Domains

Domains

A domain establishes an administrative boundary for a customer and a container for customer tenants (accounts) and users.

Use the following Domain operations supplied by the RAX-AUTH extension to get information about available domains or about the domain associated with a specified user account.

Note

Typically, only Identity service administrators have the capabilities to create, update, and delete domains.

Retrieve domains

GET /v2.0/RAX-AUTH/domains

Lists domains that a customer or process can access with the specified authentication token.

Use this operation to get a list of domains that the user can access with the supplied authentication token. Tokens have access to domains by the token having access to a tenant that exists in the domain.

Note

This API operation is implemented through the RAX-AUTH extension to the core Identity API.

This table shows the possible response codes for this operation:

Response CodeNameDescription
200OKThe request succeeded.
400Bad RequestThe request is missing one or more elements, or the values of some elements are invalid.
401UnauthorizedYou are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403ForbiddenThe request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404Not FoundThe requested resource was not found.
405Invalid MethodThe method specified in the request is not valid for the resource identified in the request URI.
413Over LimitThe number of items returned is above the allowed limit.
503Service FaultService is not available.

Request

This table shows the URI parameters for the request:

NameTypeDescription
X-Auth-TokenString (Required)A valid authentication token

This operation does not accept a request body.

Example: List domains HTTP request header: XML

GET /v2.0/RAX-AUTH/domains HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/xml
Content-type: application/xml
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Example: List domains HTTP request header: JSON

GET /v2.0/RAX-AUTH/domains HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/json
Content-type: application/json
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Response

This table shows the body parameters for the response:

NameTypeDescription
RAX-AUTH:domainsObject (Required)The collection of domains that the authenticated user has permission to view.
RAX-AUTH:domainObject (Required)An object that contains the domain configuration attribute settings.
RAX-AUTH:domain.idString (Required)The unique id for the domain.
RAX-AUTH:domain.sessionInactivityTimeoutDuration (Required)Session inactivity timeout property used across all Rackspace UIs.
RAX-AUTH:domain.enabledBoolean (Optional)Indicates whether the domain is enabled.
RAX-AUTH:domain.rax-auth:descriptionString (Optional)The domain description.
RAX-AUTH:domain.nameString (Optional)The domain name.
RAX-AUTH:domain.rackspaceCustomerNumberString (Optional)The Rackspace customer number.
RAX-AUTH:domain.domainMultiFactorEnforcementLevelString (Optional)If present, this extended attribute specifies the multi- factor authentication enforcement policy that applies to accounts within the specified domain. REQUIRED Users within the domain must use multi- factor authentication to access their account. OPTIONAL Users have the option to authenticate using multi-factor authentication.

Example: List domains HTTP and XML response

HTTP/1.1 200 OK
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<rax-auth:domains
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
     xmlns="http://docs.openstack.org/identity/api/v2.0"
     xmlns:ns4="http://docs.rackspace.com/identity/api/ext/RAX-KSGRP/v1.0"
     xmlns:rax-ksqa="http://docs.rackspace.com/identity/api/ext/RAX-KSQA/v1.0"
     xmlns:os-ksadm="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
     xmlns:rax-kskey="http://docs.rackspace.com/identity/api/ext/RAX-KSKEY/v1.0"
     xmlns:os-ksec2="http://docs.openstack.org/identity/api/ext/OS-KSEC2/v1.0">
     <rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="9883948" name="GCorp" rackspaceCustomerNumber="RCN-123-123-123">
         <rax-auth:description>A very good customer</rax-auth:description>
     </rax-auth:domain>
     <rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="111" name="Azuri" rackspaceCustomerNumber="RCN-123-123-123">
         <rax-auth:description>High profile</rax-auth:description>
     </rax-auth:domain>
     <rax-auth:domain sessionInactivityTimeout="PT15M" enabled="true" id="222" name="domain123" rackspaceCustomerNumber="RCN-123-123-124">
         <rax-auth:description>Domain's description</rax-auth:description>
     </rax-auth:domain>
</rax-auth:domain>

