
@yumingcao-okta
Forked from karlmcguinness-okta/app-keystore.md
Last active December 10, 2015 21:17

Application KeyStore and Key Rollover

This is the spec for the key rollover feature, phase 1 MVP, based on https://gist.github.com/karlmcguinness-okta/4d1b743a949cdd937e16

Differences compared to the original spec:

  • keys have no id, lastUpdated, e, or n attributes
  • the JWK representation exposes x5t#S256 instead of x5t
  • the update key endpoint accepts PUT (full update) instead of POST (partial update)
  • no keyRollover convenience method

Application Operations

Get Application

The credentials object has been extended with a signing object whose kid references a key in the app's keystore. This pattern mirrors the IdP API /api/v1/idps/credentials/keys.

GET /api/v1/apps/0oaigsp4oKodxsVjn0g3 HTTP/1.1
HTTP/1.1 200 OK
Content-Type: application/json

{
  "id": "0oaigsp4oKodxsVjn0g3",
  "name": "zendesk",
  "label": "Zendesk",
  "status": "ACTIVE",
  "lastUpdated": "2015-12-03T20:03:58.000Z",
  "created": "2015-12-03T19:36:19.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "licensing": {
    "seatCount": 0
  },
  "visibility": {
    "autoSubmitToolbar": true,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "akmio72mri0JkowgQ0g3"
    }
  },
  "settings": {
    "app": {
      "companySubDomain": "aaa",
      "authToken": null
    },
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "signOn": {
      "defaultRelayState": null
    }
  },
  "_links": {
    "logo": [
      {
        "name": "medium",
        "href": "http://rain.okta1.com:1802/img/logos/zendesk.png",
        "type": "image/png"
      }
    ],
    "appLinks": [
      {
        "name": "login",
        "href": "http://rain.okta1.com:1802/home/zendesk/0oaigsp4oKodxsVjn0g3/120",
        "type": "text/html"
      }
    ],
    "help": {
      "href": "http://rain-admin.okta1.com:1802/app/zendesk/0oaigsp4oKodxsVjn0g3/setup/help/SAML_2_0/external-doc",
      "type": "text/html"
    },
    "users": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/users"
    },
    "deactivate": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/lifecycle/deactivate"
    },
    "groups": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/groups"
    },
    "metadata": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/sso/saml/metadata",
      "type": "application/xml"
    }
  }
}

Application Credential Operations

Update Key

This operation allows the admin to control when the signing key is swapped. If the kid does not identify a key in the app's keystore, an error should be returned.

PUT /api/v1/apps/0oaigsp4oKodxsVjn0g3 HTTP/1.1
Content-Type: application/json

{
  "id": "0oaigsp4oKodxsVjn0g3",
  "name": "zendesk",
  "label": "Zendesk",
  "status": "ACTIVE",
  "lastUpdated": "2015-12-03T19:36:39.000Z",
  "created": "2015-12-03T19:36:19.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "licensing": {
    "seatCount": 0
  },
  "visibility": {
    "autoSubmitToolbar": true,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
        "kid": "akmioaFPOaBcU6eYS0g3"
    }
  },
  "settings": {
    "app": {
      "companySubDomain": "aaa",
      "authToken": null
    },
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "signOn": {
      "defaultRelayState": null
    }
  },
  "_links": {
    "logo": [
      {
        "name": "medium",
        "href": "http://rain.okta1.com:1802/img/logos/zendesk.png",
        "type": "image/png"
      }
    ],
    "appLinks": [
      {
        "name": "login",
        "href": "http://rain.okta1.com:1802/home/zendesk/0oaigsp4oKodxsVjn0g3/120",
        "type": "text/html"
      }
    ],
    "help": {
      "href": "http://rain-admin.okta1.com:1802/app/zendesk/0oaigsp4oKodxsVjn0g3/setup/help/SAML_2_0/external-doc",
      "type": "text/html"
    },
    "users": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/users"
    },
    "deactivate": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/lifecycle/deactivate"
    },
    "groups": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/groups"
    },
    "metadata": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/sso/saml/metadata",
      "type": "application/xml"
    }
  }
}
HTTP/1.1 200 OK
Content-Type: application/json

{
  "id": "0oaigsp4oKodxsVjn0g3",
  "name": "zendesk",
  "label": "Zendesk",
  "status": "ACTIVE",
  "lastUpdated": "2015-12-03T23:38:14.000Z",
  "created": "2015-12-03T19:36:19.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "licensing": {
    "seatCount": 0
  },
  "visibility": {
    "autoSubmitToolbar": true,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "akmioaFPOaBcU6eYS0g3"
    }
  },
  "settings": {
    "app": {
      "companySubDomain": "aaa",
      "authToken": null
    },
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "signOn": {
      "defaultRelayState": null
    }
  },
  "_links": {
    "logo": [
      {
        "name": "medium",
        "href": "http://rain.okta1.com:1802/img/logos/zendesk.png",
        "type": "image/png"
      }
    ],
    "appLinks": [
      {
        "name": "login",
        "href": "http://rain.okta1.com:1802/home/zendesk/0oaigsp4oKodxsVjn0g3/120",
        "type": "text/html"
      }
    ],
    "help": {
      "href": "http://rain-admin.okta1.com:1802/app/zendesk/0oaigsp4oKodxsVjn0g3/setup/help/SAML_2_0/external-doc",
      "type": "text/html"
    },
    "users": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/users"
    },
    "deactivate": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/lifecycle/deactivate"
    },
    "groups": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/groups"
    },
    "metadata": {
      "href": "http://rain.okta1.com:1802/api/v1/apps/0oaigsp4oKodxsVjn0g3/sso/saml/metadata",
      "type": "application/xml"
    }
  }
}

