An Identity Provider (IDP) is required in order to federate with Identity. Services are provided to manage Identity Providers (IDPs) within Identity.
Access restrictions
Access to the CRUD Identity Provider management services, including the metadata-based ones, is controlled by the following roles.
Service | identity:user-admin | identity:user-manage | rcn:admin |
---|---|---|---|
CreateIDPs | Yes | Yes | Yes |
UpdateIDPs | Yes | Yes | Yes |
GetIDPs | Yes | Yes | Yes |
ListIDPs | Yes | Yes | Yes |
GetIDPsMetadata | Yes | Yes | Yes |
GetIDPsMappingPolicy | Yes | Yes | Yes |
UpdateIDPsMappingPolicy | Yes | Yes | Yes |
Note
- User-admin or User-manage can make requests only when the caller’s domain is the same as the specified Identity Provider’s (IDP’s) approvedDomainId.
- A user with the role rcn:admin can make requests only when the caller’s domain is within the same RCN as the IDP’s specified approvedDomainId.
Use the following API operations to create, review, update, and delete Identity Providers.
- Create IDP with metadata
- Update IDP
- Update IDP with metadata
- Get IDP
- List IDPs
- Get metadata for IDP
- Get IDP mapping policy
- Update IDP mapping policy
Create IDP with metadata
POST /v2.0/RAX-AUTH/federation/identity-providers
Create a new Identity Provider using XML metadata.
Note
- Creating an IDP using metadata automatically assigns the IDP a name of at most 29 characters of the caller’s domain ID.
- If that name already exists, a digit is appended to the name until a unique name is found, for example example_2.
- This resource describes a single deployment using EntityDescriptor.
This table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
201 | Created | The request has been fulfilled. The IDP has been created. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
406 | Not Acceptable | The server cannot send data in a format requested. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
This table shows the body parameters for the request:
Name | Type | Description |
---|---|---|
EntityDescriptor | Object (Required) | Describes a system entity such as an Identity Provider. |
EntityDescriptor.entityID | String (Required) | The issuer for IDP. |
EntityDescriptor.IDPSSODescriptor | Object (Required) | An IDP role. |
EntityDescriptor.IDPSSODescriptor.protocolSupportEnumeration | String (Required) | Represents general classes of protocol support for the role in question. |
EntityDescriptor.IDPSSODescriptor.SingleSignOnService | Object (Required) | Describes a protocol binding endpoint. |
EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Binding | String (Required) | Describes a protocol binding. Only HTTP-Redirect is currently supported. |
EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Location | String (Required) | Describes the authentication url. |
EntityDescriptor.IDPSSODescriptor.KeyDescriptor | Object (Optional) | Associates one or more public keys with the system being defined. |
EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo | Object (Optional) | An element describing keys. |
Example: Create IDP request: XML
<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport"
ID="someId" entityID="https://my.issuer.com">
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns0:KeyDescriptor use="signing">
<ns1:KeyInfo>
<ns1:X509Data>
<ns1:X509Certificate>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</ns1:X509Certificate>
</ns1:X509Data>
</ns1:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.login.com"/>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
Response
This table shows the header parameters for the response:
Name | Type | Description |
---|---|---|
Location | String (Required) | The location URI of the newly created IDP. |
Example: Create IDP: XML response
< HTTP/1.1 201 Created
< vary: Accept, Accept-Encoding, X-Auth-Token
< Location: http://localhost:8083/idm/cloud/v2.0/RAX-AUTH/federation/identity-providers/123456
< Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<identityProvider id="123456" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
<publicCertificates>
<publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="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" />
</publicCertificates>
<approvedDomainIds>
<approvedDomainId>12345</approvedDomainId>
</approvedDomainIds>
</identityProvider>
Example: Create IDP: JSON response
< HTTP/1.1 201 Created
< vary: Accept, Accept-Encoding, X-Auth-Token
< Location: http://localhost:8083/idm/cloud/v2.0/RAX-AUTH/federation/identity-providers/adsdfwejjbwerh
< Content-Type: application/json
{
"RAX-AUTH:identityProvider": {
"id": "123456",
"name": "name",
"issuer": "https://my.issuer.com",
"description": "A description",
"federationType": "DOMAIN",
"authenticationUrl": "https://my.login.com",
"approvedDomainIds": [
"12345"
],
"publicCertificates": [
{
"id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
"pemEncoded":"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"
}
]
}
}
Update IDP
PUT /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}
Update an Identity provider (IDP).
Note
- User-admin or User-manage roles can make a request only when the caller’s domain is the same as the specified Identity Provider’s approvedDomainId.
- User-admin or User-manage roles can update the name, description, and emailDomains. Any specified values for other fields are ignored.
- A user with the role rcn:admin can make a request only when the caller’s domain is within the same RCN as the IDP’s specified approvedDomainId.
- A user with the role rcn:admin can update the name, description, emailDomains, and approvedDomainId. Any specified values for other fields are ignored.
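The role rules from the Access restrictions table and the Update IDP note, as an added example (not Rackspace Identity's own code): a caller may act on an IDP when its domain matches the IDP's approvedDomainId (identity:user-admin or identity:user-manage) or lies in the same RCN (rcn:admin), and an Update IDP body is reduced to the fields each role may change, with the rest ignored. The domain-to-RCN mapping and the sample callers are constructed for the example; the page does not show them.

```python
from dataclasses import dataclass, field

USER_ADMIN = "identity:user-admin"
USER_MANAGE = "identity:user-manage"
RCN_ADMIN = "rcn:admin"

# Body fields each role may change on Update IDP; any other field is ignored.
USER_UPDATABLE = {"name", "description", "emailDomains"}
RCN_UPDATABLE = USER_UPDATABLE | {"approvedDomainIds"}
# Body key -> attribute on the IdentityProvider model below.
ATTR_OF = {"name": "name", "description": "description",
           "emailDomains": "email_domains", "approvedDomainIds": "approved_domain_ids"}

# Constructed sample of which domain belongs to which RCN; the page relies on
# such a mapping but does not show it.
RCN_OF_DOMAIN = {"12345": "RCN-A", "67890": "RCN-A", "55555": "RCN-B"}


@dataclass(frozen=True)
class Caller:
    domain_id: str
    roles: frozenset


@dataclass
class IdentityProvider:
    id: str
    name: str
    issuer: str
    description: str = ""
    approved_domain_ids: list = field(default_factory=list)
    email_domains: list = field(default_factory=list)


def same_rcn(domain_a: str, domain_b: str) -> bool:
    rcn = RCN_OF_DOMAIN.get(domain_a)
    return rcn is not None and rcn == RCN_OF_DOMAIN.get(domain_b)


def may_access(caller: Caller, idp: IdentityProvider) -> bool:
    """Access rule from the notes. Assumption: when an IDP lists several
    approvedDomainIds, 'the IDP's approvedDomainId' means any one of them."""
    if caller.roles & {USER_ADMIN, USER_MANAGE} and caller.domain_id in idp.approved_domain_ids:
        return True
    if RCN_ADMIN in caller.roles and any(same_rcn(caller.domain_id, d) for d in idp.approved_domain_ids):
        return True
    return False


def update_idp(caller: Caller, idp: IdentityProvider, body: dict) -> dict:
    """Apply an Update IDP body (the RAX-AUTH:identityProvider object). Returns
    {"status": 403} when the caller may not touch this IDP, otherwise
    {"status": 200, "ignored": [fields silently dropped], "idp": idp}."""
    if not may_access(caller, idp):
        return {"status": 403}
    allowed = RCN_UPDATABLE if RCN_ADMIN in caller.roles else USER_UPDATABLE
    for key in sorted(set(body) & allowed):
        setattr(idp, ATTR_OF[key], body[key])
    return {"status": 200, "ignored": sorted(set(body) - allowed), "idp": idp}


# Constructed sample data mirroring the responses on this page (IDP approved for domain 12345).
def sample_idp() -> IdentityProvider:
    return IdentityProvider(id="123456", name="name", issuer="https://my.issuer.com",
                            description="A description", approved_domain_ids=["12345"])


DOMAIN_ADMIN = Caller("12345", frozenset({USER_ADMIN}))        # same domain as the IDP
OTHER_DOMAIN_ADMIN = Caller("67890", frozenset({USER_MANAGE}))  # same RCN, different domain
RCN_ADMIN_CALLER = Caller("67890", frozenset({RCN_ADMIN}))      # rcn:admin within RCN-A
OTHER_RCN_ADMIN = Caller("55555", frozenset({RCN_ADMIN}))       # rcn:admin in RCN-B

if __name__ == "__main__":
    # user-admin may rename, but its approvedDomainIds change is ignored
    print(update_idp(DOMAIN_ADMIN, sample_idp(), {"name": "renamed", "approvedDomainIds": ["67890"]}))
    print(update_idp(OTHER_DOMAIN_ADMIN, sample_idp(), {"name": "renamed"}))   # 403
    print(update_idp(RCN_ADMIN_CALLER, sample_idp(), {"approvedDomainIds": ["67890"]}))
    print(update_idp(OTHER_RCN_ADMIN, sample_idp(), {"name": "renamed"}))      # 403
```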
This table shows the possible response codes for this operation:
Response code | Name | Description |
---|---|---|
200 | OK | The request has been fulfilled. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
406 | Not Acceptable | The server cannot send data in a format requested. |
409 | Conflict | The request could not be completed due to a conflict with the current state of the target resource. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
This table shows the URI parameters for the request:
Name | Type | Description |
---|---|---|
{identityProviderId} | String (Required) | The Identity Provider’s ID. |
This table shows the body parameters for the request:
Name | Type | Description |
---|---|---|
RAX-AUTH:identityProvider | Object | An identity-provider object that specifies the IDP information. |
RAX-AUTH:identityProvider.name | String (Optional) | The name of the provider. Must consist only of alphanumeric characters, ‘-’ and ‘.’, and be less than 255 characters. |
RAX-AUTH:identityProvider.description | String (Optional) | A short description of the IDP, used for informational purposes only. |
RAX-AUTH:identityProvider.approvedDomainIds | Object (Optional) | Limits the IDP to authenticating only for the specified domains. Mutually exclusive with approvedDomainGroup. |
RAX-AUTH:identityProvider.emailDomains | Object (Optional) | List of email domains. |
RAX-AUTH:identityProvider.emailDomains.emailDomain | String (Optional) | String representing an email domain. Value must be unique across all identity providers. |
Example: Update IDP request: XML
<?xml version="1.0" encoding="UTF-8"?>
<identityProvider name="name" description="A description"
xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
<approvedDomainIds>
<approvedDomainId>12345</approvedDomainId>
</approvedDomainIds>
<emailDomains>
<emailDomain>emailDomain.com</emailDomain>
</emailDomains>
</identityProvider>
Example: Update IDP request: JSON
{
"RAX-AUTH:identityProvider": {
"name": "name",
"description": "A description",
"approvedDomainIds": [
"12345"
],
"emailDomains": [
"emailDomain.com"
]
}
}
Response
Example: Update IDP: XML response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<identityProvider id="asdfqwerr" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
<publicCertificates>
<publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="MIICsDCCAhmgAwIBAgIJAPdQ9ZKjtRX5MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTQwODA2MTkxMzE4WhcNMjQwODA1MTkxMzE4WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiqa9KxLhEbMWXZsI1v/4OA0X8sAl3sglfsPMHnGjyIwB2Kz4Pl38in0/8p3ngLHyI2/XOMQwAVZxOZ7sMwHq8FY4YgdkwqxFZ1esnASS6ty1286MJYWo+uDwUepH4A4cKtqUKgIsT4VOxyXSDzreZPvWjFDNDsq+w42UnpI0s6QIDAQABo4GnMIGkMB0GA1UdDgQWBBQ4+BePfVmEY4wY/gLAgec3J3J7JDB1BgNVHSMEbjBsgBQ4+BePfVmEY4wY/gLAgec3J3J7JKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPdQ9ZKjtRX5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxD4+TDo+/MzQKg3fH0HazXsSKQN1V9crvVe36VUQ79tIkufXATcwBlbA+SkkCpt68c0mfwKgffy2KucNhLMhBUzzF+M8k9X07IgfmrAviOd3D5PqEoNpkP/am8RMm7mjSC/DPb1Jd+yRFB8I0vUmFp8G+ZJ+F00zqabtCv/kMVM=" />
<publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="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" />
</publicCertificates>
<approvedDomainIds>
<approvedDomainId>12345</approvedDomainId>
</approvedDomainIds>
<emailDomains>
<emailDomain>emailDomain.com</emailDomain>
</emailDomains>
</identityProvider>
Example: Update IDP: JSON response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json
{
"RAX-AUTH:identityProvider": {
"id": "adsdfwejjbwerh",
"name": "name",
"issuer": "https://my.issuer.com",
"description": "A description",
"federationType": "DOMAIN",
"authenticationUrl": "https://my.login.com",
"approvedDomainIds": [
"12345"
],
"emailDomains": [
"emailDomain.com"
],
"publicCertificates": [
{
"id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
"pemEncoded":"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"
},
{
"id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
"pemEncoded":"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"
}
]
}
}
Update IDP with metadata
PUT /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/metadata
Update an existing Identity Provider using XML metadata.
Note
- Only the IDP’s authentication URL and certificates can be updated via metadata.
This table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request has been fulfilled. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
406 | Not Acceptable | The server cannot send data in a format requested. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
This table shows the URI parameters for the request:
Name | Type | Description |
---|---|---|
{identityProviderId} | String (Required) | The Identity Provider’s ID. |
This table shows the body parameters for the request:
Name | Type | Description |
---|---|---|
EntityDescriptor | Object (Required) | Describes a system entity such as an Identity Provider. |
EntityDescriptor.entityID | String (Required) | The issuer for IDP. |
EntityDescriptor.IDPSSODescriptor | Object (Required) | An IDP role. |
EntityDescriptor.IDPSSODescriptor.protocolSupportEnumeration | String (Required) | Represents general classes of protocol support for the role in question. |
EntityDescriptor.IDPSSODescriptor.SingleSignOnService | Object (Required) | Describes a protocol binding endpoint. |
EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Binding | String (Optional) | Describes a protocol binding. Only HTTP-Redirect is currently supported. |
EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Location | String (Optional) | Describes the authentication url. |
EntityDescriptor.IDPSSODescriptor.KeyDescriptor | Object (Optional) | Associates one or more public keys with the system being defined. |
EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo | Object (Optional) | An element describing keys. |
Example: Update IDP request: XML
<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport"
ID="someId" entityID="https://my.issuer.com">
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns0:KeyDescriptor use="signing">
<ns1:KeyInfo>
<ns1:X509Data>
<ns1:X509Certificate>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</ns1:X509Certificate>
</ns1:X509Data>
</ns1:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.login.com"/>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
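As an added example for both the Create IDP with metadata and Update IDP with metadata operations (not Rackspace Identity's own code), the following Python checks an EntityDescriptor for the fields the body-parameter tables mark as required, rejects any SingleSignOnService binding other than HTTP-Redirect, maps the result to the issuer, authenticationUrl and publicCertificates attributes the responses carry, and applies the name-assignment rule from the Create IDP note. The SHA-1 fingerprint used for the publicCertificate id is an assumption (the page does not say how ids are derived), and the embedded certificate value is constructed, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD, DS = "{%s}" % MD_NS, "{%s}" % DS_NS          # ElementTree's Clark notation
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = MD + "KeyDescriptor/" + DS + "KeyInfo/" + DS + "X509Data/" + DS + "X509Certificate"


class MetadataError(ValueError):
    """Metadata the service would answer with 400 Bad Request."""


def parse_idp_metadata(xml_text: str) -> dict:
    """Check the EntityDescriptor fields the body-parameter table marks as
    required and return the identityProvider attributes the response carries."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != MD + "EntityDescriptor":
        raise MetadataError("root element must be md:EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise MetadataError("EntityDescriptor.entityID is required")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise MetadataError("IDPSSODescriptor is required")
    if not idp.get("protocolSupportEnumeration"):
        raise MetadataError("IDPSSODescriptor.protocolSupportEnumeration is required")
    sso = idp.find(MD + "SingleSignOnService")
    if sso is None:
        raise MetadataError("SingleSignOnService is required")
    # Only HTTP-Redirect is accepted; any other binding (e.g. HTTP-POST) is rejected.
    if sso.get("Binding") != HTTP_REDIRECT:
        raise MetadataError("SingleSignOnService.Binding must be HTTP-Redirect")
    location = sso.get("Location")
    if not location:
        raise MetadataError("SingleSignOnService.Location is required")
    certs = []
    for cert_el in idp.iterfind(CERT_PATH):
        pem = "".join((cert_el.text or "").split())   # drop PEM line wrapping
        try:
            der = base64.b64decode(pem, validate=True)
        except ValueError as exc:
            raise MetadataError("X509Certificate is not valid base64") from exc
        # Assumption: publicCertificate.id is a SHA-1 fingerprint of the DER bytes
        # (40 hex chars, like the ids in the responses); the page does not say.
        certs.append({"id": hashlib.sha1(der).hexdigest(), "pemEncoded": pem})
    return {"issuer": issuer, "authenticationUrl": location, "publicCertificates": certs}


def validation_error(xml_text: str):
    """Return the rejection reason, or None when the metadata is acceptable."""
    try:
        parse_idp_metadata(xml_text)
    except (MetadataError, ET.ParseError) as exc:
        return str(exc)
    return None


def derive_idp_name(caller_domain_id: str, existing_names) -> str:
    """Name auto-assigned on create-with-metadata: at most 29 characters of the
    caller's domain ID, with _2, _3, ... appended until unique (one reading of
    the note's 'Ex: example_2')."""
    base = caller_domain_id[:29]
    name, n = base, 1
    while name in existing_names:
        n += 1
        name = "%s_%d" % (base, n)
    return name


# Constructed sample: this base64 value is NOT a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed sample, not a real certificate").decode()


def sample_metadata(binding: str = HTTP_REDIRECT) -> str:
    # Shaped like the page's request example, with a selectable SSO binding.
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="{MD_NS}" xmlns:ns1="{DS_NS}"
    ID="someId" entityID="https://my.issuer.com">
  <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns0:KeyDescriptor use="signing">
      <ns1:KeyInfo><ns1:X509Data>
        <ns1:X509Certificate>{SAMPLE_CERT_B64}</ns1:X509Certificate>
      </ns1:X509Data></ns1:KeyInfo>
    </ns0:KeyDescriptor>
    <ns0:SingleSignOnService Binding="{binding}" Location="https://my.login.com"/>
  </ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>"""


if __name__ == "__main__":
    print(parse_idp_metadata(sample_metadata()))
    print(validation_error(sample_metadata("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")))
    print(derive_idp_name("example", {"example"}))
```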
Response
This table shows the header parameters for the response:
Name | Type | Description |
---|---|---|
Location | String (Required) | The location URI of the newly created IDP. |
Example: Update IDP: XML response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<identityProvider id="123456" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
<publicCertificates>
<publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="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" />
</publicCertificates>
<approvedDomainIds>
<approvedDomainId>12345</approvedDomainId>
</approvedDomainIds>
</identityProvider>
Example: Update IDP: JSON response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json
{
"RAX-AUTH:identityProvider": {
"id": "123456",
"name": "name",
"issuer": "https://my.issuer.com",
"description": "A description",
"federationType": "DOMAIN",
"authenticationUrl": "https://my.login.com",
"approvedDomainIds": [
"12345"
],
"publicCertificates": [
{
"id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
"pemEncoded":"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"
}
]
}
}
Get IDP
GET /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}
Get an Identity provider.
Note
- User-admin or User-manage can retrieve an Identity Provider only if their domain is the same as the specified Identity Provider’s (IDP’s) approvedDomainId.
- A user with the role rcn:admin can retrieve an Identity Provider if their domain is within the same RCN as the IDP’s specified approvedDomainId.
This table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request has succeeded. |
403 | Forbidden | Caller does not have appropriate role. |
404 | Not Found | The requested resource was not found. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
Response
Example: Get IDP: XML response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<identityProvider id="asdfqwerr" name="name" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN"
xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
<publicCertificates>
<publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="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" />
<publicCertificate id="7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b" pemEncoded="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" />
</publicCertificates>
<approvedDomainIds>
<approvedDomainId>12345</approvedDomainId>
</approvedDomainIds>
</identityProvider>
Example: Get IDP: JSON response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json
{
"RAX-AUTH:identityProvider": {
"id": "adsdfwejjbwerh",
"name": "name",
"issuer": "https://my.issuer.com",
"description": "A description",
"federationType": "DOMAIN",
"authenticationUrl": "https://my.login.com",
"approvedDomainIds": [
"12345"
],
"publicCertificates": [
{
"id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
"pemEncoded":"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"
},
{
"id":"7d2bf0ecd98d2cb0f5c42ef6ae0edf4da985459b",
"pemEncoded":"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"
}
]
}
}
List IDPs
GET /v2.0/RAX-AUTH/federation/identity-providers
List Identity providers.
Note
- User-admin or User-manage can list only Identity Providers that are within the same domain.
- A user with the role rcn:admin can list only Identity Providers which are within the same RCN as the IDP’s specified approvedDomainId.
This table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request has succeeded. |
400 | Bad Request | If both the approvedTenantId and approvedDomainId query params are provided. |
400 | Bad Request | If the idpType param is specified with an unsupported value. |
403 | Forbidden | Caller does not have appropriate role. |
403 | Forbidden | If more than the maximum number of IDPs would be returned by the search - as specified by configuration property identity.provider.max.search.result.size. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
This table shows the query parameters for the request:
Name | Type | Description |
---|---|---|
name | String (Optional) | Searches IDPs by the specified name. Returns a list of at most one IDP. |
issuer | String (Optional) | Searches IDPs by the specified issuer. Returns a list of at most one IDP. |
idpType | String (Optional) | When specified, the resulting list includes ONLY IDPs that match the specified type. The allowed values are: EXPLICIT, which limits results to only those IDPs that were created with approvedDomainIds specified. The idpType filter can be provided by itself or combined with the approvedDomainId filter. |
approvedDomainId | String (Optional) | Limits the resulting IDPs to those DOMAIN federated IDPs that can request tokens for the specified domain. This includes those DOMAIN federated IDPs that are GLOBAL IDPs (created with approvedDomainGroup = GLOBAL). The approvedDomainId and idpType filters can be used together to limit the result list to non-global IDPs that are explicitly configured for a given domain. |
approvedTenantId | String (Optional) | When specified, the resulting list includes ONLY IDPs that can receive tokens for the specified tenantId. The service looks up the domainId associated with the specified tenantId to determine which IDPs can receive tokens for that tenantId. The approvedTenantId and approvedDomainId filters are mutually exclusive; if both are specified, an HTTP 400 response is returned. The approvedTenantId and idpType filters can be used together to limit the result list to non-global IDPs that are explicitly configured for a given domain. |
Response
Example: List IDPs: XML response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<identityProviders xmlns="http://docs.rackspace.com/identity/api/ext/RAX-AUTH/v1.0"
xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0"
xmlns:atom="http://www.w3.org/2005/Atom" xmlns:identity="http://docs.openstack.org/identity/api/v2.0">
<identityProvider id="asdfqwerr" name="name1" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN">
<approvedDomainIds>
<approvedDomainId>12345</approvedDomainId>
</approvedDomainIds>
</identityProvider>
<identityProvider id="ty656" name="name2" issuer="https://my.issuer.com" authenticationUrl="https://my.login.com" description="A description" federationType="DOMAIN" approvedDomainGroup="GLOBAL" />
<identityProvider id="jiyougfhjhrt" name="name3" issuer="https://my.issuer2.com" authenticationUrl="https://my.login.com" description="Another description" federationType="RACKER" />
</identityProviders>
Example: List IDPs: JSON response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/json
{
"RAX-AUTH:identityProviders": [
{
"id": "asdfqwerr",
"name": "name1",
"issuer": "https://my.issuer.com",
"description": "A description",
"federationType": "DOMAIN",
"authenticationUrl": "https://my.login.com",
"approvedDomainIds": [
"12345"
]
},
{
"id": "byfghrt",
"name": "name2",
"issuer": "https://my.issuer.com",
"description": "A description",
"federationType": "DOMAIN",
"authenticationUrl": "https://my.login.com",
"approvedDomainGroup": "GLOBAL"
},
{
"id": "jiyougfhjhrt",
"name": "name3",
"issuer": "https://my.issuer2.com",
"description": "Another description",
"authenticationUrl": "https://my.login.com",
"federationType": "RACKER"
}
]
}
Get metadata for IDP
GET /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/metadata
Retrieve an Identity Provider’s XML metadata.
This table shows the possible response codes for this operation:
Response Code | Name | Description |
---|---|---|
200 | OK | The request has been fulfilled. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
406 | Not Acceptable | The server cannot send data in a format requested. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
Response
Example: Get IDP’s metadata: XML response
< HTTP/1.1 200 OK
< vary: Accept, Accept-Encoding, X-Auth-Token
< Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns2="urn:oasis:names:tc:SAML:metadata:algsupport"
ID="someId" entityID="https://my.issuer.com">
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns0:KeyDescriptor use="signing">
<ns1:KeyInfo>
<ns1:X509Data>
<ns1:X509Certificate>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</ns1:X509Certificate>
</ns1:X509Data>
</ns1:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://my.login.com"/>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
Get IDP mapping policy
GET /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/mapping
Get mapping policy for identity provider.
Note
- Only JSON and YAML formats are allowed for IDP mapping policy. Accept type must be either application/json or text/yaml.
This table shows the possible response codes for this operation:
Response code | Name | Description |
---|---|---|
200 | OK | The request has been fulfilled. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
406 | Not Acceptable | The server cannot send data in a format requested. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
This table shows the URI parameters for the request:
Name | Type | Description |
---|---|---|
{identityProviderId} | String (Required) | The Identity Provider’s ID. |
Response
Example: Get IDP mapping policy response: JSON
{
"property":{
"value":"default policy"
}
}
Example: Get IDP mapping policy response: YAML
---
property:
value: default policy
Update IDP mapping policy
PUT /v2.0/RAX-AUTH/federation/identity-providers/{identityProviderId}/mapping
Update mapping policy for identity provider.
Note
- Only JSON and YAML formats are allowed for IDP mapping policy. Content type must be either application/json or text/yaml.
This table shows the possible response codes for this operation:
Response code | Name | Description |
---|---|---|
204 | No Content | The request has been fulfilled. |
400 | Bad Request | The request is missing one or more elements, or the values of some elements are invalid. |
401 | Unauthorized | You are not authorized to complete this operation. This error can occur if the request is submitted with an invalid authentication token. |
403 | Forbidden | The request was valid, but the server is refusing to respond because you do not have permission to access the requested resource. Submit a request to your account administrator to determine how to gain access. |
404 | Not Found | The requested resource was not found. |
405 | Invalid Method | The method specified in the request is not valid for the resource identified in the request URI. |
406 | Not Acceptable | The server cannot send data in a format requested. |
413 | Over Limit | The number of items returned is above the allowed limit. |
503 | Service Fault | Service is not available. |
Request
This table shows the header parameters for the request:
Name | Type | Description |
---|---|---|
X-Auth-Token | String (Required) | A valid authentication token. |
This table shows the URI parameters for the request:
Name | Type | Description |
---|---|---|
{identityProviderId} | String (Required) | The Identity Provider’s ID. |
Example: Update IDP mapping policy request: JSON
{
"property":{
"value":"default policy"
}
}
Example: Update IDP mapping policy request: YAML
---
property:
value: default policy
Response
This operation does not return a response body.