Domains

A domain establishes an administrative boundary for a customer and a container for customer tenants (accounts) and users.

Use the following Domain operations supplied by the RAX-AUTH extension to get information about available domains or about the domain associated with a specified user account.

Note

Typically, only Identity service administrators have the capabilities to create, update, and delete domains.

Retrieve domains
Get a domain
Update a domain
Set domain password policy
Get domain password policy
Delete domain password policy\

Retrieve domains

GET /v2.0/RAX-AUTH/domains

Lists domains that a customer or process can access with the specified authentication token.

Use this operation to get a list of domains that the user can access with the supplied authentication token. Tokens have access to domains by the token having access to a tenant that exists in the domain.

Note

This API operation is implemented through the RAX-AUTH extension to the core Identity API.

This table shows the possible response codes for this operation:

Response Code	Name	Description
200	OK	The request succeeded.
400	Bad Request	The request is missing one or more elements, or the values of some elements are invalid.
401	Unauthorized	You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403	Forbidden	The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404	Not Found	The requested resource was not found.
405	Invalid Method	The method specified in the request is not valid for the resource identified in the request URI.
413	Over Limit	The number of items returned is above the allowed limit.
503	Service Fault	Service is not available.

Request

This table shows the URI parameters for the request:

Name	Type	Description
X-Auth-Token	String (Required)	A valid authentication token

This operation does not accept a request body.

Example: List domains HTTP request header: XML

GET /v2.0/RAX-AUTH/domains HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/xml
Content-type: application/xml
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Example: List domains HTTP request header: JSON

GET /v2.0/RAX-AUTH/domains HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/json
Content-type: application/json
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Response

This table shows the body parameters for the response:

Name	Type	Description
RAX-AUTH:domains	Object (Required)	The collection of `domains` that the authenticated user has permission to view.
RAX-AUTH:domain	Object (Required)	An object that contains the domain configuration attribute settings.
RAX-AUTH:domain.id	String (Required)	The unique id for the domain.
RAX-AUTH:domain.sessionInactivityTimeout	Duration (Required)	Session inactivity timeout property used across all Rackspace UIs.
RAX-AUTH:domain.enabled	Boolean (Optional)	Indicates whether the domain is enabled.
RAX-AUTH:domain.rax-auth:description	String (Optional)	The domain description.
RAX-AUTH:domain.name	String (Optional)	The domain name.
RAX-AUTH:domain.rackspaceCustomerNumber	String (Optional)	The Rackspace customer number.
RAX-AUTH:domain.domainMultiFactorEnforcementLevel	String (Optional)	If present, this extended attribute specifies the multi- factor authentication enforcement policy that applies to accounts within the specified domain. `REQUIRED` Users within the domain must use multi- factor authentication to access their account. `OPTIONAL` Users have the option to authenticate using multi-factor authentication.

Example: List domains HTTP and XML response

HTTP/1.1 200 OK
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<rax-auth:domains
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
     xmlns="http://docs.openstack.org/identity/api/v2.0"
     xmlns:ns4="http://docs.rackspace.com/identity/api/ext/RAX-KSGRP/v1.0"
     xmlns:rax-ksqa="http://docs.rackspace.com/identity/api/ext/RAX-KSQA/v1.0"
     xmlns:os-ksadm="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
     xmlns:rax-kskey="http://docs.rackspace.com/identity/api/ext/RAX-KSKEY/v1.0"
     xmlns:os-ksec2="http://docs.openstack.org/identity/api/ext/OS-KSEC2/v1.0">
     <rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="9883948" name="GCorp" rackspaceCustomerNumber="RCN-123-123-123">
         <rax-auth:description>A very good customer</rax-auth:description>
     </rax-auth:domain>
     <rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="111" name="Azuri" rackspaceCustomerNumber="RCN-123-123-123">
         <rax-auth:description>High profile</rax-auth:description>
     </rax-auth:domain>
     <rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="222" name="domain123" rackspaceCustomerNumber="RCN-123-123-124">
         <rax-auth:description>Domain's description</rax-auth:description>
     </rax-auth:domain>
</rax-auth:domain>

