| description | string | This description is optional but will drastically improve the AI assistant's understanding of the structural elements of the organization. |
| disabled | bool | If true, this identity provider configuration will be disabled. |
| permissions | Permissions | |
| displayName | string | The display name for the identity provider, which will be shown to end-users on the login page. |
| mode | string | Defines the way social sign-in is handled. Possible values are 'POPUP' and 'REDIRECT'. |
| providers | Providers | A block to enable or disable specific third-party identity providers. For each provider set to true, the identity provider configuration is updated, and the platform expects the corresponding client StateID and secret to be present in the centralized secret manager. |
| termsOfService | string | A URL to the terms of service document for the application. If absolute, it must use the https scheme. If relative, it must be relative to the domain where the application is hosted. |
| privacyPolicy | string | A URL to the privacy policy document for the application. If absolute, it must use the https scheme. If relative, it must be relative to the domain where the application is hosted. |
| logoUrl | string | A URL to the logo that will be displayed on the sign-in page. |
| iconUrl | string | A URL to the icon that will be displayed on the sign-in page. |
| buttonColor | string | The color of the button used on the sign-in page for this provider. This MUST be a hex color code. |
| styleUrl | string | URL to a custom CSS stylesheet for this tenant. Overrides the ingress-level styleUrl. Must be HTTPS if absolute. |
| heroImageUrl | string | URL to a hero/background image displayed in the login page's hero panel. |
| heroBackground | string | CSS background value for the hero panel (e.g., "linear-gradient(135deg, #667eea, #764ba2)"). |
| immediateFederatedRedirect | bool | When true and exactly one federated provider is configured, skip the sign-in UI and redirect immediately to the provider. |
| redirectOnLogin | string | Redirect URL after successful sign-in. Overrides the ingress-level default. |
| redirectOnLogout | string | Redirect URL after sign-out. Overrides the ingress-level default. |
| passwordPolicy | PasswordPolicy | Password policy for this tenant. Applied at the GCIP tenant level in multi-tenant setups. |
| smsRegionPolicy | SmsRegionPolicy | Controls which geographic regions can receive SMS for phone authentication. Required when phone auth is enabled to prevent toll fraud. |
| testPhoneNumbers | list of TestPhoneNumbersEntry | Testing phone numbers for this tenant. Maps phone number (E.164 format) to a fixed verification code. Maximum 10 entries. |
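
The constraints stated in the table can be checked before a configuration is applied. The linter below is an added example, not the platform's own code. It assumes the block has been parsed into a Python dict, that `providers` maps provider names to booleans, that phone auth is enabled through a hypothetical `phone` key, and that `testPhoneNumbers` is a number-to-code mapping.

```python
import re
from urllib.parse import urlparse

HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")  # assumed: 3 or 6 digits
E164 = re.compile(r"\+[1-9]\d{1,14}")
HTTPS_IF_ABSOLUTE = ("termsOfService", "privacyPolicy", "styleUrl")

def lint_identity_config(cfg):
    """Return a list of findings for one parsed identity provider block."""
    findings = []
    if cfg.get("mode") not in (None, "POPUP", "REDIRECT"):
        findings.append("mode: must be 'POPUP' or 'REDIRECT'")
    for field in HTTPS_IF_ABSOLUTE:
        url = cfg.get(field)
        # A scheme or host makes the URL absolute (this also catches
        # protocol-relative "//host/path"); relative paths pass through.
        parts = urlparse(url or "")
        if (parts.scheme or parts.netloc) and parts.scheme != "https":
            findings.append(f"{field}: absolute URL must use https")
    color = cfg.get("buttonColor")
    if color is not None and not HEX_COLOR.fullmatch(color):
        findings.append("buttonColor: not a hex color code")
    # Assumption: "phone" is a hypothetical key name for phone authentication.
    providers = cfg.get("providers") or {}
    if providers.get("phone") and not cfg.get("smsRegionPolicy"):
        findings.append("smsRegionPolicy: required when phone auth is enabled")
    # Assumption: testPhoneNumbers is parsed as {number: verification code}.
    numbers = cfg.get("testPhoneNumbers") or {}
    if len(numbers) > 10:
        findings.append("testPhoneNumbers: more than 10 entries")
    for number in numbers:
        if not E164.fullmatch(number):
            findings.append(f"testPhoneNumbers: {number!r} is not E.164")
    return findings

SAMPLE = {  # constructed sample, not a real tenant
    "mode": "INLINE",
    "termsOfService": "http://example.com/tos",
    "privacyPolicy": "/privacy",
    "styleUrl": "https://example.com/login.css",
    "buttonColor": "blue",
    "providers": {"google": True, "phone": True},  # key names are hypothetical
    "testPhoneNumbers": {"+15555550100": "123456", "555-0101": "654321"},
}

if __name__ == "__main__":
    for finding in lint_identity_config(SAMPLE):
        print(finding)
```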