Example: List domains HTTP and JSON response

HTTP/1.1 200 OK
Content-Type: application/json

{
    "RAX-AUTH:domains": {
        "rax-auth:domain": [
            {
                "id": "9883948",
                "enabled": true,
                "description": "A very good customer",
                "name": "GCorp",
                "rackspaceCustomerNumber": "RCN-123-123-123",
                "sessionInactivityTimeout": "PT15M"
            },
            {
                "id": "111",
                "enabled": true,
                "description": "High profile",
                "name": "Azuri",
                "rackspaceCustomerNumber": "RCN-123-123-123",
                "sessionInactivityTimeout": "PT15M"
            },
            {
                "id": "222",
                "enabled": true,
                "description": "Domain's description",
                "name": "domain123",
                "rackspaceCustomerNumber": "RCN-123-123-124",
                "sessionInactivityTimeout": "PT15M"
            }
        ]
    }
}

Get a domain

GET /v2.0/RAX-AUTH/domains/{domainId}

Use this operation to get detailed information about a specified domain.

Note

This API operation is implemented through the RAX-AUTH extension to the core Identity API.

This table shows the possible response codes for this operation:

Response CodeNameDescription
200OKThe request succeeded.
400Bad RequestThe request is missing one or more elements, or the values of some elements are invalid.
401UnauthorizedYou are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403ForbiddenThe request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404Not FoundThe requested resource was not found.
405Invalid MethodThe method specified in the request is not valid for the resource identified in the request URI.
413Over LimitThe number of items returned is above the allowed limit.
503Service FaultService is not available.

Request

This table shows the header and URI parameters for the request:

NameTypeDescription
X-Auth-TokenHeader String (Required)A valid admin authentication token.
{domainId}URI String (Required)A domain ID.

This operation does not accept a request body.

Example: Get a domain HTTP request header XML

GET /v2.0/RAX-AUTH/domain/123456 HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/xml
Content-type: application/xml
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Example: Get a domain HTTP request header: JSON

GET /v2.0/RAX-AUTH/domain/123456 HTTP/1.1
Host: identity.api.rackspacecloud.com
Accept: application/json
Content-type: application/json
X-Auth-Token: c6f56a1d89274da4b14c1de36c412345

Response

This table shows the body parameters for the response:

NameTypeDescription
RAX-AUTH:domainObjectAn object that contains the domain configuration attribute settings.
RAX-AUTH:domain.idStringThe unique id for the domain.
RAX-AUTH:domain.enabledBooleanIndicates whether the domain is enabled.
RAX-AUTH:domain.descriptionStringThe domain description.
RAX-AUTH:domain.nameStringThe domain name.
RAX-AUTH:domain.sessionInactivityTimeoutDurationSession inactivity timeout property used across all Rackspace UIs.
RAX-AUTH:domain.rackspaceCustomerNumberString (Optional)The Rackspace customer number.
RAX-AUTH:domain.domainMultiFactorEnforcementLevelStringIf present, this extended attribute specifies the multi- factor authentication enforcement policy that applies to accounts within the specified domain.

REQUIRED

Users within the domain must use multi- factor authentication to access their account.

OPTIONAL

Users have the option to authenticate using multi-factor authentication.

Example: Get domain response header XML

HTTP/1.1 200 OK
Content-Type: application/xml

Example: Get domain response: XML

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rax-auth:domain xmlns:atom="http://www.w3.org/2005/Atom"
    xmlns:rax-auth="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
    xmlns="http://docs.openstack.org/identity/api/v2.0"
    xmlns:ns4="http://docs.rackspace.com/identity/api/ext/RAX-KSGRP/v1.0"
    xmlns:rax-ksqa="http://docs.rackspace.com/identity/api/ext/RAX-KSQA/v1.0"
    xmlns:os-ksadm="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
    xmlns:rax-kskey="http://docs.rackspace.com/identity/api/ext/RAX-KSKEY/v1.0"
    xmlns:os-ksec2="http://docs.openstack.org/identity/api/ext/OS-KSEC2/v1.0"
    id="123456" sessionInactivityTimeout="PT15M" name="GCorp" enabled="true" rackspaceCustomerNumber="RCN-123-123-123" domainMultiFactorEnforcementLevel="OPTIONAL">
        <rax-auth:description>A very good customer</rax-auth:description>
</rax-auth:domain>

