
# Create identity provider

> Create a new identity provider with optional claim/group mappers.



## OpenAPI

````yaml post /api/identity-providers
openapi: 3.1.0
info:
  title: Nx1 AI API
  # NOTE(review): the description below advertises a *default* PSK (value
  # redacted). A default shared secret is a well-known-credential risk: rotate
  # it on every deployment and keep any reference to it out of the published
  # spec. The text also says the PSK is sent in the `Authorization` header,
  # whereas the `APIKeyHeader` scheme under securitySchemes names the header
  # `Authorization-PSK` -- the two disagree; confirm which one the server reads.
  description: |

    AI API for Nx1 Data Platform Management and Automated Data Tasks.

    Authentication is required via PSK in Authorization header.

    Default PSK is | [ask a friend] |
  version: 0.10.2
servers: []
# An empty root-level requirement means no scheme applies globally; every
# operation has to declare its own `security` list (the POST below does).
security: []
paths:
  /api/identity-providers:
    post:
      tags:
        - Identity providers
      summary: Create identity provider
      description: Create a new identity provider with optional claim/group mappers.
      operationId: create_identity_provider_api_identity_providers_post
      # The body carries live credentials (OidcConfig.client_secret,
      # LdapConfig.bind_credential): serve this over TLS only and keep request
      # bodies out of access logs and error reports.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateIdpRequest'
        required: true
      responses:
        '201':
          description: Identity provider created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdpResponse'
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        # No 401 is documented and 403 has no body schema; a missing or
        # invalid credential presumably surfaces here too -- confirm against
        # the server.
        '403':
          description: Forbidden
        '409':
          description: Alias already exists.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
      # The two entries are alternatives: either an OAuth2 bearer token or the
      # static PSK header on its own satisfies this operation. Registering an
      # IdP is privileged (an attacker-controlled IdP can mint identities that
      # this realm will trust), so the PSK is effectively an admin credential.
      security:
        - OAuth2AuthorizationCodeBearer: []
        - APIKeyHeader: []
components:
  schemas:
    CreateIdpRequest:
      properties:
        # "URL-safe, lowercase" is stated in prose only: the schema carries no
        # `pattern`/`maxLength`, so that enforcement is left to the server.
        alias:
          type: string
          title: Alias
          description: Unique alias. Ensure it's URL-safe and in lowercase.
        display_name:
          type: string
          title: Display Name
          description: Human-readable display name
        provider_id:
          $ref: '#/components/schemas/IdpProtocol'
          description: Protocol type.
        enabled:
          type: boolean
          title: Enabled
          description: Whether the IdP is active
          default: true
        known_provider:
          anyOf:
            - $ref: '#/components/schemas/KnownProvider'
            - type: 'null'
          description: Known provider preset for this configuration.
        # The "required when provider_id=..." rules below are documented but
        # not encoded (no oneOf / if-then): a body with `provider_id: oidc` and
        # no `oidc_config` passes schema validation and relies on the server's
        # 400/422 handling.
        oidc_config:
          anyOf:
            - $ref: '#/components/schemas/OidcConfig'
            - type: 'null'
          description: OIDC config. Required when `provider_id=oidc`
        saml_config:
          anyOf:
            - $ref: '#/components/schemas/SamlConfig'
            - type: 'null'
          description: SAML config. Required when `provider_id=saml`
        ldap_config:
          anyOf:
            - $ref: '#/components/schemas/LdapConfig'
            - type: 'null'
          description: LDAP config. Required when `provider_id=ldap`
        # Mappers decide which claims/attributes (and, per the operation
        # summary, which groups) federated users receive; review them with the
        # same care as the IdP endpoints and secrets.
        mappers:
          items:
            $ref: '#/components/schemas/IdpMapperConfig'
          type: array
          title: Mappers
          description: Claim/attribute mappers
      type: object
      required:
        - alias
        - display_name
        - provider_id
      title: CreateIdpRequest
      description: Request to create an identity provider.
    IdpResponse:
      properties:
        alias:
          type: string
          title: Alias
        display_name:
          type: string
          title: Display Name
        # Plain string here, unlike the request side which uses the
        # IdpProtocol enum.
        provider_id:
          type: string
          title: Provider Id
        enabled:
          type: boolean
          title: Enabled
        internal_id:
          anyOf:
            - type: string
            - type: 'null'
          title: Internal Id
        known_provider:
          anyOf:
            - $ref: '#/components/schemas/KnownProvider'
            - type: 'null'
        # Free-form (`additionalProperties: true`), so the schema does not say
        # which keys come back. The description commits the backend to masking
        # client_secret / bind_credential; the schema cannot enforce that, so
        # cover it with a test against the live response.
        config:
          additionalProperties: true
          type: object
          title: Config
          description: Provider configuration. NexusOne masks the secrets.
        mapper_count:
          type: integer
          title: Mapper Count
          description: Number of configured mappers.
          default: 0
      type: object
      required:
        - alias
        - display_name
        - provider_id
        - enabled
      title: IdpResponse
      description: Response for a single identity provider.
    ErrorResponse:
      properties:
        # Keep this a brief, generic message: backend exceptions and upstream
        # IdP/LDAP responses must not be surfaced here.
        error:
          type: string
          title: Error
          description: A brief description of the error that occurred.
        # Defaults to 500 when omitted; for the 400/409 bodies above the
        # server presumably sets it to the actual status -- confirm.
        code:
          type: integer
          title: Code
          description: The HTTP status code associated with the error.
          default: 500
      type: object
      required:
        - error
      title: ErrorResponse
    # 422 body: one ValidationError per rejected field. Each item's `input`
    # field can echo the rejected value, which on this endpoint may be a
    # `client_secret` or `bind_credential`; confirm the server redacts it.
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    # Selects which of oidc_config / saml_config / ldap_config the request
    # must carry (see the CreateIdpRequest field descriptions).
    IdpProtocol:
      type: string
      enum:
        - oidc
        - saml
        - ldap
      title: IdpProtocol
    # Optional preset hint. Per CreateIdpRequest the protocol-specific
    # *_config block is still required for the selected provider_id; that is
    # where the endpoints and secrets live, not here.
    KnownProvider:
      type: string
      enum:
        - okta
        - entra_id
        - auth0
        - google
        - github
        - ping_identity
        - onelogin
        - custom_oidc
        - custom_saml
        - active_directory
      title: KnownProvider
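    OidcConfig:
      properties:
        # Endpoint fields are tagged `format: uri` so malformed/relative values
        # are rejected at schema validation; the backend will connect to them.
        authorization_url:
          type: string
          format: uri
          title: Authorization Url
          description: Authorization endpoint URL.
        token_url:
          type: string
          format: uri
          title: Token Url
          description: Token endpoint URL.
        user_info_url:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
          title: User Info Url
          description: UserInfo endpoint URL.
        client_id:
          type: string
          title: Client Id
          description: OAuth 2.0 client ID.
        # Secret material: write-only (IdpResponse.config masks secrets, so it
        # is never read back) and `format: password` so UIs obscure the input.
        client_secret:
          type: string
          format: password
          writeOnly: true
          title: Client Secret
          description: OAuth 2.0 client secret.
        # With `issuer` null, discovery is off and there is no value to pin the
        # token `iss` claim against -- presumably; set it whenever the
        # provider publishes one.
        issuer:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
          title: Issuer
          description: Issuer URL. It enables OIDC discovery.
        default_scope:
          type: string
          title: Default Scope
          description: Default scopes.
          default: openid email profile
        # `enum` mirrors the options listed in the description so an unknown
        # mode is rejected by schema validation instead of by the backend.
        sync_mode:
          type: string
          enum:
            - INHERIT
            - IMPORT
            - LEGACY
            - FORCE
          title: Sync Mode
          description: >-
            Sync mode. Available options: `INHERIT`, `IMPORT`, `LEGACY`,
            `FORCE`.
          default: INHERIT
        # Turning this off means ID tokens from the IdP are not verified, so
        # a forged token would be accepted; keep both defaults outside tests.
        validate_signature:
          type: boolean
          title: Validate Signature
          description: Validate IdP token signature.
          default: true
        use_jwks_url:
          type: boolean
          title: Use Jwks Url
          description: Use the JSON Web Key Set (JWKS) URL for signature validation.
          default: true
        # PKCE is off unless requested. It protects the authorization-code
        # exchange (RFC 7636); enable it with `S256` for every provider that
        # supports it, not only the ones that require it.
        pkce_enabled:
          type: boolean
          title: Pkce Enabled
          description: >-
            Enable Proof Key for Code Exchange (PKCE). Some providers like Okta
            require it.
          default: false
        # `plain` sends the verifier itself as the challenge and only helps
        # when the channel is already confidential (RFC 7636 §7.2); use `S256`.
        pkce_method:
          type: string
          enum:
            - S256
            - plain
          title: Pkce Method
          description: >-
            Proof Key for Code Exchange (PKCE) challenge method. Available
            options: `S256` or `plain`.
          default: S256
      type: object
      required:
        - authorization_url
        - token_url
        - client_id
        - client_secret
      title: OidcConfig
      description: OIDC-specific IdP configuration.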
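    SamlConfig:
      properties:
        # Endpoint fields are tagged `format: uri` so malformed/relative values
        # are rejected at schema validation.
        single_sign_on_service_url:
          type: string
          format: uri
          title: Single Sign On Service Url
          description: SAML SSO endpoint URL.
        single_logout_service_url:
          anyOf:
            - type: string
              format: uri
            - type: 'null'
          title: Single Logout Service Url
          description: SAML Single Logout (SLO) endpoint URL.
        name_id_policy_format:
          type: string
          title: Name Id Policy Format
          description: NameID policy format.
          default: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        # Optional in the schema, but without the IdP certificate the backend
        # has nothing to verify response/assertion signatures against, so an
        # unsigned or attacker-signed response would presumably be trusted.
        # Treat it as required for any non-test configuration. There is no
        # explicit "want assertions signed" switch here; confirm the backend
        # default.
        signing_certificate:
          anyOf:
            - type: string
            - type: 'null'
          title: Signing Certificate
          description: IdP signing certificate in Privacy-Enhanced Mail (PEM) format.
        want_authn_requests_signed:
          type: boolean
          title: Want Authn Requests Signed
          description: Sign AuthnRequests.
          default: true
        post_binding_authn_request:
          type: boolean
          title: Post Binding Authn Request
          description: Use POST binding for AuthnRequest.
          default: true
        post_binding_response:
          type: boolean
          title: Post Binding Response
          description: Use POST binding for response.
          default: true
        # The description omits the option list; presumably the same set as
        # OidcConfig.sync_mode (INHERIT/IMPORT/LEGACY/FORCE) -- confirm.
        sync_mode:
          type: string
          title: Sync Mode
          description: Sync mode.
          default: INHERIT
      type: object
      required:
        - single_sign_on_service_url
      title: SamlConfig
      description: SAML-specific IdP configuration.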
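    LdapConfig:
      properties:
        # Use `ldaps://` as in the example so the bind credential and
        # directory data are not sent in clear text; `use_truststore_spi`
        # below controls how the server certificate is trusted.
        connection_url:
          type: string
          format: uri
          title: Connection Url
          description: LDAP connection URL. For example, `ldaps://ad.example.com:636`.
        # This account should only need read access to `users_dn` (edit_mode
        # defaults to READ_ONLY); do not bind as a directory administrator.
        bind_dn:
          type: string
          title: Bind Dn
          description: DN of the service account used to bind/search.
        # Secret material: write-only, obscured in UIs, masked in IdpResponse.
        bind_credential:
          type: string
          format: password
          writeOnly: true
          title: Bind Credential
          description: Password for the bind DN.
        users_dn:
          type: string
          title: Users Dn
          description: Base DN where users reside.
        # Scopes which directory accounts are synced; with no filter every
        # account under `users_dn` is federated.
        users_filter:
          anyOf:
            - type: string
            - type: 'null'
          title: Users Filter
          description: >-
            LDAP filter to scope user sync. For example,
            `(memberOf=CN=nx1,OU=Groups,DC=ex,DC=com)`.
        # `enum` lists below mirror the options given in each description so
        # unknown values fail schema validation instead of reaching the backend.
        vendor:
          type: string
          enum:
            - ad
            - rhds
            - edir
            - tivoli
            - other
          title: Vendor
          description: LDAP vendor. One of `ad`, `rhds`, `edir`, `tivoli`, `other`.
          default: ad
        username_ldap_attribute:
          type: string
          title: Username Ldap Attribute
          description: LDAP attribute used as username.
          default: sAMAccountName
        rdn_ldap_attribute:
          type: string
          title: Rdn Ldap Attribute
          description: LDAP Relative Distinguished Name (RDN) attribute.
          default: sAMAccountName
        uuid_ldap_attribute:
          type: string
          title: Uuid Ldap Attribute
          description: LDAP attribute used as unique ID.
          default: objectGUID
        user_object_classes:
          type: string
          title: User Object Classes
          description: Comma-separated LDAP objectClasses for users.
          default: person, organizationalPerson, user
        # Quoted on purpose: the values are strings, not integers.
        search_scope:
          type: string
          enum:
            - '1'
            - '2'
          title: Search Scope
          description: LDAP search scope. `1`=one level, `2`=subtree.
          default: '2'
        # READ_ONLY keeps the platform from writing back to the directory;
        # WRITABLE needs a bind account with write rights and widens the
        # blast radius of a compromised service.
        edit_mode:
          type: string
          enum:
            - READ_ONLY
            - WRITABLE
            - UNSYNCED
          title: Edit Mode
          description: Edit mode. One of `READ_ONLY`, `WRITABLE`, `UNSYNCED`.
          default: READ_ONLY
        # Governs whether the backend's configured truststore is consulted
        # when verifying the LDAP server certificate; `never` falls back to
        # whatever default trust the backend has -- confirm that still verifies
        # the chain, otherwise the bind credential is exposed to a MITM.
        use_truststore_spi:
          type: string
          enum:
            - always
            - never
            - ldapsOnly
          title: Use Truststore Spi
          description: Truststore usage. One of `always`, `never`, `ldapsOnly`.
          default: always
        connection_timeout:
          type: integer
          title: Connection Timeout
          description: Connection timeout in milliseconds.
          default: 5000
        read_timeout:
          type: integer
          title: Read Timeout
          description: Read timeout in milliseconds.
          default: 10000
        pagination:
          type: boolean
          title: Pagination
          description: Enable LDAP pagination.
          default: true
        batch_size_for_sync:
          type: integer
          title: Batch Size For Sync
          description: Page size for sync operations.
          default: 1000
        full_sync_period:
          type: integer
          title: Full Sync Period
          description: Full sync period in seconds. `-1` to disable.
          default: 604800
        changed_sync_period:
          type: integer
          title: Changed Sync Period
          description: Changed-users sync period in seconds. `-1` to disable.
          default: 86400
        sync_registrations:
          type: boolean
          title: Sync Registrations
          description: Sync newly registered users back to LDAP.
          default: false
        import_enabled:
          type: boolean
          title: Import Enabled
          description: Import LDAP users into Keycloak's DB.
          default: true
        # Marks directory e-mail addresses as verified with no confirmation
        # round-trip; keep `true` only if the directory is the authoritative
        # source for e-mail, since verified e-mail typically gates recovery
        # and account-linking flows.
        trust_email:
          type: boolean
          title: Trust Email
          description: Trust email addresses as verified.
          default: true
      type: object
      required:
        - connection_url
        - bind_dn
        - bind_credential
        - users_dn
      title: LdapConfig
      description: LDAP user federation configuration for Active Directory or generic LDAP.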
    IdpMapperConfig:
      properties:
        id:
          anyOf:
            - type: string
            - type: 'null'
          title: Id
          description: Mapper ID. It's set by Keycloak and omits on create.
        name:
          type: string
          title: Name
          description: Mapper name. For example, `email-mapper`.
        # The mapper type determines what `config` below means and what a
        # federated user ends up with (attributes and, per the operation
        # summary, groups).
        identity_provider_mapper:
          type: string
          title: Identity Provider Mapper
          description: >-
            Mapper type. For example, `oidc-user-attribute-idp-mapper` or
            `saml-user-attribute-idp-mapper`.
        # Unvalidated here (`additionalProperties: true`); the backend is the
        # only check on its keys and values.
        config:
          additionalProperties: true
          type: object
          title: Config
          description: >-
            Mapper config. It's keys vary by mapper types, such as `syncMode`,
            `claim`, or `user.attribute`.
      type: object
      required:
        - name
        - identity_provider_mapper
      title: IdpMapperConfig
      description: A single IdP mapper for claim or attribute mapping.
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
        # Untyped and, in the usual FastAPI/pydantic shape this mirrors, it
        # echoes the submitted value. On this endpoint that may be a
        # `client_secret` or `bind_credential`; confirm the server redacts
        # secrets from 422 responses (or strips `input`) before relying on it.
        input:
          title: Input
        ctx:
          type: object
          title: Context
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
  securitySchemes:
    OAuth2AuthorizationCodeBearer:
      type: oauth2
      flows:
        authorizationCode:
          # No scopes are defined, so authorization is not expressed in the
          # spec; whatever role checks exist happen server-side (the 403).
          scopes: {}
          authorizationUrl: >-
            https://sso-rapid.rapid.nx1cloud.com/realms/rapid/protocol/openid-connect/auth
          tokenUrl: >-
            https://sso-rapid.rapid.nx1cloud.com/realms/rapid/protocol/openid-connect/token
    # Static pre-shared key sent as a request header: a long-lived,
    # bearer-equivalent secret with no per-user identity. Rotate it, never log
    # the header, and prefer the OAuth2 scheme for anything that must be
    # attributable. The header name here (`Authorization-PSK`) disagrees with
    # the info description ("Authorization header") -- confirm which the
    # server reads.
    APIKeyHeader:
      type: apiKey
      in: header
      name: Authorization-PSK

````