Example: List domains HTTP and JSON response

HTTP/1.1 200 OK
Content-Type: application/json

{
    "RAX-AUTH:domains": {
        "rax-auth:domain": [
            {
                "id": "9883948",
                "enabled": true,
                "description": "A very good customer",
                "name": "GCorp",
                "rackspaceCustomerNumber": "RCN-123-123-123",
                "sessionInactivityTimeout": "PT15M"
            },
            {
                "id": "111",
                "enabled": true,
                "description": "High profile",
                "name": "Azuri",
                "rackspaceCustomerNumber": "RCN-123-123-123",
                "sessionInactivityTimeout": "PT15M"
            },
            {
                "id": "222",
                "enabled": true,
                "description": "Domain's description",
                "name": "domain123",
                "rackspaceCustomerNumber": "RCN-123-123-124",
                "sessionInactivityTimeout": "PT15M"
            }
        ]
    }
}

Get a domain

GET /v2.0/RAX-AUTH/domains/{domainId}

Use this operation to get detailed information about a specified domain.

Note

This API operation is implemented through the RAX-AUTH extension to the core Identity API.

This table shows the possible response codes for this operation:

Response Code	Name	Description
200	OK	The request succeeded.
400	Bad Request	The request is missing one or more elements, or the values of some elements are invalid.
401	Unauthorized	You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403	Forbidden	The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404	Not Found	The requested resource was not found.
405	Invalid Method	The method specified in the request is not valid for the resource identified in the request URI.
413	Over Limit	The number of items returned is above the allowed limit.
503	Service Fault	Service is not available.

Request

This table shows the header and URI parameters for the request:

Name	Type	Description
X-Auth-Token	Header String (Required)	A valid admin authentication token.
{domainId}	URI String (Required)	A domain ID.

This operation does not accept a request body.

Example: Get a domain HTTP request header XML

GET /v2.0/RAX-AUTH/domain/123456 HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/xml
Content-type: application/xml
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Example: Get a domain HTTP request header: JSON

GET /v2.0/RAX-AUTH/domain/123456 HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/json
Content-type: application/json
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Response

This table shows the body parameters for the response:

Name	Type	Description
RAX-AUTH:domain	Object	An object that contains the domain configuration attribute settings.
RAX-AUTH:domain.id	String	The unique id for the domain.
RAX-AUTH:domain.enabled	Boolean	Indicates whether the domain is enabled.
RAX-AUTH:domain.description	String	The domain description.
RAX-AUTH:domain.name	String	The domain name.
RAX-AUTH:domain.sessionInactivityTimeout	Duration	Session inactivity timeout property used across all Rackspace UIs.
RAX-AUTH:domain.rackspaceCustomerNumber	String (Optional)	The Rackspace customer number.
RAX-AUTH:domain.domainMultiFactorEnforcementLevel	String	If present, this extended attribute specifies the multi- factor authentication enforcement policy that applies to accounts within the specified domain. `REQUIRED` Users within the domain must use multi- factor authentication to access their account. `OPTIONAL` Users have the option to authenticate using multi-factor authentication.

Example: Get domain response header XML

HTTP/1.1 200 OK
Content-Type: application/xml

Example: Get domain response: XML

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rax-auth:domain xmlns:atom="http://www.w3.org/2005/Atom"
    xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
    xmlns="http://docs.openstack.org/identity/api/v2.0"
    xmlns:ns4="http://docs.rackspace.com/identity/api/ext/RAX-KSGRP/v1.0"
    xmlns:rax-ksqa="http://docs.rackspace.com/identity/api/ext/RAX-KSQA/v1.0"
    xmlns:os-ksadm="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
    xmlns:rax-kskey="http://docs.rackspace.com/identity/api/ext/RAX-KSKEY/v1.0"
    xmlns:os-ksec2="http://docs.openstack.org/identity/api/ext/OS-KSEC2/v1.0"
    id="123456" sessionInactivityTimeout="PT15M" name="GCorp" enabled="true" rackspaceCustomerNumber="RCN-123-123-123" domainMultiFactorEnforcementLevel="OPTIONAL">
        <rax-auth:description>A very good customer</rax-auth:description>
</rax-auth:domain>

