List the active org's identity providers
Returns the IdPs currently linked to the active organization. Each entry carries alias, provider_id, display_name, enabled flag, and hide_on_login. Config is intentionally omitted on List - secrets like client_secret stay server-side; fetch a single IdP via Get to receive its config.
List the active org's identity providers › Responses
OK
alias, display_name, enabled, hide_on_login, provider_id
Attach a new identity provider to the active org
Creates a realm-level IdP and links it to the active org in one saga. On link failure the realm IdP is deleted to avoid orphans. Provider IDs supported: oidc, keycloak-oidc, saml. The config map is forwarded to Keycloak as-is (issuer URL, client secret, SAML metadata, etc.).
Attach a new identity provider to the active org › Request Body
alias, display_name, enabled, hide_on_login, provider_id
Attach a new identity provider to the active org › Responses
Created
alias, display_name, enabled, hide_on_login, provider_id
Get one identity provider by alias
Returns one IdP's full representation including config. Returns 404 when the alias isn't linked to the active org (cross-tenant guard).
Path Parameters
alias: Realm-level IdP alias
Get one identity provider by alias › Responses
OK
alias, display_name, enabled, hide_on_login, provider_id
Remove an identity provider from the active org
Unlinks the IdP from the active org and deletes the realm-level IdP itself. Order is unlink-then-delete - the reverse leaves a dangling org→alias binding the OrganizationAuthenticator handles ungracefully.
Path Parameters
alias: Realm-level IdP alias
Remove an identity provider from the active org › Responses
Detached
Update an identity provider's config
Replaces the IdP's representation. Note: Keycloak's PUT is full-representation replace, not partial-merge - clients should fetch via Get and pass back the merged shape if they want to preserve unchanged fields. Returns 404 when the alias isn't linked to the active org (cross-tenant guard).
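The fetch-then-merge step described above, as an added example that is not part of this API's own code: it builds the full Update body from a Get response so that unchanged fields survive the replace. The function name, the `config` body key, the config key names and the sample values are assumptions.

```python
import copy

# Provider IDs the page lists as supported.
SUPPORTED_PROVIDER_IDS = {"oidc", "keycloak-oidc", "saml"}
# Fields the page lists for the Update body, plus the config map
# (assumption: config travels in the body under the key "config").
BODY_FIELDS = ("display_name", "enabled", "hide_on_login", "provider_id", "config")


def build_update_body(current, changes):
    """Merge `changes` into the representation returned by Get and return
    the full body for Update, so the full-replace PUT drops nothing."""
    if "alias" in changes and changes["alias"] != current.get("alias"):
        raise ValueError("alias is the path parameter and cannot be changed in the body")
    unknown = set(changes) - set(BODY_FIELDS) - {"alias"}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")

    # Start from a deep copy of what the server holds today.
    body = {k: copy.deepcopy(current[k]) for k in BODY_FIELDS if k in current}
    for key, value in changes.items():
        if key == "alias":
            continue
        if key == "config":
            # Merge key by key: sending only the changed config entries
            # would replace the stored map and lose the others.
            body.setdefault("config", {}).update(value)
        else:
            body[key] = value

    if body.get("provider_id") not in SUPPORTED_PROVIDER_IDS:
        raise ValueError(f"unsupported provider_id: {body.get('provider_id')!r}")
    return body


# Constructed sample of a Get response (all values are placeholders).
FETCHED = {
    "alias": "example-idp",
    "display_name": "Example SSO",
    "enabled": True,
    "hide_on_login": False,
    "provider_id": "oidc",
    "config": {"issuer": "https://idp.example.test", "client_secret": "PLACEHOLDER"},
}

if __name__ == "__main__":
    print(build_update_body(FETCHED, {"hide_on_login": True}))
```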
Path Parameters
alias: Realm-level IdP alias
Update an identity provider's config › Request Body
display_name, enabled, hide_on_login, provider_id
Update an identity provider's config › Responses
OK
alias, display_name, enabled, hide_on_login, provider_id
List the active org's verified domains
Returns the domain list Keycloak holds for the active organization. Each entry carries the hostname and the verified flag (true once the org admin has asserted ownership in v1; v2 will require DNS-TXT proof). Empty array when the org has no domains. Drives the security panel's domain-management section alongside PUT /organization/domains.
List the active org's verified domains › Responses
OK
name, verified
Set the active org's verified-domain list
Replaces the org's domain list with the supplied entries. v1 ships operator-asserted: every domain the request supplies is set verified=true so Keycloak's OrganizationAuthenticator picks it up for home-realm-discovery. Empty arrays clear the list.
Set the active org's verified-domain list › Responses
OK
name, verified