Identity provider#

An Identity Provider (IDP) is required in order to federate with Identity. Services are provided to manage Identity Providers (IDPs) within Identity.

Access restrictions

Access to the Identity Provider management (CRUD) services, including the metadata-based ones, is controlled by the following roles.

| Service | identity:user-admin | identity:user-manage | rcn:admin |
|---|---|---|---|
| CreateIDPs | Yes | Yes | Yes |
| UpdateIDPs | Yes | Yes | Yes |
| GetIDPs | Yes | Yes | Yes |
| ListIDPs | Yes | Yes | Yes |
| GetIDPsMetadata | Yes | Yes | Yes |
| GetIDPsMappingPolicy | Yes | Yes | Yes |
| UpdateIDPsMappingPolicy | Yes | Yes | Yes |

Note

  • User-admin or User-manage can make requests only when the caller’s domain is the same as the specified Identity Provider’s (IDP’s) approvedDomainId.

  • A user with the role rcn:admin can make requests only when the caller’s domain is within the same RCN as the IDP’s specified approvedDomainId.

Use the following API operations to create, review, update, and delete Identity Providers.

Create IDP with metadata#

POST /v2.0/RAX-AUTH/federation/identity-providers

Create a new Identity Provider using XML metadata.

Note

  • Creating an IDP from metadata automatically assigns the IDP’s name from the caller’s domain ID, truncated to at most 29 characters.

  • If the IDP’s name already exists, a digit is appended to the name until a unique name is found (for example, example_2).

  • This resource describes a single deployment using EntityDescriptor.

This table shows the possible response codes for this operation:

| Response Code | Name | Description |
|---|---|---|
| 201 | Created | The request has been fulfilled. The IDP has been created. |
| 400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
| 401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
| 403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
| 404 | Not Found | The requested resource was not found. |
| 405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
| 406 | Not Acceptable | The server cannot send data in the format requested. |
| 413 | Over Limit | The number of items returned is above the allowed limit. |
| 503 | Service Fault | Service is not available. |

Request#

This table shows the header parameters for the request:

| Name | Type | Description |
|---|---|---|
| X-Auth-Token | String (Required) | A valid authentication token. |

This table shows the body parameters for the request:

| Name | Type | Description |
|---|---|---|
| EntityDescriptor | Object (Required) | Describes a system entity such as an Identity Provider. |
| EntityDescriptor.entityID | String (Required) | The issuer for the IDP. |
| EntityDescriptor.IDPSSODescriptor | Object (Required) | An IDP role. |
| EntityDescriptor.IDPSSODescriptor.protocolSupportEnumeration | String (Required) | Represents general classes of protocol support for the role in question. |
| EntityDescriptor.IDPSSODescriptor.SingleSignOnService | Object (Required) | Describes a protocol binding endpoint. |
| EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Binding | String (Required) | Describes a protocol binding. Only HTTP-Redirect is currently supported. |
| EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Location | String (Required) | The authentication URL. |
| EntityDescriptor.IDPSSODescriptor.KeyDescriptor | Object (Optional) | Associates one or more public keys with the system being defined. |
| EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo | Object (Optional) | An element describing keys. |

Example: Create IDP request: XML

<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport"
    ID="someId" entityID="https://my.issuer.com">
    <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <ns0:KeyDescriptor use="signing">
            <ns1:KeyInfo>
                <ns1:X509Data>
                    <ns1:X509Certificate>
                    MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
                    BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
                    aWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBF
                    MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
                    ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
                    gQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ng
                    LHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4
                    A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0G
                    A1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmE
                    Y4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
                    U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKj
                    tRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3f
                    H0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucN
                    hLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I
                    0vUmFp8G+ZJ+F00zqabtCv/kMVM=
                    </ns1:X509Certificate>
                </ns1:X509Data>
            </ns1:KeyInfo>
        </ns0:KeyDescriptor>
        <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.login.com"/>
    </ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
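
The checks a service has to run on metadata like the request above, as an added example that is not code from this API reference: it enforces the required elements listed in the body-parameter table, rejects any SingleSignOnService binding other than HTTP-Redirect, decodes each X509Certificate, and derives the auto-assigned name as the notes describe. The SHA-1 certificate id, the https requirement on Location and the `_2`, `_3` suffix format are assumptions of this example, not documented behaviour.

```python
"""Server-side validation of IDP EntityDescriptor metadata (Create/Update IDP with metadata).

Added example, not code from the Identity API documentation. It enforces what the
reference states: entityID, IDPSSODescriptor and protocolSupportEnumeration are
required; SingleSignOnService must use the HTTP-Redirect binding and carry a
Location; KeyDescriptor/X509Certificate is optional. Assumptions of this example:
the certificate id is the SHA-1 of the DER bytes, the Location must be https, and
duplicate names are disambiguated as name_2, name_3, ...
"""
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET  # parse untrusted metadata with defusedxml in production

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAME_MAX = 29  # documented: the auto-assigned name is at most 29 characters of the domain ID


def validate_idp_metadata(xml_text: str) -> dict:
    """Return a dict with ok, errors, issuer, authenticationUrl and certificates."""
    errors = []
    result = {"issuer": None, "authenticationUrl": None, "certificates": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"ok": False, "errors": [f"malformed XML: {exc}"], **result}

    if root.tag != MD + "EntityDescriptor":
        errors.append("root element must be md:EntityDescriptor")
    issuer = (root.get("entityID") or "").strip()
    if not issuer:
        errors.append("EntityDescriptor.entityID is required")
    result["issuer"] = issuer or None

    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        errors.append("IDPSSODescriptor is required")
        return {"ok": False, "errors": errors, **result}
    if not idp.get("protocolSupportEnumeration"):
        errors.append("IDPSSODescriptor.protocolSupportEnumeration is required")

    sso = idp.find(MD + "SingleSignOnService")
    if sso is None:
        errors.append("SingleSignOnService is required")
    else:
        if sso.get("Binding") != HTTP_REDIRECT:
            errors.append("SingleSignOnService.Binding must be HTTP-Redirect")
        location = (sso.get("Location") or "").strip()
        if not location.startswith("https://"):
            errors.append("SingleSignOnService.Location must be an https URL")
        result["authenticationUrl"] = location or None

    cert_path = f"{MD}KeyDescriptor/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate"
    for cert_el in idp.iterfind(cert_path):
        b64 = "".join((cert_el.text or "").split())  # the XML may wrap the base64 text
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            errors.append("X509Certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:  # a certificate is a DER SEQUENCE
            errors.append("X509Certificate does not decode to a DER SEQUENCE")
            continue
        result["certificates"].append({"id": hashlib.sha1(der).hexdigest(), "pemEncoded": b64})
    return {"ok": not errors, "errors": errors, **result}


def derive_idp_name(domain_id: str, existing_names: set) -> str:
    """Auto-assign the IDP name from the caller's domain ID, appending _2, _3, ... if taken."""
    base = domain_id[:NAME_MAX]
    name, n = base, 2
    while name in existing_names:
        name, n = f"{base}_{n}", n + 1
    return name


# Constructed sample input: the "certificate" is a five-byte DER SEQUENCE, not a real cert.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_DER_ID = hashlib.sha1(FAKE_DER).hexdigest()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://my.issuer.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://my.login.com"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Same document with the unsupported HTTP-POST binding: the service answers 400.
BAD_BINDING_METADATA = SAMPLE_METADATA.replace(HTTP_REDIRECT, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

if __name__ == "__main__":
    print(validate_idp_metadata(SAMPLE_METADATA))
    print(validate_idp_metadata(BAD_BINDING_METADATA)["errors"])
    print(derive_idp_name("123456", {"123456", "123456_2"}))
```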

Response#

This table shows the header parameters for the response:

| Name | Type | Description |
|---|---|---|
| Location | String (Required) | The location URI of the newly created IDP. |

Example: Create IDP: XML response

< HTTP/1.1 201 Created
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Location: http://localhost:8083/idm/cloud/v2.0/RAX-AUTH/federation/identity-providers/123456
< Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<identityProvider id="123456" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
                  xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
        xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
        xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
    <publicCertificates>
        <publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="..." />
    </publicCertificates>
    <approvedDomainIds>
        <approvedDomainId>12345</approvedDomainId>
    </approvedDomainIds>
</identityProvider>

Example: Create IDP: JSON response

< HTTP/1.1 201 Created
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Location: http://localhost:8083/idm/cloud/v2.0/RAX-AUTH/federation/identity-providers/adsdfwejjbwerh
< Content-Type: application/json

 {
   "RAX-AUTH:identityProvider": {
     "id": "123456",
     "name": "name",
     "issuer": "https://my.issuer.com",
     "description": "A description",
     "federationType": "DOMAIN",
     "authenticationUrl": "https://my.login.com",
     "approvedDomainIds": [
       "12345"
     ],
     "publicCertificates": [
       {
         "id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
         "pemEncoded":"..."
       }
     ]
   }
 }

Update IDP#

PUT /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}

Update an Identity Provider (IDP).

Note

  • User-admin or User-manage roles can make a request only when the caller’s domain is the same as the specified Identity Provider’s approvedDomainId.

  • User-admin or User-manage roles can update the name, description, and emailDomains. Any specified values for other fields are ignored.

  • A user with the role rcn:admin can make a request only when the caller’s domain is within the same RCN as the IDP’s specified approvedDomainId.

  • A user with the role rcn:admin can update the name, description, emailDomains, and approvedDomainId. Any specified values for other fields are ignored.
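
The access rules in the Access restrictions notes and the per-role update restrictions in the notes above, written out as an added example (not the Identity service's own code): a deny-by-default check on the caller's domain or RCN against the IDP's approvedDomainId, and a filter that drops the update fields a role may not change. The domain-to-RCN lookup table is constructed for the example.

```python
"""Who may manage an IDP, and which update fields count, per the notes above.

Added example, not the Identity service's own code. The domain-to-RCN table is
constructed for the example; the page does not describe how RCN membership is
resolved.
"""
from __future__ import annotations

from dataclasses import dataclass

USER_ADMIN = "identity:user-admin"
USER_MANAGE = "identity:user-manage"
RCN_ADMIN = "rcn:admin"

# Fields each role may change on Update IDP; the service ignores anything else.
UPDATABLE_FIELDS = {
    USER_ADMIN: {"name", "description", "emailDomains"},
    USER_MANAGE: {"name", "description", "emailDomains"},
    RCN_ADMIN: {"name", "description", "emailDomains", "approvedDomainIds"},
}

# Constructed: domainId -> RCN (assumption for the example).
DOMAIN_TO_RCN = {"12345": "RCN-1", "12346": "RCN-1", "99999": "RCN-2"}


@dataclass(frozen=True)
class Caller:
    domain_id: str
    roles: frozenset


@dataclass(frozen=True)
class IdentityProvider:
    id: str
    approved_domain_ids: tuple = ()
    approved_domain_group: str | None = None  # GLOBAL IDPs carry no approvedDomainId


def can_manage_idp(caller: Caller, idp: IdentityProvider, domain_to_rcn=DOMAIN_TO_RCN) -> bool:
    """Create/Update/Get access: user-admin or user-manage must own the IDP's
    approvedDomainId; rcn:admin must be in the same RCN as it. A GLOBAL IDP has no
    approvedDomainId, so neither rule matches and access is denied."""
    approved = set(idp.approved_domain_ids)
    if caller.roles & {USER_ADMIN, USER_MANAGE} and caller.domain_id in approved:
        return True
    if RCN_ADMIN in caller.roles:
        caller_rcn = domain_to_rcn.get(caller.domain_id)
        if caller_rcn is not None and any(domain_to_rcn.get(d) == caller_rcn for d in approved):
            return True
    return False


def filter_update_payload(caller: Caller, payload: dict) -> dict:
    """Keep only the fields the caller's roles may update; the rest are ignored."""
    allowed: set = set()
    for role in caller.roles:
        allowed |= UPDATABLE_FIELDS.get(role, set())
    return {k: v for k, v in payload.items() if k in allowed}


def authorize_update(caller, idp, payload, domain_to_rcn=DOMAIN_TO_RCN):
    """Return (http_status, effective_payload) for PUT .../identity-providers/{id}."""
    if not can_manage_idp(caller, idp, domain_to_rcn):
        return 403, {}
    return 200, filter_update_payload(caller, payload)


# Constructed sample data modelled on the response examples.
IDP_DOMAIN = IdentityProvider(id="123456", approved_domain_ids=("12345",))
IDP_GLOBAL = IdentityProvider(id="ty656", approved_domain_group="GLOBAL")
UPDATE = {  # the inner RAX-AUTH:identityProvider object of an update request
    "name": "name", "description": "A description",
    "emailDomains": ["emailDomain.com"], "approvedDomainIds": ["12346"],
    "issuer": "https://other.issuer.com",  # never updatable through this call
}

if __name__ == "__main__":
    admin = Caller("12345", frozenset({USER_ADMIN}))
    rcn_admin = Caller("12346", frozenset({RCN_ADMIN}))
    print(authorize_update(admin, IDP_DOMAIN, UPDATE))      # 200, approvedDomainIds and issuer dropped
    print(authorize_update(rcn_admin, IDP_DOMAIN, UPDATE))  # 200, approvedDomainIds kept
    print(authorize_update(admin, IDP_GLOBAL, UPDATE))      # 403
```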

This table shows the possible response codes for this operation:

| Response Code | Name | Description |
|---|---|---|
| 200 | OK | The request has been fulfilled. |
| 400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
| 401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
| 403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
| 404 | Not Found | The requested resource was not found. |
| 405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
| 406 | Not Acceptable | The server cannot send data in the format requested. |
| 409 | Conflict | The request could not be completed due to a conflict with the current state of the target resource. |
| 413 | Over Limit | The number of items returned is above the allowed limit. |
| 503 | Service Fault | Service is not available. |

Request#

This table shows the header parameters for the request:

| Name | Type | Description |
|---|---|---|
| X-Auth-Token | String (Required) | A valid authentication token. |

This table shows the URI parameters for the request:

| Name | Type | Description |
|---|---|---|
| {identityProviderId} | String (Required) | The Identity Provider’s ID. |

This table shows the body parameters for the request:

| Name | Type | Description |
|---|---|---|
| RAX-AUTH:identityProvider | Object | An identity-provider object that specifies the IDP information. |
| RAX-AUTH:identityProvider.name | String (Optional) | The name of the provider. Must consist only of alphanumeric characters, '-' and '.', and be less than 255 characters. |
| RAX-AUTH:identityProvider.description | String (Optional) | Blurb to describe the IDP. Used for informative purposes only. |
| RAX-AUTH:identityProvider.approvedDomainIds | Object (Optional) | Limits the IDP to authenticating only for the specified domains. Mutually exclusive with approvedDomainGroup. |
| RAX-AUTH:identityProvider.emailDomains | Object (Optional) | List of email domains. |
| RAX-AUTH:identityProvider.emailDomains.emailDomain | String (Optional) | String representing an email domain. Value must be unique across all identity providers. |

Example: Update IDP request: XML

<?xml version="1.0" encoding="UTF-8"?>
<identityProvider name="name" description="A description"
                  xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
        xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
        xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
    <approvedDomainIds>
        <approvedDomainId>12345</approvedDomainId>
    </approvedDomainIds>
    <emailDomains>
        <emailDomain>emailDomain.com</emailDomain>
    </emailDomains>
</identityProvider>

Example: Update IDP request: JSON

{
  "RAX-AUTH:identityProvider": {
    "name": "name",
    "description": "A description",
    "approvedDomainIds": [
        "12345"
    ],
    "emailDomains": [
        "emailDomain.com"
    ]
  }
}

Response#

Example: Update IDP: XML response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml

 <?xml version="1.0" encoding="UTF-8"?>
 <identityProvider id="asdfqwerr" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
                   xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
         xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
         xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
     <publicCertificates>
         <publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="..." />
         <publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="..." />
     </publicCertificates>
     <approvedDomainIds>
         <approvedDomainId>12345</approvedDomainId>
     </approvedDomainIds>
     <emailDomains>
         <emailDomain>emailDomain.com</emailDomain>
     </emailDomains>
 </identityProvider>

Example: Update IDP: JSON response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json

 {
   "RAX-AUTH:identityProvider": {
     "id": "adsdfwejjbwerh",
     "name": "name",
     "issuer": "https://my.issuer.com",
     "description": "A description",
     "federationType": "DOMAIN",
     "authenticationUrl": "https://my.login.com",
     "approvedDomainIds": [
         "12345"
     ],
     "emailDomains": [
         "emailDomain.com"
     ],
     "publicCertificates": [
       {
         "id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
         "pemEncoded":"..."
       },
       {
         "id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
         "pemEncoded":"..."
       }
     ]
   }
 }

Update IDP with metadata#

PUT /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/metadata

Update an existing Identity Provider using XML metadata.

Note

  • Only the IDP’s authentication URL and certificates can be updated via metadata.

This table shows the possible response codes for this operation:

| Response Code | Name | Description |
|---|---|---|
| 200 | OK | The request has been fulfilled. |
| 400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
| 401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
| 403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
| 404 | Not Found | The requested resource was not found. |
| 405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
| 406 | Not Acceptable | The server cannot send data in the format requested. |
| 413 | Over Limit | The number of items returned is above the allowed limit. |
| 503 | Service Fault | Service is not available. |

Request#

This table shows the header parameters for the request:

| Name | Type | Description |
|---|---|---|
| X-Auth-Token | String (Required) | A valid authentication token. |

This table shows the URI parameters for the request:

| Name | Type | Description |
|---|---|---|
| {identityProviderId} | String (Required) | The Identity Provider’s ID. |

This table shows the body parameters for the request:

| Name | Type | Description |
|---|---|---|
| EntityDescriptor | Object (Required) | Describes a system entity such as an Identity Provider. |
| EntityDescriptor.entityID | String (Required) | The issuer for the IDP. |
| EntityDescriptor.IDPSSODescriptor | Object (Required) | An IDP role. |
| EntityDescriptor.IDPSSODescriptor.protocolSupportEnumeration | String (Required) | Represents general classes of protocol support for the role in question. |
| EntityDescriptor.IDPSSODescriptor.SingleSignOnService | Object (Required) | Describes a protocol binding endpoint. |
| EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Binding | String (Optional) | Describes a protocol binding. Only HTTP-Redirect is currently supported. |
| EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Location | String (Optional) | The authentication URL. |
| EntityDescriptor.IDPSSODescriptor.KeyDescriptor | Object (Optional) | Associates one or more public keys with the system being defined. |
| EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo | Object (Optional) | An element describing keys. |

Example: Update IDP request: XML

<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport"
    ID="someId" entityID="https://my.issuer.com">
    <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <ns0:KeyDescriptor use="signing">
            <ns1:KeyInfo>
                <ns1:X509Data>
                    <ns1:X509Certificate>
                    MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
                    BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
                    aWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBF
                    MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
                    ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
                    gQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ng
                    LHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4
                    A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0G
                    A1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmE
                    Y4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
                    U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKj
                    tRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3f
                    H0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucN
                    hLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I
                    0vUmFp8G+ZJ+F00zqabtCv/kMVM=
                    </ns1:X509Certificate>
                </ns1:X509Data>
            </ns1:KeyInfo>
        </ns0:KeyDescriptor>
        <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.login.com"/>
    </ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>

Response#

This table shows the header parameters for the response:

| Name | Type | Description |
|---|---|---|
| Location | String (Required) | The location URI of the newly created IDP. |

Example: Update IDP: XML response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<identityProvider id="123456" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
                  xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
        xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
        xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
    <publicCertificates>
        <publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ngLHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0GA1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmEY4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKjtRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3fH0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucNhLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I0vUmFp8G+ZJ+F00zqabtCv/kMVM=" />
    </publicCertificates>
    <approvedDomainIds>
        <approvedDomainId>12345</approvedDomainId>
    </approvedDomainIds>
</identityProvider>

Example: Update IDP: JSON response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json

 {
   "RAX-AUTH:identityProvider": {
     "id": "123456",
     "name": "name",
     "issuer": "https://my.issuer.com",
     "description": "A description",
     "federationType": "DOMAIN",
     "authenticationUrl": "https://my.login.com",
     "approvedDomainIds": [
       "12345"
     ],
     "publicCertificates": [
       {
         "id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
         "pemEncoded":"..."
       }
     ]
   }
 }

Get IDP#

GET /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}

Get an Identity Provider (IDP).

Note

  • User-admin or User-manage can retrieve an Identity Provider only if their domain is the same as the specified Identity Provider’s (IDP’s) approvedDomainId.

  • A user with the role rcn:admin can retrieve an Identity Provider if their domain is within the same RCN as the IDP’s specified approvedDomainId.

This table shows the possible response codes for this operation:

| Response Code | Name | Description |
|---|---|---|
| 200 | OK | The request has succeeded. |
| 403 | Forbidden | Caller does not have the appropriate role. |
| 404 | Not Found | The requested resource was not found. |

Request#

This table shows the header parameters for the request:

| Name | Type | Description |
|---|---|---|
| X-Auth-Token | String (Required) | A valid authentication token. |

Response#

Example: Get IDP: XML response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml

 <?xml version="1.0" encoding="UTF-8"?>
 <identityProvider id="asdfqwerr" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
                   xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
         xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
         xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
     <publicCertificates>
         <publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="..." />
         <publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ngLHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0GA1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmEY4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKjtRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3fH0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucNhLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I0vUmFp8G+ZJ+F00zqabtCv/kMVM=" />
     </publicCertificates>
     <approvedDomainIds>
         <approvedDomainId>12345</approvedDomainId>
     </approvedDomainIds>
 </identityProvider>

Example: Get IDP: JSON response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json

 {
   "RAX-AUTH:identityProvider": {
     "id": "adsdfwejjbwerh",
     "name": "name",
     "issuer": "https://my.issuer.com",
     "description": "A description",
     "federationType": "DOMAIN",
     "authenticationUrl": "https://my.login.com",
     "approvedDomainIds": [
       "12345"
     ],
     "publicCertificates": [
       {
         "id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
         "pemEncoded":"MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ngLHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0GA1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmEY4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKjtRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3fH0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucNhLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I0vUmFp8G+ZJ+F00zqabtCv/kMVM="
       },
       {
         "id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
         "pemEncoded":"MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ngLHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0GA1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmEY4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKjtRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3fH0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucNhLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I0vUmFp8G+ZJ+F00zqabtCv/kMVM="
       }
     ]
   }
 }

List IDPs#

GET /v2.0/RAX-AUTH/federation/identity-providers

List Identity Providers (IDPs).

Note

  • User-admin or User-manage can list only Identity Providers that are within the same domain.

  • A user with the role rcn:admin can list only Identity Providers whose specified approvedDomainId is within the same RCN as the caller’s domain.

This table shows the possible response codes for this operation:

| Response Code | Name | Description |
|---|---|---|
| 200 | OK | The request has succeeded. |
| 400 | Bad Request | Both the approvedTenantId and approvedDomainId query parameters were provided. |
| 400 | Bad Request | The idpType parameter was specified with an unsupported value. |
| 403 | Forbidden | Caller does not have the appropriate role. |
| 403 | Forbidden | More than the maximum number of IDPs would be returned by the search, as specified by the configuration property identity.provider.max.search.result.size. |

Request#

This table shows the header parameters for the request:

| Name | Type | Description |
|---|---|---|
| X-Auth-Token | String (Required) | A valid authentication token. |

This table shows the query parameters for the request:

| Name | Type | Description |
|---|---|---|
| name | String (Optional) | Searches IDPs by the specified name. Returns a list of at most one IDP. |
| issuer | String (Optional) | Searches IDPs by the specified issuer. Returns a list of at most one IDP. |
| idpType | String (Optional) | When specified, the resulting list includes ONLY IDPs that match the specified type. The allowed values are: EXPLICIT (limits results to only those IDPs that were created with approvedDomainIds specified). The idpType filter can be provided by itself or combined with the approvedDomainId filter. |
| approvedDomainId | String (Optional) | Limits the resulting IDPs to those DOMAIN federated IDPs that can request tokens for the specified domain. This includes DOMAIN federated IDPs that are GLOBAL IDPs (created with approvedDomainGroup = GLOBAL). The approvedDomainId and idpType filters can be used together to limit the result list to the non-global IDPs that are explicitly configured for a given domain. |
| approvedTenantId | String (Optional) | When specified, the resulting list includes ONLY IDPs that can receive tokens for the specified tenantId. The service looks up the domainId associated with the tenantId to determine which IDPs can receive tokens for it. The approvedTenantId and approvedDomainId filters are mutually exclusive; if both are specified, an HTTP 400 response is returned. The approvedTenantId and idpType filters can be used together to limit the result list to the non-global IDPs that are explicitly configured for a given domain. |
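
The filter semantics of the query parameters above and the 400/403 conditions from the response-code table, applied to a constructed IDP list modelled on the response examples, as an added example that is not the Identity service's own code. The tenant-to-domain lookup and the handling of an unknown tenantId (an empty result) are assumptions of this example.

```python
"""Filter semantics of GET /v2.0/RAX-AUTH/federation/identity-providers.

Added example, not the service's own code. It applies the documented rules for the
name, issuer, idpType, approvedDomainId and approvedTenantId query parameters and
returns (http_status, idps): 400 for a bad filter combination or idpType value and
403 when the result would exceed identity.provider.max.search.result.size.
Tenant-to-domain resolution is a lookup table assumed for the example.
"""

# Constructed sample data modelled on the List IDPs response example.
IDPS = [
    {"id": "asdfqwerr", "name": "name1", "issuer": "https://my.issuer.com",
     "federationType": "DOMAIN", "approvedDomainIds": ["12345"]},
    {"id": "ty656", "name": "name2", "issuer": "https://my.issuer.com",
     "federationType": "DOMAIN", "approvedDomainGroup": "GLOBAL"},
    {"id": "jiyougfhjhrt", "name": "name3", "issuer": "https://my.issuer2.com",
     "federationType": "RACKER"},
]
TENANT_TO_DOMAIN = {"tenant-a": "12345"}  # assumption: how approvedTenantId resolves to a domain
ALLOWED_IDP_TYPES = {"EXPLICIT"}
MAX_SEARCH_RESULT_SIZE = 100  # stands in for identity.provider.max.search.result.size


def _is_explicit(idp: dict) -> bool:
    # EXPLICIT: created with approvedDomainIds specified (so neither GLOBAL nor RACKER).
    return bool(idp.get("approvedDomainIds"))


def _serves_domain(idp: dict, domain_id: str) -> bool:
    # DOMAIN-federated IDPs that can request tokens for the domain, GLOBAL ones included.
    if idp.get("federationType") != "DOMAIN":
        return False
    if idp.get("approvedDomainGroup") == "GLOBAL":
        return True
    return domain_id in idp.get("approvedDomainIds", [])


def list_idps(idps, query: dict, tenant_to_domain=TENANT_TO_DOMAIN,
              max_size=MAX_SEARCH_RESULT_SIZE):
    """Return (http_status, list_of_idps) for a dict of query parameters."""
    if "approvedTenantId" in query and "approvedDomainId" in query:
        return 400, []  # documented: the two filters are mutually exclusive
    idp_type = query.get("idpType")
    if idp_type is not None and idp_type not in ALLOWED_IDP_TYPES:
        return 400, []  # documented: unsupported idpType value

    result = list(idps)
    if "name" in query:  # documented: at most one IDP comes back
        result = [i for i in result if i["name"] == query["name"]][:1]
    if "issuer" in query:
        result = [i for i in result if i["issuer"] == query["issuer"]][:1]
    if idp_type == "EXPLICIT":
        result = [i for i in result if _is_explicit(i)]

    domain_id = query.get("approvedDomainId")
    if "approvedTenantId" in query:
        domain_id = tenant_to_domain.get(query["approvedTenantId"])
        if domain_id is None:
            return 200, []  # assumption: no IDP can receive tokens for an unknown tenant
    if domain_id is not None:
        result = [i for i in result if _serves_domain(i, domain_id)]

    if len(result) > max_size:
        return 403, []  # documented: search would exceed the configured maximum
    return 200, result


if __name__ == "__main__":
    print(list_idps(IDPS, {"approvedDomainId": "12345"}))
    print(list_idps(IDPS, {"approvedDomainId": "12345", "idpType": "EXPLICIT"}))
    print(list_idps(IDPS, {"approvedTenantId": "tenant-a", "approvedDomainId": "12345"}))
```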

Response#

Example: List IDPs: XML response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml

 <?xml version="1.0" encoding="UTF-8"?>
 <identityProviders xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
                   xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
                   xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
     <identityProvider id="asdfqwerr" name="name1" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN">
         <approvedDomainIds>
             <approvedDomainId>12345</approvedDomainId>
         </approvedDomainIds>
     </identityProvider>
     <identityProvider id="ty656" name="name2" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN" approvedDomainGroup="GLOBAL" />
     <identityProvider id="jiyougfhjhrt" name="name3" issuer="https://my.issuer2.com" authenticationUrl="https://my.login.com" description="Another description" federationType="RACKER" />
 </identityProviders>

Example: List IDPs: JSON response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json

 {
   "RAX-AUTH:identityProviders": [
     {
       "id": "asdfqwerr",
       "name": "name1",
       "issuer": "https://my.issuer.com",
       "description": "A description",
       "federationType": "DOMAIN",
       "authenticationUrl": "https://my.login.com",
       "approvedDomainIds": [
         "12345"
       ]
     },
     {
       "id": "byfghrt",
       "name": "name2",
       "issuer": "https://my.issuer.com",
       "description": "A description",
       "federationType": "DOMAIN",
       "authenticationUrl": "https://my.login.com",
       "approvedDomainGroup": "GLOBAL"
     },
     {
       "id": "jiyougfhjhrt",
       "name": "name3",
       "issuer": "https://my.issuer2.com",
       "description": "Another description",
       "authenticationUrl": "https://my.login.com",
       "federationType": "RACKER"
     }
   ]
 }

Get metadata for IDP#

GET /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/metadata

Retrieve an Identity Provider’s XML metadata.

This table shows the possible response codes for this operation:

| Response Code | Name | Description |
|---|---|---|
| 200 | OK | The request has been fulfilled. |
| 401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
| 403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
| 404 | Not Found | The requested resource was not found. |
| 405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
| 406 | Not Acceptable | The server cannot send data in the format requested. |
| 413 | Over Limit | The number of items returned is above the allowed limit. |
| 503 | Service Fault | Service is not available. |

Request#

This table shows the header parameters for the request:

X-Auth-Token (String, required): A valid authentication token.

This table shows the URI parameters for the request:

{identityProviderId} (String, required): The Identity Provider’s ID.

Response#

Example: Get IDP’s metadata: XML response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport"
    ID="someId" entityID="https://my.issuer.com">
    <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <ns0:KeyDescriptor use="signing">
            <ns1:KeyInfo>
                <ns1:X509Data>
                    <ns1:X509Certificate>
                    MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
                    BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
                    aWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBF
                    MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
                    ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
                    gQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ng
                    LHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4
                    A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0G
                    A1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmE
                    Y4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
                    U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKj
                    tRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3f
                    H0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucN
                    hLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I
                    0vUmFp8G+ZJ+F00zqabtCv/kMVM=
                    </ns1:X509Certificate>
                </ns1:X509Data>
            </ns1:KeyInfo>
        </ns0:KeyDescriptor>
        <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.login.com"/>
    </ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
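The document above is what a relying party should audit before trusting federated logins: the entityID must match the IDP's registered issuer, and the signing certificate is what every SAML assertion from this IDP will be verified against, so an expired or soon-to-expire certificate is an outage or a forced emergency rotation waiting to happen. As an added example (not code from this page, from Rackspace, or from any SAML library), the following Python parses such a response with only the standard library, reads the certificate's validity window with a minimal DER walker, and reports findings. The sample input is the XML response example above, copied from this page; `check_metadata`, its `min_days_left` threshold and the `expected_issuer` argument are assumptions of the example, not features of the API. Run as-is it reports that the page's example certificate expired on 2024-08-05.

```python
# Added example, not part of the Identity API or any Rackspace client library.
# Parses the EntityDescriptor returned by
#   GET /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/metadata
# and checks the registered signing certificate(s). Standard library only; for
# metadata from an untrusted party parse with defusedxml instead of xml.etree.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed input: the XML response example shown above, copied from this page.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport"
    ID="someId" entityID="https://my.issuer.com">
    <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <ns0:KeyDescriptor use="signing">
            <ns1:KeyInfo><ns1:X509Data><ns1:X509Certificate>
MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ng
LHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4
A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0G
A1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmE
Y4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKj
tRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3f
H0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucN
hLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I
0vUmFp8G+ZJ+F00zqabtCv/kMVM=
</ns1:X509Certificate></ns1:X509Data></ns1:KeyInfo>
        </ns0:KeyDescriptor>
        <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.login.com"/>
    </ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>"""


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _asn1_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY < 50 means 20YY, otherwise 19YY
        yy = int(text[:2])
        text = f"{2000 + yy if yy < 50 else 1900 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of an X.509 DER certificate.

    Walks Certificate -> tbsCertificate -> [version] serial signature issuer validity;
    enough to read the validity window without a full X.509 parser.
    """
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _ in range(3):                     # serialNumber, signature AlgorithmIdentifier, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    t1, s1, e1 = _tlv(der, pos)
    t2, s2, e2 = _tlv(der, e1)
    return _asn1_time(t1, der[s1:e1]), _asn1_time(t2, der[s2:e2])


def parse_idp_metadata(xml_bytes):
    """Extract entityID, SSO endpoints and signing certificates from IdP metadata."""
    root = ET.fromstring(xml_bytes)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError(f"expected EntityDescriptor, got {root.tag}")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    certs = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        # A KeyDescriptor without 'use' serves both signing and encryption (SAML metadata spec).
        if kd.get("use", "signing") != "signing":
            continue
        for el in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(el.text.split()))
            not_before, not_after = cert_validity(der)
            certs.append({"sha256": hashlib.sha256(der).hexdigest(),
                          "not_before": not_before, "not_after": not_after})
    return {"entity_id": root.get("entityID"),
            "sso": [(e.get("Binding"), e.get("Location"))
                    for e in idp.findall(MD + "SingleSignOnService")],
            "signing_certs": certs}


def check_metadata(meta, now, expected_issuer, min_days_left=30):
    """Return a list of findings; an empty list means the registered metadata is healthy."""
    findings = []
    if meta["entity_id"] != expected_issuer:
        findings.append(f"entityID {meta['entity_id']!r} != IDP issuer {expected_issuer!r}")
    if not meta["signing_certs"]:
        findings.append("no signing certificate: assertions from this IdP cannot be verified")
    for c in meta["signing_certs"]:
        if now < c["not_before"]:
            findings.append(f"cert {c['sha256'][:16]} not yet valid (notBefore {c['not_before']:%Y-%m-%d})")
        elif now > c["not_after"]:
            findings.append(f"cert {c['sha256'][:16]} expired on {c['not_after']:%Y-%m-%d}")
        elif c["not_after"] - now < timedelta(days=min_days_left):
            findings.append(f"cert {c['sha256'][:16]} expires {c['not_after']:%Y-%m-%d}; rotate it")
    for binding, location in meta["sso"]:
        if not location.startswith("https://"):
            findings.append(f"SSO endpoint {location} ({binding}) is not HTTPS")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"])
    for finding in check_metadata(meta, datetime.now(timezone.utc), "https://my.issuer.com"):
        print("finding:", finding)
```

Pass the `issuer` value from Get IDP or List IDPs as `expected_issuer`; a mismatch means the metadata registered for the IDP does not describe the issuer Identity will accept assertions from. The DER walker only reads the validity window; it does not verify the certificate or its chain, which is the job of the SAML validation path, not of this audit.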

Get IDP mapping policy#

GET /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/mapping

Get mapping policy for identity provider.

Note

  • Only JSON and YAML formats are allowed for IDP mapping policy. The Accept header must be either application/json or text/yaml; any other value is rejected with 406 Not Acceptable.

This table shows the possible response codes for this operation:

200 OK: The request has been fulfilled.

400 Bad Request: The request is missing one or more elements, or the values of some elements are invalid.

401 Unauthorized: You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.

403 Forbidden: The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.

404 Not Found: The requested resource was not found.

405 Invalid Method: The method specified in the request is not valid for the resource identified in the request URI.

406 Not Acceptable: The server cannot send data in a format requested.

413 Over Limit: The number of items returned is above the allowed limit.

503 Service Fault: Service is not available.

Request#

This table shows the header parameters for the request:

X-Auth-Token (String, required): A valid authentication token.

This table shows the URI parameters for the request:

{identityProviderId} (String, required): The Identity Provider’s ID.

Response#

Example: Get IDP mapping policy response: JSON

{
    "property":{
        "value":"default policy"
    }
}

Example: Get IDP mapping policy response: YAML

---
property:
   value: default policy

Update IDP mapping policy#

PUT /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/mapping

Update mapping policy for identity provider.

Note

  • Only JSON and YAML formats are allowed for IDP mapping policy. The Content-Type header must be either application/json or text/yaml.

  • A PUT replaces the IDP’s mapping policy as a whole. Validate the body before sending it: a body that is not well-formed JSON or YAML, or that does not match the declared Content-Type, is rejected with 400 Bad Request. Because the mapping policy controls how federated users from this IDP are represented in Identity, updates are limited to the roles listed under Access restrictions and should be reviewed like any other privileged change.

This table shows the possible response codes for this operation:

204 No Content: The request has been fulfilled.

400 Bad Request: The request is missing one or more elements, or the values of some elements are invalid.

401 Unauthorized: You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.

403 Forbidden: The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.

404 Not Found: The requested resource was not found.

405 Invalid Method: The method specified in the request is not valid for the resource identified in the request URI.

406 Not Acceptable: The server cannot send data in a format requested.

413 Over Limit: The number of items returned is above the allowed limit.

503 Service Fault: Service is not available.

Request#

This table shows the header parameters for the request:

X-Auth-Token (String, required): A valid authentication token.

This table shows the URI parameters for the request:

{identityProviderId} (String, required): The Identity Provider’s ID.

Example: Update IDP mapping policy request: JSON

{
    "property":{
        "value":"default policy"
    }
}

Example: Update IDP mapping policy request: YAML

---
property:
   value: default policy

Response#

This operation does not return a response body.