Example: Get domain response header JSON

HTTP/1.1 200 OK
Content-Type: application/json

Example: Get domain response: JSON

{
    "RAX-AUTH:domain": {
        "id": "123456",
        "enabled": true,
        "description": "A very good customer",
        "sessionInactivityTimeout": "PT15M",
        "name": "GCorp",
        "rackspaceCustomerNumber": "RCN-123-123-123",
        "domainMultiFactorEnforcementLevel": "OPTIONAL"
    }
}

Update a domain

PUT /v2.0/RAX-AUTH/domains/{domainId}

Update properties for a domain.

When you submit the update request, include only the parameter values that you want to update.

Note

  • Owner or managers on account are only allowed to update the sessionInactivityTimeout attribute using the Update domain API operation.

The following table shows the possible response codes for this operation:

Response CodeNameDescription
200OKThe request completed successfully.
400Bad RequestThe request is missing one or more elements, or the values of some elements are invalid.
401UnauthorizedYou are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403ForbiddenThe request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404Not FoundThe requested resource was not found.
405Invalid MethodThe method specified in the request is not valid for the resource identified in the request URI.
413Over LimitThe number of items returned is above the allowed limit.
415Bad Media TypeBad media type. This may result if the wrong media type is used in the API request. Check the content-type and accept headers included in the request.
503Service FaultService is not available.

Request

The following table shows the header parameters for the update a domain request:

NameTypeDescription
X-Auth-TokenString (Required)A valid authentication token.

The following table shows the URI parameters for the update a domain request:

NameTypeDescription
{domainId}StringA domain ID.

The following table shows the body parameters for the update a domain request:

NameTypeDescription
RAX-AUTH:domainObject (Required)Object to specify these domain configuration settings: sessionInactivityTimeout
RAX-AUTH:domain.sessionInactivityTimeoutDuration (Optional)Session inactivity timeout property used across all Rackspace UIs. Value must be of type ISO 8601 Duration.

Example: Update a domain XML request

<?xml version="1.0" encoding="UTF-8"?>
<rax-auth:domain sessionInactivityTimeout="PT15M"
     xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
     xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
</rax-auth:domain>

Example: Update a domain JSON request

{
    "RAX-AUTH:domain": {
        "sessionInactivityTimeout": "PT15M"
    }
}

Response

Example: Update a domain XML response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
< Content-Length: 148

 <?xml version="1.0" encoding="UTF-8"?>
 <rax-auth:domain id="123" enabled="false" name="domain" description="Domain description"
      sessionInactivityTimeout="PT15M"
      xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
      xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
      xmlns:atom="http://www.w3.org/2005/Atom"
      xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
 </rax-auth:domain>

Example: Update a domain JSON response

< HTTP/1.1 200 OK
< vary:  Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json
< Content-Length: 148

 {
     "RAX-AUTH:domain": {
         "description": "Domain description",
         "enabled": true,
         "id": "123",
         "name": "domain",
         "sessionInactivityTimeout": "PT15M"
     }
 }

Set domain password policy

PUT /v2.0/RAX-AUTH/domains/{domainId}/password-policy

Set the domain’s password policy. The policy allows authorized users to set a password rotation requirement for all users within the domain. This forces users to change their password after a specified time period. A User administrator and User manager can set a policy on their own domain. System and Identity administrators can set a policy on any domain. A password policy is effective immediately for a domain.

Note

  • If the password on a user’s account has been updated since the Identity 3.12.0 release in June, 2017, Identity uses the date and time of the password change to determine whether the password has expired. Otherwise, Identity uses the last time any attribute on the account was updated (including password, email, and MFA settings).
  • Password policies can only be set using JSON. XML is not supported.
  • Regardless of the value set for passwordHistoryRestriction, a user’s password cannot be updated to its current password.