Example: Get domain response header JSON

HTTP/1.1 200 OK
Content-Type: application/json

Example: Get domain response: JSON

{
    "RAX-AUTH:domain": {
        "id": "123456",
        "enabled": true,
        "description": "A very good customer",
        "sessionInactivityTimeout": "PT15M",
        "name": "GCorp",
        "rackspaceCustomerNumber": "RCN-123-123-123",
        "domainMultiFactorEnforcementLevel": "OPTIONAL"
    }
}

Update a domain

PUT /v2.0/RAX-AUTH/domains/{domainId}

Update properties for a domain.

When you submit the update request, include only the parameter values that you want to update.

Note

Owner or managers on account are only allowed to update the sessionInactivityTimeout attribute using the Update domain API operation.\

The following table shows the possible response codes for this operation:

Response Code	Name	Description
200	OK	The request completed successfully.
400	Bad Request	The request is missing one or more elements, or the values of some elements are invalid.
401	Unauthorized	You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403	Forbidden	The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404	Not Found	The requested resource was not found.
405	Invalid Method	The method specified in the request is not valid for the resource identified in the request URI.
413	Over Limit	The number of items returned is above the allowed limit.
415	Bad Media Type	Bad media type. This may result if the wrong media type is used in the API request. Check the content-type and accept headers included in the request.
503	Service Fault	Service is not available.

Request

The following table shows the header parameters for the update a domain request:

Name	Type	Description
X-Auth-Token	String (Required)	A valid authentication token.

The following table shows the URI parameters for the update a domain request:

Name	Type	Description
{domainId}	String	A domain ID.

The following table shows the body parameters for the update a domain request:

Name	Type	Description
RAX-AUTH:domain	Object (Required)	Object to specify these domain configuration settings: `sessionInactivityTimeout`
RAX-AUTH:domain.sessionInactivityTimeout	Duration (Optional)	Session inactivity timeout property used across all Rackspace UIs. Value must be of type ISO 8601 Duration.

Example: Update a domain XML request

<?xml version="1.0" encoding="UTF-8"?>
<rax-auth:domain sessionInactivityTimeout="PT15M"
     xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
     xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
</rax-auth:domain>

Example: Update a domain JSON request

{
    "RAX-AUTH:domain": {
        "sessionInactivityTimeout": "PT15M"
    }
}

Response

Example: Update a domain XML response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
< Content-Length: 148

 <?xml version="1.0" encoding="UTF-8"?>
 <rax-auth:domain id="123" enabled="false" name="domain" description="Domain description"
      sessionInactivityTimeout="PT15M"
      xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
      xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
      xmlns:atom="http://www.w3.org/2005/Atom"
      xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
 </rax-auth:domain>

Example: Update a domain JSON response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json
< Content-Length: 148

 {
     "RAX-AUTH:domain": {
         "description": "Domain description",
         "enabled": true,
         "id": "123",
         "name": "domain",
         "sessionInactivityTimeout": "PT15M"
     }
 }

Set domain password policy

PUT /v2.0/RAX-AUTH/domains/{domainId}/password-policy

Set the domain’s password policy. The policy allows authorized users to set a password rotation requirement for all users within the domain. This forces users to change their password after a specified time period. A User administrator and User manager can set a policy on their own domain. System and Identity administrators can set a policy on any domain. A password policy is effective immediately for a domain.

