Domains
A domain establishes an administrative boundary for a customer and a container for customer tenants (accounts) and users.
Use the following Domain operations supplied by the RAX-AUTH extension to get information about available domains or about the domain associated with a specified user account.
Note
Typically, only Identity service administrators have the capabilities to create, update, and delete domains.
- Retrieve domains
- Get a domain
- Update a domain
- Set domain password policy
- Get domain password policy
- Delete domain password policy
Retrieve domains
GET /v2.0/RAX-AUTH/domains
Lists domains that a customer or process can access with the specified authentication token.
Use this operation to get a list of domains that the user can access with the supplied authentication token. A token has access to a domain when it has access to a tenant that exists in that domain.
Note
This API operation is implemented through the RAX-AUTH extension to the core Identity API.
This table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request succeeded. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token |
This operation does not accept a request body.
Example: List domains HTTP request header: XML
GET /v2.0/RAX-AUTH/domains HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/xml
Content-type: application/xml
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345
Example: List domains HTTP request header: JSON
GET /v2.0/RAX-AUTH/domains HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/json
Content-type: application/json
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345
Response
This table shows the body parameters for the response:
Name | Type | Description |
---|---|---|
RAX-AUTH:domains | Object (Required) | The collection of domains that the authenticated user has permission to view. |
RAX-AUTH:domain | Object (Required) | An object that contains the domain configuration attribute settings. |
RAX-AUTH:domain.id | String (Required) | The unique id for the domain. |
RAX-AUTH:domain.sessionInactivityTimeout | Duration (Required) | Session inactivity timeout property used across all Rackspace UIs. |
RAX-AUTH:domain.enabled | Boolean (Optional) | Indicates whether the domain is enabled. |
RAX-AUTH:domain.rax-auth:description | String (Optional) | The domain description. |
RAX-AUTH:domain.name | String (Optional) | The domain name. |
RAX-AUTH:domain.rackspaceCustomerNumber | String (Optional) | The Rackspace customer number. |
RAX-AUTH:domain.domainMultiFactorEnforcementLevel | String (Optional) | If present, this extended attribute specifies the multi-factor authentication enforcement policy that applies to accounts within the specified domain. REQUIRED: Users within the domain must use multi-factor authentication to access their account. OPTIONAL: Users have the option to authenticate using multi-factor authentication. |
Example: List domains HTTP and XML response
HTTP/1.1 200 OK
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<rax-auth:domains
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns="http://docs.openstack.org/identity/api/v2.0"
xmlns:ns4="http://docs.rackspace.com/identity/api/ext/RAX-KSGRP/v1.0"
xmlns:rax-ksqa="http://docs.rackspace.com/identity/api/ext/RAX-KSQA/v1.0"
xmlns:os-ksadm="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:rax-kskey="http://docs.rackspace.com/identity/api/ext/RAX-KSKEY/v1.0"
xmlns:os-ksec2="http://docs.openstack.org/identity/api/ext/OS-KSEC2/v1.0">
<rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="9883948" name="GCorp" rackspaceCustomerNumber="RCN-123-123-123">
<rax-auth:description>A very good customer</rax-auth:description>
</rax-auth:domain>
<rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="111" name="Azuri" rackspaceCustomerNumber="RCN-123-123-123">
<rax-auth:description>High profile</rax-auth:description>
</rax-auth:domain>
<rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="222" name="domain123" rackspaceCustomerNumber="RCN-123-123-124">
<rax-auth:description>Domain's description</rax-auth:description>
</rax-auth:domain>
</rax-auth:domains>
Example: List domains HTTP and JSON response
HTTP/1.1 200 OK
Content-Type: application/json
{
"RAX-AUTH:domains": {
"rax-auth:domain": [
{
"id": "9883948",
"enabled": true,
"description": "A very good customer",
"name": "GCorp",
"rackspaceCustomerNumber": "RCN-123-123-123",
"sessionInactivityTimeout": "PT15M"
},
{
"id": "111",
"enabled": true,
"description": "High profile",
"name": "Azuri",
"rackspaceCustomerNumber": "RCN-123-123-123",
"sessionInactivityTimeout": "PT15M"
},
{
"id": "222",
"enabled": true,
"description": "Domain's description",
"name": "domain123",
"rackspaceCustomerNumber": "RCN-123-123-124",
"sessionInactivityTimeout": "PT15M"
}
]
}
}
Get a domain
GET /v2.0/RAX-AUTH/domains/{domainId}
Use this operation to get detailed information about a specified domain.
Note
This API operation is implemented through the RAX-AUTH extension to the core Identity API.
This table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request succeeded. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header and URI parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | Header String (Required) | A valid admin authentication token. |
{domainId} | URI String (Required) | A domain ID. |
This operation does not accept a request body.
Example: Get a domain HTTP request header: XML
GET /v2.0/RAX-AUTH/domains/123456 HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/xml
Content-type: application/xml
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345
Example: Get a domain HTTP request header: JSON
GET /v2.0/RAX-AUTH/domains/123456 HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/json
Content-type: application/json
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345
Response
This table shows the body parameters for the response:
Name | Type | Description |
---|---|---|
RAX-AUTH:domain | Object | An object that contains the domain configuration attribute settings. |
RAX-AUTH:domain.id | String | The unique id for the domain. |
RAX-AUTH:domain.enabled | Boolean | Indicates whether the domain is enabled. |
RAX-AUTH:domain.description | String | The domain description. |
RAX-AUTH:domain.name | String | The domain name. |
RAX-AUTH:domain.sessionInactivityTimeout | Duration | Session inactivity timeout property used across all Rackspace UIs. |
RAX-AUTH:domain.rackspaceCustomerNumber | String (Optional) | The Rackspace customer number. |
RAX-AUTH:domain.domainMultiFactorEnforcementLevel | String | If present, this extended attribute specifies the multi-factor authentication enforcement policy that applies to accounts within the specified domain. REQUIRED: Users within the domain must use multi-factor authentication to access their account. OPTIONAL: Users have the option to authenticate using multi-factor authentication. |
Example: Get domain response header: XML
HTTP/1.1 200 OK
Content-Type: application/xml
Example: Get domain response: XML
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rax-auth:domain xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns="http://docs.openstack.org/identity/api/v2.0"
xmlns:ns4="http://docs.rackspace.com/identity/api/ext/RAX-KSGRP/v1.0"
xmlns:rax-ksqa="http://docs.rackspace.com/identity/api/ext/RAX-KSQA/v1.0"
xmlns:os-ksadm="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:rax-kskey="http://docs.rackspace.com/identity/api/ext/RAX-KSKEY/v1.0"
xmlns:os-ksec2="http://docs.openstack.org/identity/api/ext/OS-KSEC2/v1.0"
id="123456" sessionInactivityTimeout="PT15M" name="GCorp" enabled="true" rackspaceCustomerNumber="RCN-123-123-123" domainMultiFactorEnforcementLevel="OPTIONAL">
<rax-auth:description>A very good customer</rax-auth:description>
</rax-auth:domain>
Example: Get domain response header: JSON
HTTP/1.1 200 OK
Content-Type: application/json
Example: Get domain response: JSON
{
"RAX-AUTH:domain": {
"id": "123456",
"enabled": true,
"description": "A very good customer",
"sessionInactivityTimeout": "PT15M",
"name": "GCorp",
"rackspaceCustomerNumber": "RCN-123-123-123",
"domainMultiFactorEnforcementLevel": "OPTIONAL"
}
}
Update a domain
PUT /v2.0/RAX-AUTH/domains/{domainId}
Update properties for a domain.
When you submit the update request, include only the parameter values that you want to update.
Note
- Account owners and managers are allowed to update only the sessionInactivityTimeout attribute with the Update domain API operation.
The following table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request completed successfully. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
413 | Over Limit | The number of items returned is above the allowed limit. |
415 | Bad Media Type | Bad media type. This may result if the wrong media type is used in the API request. Check the content-type and accept headers included in the request. |
503 | Service Fault | Service is not available. |
Request
The following table shows the header parameters for the update a domain request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
The following table shows the URI parameters for the update a domain request:
Name | Type | Description |
---|---|---|
{domainId} | String | A domain ID. |
The following table shows the body parameters for the update a domain request:
Name | Type | Description |
---|---|---|
RAX-AUTH:domain | Object (Required) | Object to specify these domain configuration settings: sessionInactivityTimeout |
RAX-AUTH:domain.sessionInactivityTimeout | Duration (Optional) | Session inactivity timeout property used across all Rackspace UIs. Value must be of type ISO 8601 Duration. |
Example: Update a domain XML request
<?xml version="1.0" encoding="UTF-8"?>
<rax-auth:domain sessionInactivityTimeout="PT15M"
xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
</rax-auth:domain>
Example: Update a domain JSON request
{
"RAX-AUTH:domain": {
"sessionInactivityTimeout": "PT15M"
}
}
Response
Example: Update a domain XML response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
< Content-Length: 148
<?xml version="1.0" encoding="UTF-8"?>
<rax-auth:domain id="123" enabled="false" name="domain" description="Domain description"
sessionInactivityTimeout="PT15M"
xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
</rax-auth:domain>
Example: Update a domain JSON response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json
< Content-Length: 148
{
"RAX-AUTH:domain": {
"description": "Domain description",
"enabled": true,
"id": "123",
"name": "domain",
"sessionInactivityTimeout": "PT15M"
}
}
Set domain password policy
PUT /v2.0/RAX-AUTH/domains/{domainId}/password-policy
Set the domain’s password policy. The policy allows authorized users to set a password rotation requirement for all users within the domain. This forces users to change their password after a specified time period. A User administrator and User manager can set a policy on their own domain. System and Identity administrators can set a policy on any domain. A password policy is effective immediately for a domain.
Note
- If the password on a user’s account has been updated since the Identity 3.12.0 release in June, 2017, Identity uses the date and time of the password change to determine whether the password has expired. Otherwise, Identity uses the last time any attribute on the account was updated (including password, email, and MFA settings).
- Password policies can only be set using JSON. XML is not supported.
- Regardless of the value set for passwordHistoryRestriction, a user’s password cannot be updated to its current password.
The following table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | Updated | The request has been fulfilled. The domain’s password policy was updated. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | The service is not available. |
Request
The following table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
The following table shows the URI parameters for the request:
Name | Type | Description |
---|---|---|
{domainId} | String (Required) | A domain ID. |
The following table shows the body parameters for the request:
Name | Type | Description |
---|---|---|
passwordPolicy | Object | The password policy |
passwordPolicy.passwordDuration | String | The duration for which a password can be used. The format is similar to an ISO 8601 Duration (https://en.wikipedia.org/wiki/ISO_8601#Durations), but only days, hours, minutes, and seconds can be specified. |
passwordPolicy.passwordHistoryRestriction | String (Optional) | An integer value from 0-10 specifying how many previous passwords are looked at when a new password is being set. A value of 0 means the password history will be ignored. |
Example: PUT Method request: JSON
This example demonstrates setting a password policy with a password expiration time of 90 days, 6 hours, 30 minutes, and 5 seconds after the password was set.
{
"passwordPolicy": {
"passwordDuration": "P90DT6H30M5S",
"passwordHistoryRestriction": "10"
}
}
Response
Example: PUT Method response: JSON
{
"passwordPolicy": {
"passwordDuration": "P90DT6H30M5S",
"passwordHistoryRestriction": "10"
}
}
Get domain password policy
GET /v2.0/RAX-AUTH/domains/{domainId}/password-policy
Get the domain’s password policy. A User administrator and User manager can get a policy on their own domain. System and Identity administrators can get a policy on any domain. For more information on password policies, see Set domain password policy.
Note
Password policies can only be returned in JSON.
The following table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request has been fulfilled. The domain’s password policy was returned. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | The service is not available. |
Request
The following table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
The following table shows the URI parameters for the request:
Name | Type | Description |
---|---|---|
{domainId} | String (Required) | A domain ID. |
Response
Example: GET Method response: JSON
{
"passwordPolicy": {
"passwordDuration": "P90DT6H30M5S",
"passwordHistoryRestriction": "10"
}
}
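The following check is an added example, not part of the Rackspace documentation. It takes a Get a domain body and a Get domain password policy body, reports on the multi-factor enforcement level, the session inactivity timeout and the password policy settings described above, and computes a password's expiry by the rule in the Set domain password policy note. The function names, the 30-minute and 180-day limits, and passing `None` for a password that has no recorded change time are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Days, hours, minutes and seconds only: the subset the page allows for
# passwordDuration. The page's sessionInactivityTimeout sample (PT15M) fits it too.
_DURATION = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", re.ASCII)

def parse_duration(text):
    """Return a timedelta; raise ValueError for anything outside D/H/M/S."""
    m = _DURATION.fullmatch(text) if isinstance(text, str) else None
    if not m or not any(m.groups()) or text.endswith("T"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def audit_domain(domain_body, policy_body, max_idle=timedelta(minutes=30),
                 max_age=timedelta(days=180)):
    """Findings for a Get a domain body and its password-policy body (None if the
    domain has no policy). max_idle and max_age are assumed local limits."""
    domain, findings = domain_body["RAX-AUTH:domain"], []
    level = domain.get("domainMultiFactorEnforcementLevel")  # optional attribute
    if level != "REQUIRED":
        findings.append(f"MFA not required (level: {level or 'absent'})")
    try:
        if parse_duration(domain.get("sessionInactivityTimeout")) > max_idle:
            findings.append("sessionInactivityTimeout above limit")
    except ValueError as err:
        findings.append(f"sessionInactivityTimeout: {err}")
    if policy_body is None:
        return findings + ["no password policy set"]
    policy = policy_body["passwordPolicy"]
    try:
        if parse_duration(policy.get("passwordDuration")) > max_age:
            findings.append("passwordDuration above limit")
    except ValueError as err:
        findings.append(f"passwordDuration: {err}")
    history = policy.get("passwordHistoryRestriction")  # optional, 0-10
    if history is not None:
        if not re.fullmatch(r"[0-9]+", str(history)) or int(history) > 10:
            findings.append("passwordHistoryRestriction outside 0-10")
        elif int(history) == 0:
            findings.append("password history ignored (restriction is 0)")
    return findings

def password_expiry(policy_body, password_changed_at, account_updated_at):
    """Expiry by the rule in the page's note: count from the password change when
    one is on record (not None), otherwise from the account's last update."""
    start = password_changed_at or account_updated_at
    return start + parse_duration(policy_body["passwordPolicy"]["passwordDuration"])

# Bodies taken from the page's JSON samples (description fields left out).
DOMAIN = {"RAX-AUTH:domain": {"id": "123456", "enabled": True, "name": "GCorp",
                              "sessionInactivityTimeout": "PT15M",
                              "domainMultiFactorEnforcementLevel": "OPTIONAL"}}
POLICY = {"passwordPolicy": {"passwordDuration": "P90DT6H30M5S",
                             "passwordHistoryRestriction": "10"}}

if __name__ == "__main__":
    for finding in audit_domain(DOMAIN, POLICY):
        print(finding)
    changed = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    print("password expires:", password_expiry(POLICY, changed, None))
```

Durations that use year, month or week designators are rejected rather than approximated, because the page limits passwordDuration to days, hours, minutes and seconds.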
Delete domain password policy
DELETE /v2.0/RAX-AUTH/domains/{domainId}/password-policy
This method deletes the domain’s password policy. For more information on password policies, see Set domain password policy.
The following table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
204 | No Content | The request has been fulfilled. The domain’s password policy was deleted. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | The service is not available. |
Request
The following table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
The following table shows the URI parameters for the request:
Name | Type | Description |
---|---|---|
{domainId} | String (Required) | A domain ID. |
This operation does not accept a request body.
Response
This operation does not return a response body.