| demo-keycloakoidc   | keycloak | mycompany.com          | group                | unverified      | disabled          | oidc      |
| OKTA-test1          | okta     | denipl.com             | groups               | verified        | disabled          | oidc      |
List All IdPs (SAML + OIDC)
./rctl get idp --authType all -o yaml
metadata:
  count: 61
  offset: 0
  limit: 10
items:
  - name: oidcidp
    idpname: okta
    idpadmin: admin@dummydemo.co
    domain: dummydemo.co
    groupattributename: groups
    domainverified: unverified
    encryption: disabled
    authtype: oidc
  - name: demoidp
    idpname: okta
    idpadmin: user@dummydomain.co
    domain: dummydomain.co
    groupattributename: demogroup
    domainverified: unverified
    encryption: disabled
    authtype: oidc
  - name: samlidp
    idpname: okta
    idpadmin: admin@dummydomain.co
    domain: dummydomain.co
    groupattributename: group
    domainverified: unverified
    encryption: enabled
    authtype: saml
List OIDC Identity Providers (Detailed Output)
./rctl get idp -o yaml --detailed --authType oidc
metadata:
  count: 5
  offset: 0
  limit: 10
items:
  - name: demoidpfile
    description: create oidc idp using yaml file via rctl
    idpname: okta
    idpadmin: user@dummydomain1.co
    domain: dummydomain1.co
    domainverified: false
    clientid: democlientid
    opdomainurl: https://integrator-3525358-admin.okta.com
    authorizationendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/authorize
    tokenendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/token
    userinfoendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/userinfo
    redirecturl: https://qc-console.stage.rafay.dev/auth/v1/oidc/callback/70f14a7a-5b7d-4235-a04c-b6536f7a0e6d/
    jwksendpoint: https://integrator-3525358.okta.com/oauth2/default/v1/keys
    discoveryendpoint: https://integrator-3525358-admin.okta.com/oauth2/default/.well-known/openid-configuration
    scopes:
      - openid
      - profile
      - email
    groupattributename: demogroups
    authtype: oidc
    webhookpayload:
      custom:
        k1: v1
        k2: v2
        k3: v3
      optional:
        - first_name
        - last_name
        - trigger_type
    webhooktriggertype: SSO_USER_LOGIN
Delete Identity Provider (OIDC)
Delete an existing Identity Provider using the rctl CLI.
Delete Identity Provider
./rctl delete idp <idp-name>
Example
./rctl delete idp demoidpfile
Success deleting idp config: demoidpfile
Error Output
./rctl delete idp randomidp
Error: error fetching idp randomidp: server error [return code: 500]:
{"error":"rpc error: code = Unknown desc = IdP config not found"}