
Manage IdP bindings

An IdP binding tells a Domain which upstream OIDC provider to delegate sign-in to. plexctl domain-idp wraps /v1/admin/idp.

Prerequisites

  • An authenticated session — see Log in with plexctl.
  • The Domain UUID and the OIDC client credentials from your provider.
  • The client secret saved to a file (inline literals are rejected).

Steps

Create a binding

shell
# Create the secret file with mode 0600; with a default umask the file in /tmp
# would be readable by every local user.
(umask 077; printf '%s' "$OIDC_CLIENT_SECRET" > /tmp/idp-secret)
plexctl domain-idp create \
  --domain-id <domain-uuid> \
  --client-id plexsphere \
  --client-secret @/tmp/idp-secret \
  --discovery-url https://idp.example.com/.well-known/openid-configuration \
  --issuer https://idp.example.com \
  --jit-policy allow \
  --claim-mapping email=preferred_email
# The file is read once during create; remove it as soon as the command returns.
rm -f /tmp/idp-secret

--client-secret must be given as @<path>; an inline literal is rejected. The file is read once and trimmed, so a trailing newline left by an editor is harmless. Secret-shaped fields in the response are masked unless you pass --reveal-secrets, and every reveal is audit-logged.

List bindings

shell
plexctl domain-idp list --domain-id <domain-uuid>

Get or update a binding

shell
plexctl domain-idp get    --id <binding-uuid>
plexctl domain-idp update --id <binding-uuid> --jit-policy deny

update is a partial PATCH: only the flags you set (--jit-policy, --discovery-url, --required-acr, --required-amr, --claim-mapping) are forwarded. Status is changed through enable/disable, not update.

Enable, disable, or delete

shell
plexctl domain-idp enable  --id <binding-uuid>
plexctl domain-idp disable --id <binding-uuid>
plexctl domain-idp delete  --id <binding-uuid>

Verification

shell
plexctl domain-idp list --domain-id <domain-uuid> --output json \
  | jq '.[] | {id, issuer, status}'
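The steps above, combined into one script that stages the secret in a private 0600 file for exactly as long as the create call runs and then checks the binding's status instead of merely printing it. This is an added example, not plexctl's own tooling: it assumes the domain-idp flags documented on this page, a jq binary on PATH, and a PLEXCTL_BIN variable of its own (not a plexctl feature) so the CLI can be swapped for a wrapper or test stub.

```shell
#!/bin/sh
# Added example for this page, not plexctl's own code. Assumes the domain-idp
# flags documented above and jq; PLEXCTL_BIN is an assumption of this script.
set -e

PLEXCTL_BIN="${PLEXCTL_BIN:-plexctl}"

# Write the secret to a fresh 0600 file inside a 0700 temp dir and print the
# "@<path>" form the CLI expects. printf '%s' adds no trailing newline, so the
# file holds exactly the value the IdP issued.
stage_secret() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  (umask 077; printf '%s' "$1" > "$dir/idp-secret")
  printf '@%s' "$dir/idp-secret"
}

# Create a binding. The secret touches disk only for the duration of the
# create call; the temp dir is removed whether or not plexctl succeeds, and
# plexctl's exit status is propagated.
# Usage: create_binding <domain-uuid> <client-id> <secret> <issuer> [extra flags]
create_binding() {
  domain="$1"; client_id="$2"; secret="$3"; issuer="$4"; shift 4
  ref=$(stage_secret "$secret")
  rc=0
  "$PLEXCTL_BIN" domain-idp create \
    --domain-id "$domain" \
    --client-id "$client_id" \
    --client-secret "$ref" \
    --discovery-url "$issuer/.well-known/openid-configuration" \
    --issuer "$issuer" \
    --jit-policy allow \
    "$@" || rc=$?
  rm -rf "$(dirname "${ref#@}")"
  return "$rc"
}

# Print the status of the binding whose issuer matches, and fail (jq -e exits
# non-zero) if there is none or more than one, so a scripted rollout cannot
# continue on a half-applied configuration.
binding_status() {
  domain="$1"; issuer="$2"
  "$PLEXCTL_BIN" domain-idp list --domain-id "$domain" --output json \
    | jq -e -r --arg iss "$issuer" \
        '[.[] | select(.issuer == $iss)]
         | if length == 1 then .[0].status
           else error("expected exactly one binding for \($iss), got \(length)") end'
}

# Example run (domain UUID and issuer are placeholders):
#   create_binding 11111111-2222-3333-4444-555555555555 plexsphere "$OIDC_CLIENT_SECRET" \
#       https://idp.example.com --claim-mapping email=preferred_email
#   [ "$(binding_status 11111111-2222-3333-4444-555555555555 https://idp.example.com)" = enabled ]
```

Pass any of the optional flags from the page (--claim-mapping, --required-acr, --required-amr) after the issuer; they are appended to the create call unchanged. binding_status pairs with the jq filter in the Verification step but turns it into a hard check, which is what you want before a deploy pipeline flips the binding with enable.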

See also