Note

If the password on a user’s account has been updated since the Identity 3.12.0 release in June, 2017, Identity uses the date and time of the password change to determine whether the password has expired. Otherwise, Identity uses the last time any attribute on the account was updated (including password, email, and MFA settings).\
Password policies can only be set using JSON. XML is not supported.\
Regardless of the value set for passwordHistoryRestriction, a user’s password cannot be updated to its current password.\

The following table shows the possible response codes for this operation:

Response Code	Name	Description
200	Updated	The request has been fulfilled. The domain’s password policy was updated.
400	Bad Request	The request is missing one or more elements, or the values of some elements are invalid.
401	Unauthorized	You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403	Forbidden	The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404	Not Found	The requested resource was not found.
405	Invalid Method	The method specified in the request is not valid for the resource identified in the request URI.
413	Over Limit	The number of items returned is above the allowed limit.
503	Service Fault	The service is not available.

Request

The following table shows the header parameters for the request:

Name	Type	Description
X-Auth-Token	String (Required)	A valid authentication token.

The following table shows the URI parameters for the request:

Name	Type	Description
{domainId}	String (Required)	A domain ID.

The following table shows the body parameters for the request:

Name	Type	Description
passwordPolicy	Object	The password policy
passwordPolicy.passwordDuration	String	The duration for which a password can be used. The format is similar to an ISO 8601 Duration (https://en.wikipedia.org/wiki/ISO_8601#Durations), but only days, hours, minutes, and seconds can be specified.
passwordPolicy.passwordHistoryRestriction	String (Optional)	An integer value from 0-10 specifying how many previous passwords are looked at when a new password is being set. A value of `0` means the password history will be ignored.

Example: PUT Method request: JSON

This example demonstrates setting a password policy with a password expiration time of 90 days, 6 hours, 30 minutes, and 5 seconds after the password was set.

{
    "passwordPolicy": {
        "passwordDuration": "P90DT6H30M5S",
        "passwordHistoryRestriction": "10"
    }
}

Response

Example: PUT Method response: JSON

{
    "passwordPolicy": {
        "passwordDuration": "P90DT6H30M5S",
        "passwordHistoryRestriction": "10"
    }
}

Get domain password policy

GET /v2.0/RAX-AUTH/domains/{domainId}/password-policy

Get the domain’s password policy. A User administrator and User manager can get a policy on their own domain. System and Identity administrators can get a policy on any domain. For more information on password policies, see Set domain password policy.

Note

Password policies can only be returned in JSON.

The following table shows the possible response codes for this operation:

Response Code	Name	Description
200	OK	The request has been fulfilled. The domain’s password policy was returned.
400	Bad Request	The request is missing one or more elements, or the values of some elements are invalid.
401	Unauthorized	You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403	Forbidden	The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404	Not Found	The requested resource was not found.
405	Invalid Method	The method specified in the request is not valid for the resource identified in the request URI.
413	Over Limit	The number of items returned is above the allowed limit.
503	Service Fault	The service is not available.

Request

The following table shows the header parameters for the request:

Name	Type	Description
X-Auth-Token	String (Required)	A valid authentication token.

The following table shows the URI parameters for the request:

Name	Type	Description
`{domainId}`	String (Required)	A domain ID.

Response

Example: GET Method response: JSON

{
    "passwordPolicy": {
        "passwordDuration": "P90DT6H30M5S",
        "passwordHistoryRestriction": "10"
    }
}

Delete domain password policy

DELETE /v2.0/RAX-AUTH/domains/{domainId}/password-policy

This method deletes the domain’s password policy. For more information on password policies, see Set domain password policy.

The following table shows the possible response codes for this operation:

Response Code	Name	Description
204	No Content	The request has been fulfilled. The domain’s password policy was deleted.
400	Bad Request	The request is missing one or more elements, or the values of some elements are invalid.
401	Unauthorized	You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403	Forbidden	The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404	Not Found	The requested resource was not found.
405	Invalid Method	The method specified in the request is not valid for the resource identified in the request URI.
413	Over Limit	The number of items returned is above the allowed limit.
503	Service Fault	The service is not available.

Request

The following table shows the header parameters for the request:

Name	Type	Description
X-Auth-Token	String (Required)	A valid authentication token.

The following table shows the URI parameters for the request:

Name	Type	Description
`{domainId}`	String (Required)	A domain ID.

This operation does not accept a request body.

Response

This operation does not return a response body.