The following table shows the possible response codes for this operation:

Response CodeNameDescription
200UpdatedThe request has been fulfilled. The domain’s password policy was updated.
400Bad RequestThe request is missing one or more elements, or the values of some elements are invalid.
401UnauthorizedYou are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403ForbiddenThe request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404Not FoundThe requested resource was not found.
405Invalid MethodThe method specified in the request is not valid for the resource identified in the request URI.
413Over LimitThe number of items returned is above the allowed limit.
503Service FaultThe service is not available.

Request

The following table shows the header parameters for the request:

NameTypeDescription
X-Auth-TokenString (Required)A valid authentication token.

The following table shows the URI parameters for the request:

NameTypeDescription
{domainId}String (Required)A domain ID.

The following table shows the body parameters for the request:

NameTypeDescription
passwordPolicyObjectThe password policy
passwordPolicy.passwordDurationStringThe duration for which a password can be used. The format is similar to an ISO 8601 Duration (https://en.wikipedia.org/wiki/ISO_8601#Durations), but only days, hours, minutes, and seconds can be specified.
passwordPolicy.passwordHistoryRestrictionString (Optional)An integer value from 0-10 specifying how many previous passwords are looked at when a new password is being set. A value of 0 means the password history will be ignored.

Example: PUT Method request: JSON

This example demonstrates setting a password policy with a password expiration time of 90 days, 6 hours, 30 minutes, and 5 seconds after the password was set.

{
    "passwordPolicy": {
        "passwordDuration": "P90DT6H30M5S",
        "passwordHistoryRestriction": "10"
    }
}

Response

Example: PUT Method response: JSON

{
    "passwordPolicy": {
        "passwordDuration": "P90DT6H30M5S",
        "passwordHistoryRestriction": "10"
    }
}

Get domain password policy

GET /v2.0/RAX-AUTH/domains/{domainId}/password-policy

Get the domain’s password policy. A User administrator and User manager can get a policy on their own domain. System and Identity administrators can get a policy on any domain. For more information on password policies, see Set domain password policy.

Note

Password policies can only be returned in JSON.

The following table shows the possible response codes for this operation:

Response CodeNameDescription
200OKThe request has been fulfilled. The domain’s password policy was returned.
400Bad RequestThe request is missing one or more elements, or the values of some elements are invalid.
401UnauthorizedYou are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403ForbiddenThe request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404Not FoundThe requested resource was not found.
405Invalid MethodThe method specified in the request is not valid for the resource identified in the request URI.
413Over LimitThe number of items returned is above the allowed limit.
503Service FaultThe service is not available.

Request

The following table shows the header parameters for the request:

NameTypeDescription
X-Auth-TokenString (Required)A valid authentication token.

The following table shows the URI parameters for the request:

NameTypeDescription
{domainId}String (Required)A domain ID.

Response

Example: GET Method response: JSON

{
    "passwordPolicy": {
        "passwordDuration": "P90DT6H30M5S",
        "passwordHistoryRestriction": "10"
    }
}

Delete domain password policy

DELETE /v2.0/RAX-AUTH/domains/{domainId}/password-policy

This method deletes the domain’s password policy. For more information on password policies, see Set domain password policy.

The following table shows the possible response codes for this operation:

Response CodeNameDescription
204No ContentThe request has been fulfilled. The domain’s password policy was deleted.
400Bad RequestThe request is missing one or more elements, or the values of some elements are invalid.
401UnauthorizedYou are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token.
403ForbiddenThe request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access.
404Not FoundThe requested resource was not found.
405Invalid MethodThe method specified in the request is not valid for the resource identified in the request URI.
413Over LimitThe number of items returned is above the allowed limit.
503Service FaultThe service is not available.

Request

The following table shows the header parameters for the request:

NameTypeDescription
X-Auth-TokenString (Required)A valid authentication token.

The following table shows the URI parameters for the request:

NameTypeDescription
{domainId}String (Required)A domain ID.

This operation does not accept a request body.

Response

This operation does not return a response body.