Key Store Operations

Generate Key

POST /api/v1/apps/0oaaxj6jHI15dNcsQ0g4/credentials/keys/generate?validityYears=2 HTTP/1.1
HTTP/1.1 201 Created
Content-Type: application/json
Location: http://rain.okta1.com:1802/api/v1/apps/0oaaxj6jHI15dNcsQ0g4/credentials/keys/akmip6ekYBlG9WMJc0g3

{
  "created": "2015-12-03T23:28:23.000Z",
  "expiresAt": "2017-12-03T23:28:22.000Z",
  "x5c": [
    "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"
  ],
  "kid": "akmip6ekYBlG9WMJc0g3",
  "kty": "RSA",
  "use": "sig",
  "x5t#S256": "uBajQqfNYJXU5D6ivrKPz73nb161ZXYZ5_ZOKQfMDBk"
}

Get Key

GET /api/v1/apps/0oaaxj6jHI15dNcsQ0g4/credentials/keys/akmip6ekYBlG9WMJc0g3 HTTP/1.1
HTTP/1.1 200 OK
Content-Type: application/json

{
  "created": "2015-12-03T23:28:23.000Z",
  "expiresAt": "2017-12-03T23:28:22.000Z",
  "x5c": [
    "MIIDmDCCAoCgAwIBAgIGAVFqLNm/MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxDTALBgNVBAMMBHJhaW4xHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjAzMjMyNzIyWhcNMTcxMjAzMjMyODIyWjCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMQ0wCwYDVQQDDARyYWluMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA27R+TDbkHYYk7ji+T4Ip9BMT8LZKLi8s78oGabBspZG1KooL22vidp/3MVYBGnEgr+CWRjJy/gK5zUfxIydqSJ5BTVo2S1wTxFv7OIjHugg1G/Mjq46CxsrmzFjaS/FdoM5r7Wxqg1JflCw0o367rwbOl6lWwUbbptf+fby0DbRCbj5QZwXKTkTkPbi/a6JNlOseJZjdE7PJ91uQ9aDf6OyrPx3W3cIdLFAhQ6jBcF0jKFeSxPtdKVg/uDZZw23bUkoB6wACF+McmByIBN7sXAXQSitlsyiK6uymSzA+9E9Hd9ZLXqVrzy3O6ABlUhcnoC789upEpT5UKKwLVzRTnwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQARghunlORCB5xnZ8Knq7eCk63xCOXflQGDtpSG9DEsCC1hVMnOvGpMu/p/P1g2mx6aDG4AaE4qhyrHE50/l5phna+5X3TfyrKZB21+LKVyyU/3UFQftymnxYBEUrRaFpQ4etevFay3Gi3AEIFiusEQr+m6fsPLDs1q7fpaEGrRDcPWieG5EQ79+BiW3nw1YEFoJSTiGYfAO3qWHH0wJoSnnV6zofeKN/7BejHiOc6m2t0j/XpAVGupF0JpJG/TGxLdmR9aSvF0Rud797CXPlAaLwC0Hy60YHFNzRxZLSqlmiy1jnaGJONChKeYqRqBBProASsfzskjn6ygeohoOqbI"
  ],
  "kid": "akmip6ekYBlG9WMJc0g3",
  "kty": "RSA",
  "use": "sig",
  "x5t#S256": "uBajQqfNYJXU5D6ivrKPz73nb161ZXYZ5_ZOKQfMDBk"
}

List Keys

GET /api/v1/apps/0oaaxj6jHI15dNcsQ0g4/credentials/keys HTTP/1.1
HTTP/1.1 200 OK
Content-Type: application/json

[
  {
    "created": "2015-12-03T19:58:37.000Z",
    "expiresAt": "2045-02-08T17:50:31.000Z",
    "x5c": [
      "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"
    ],
    "kid": "akmio72mri0JkowgQ0g3",
    "kty": "RSA",
    "use": "sig",
    "x5t#S256": "CyhOiLD8_9hCFT02nUbkvmlNncBsb31xY_SUbF6fHPA"
  },
  {
    "created": "2015-12-03T20:01:03.000Z",
    "expiresAt": "2017-12-03T20:01:03.000Z",
    "x5c": [
      "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"
    ],
    "kid": "akmioaFPOaBcU6eYS0g3",
    "kty": "RSA",
    "use": "sig",
    "x5t#S256": "EiYn5q_ONDBoqoFXsxwSKyWrz3ByTRlEKgpqZ74z8VQ"
  },
  {
    "created": "2015-12-03T23:28:23.000Z",
    "expiresAt": "2017-12-03T23:28:22.000Z",
    "x5c": [
      "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"
    ],
    "kid": "akmip6ekYBlG9WMJc0g3",
    "kty": "RSA",
    "use": "sig",
    "x5t#S256": "uBajQqfNYJXU5D6ivrKPz73nb161ZXYZ5_ZOKQfMDBk"
  }
]

Metadata Operations

Preview Metadata

GET /api/v1/apps/0oaaxj6jHI15dNcsQ0g4/sso/saml/metadata?kid=akmioaFPOaBcU6eYS0g3 HTTP/1.1
Accept: application/xml
HTTP/1.1 200 OK
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="okta">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDmDCCAoCgAwIBAgIGAVFpbwskMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJVUzETMBEG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</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://rain.okta1.com:1802/app/zendesk/exkigrsAVHv5MyrHn0g3/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://rain.okta1.com:1802/app/zendesk/exkigrsAVHv5MyrHn0g3/sso/saml"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

Notes:

  • Cross-org key management attempts are forbidden
  • Key management attempts are forbidden when the KEY_ROLLOVER feature flag is off